xss漏洞修复 ASP代码

             Response.Write "<br>字段名:" & Server.HTMLEncode(sItem)

            Response.Write "<br>字段值:" & Server.HTMLEncode(sValue)
 
 
%27"()%26%25<zzz> 这个是啥?
 

字符分解与含义(这串字符常被用作回显探测:把它作为输入提交后,观察页面是否原样输出,即可判断输出是否经过了 HTML 编码或过滤)

特殊字符及URL编码解析表
字符/编码 解码后 作用与风险
%27 ' 单引号,用于闭合SQL语句或字符串
%22 " 双引号,闭合HTML属性或字符串
() () 括号,用于执行函数或包裹参数
%26 & 和符号,用于HTML实体或URL参数分隔
%25 % 百分号,常用于URL编码或通配符
<zzz> <zzz> 非标准HTML标签,测试标签过滤

 

 

 

 

<%@LANGUAGE="VBSCRIPT"%>
<%
Option Explicit

'<<--
' Page-level database handle. The .mdb is resolved from a path under the
' web root (Server.MapPath("/...")), so it is only as protected as the web
' server's rules for that folder; keeping the file outside the document
' root, or denying direct requests to it, avoids exposing it for download.
' SysPath and dbPath are declared here but not assigned in this file.
Dim SysPath, dbPath, db
db = Server.MapPath("/db&shuju913/webdesign99.cn.mdb")
'-->>

'<<--
' One ADO connection per request, opened here and released by CloseConn.
' The open has no error handling: a failure aborts the page with the
' provider's message, which is the existing behaviour.
Dim conn, connstr
connstr = "Provider=Microsoft.JET.OLEDB.4.0;Data Source=" & db
Set conn = Server.CreateObject("Adodb.Connection")
conn.Open connstr
'-->>
 
'<<--
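' Release the page-level ADO connection opened at the top of this file.
' Guarded so that a second call, or a call after conn has already been
' released, does not raise "Object required" / "Operation is not allowed
' when the object is closed". adStateClosed = 0.
Function CloseConn
    If Not conn Is Nothing Then
        If conn.State <> 0 Then conn.Close
        Set conn = Nothing
    End If
End Function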
 
 
 
 
'
'Dim conn2,connstr2
'Set conn2 = Server.CreateObject("Adodb.Connection")
'connstr2="Provider=Microsoft.JET.OLEDB.4.0;Data Source="&Server.MapPath("../www/db&shuju913/webdesign99.cn.mdb")
'conn2.open(connstr2)
'Function CloseConn2
'conn2.close
'Set conn2 = Nothing
'
'
'End Function
'
 
 
 
 
 
 
 
 
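'记录来路和本地址
' comeUrl    - HTTP_REFERER as sent by the client. It is client-controlled,
'              so it is suitable for logging but not for authorisation or
'              redirect decisions.
' thisUrl    - PATH_INFO of the current script.
' thisUrlAll - absolute URL of this page, re-attaching ?id=... when the
'              request carries an id. The id value comes from the request
'              (QueryString, Form or Cookies via Request("id")), so it is
'              URL-encoded before being spliced back into the URL; it was
'              previously embedded raw. The scheme is hard-coded as http://
'              as before - confirm this is intended for HTTPS deployments.
Dim comeUrl, thisUrl, thisUrlAll
comeUrl = Request.ServerVariables("HTTP_REFERER")
thisUrl = Request.ServerVariables("PATH_INFO")
thisUrlAll = "http://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("SCRIPT_NAME")  '全部url
If Request("id") <> "" Then
    thisUrlAll = thisUrlAll & "?id=" & Server.URLEncode(Request("id"))
End If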
  
'安全设置
' Request-level input screening. EnableStopInjection switches on the
' blocklist checks over QueryString, Cookies and Form (the Form check is
' skipped for upfile.asp). These are pattern blocklists, not a substitute
' for parameterised queries and output encoding in the pages that use the
' data.
Const EnableStopInjection = True
Dim ScriptName
Dim ErrMsg
Dim FoundErr, UserTrueIP
'正则表达式相关的变量
' One shared RegExp instance. Every helper in this file overwrites
' regEx.Pattern, so a helper must set Pattern immediately before each
' Test / Execute / Replace and must not assume it survives a call.
Dim regEx, Match, Match2, Matches, Matches2
Set regEx = New RegExp
With regEx
    .IgnoreCase = True
    .Global = True
    .MultiLine = True
End With
ScriptName = Trim(Request.ServerVariables("SCRIPT_NAME"))
' X-Forwarded-For is a client-supplied header: usable for logging, not for
' access decisions. Falls back to the socket address when it is absent;
' the result is then stripped of blocklisted characters.
UserTrueIP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If Len(UserTrueIP) = 0 Then UserTrueIP = Request.ServerVariables("REMOTE_ADDR")
UserTrueIP = ReplaceBadChar(UserTrueIP)
If EnableStopInjection Then
    If Request.QueryString <> "" Then StopInjection Request.QueryString
    If Request.Cookies <> "" Then StopInjection Request.Cookies
    If LCase(Mid(ScriptName, InStrRev(ScriptName, "/") + 1)) <> "upfile.asp" Then StopInjection2 Request.Form
End If
' Reset for the including page; presumably set by later code - not used here.
FoundErr = False
ErrMsg = ""
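'==================================================
' StopInjection: blocklist screen for the QueryString / Cookies collections.
' Values - an ASP request collection; every member is tested against the
'          SQL-keyword pattern. On a hit the offending field is reported
'          to the client and the response is ended.
' Changes from the earlier version:
'  * field name, field value and each matched keyword are written through
'    Server.HTMLEncode. The keyword used to go through FilterJS, which is a
'    tag sanitiser rather than an output encoder.
'  * a private RegExp is used instead of the shared regEx, so nothing
'    called from inside the loop can change the pattern between one field
'    and the next (FilterJS, for instance, overwrites regEx.Pattern).
' The pattern itself is unchanged. "retun" is kept as written so matching
' does not change (it is probably a typo for "return"), and note that bare
' words such as "and", "or", "if" or "as" preceded by whitespace also match,
' so ordinary text can be rejected.
'==================================================
Sub StopInjection(Values)
    Dim oRegEx, oMatches, oMatch
    Dim FoundInjection, sItem, sValue
    FoundInjection = False
    Set oRegEx = New RegExp
    oRegEx.IgnoreCase = True
    oRegEx.Global = True
    oRegEx.MultiLine = True
    oRegEx.Pattern = "'|;|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|retun|as|go|exists)[\s\b+]*)"
    For Each sItem In Values
        sValue = Values(sItem)
        If oRegEx.Test(sValue) Then
            FoundInjection = True
            Response.Write "很抱歉,由于您提交的内容中含有危险的SQL注入代码,致使本次操作无效! "
            Response.Write "<br>字段名:" & Server.HTMLEncode(sItem)
            Response.Write "<br>字段值:" & Server.HTMLEncode(sValue)
            Response.Write "<br>关键字:"
            Set oMatches = oRegEx.Execute(sValue)
            For Each oMatch In oMatches
                Response.Write Server.HTMLEncode(oMatch.Value)
            Next
            Response.Write "<br><br>如果您是正常提交仍出现上面的提示,请联系站长修改Config.asp文件的第7行,暂时禁用掉防SQL注入功能,操作完成后再打开。"
        End If
    Next
    If FoundInjection Then Response.End
End Sub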
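'==================================================
' StopInjection2: blocklist screen for the Form collection (same shape as
' StopInjection, with a pattern that requires a leading ' ; # ( or ) before
' the keyword).
' Values - an ASP request collection; every member is tested. On a hit the
'          offending field is reported to the client and the response ends.
' Changes from the earlier version:
'  * field name, field value and each matched keyword are written through
'    Server.HTMLEncode. This Sub still echoed sItem and sValue raw, so the
'    reflected-XSS fix applied to StopInjection was missing here.
'  * a private RegExp replaces the shared regEx so the pattern cannot be
'    changed by anything called inside the loop.
' The pattern is unchanged ("retun" kept as written, probably a typo for
' "return").
'==================================================
Sub StopInjection2(Values)
    Dim oRegEx, oMatches, oMatch
    Dim FoundInjection, sItem, sValue
    FoundInjection = False
    Set oRegEx = New RegExp
    oRegEx.IgnoreCase = True
    oRegEx.Global = True
    oRegEx.MultiLine = True
    oRegEx.Pattern = "[';#()][\s+()]*(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|retun|as|go|exists)[\s+]*"
    For Each sItem In Values
        sValue = Values(sItem)
        If oRegEx.Test(sValue) Then
            FoundInjection = True
            Response.Write "很抱歉,由于您提交的内容中含有危险的SQL注入代码,致使本次操作无效! "
            Response.Write "<br>字段名:" & Server.HTMLEncode(sItem)
            Response.Write "<br>字段值:" & Server.HTMLEncode(sValue)
            Response.Write "<br>关键字:"
            Set oMatches = oRegEx.Execute(sValue)
            For Each oMatch In oMatches
                Response.Write Server.HTMLEncode(oMatch.Value)
            Next
            Response.Write "<br><br>如果您是正常提交仍出现上面的提示,请联系站长修改Config.asp文件的第7行,暂时禁用掉防SQL注入功能,操作完成后再打开。"
        End If
    Next
    If FoundInjection Then Response.End
End Sub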
'**************************************************
' Function: ReplaceBadChar
' Purpose : strip a fixed set of characters that are commonly abused in
'           SQL / HTML contexts from strChar. This is a blocklist; it does
'           not make a value safe to concatenate into SQL - use parameters.
' Param   : strChar ----- text to clean (Null or "" yields "")
' Returns : strChar with + ' % ^ & ? ( ) < > [ ] { } / \ ; : " NUL and
'           "--" removed, and "@@" collapsed to "@"
'**************************************************
Function ReplaceBadChar(strChar)
    Dim badList, cleaned, token
    If IsNull(strChar) Or strChar = "" Then
        ReplaceBadChar = ""
        Exit Function
    End If
    badList = Split("+,',%,^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & "," & Chr(0) & ",--", ",")
    cleaned = strChar
    ' Order matters: single characters go first, "--" is removed last.
    For Each token In badList
        cleaned = Replace(cleaned, token, "")
    Next
    ReplaceBadChar = Replace(cleaned, "@@", "@")
End Function
'**************************************************
' Function: ReplaceLabelBadChar
' Purpose : strip blocklisted characters and a short list of SQL keywords
'           from text used in the site's label/tag functions. A blocklist;
'           it does not make a value safe to concatenate into SQL.
' Param   : strChar ----- text to clean (Null or "" yields "")
' Returns : strChar with + ' % ^ & ? ( ) < > [ ] { } / \ ; : " and NUL
'           removed, "@@" collapsed to "@", and the keywords
'           select/union/update/insert/delete/exec/from/WD_admin/-- removed
'           (case-insensitively) until none remain
' Note    : uses the page-level regEx and leaves regEx.Pattern changed.
'**************************************************
Function ReplaceLabelBadChar(strChar)
    Dim badList, cleaned, token, previous
    If IsNull(strChar) Or strChar = "" Then
        ReplaceLabelBadChar = ""
        Exit Function
    End If
    badList = Split("+,',%,^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & "," & Chr(0), ",")
    cleaned = strChar
    For Each token In badList
        cleaned = Replace(cleaned, token, "")
    Next
    cleaned = Replace(cleaned, "@@", "@")
    ' Keyword removal repeats until nothing changes, so keywords that
    ' reassemble after one pass are caught too. The trailing "?" makes the
    ' group optional, so the pattern also matches the empty string; those
    ' empty matches are replaced with nothing and have no effect.
    regEx.Pattern = "(select|union|update|insert|delete|exec|from|WD_admin|--)?"
    Do
        previous = cleaned
        cleaned = regEx.Replace(cleaned, "")
    Loop Until previous = cleaned
    ReplaceLabelBadChar = cleaned
End Function
'**************************************************
' Function: ReplaceUrlBadChar
' Purpose : strip a smaller blocklist from text that is going into a URL.
'           Unlike ReplaceBadChar it keeps % & ? / and : so that encoded
'           characters, query separators and paths survive.
' Param   : strChar ----- text to clean (Null or "" yields "")
' Returns : strChar with + ' ( ) < > [ ] { } \ ; " NUL and "--" removed,
'           and "@@" collapsed to "@"
'**************************************************
Function ReplaceUrlBadChar(strChar)
    Dim badList, cleaned, token
    If IsNull(strChar) Or strChar = "" Then
        ReplaceUrlBadChar = ""
        Exit Function
    End If
    badList = Split("+,',(,),<,>,[,],{,},\,;," & Chr(34) & "," & Chr(0) & ",--", ",")
    cleaned = strChar
    For Each token In badList
        cleaned = Replace(cleaned, token, "")
    Next
    ReplaceUrlBadChar = Replace(cleaned, "@@", "@")
End Function
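'=================================================
' Function: ReplaceBadUrl
' Purpose : remove references to admin_*.asp and user_*.asp from a URL,
'           including forms in which letters, "_" and "." are %-encoded.
' Param   : strContent ----- the URL text (ByVal, so the caller's copy is
'           not modified)
' Returns : strContent with every match removed
' Fixes   : the "m" alternative of the admin pattern read "4D" instead of
'           "%4D", so the upper-case encoded letter never matched; the "."
'           before the extension was unescaped and matched any character.
'           A private RegExp is used so the shared regEx is not touched.
'=================================================
Function ReplaceBadUrl(ByVal strContent)
    Dim oRegEx, oMatches, oMatch, patterns, p
    Set oRegEx = New RegExp
    oRegEx.IgnoreCase = True
    oRegEx.Global = True
    oRegEx.MultiLine = True
    patterns = Array( _
        "(a|%61|%41)(d|%64|%44)(m|%6D|%4D)(i|%69|%49)(n|%6E|%4E)(\_|%5F)(.*?)(\.|%2E)(a|%61|%41)(s|%73|%53)(p|%70|%50)", _
        "(u|%75|%55)(s|%73|%53)(e|%65|%45)(r|%72|%52)(\_|%5F)(.*?)(\.|%2E)(a|%61|%41)(s|%73|%53)(p|%70|%50)")
    For Each p In patterns
        oRegEx.Pattern = p
        Set oMatches = oRegEx.Execute(strContent)
        For Each oMatch In oMatches
            strContent = Replace(strContent, oMatch.Value, "")
        Next
    Next
    ReplaceBadUrl = strContent
End Function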
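'**************************************************
' Function: CheckBadChar
' Purpose : report whether strChar is free of a fixed set of characters and
'           SQL keywords. A blocklist check only - it does not make the
'           value safe to concatenate into SQL.
' Param   : strChar ----- text to check (compared case-insensitively)
' Returns : True  ---- no listed token found
'           False ---- a listed token was found, or strChar is ""
' Fixes   : the "" branch assigned False and then fell through to the final
'           "= True", so "" was reported as legal; it now returns False as
'           that branch intended. Tokens are lower-cased before the search:
'           "WD_admin" was compared against a lower-cased string with a
'           binary InStr and so could never match.
'**************************************************
Function CheckBadChar(strChar)
    Dim badList, token, lowered
    CheckBadChar = False
    If strChar = "" Then Exit Function
    badList = Split("@@,+,',%,^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & ",--,union,select,insert,delete,from,WD_admin", ",")
    lowered = LCase(strChar)
    For Each token In badList
        If InStr(lowered, LCase(token)) > 0 Then Exit Function
    Next
    CheckBadChar = True
End Function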
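'**************************************************
' Function: CheckUserBadChar
' Purpose : report whether a user-name style value is free of a fixed set
'           of characters and SQL keywords. Stricter than CheckBadChar
'           (also rejects * | . #) but does not reject "+" or "@@".
' Param   : strChar ----- text to check (compared case-insensitively)
' Returns : True  ---- no listed token found
'           False ---- a listed token was found, or strChar is ""
' Fixes   : the "" branch assigned False and then fell through to the final
'           "= True", so "" was reported as legal; it now returns False.
'           Tokens are lower-cased before the search so "WD_admin" can
'           actually match against the lower-cased input.
'**************************************************
Function CheckUserBadChar(strChar)
    Dim badList, token, lowered
    CheckUserBadChar = False
    If strChar = "" Then Exit Function
    badList = Split("',%,^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & ",*,|,"",.,#,union,select,insert,delete,from,WD_admin", ",")
    lowered = LCase(strChar)
    For Each token In badList
        If InStr(lowered, LCase(token)) > 0 Then Exit Function
    Next
    CheckUserBadChar = True
End Function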
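'=================================================
' Function: FilterJS
' Purpose : neutralise active content in an HTML fragment - event-handler
'           attributes, javascript:/vbscript: URLs, CSS expression() and
'           behavior, a fixed list of dangerous elements and SHTML includes.
'           It is a pattern-based sanitiser, not an HTML parser, and it is
'           not an output encoder: text that only needs to be displayed
'           should go through Server.HTMLEncode instead.
' Param   : strInput ----- the HTML to filter (Null or blank yields "")
' Returns : the filtered HTML
' Notes   : uses the page-level regEx and leaves regEx.Pattern set to the
'           last pattern used here, so callers must not rely on
'           regEx.Pattern across a call.
' Fix     : the on*/xmlns attribute rewrite now repeats until the text is
'           stable. One pass only rewrote a single attribute per tag (the
'           leading [^>]+ is greedy, so it was the last one).
'=================================================
Function FilterJS(ByVal strInput)
    Dim oldhtmlString
    If IsNull(strInput) Or Trim(strInput) = "" Then
        FilterJS = ""
        Exit Function
    End If
    ' Collapse whitespace between an entity name and its ";" (e.g. "&auml    ;" -> "&auml;")
    regEx.Pattern = "(&#*\w+)[\x00-\x20]+;"
    strInput = regEx.Replace(strInput, "$1;")
    ' Normalise numeric entities that lack a terminating ";" to the canonical form
    regEx.Pattern = "(&#x*[0-9A-F]+);*"
    strInput = regEx.Replace(strInput, "$1;")
    ' Turn & in &nbsp; &lt; &gt; &amp; &quot; into &amp; so those entities survive an HtmlDecode
    'RegEx.Pattern = "&(amp|lt|gt|nbsp|quot);"
    'strInput = RegEx.Replace(strInput, "&amp;$1;")
    ' Decode HTML entities so encoded characters cannot hide from the filters below
    'strInput = HtmlDecode(strInput);
    ' Drop non-printing ASCII control characters, keeping 9, 10, 13 and 32 (tab, LF, CR, space)
    regEx.Pattern = "[\x00-\x08\x0b-\x0c\x0e-\x19]"
    strInput = regEx.Replace(strInput, "")
    oldhtmlString = ""
    Do While oldhtmlString <> strInput
        oldhtmlString = strInput
        regEx.Pattern = "(<[^>]+src[\x00-\x20]*=[\x00-\x20]*[^>]*?)&#([^>]*>)"  ' neutralise &# inside src
        strInput = regEx.Replace(strInput, "$1&amp;#$2")
        regEx.Pattern = "(<[^>]+style[\x00-\x20]*=[\x00-\x20]*[^>]*?)&#([^>]*>)"  ' neutralise &# inside style
        strInput = regEx.Replace(strInput, "$1&amp;#$2")
        regEx.Pattern = "(<[^>]+style[\x00-\x20]*=[\x00-\x20]*[^>]*?)\\([^>]*>)"   ' replace "\" inside style
        strInput = regEx.Replace(strInput, "$1/$2")
    Loop
    ' Rewrite attributes beginning with on / xmlns. Two handlers used by the
    ' site's own scripts are temporarily renamed off... so they survive.
    regEx.Pattern = "on(load\s*=\s*""*'*resizepic\(this\)'*""*)"
    strInput = regEx.Replace(strInput, "off$1")
    regEx.Pattern = "on(mousewheel\s*=\s*""*'*return\s*bbimg\(this\)'*""*)"
    strInput = regEx.Replace(strInput, "off$1")
    ' Each pass rewrites one attribute per tag; repeat until nothing changes
    ' so every on*/xmlns attribute in a tag is rewritten.
    oldhtmlString = ""
    Do While oldhtmlString <> strInput
        oldhtmlString = strInput
        regEx.Pattern = "(<[^>]+[\x00-\x20""'/])(on|xmlns)([^>]*)>"
        strInput = regEx.Replace(strInput, "$1pe$3>")
    Loop
    regEx.Pattern = "off(load\s*=\s*""*'*resizepic\(this\)'*""*)"
    strInput = regEx.Replace(strInput, "on$1")
    regEx.Pattern = "off(mousewheel\s*=\s*""*'*return\s*bbimg\(this\)'*""*)"
    strInput = regEx.Replace(strInput, "on$1")
    ' Replace javascript: (with any control/space characters between the letters)
    regEx.Pattern = "([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`'""]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:"
    strInput = regEx.Replace(strInput, "$1=$2nojavascript...")
    ' Replace vbscript:
    regEx.Pattern = "([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`'""]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:"
    strInput = regEx.Replace(strInput, "$1=$2novbscript...")
    ' Remove CSS comments inside style, e.g. <div style="xss:expres/*comment*/sion(alert(x))">
    regEx.Pattern = "(<[^>]+style[\x00-\x20]*=[\x00-\x20]*[^>]*?)/\*[^>]*\*/([^>]*>)"
    strInput = regEx.Replace(strInput, "$1$2")
    ' Replace expression(...) - the ".*" here can run past the end of the tag
    regEx.Pattern = "(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*([`'""]*).*[eeE][xxX][ppP][rrR][eeE][ssS][ssS][iiI][ooO][nnN][\x00-\x20]*[\(\(][^>]*>"
    strInput = regEx.Replace(strInput, "$1>")
    ' Replace behaviour. NOTE(review): this pattern and the next end in ">>",
    ' so they only match when the tag is followed by a second ">"; in practice
    ' they rarely fire. Left as written because the ".*" would otherwise span
    ' across tags - confirm the intended scope before changing either one.
    regEx.Pattern = "(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*([`'""]*).*behaviour[^>]*>>"
    strInput = regEx.Replace(strInput, "$1>")
    ' Replace behavior (see note above)
    regEx.Pattern = "(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*([`'""]*).*behavior[^>]*>>"
    strInput = regEx.Replace(strInput, "$1>")
    ' Replace script: inside style
    regEx.Pattern = "(<[^>]+)style[\x00-\x20]*=[\x00-\x20]*([`'""]*).*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*>"
    strInput = regEx.Replace(strInput, "$1>")
    ' Replace namespaced elements (not needed by the site)
    regEx.Pattern = "</*\w+:\w[^>]*>"
    strInput = regEx.Replace(strInput, " ")
    oldhtmlString = ""
    Do While oldhtmlString <> strInput
        oldhtmlString = strInput
        ' Strict filtering of the listed elements (a missing ">" still matches)
        regEx.Pattern = "</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?"
        strInput = regEx.Replace(strInput, " ")
        ' Neutralise SHTML #include directives
        regEx.Pattern = "<!--\s*#include[^>]*>"
        strInput = regEx.Replace(strInput, "noshtml")
        'If FilterLevel > 0 Then
        '   ' strict filtering
        '   RegEx.Pattern = "</*(embed|object)[^>]*>"
        '   strInput = RegEx.Replace(strInput, "")
        'End If
    Loop
    FilterJS = strInput
End Function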
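'=================================================
' Function: RemoveStr
' Purpose : remove every element equal to str2 from the strSplit-delimited
'           list str1.
' Params  : str1 ----- delimited list (Null or "" returns "")
'           str2 ----- element to remove (Null or "" returns str1 unchanged)
'           strSplit - delimiter
' Returns : the list without str2; "" when nothing is left. Previously an
'           Empty variant was returned in that case because the accumulator
'           was never initialised.
'=================================================
Private Function RemoveStr(str1, str2, strSplit)
    Dim parts, kept, i
    If IsNull(str1) Or str1 = "" Then
        RemoveStr = ""
        Exit Function
    End If
    If IsNull(str2) Or str2 = "" Then
        RemoveStr = str1
        Exit Function
    End If
    If InStr(str1, strSplit) > 0 Then
        parts = Split(str1, strSplit)
        kept = ""
        For i = 0 To UBound(parts)
            If parts(i) <> str2 Then
                If kept = "" Then
                    kept = parts(i)
                Else
                    kept = kept & strSplit & parts(i)
                End If
            End If
        Next
        RemoveStr = kept
    Else
        ' Single element: either it is the one to drop or the list is unchanged.
        If str1 = str2 Then RemoveStr = "" Else RemoveStr = str1
    End If
End Function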
'=================================================
' Function: AppendStr
' Purpose : append str2 to the strSplit-delimited list str1 unless an
'           element equal to str2 is already present.
' Params  : str1 ----- delimited list (Null or "" returns str2)
'           str2 ----- element to add (Null or "" returns str1 unchanged)
'           strSplit - delimiter
' Returns : str1, or str1 & strSplit & str2 when str2 was not present
'=================================================
Private Function AppendStr(str1, str2, strSplit)
    Dim alreadyThere, parts, i
    If IsNull(str2) Or str2 = "" Then
        AppendStr = str1
        Exit Function
    End If
    If IsNull(str1) Or str1 = "" Then
        AppendStr = str2
        Exit Function
    End If
    alreadyThere = False
    If InStr(str1, strSplit) > 0 Then
        parts = Split(str1, strSplit)
        For i = 0 To UBound(parts)
            If parts(i) = str2 Then
                alreadyThere = True
                Exit For
            End If
        Next
    ElseIf str1 = str2 Then
        alreadyThere = True
    End If
    If alreadyThere Then
        AppendStr = str1
    Else
        AppendStr = str1 & strSplit & str2
    End If
End Function
' Return the CSS display value for an element that is shown only when the
' two values are equal: "" (visible) when they match, "none" otherwise.
Private Function StyleDisplay(Compare1, Compare2)
    If Compare1 <> Compare2 Then
        StyleDisplay = "none"
    Else
        StyleDisplay = ""
    End If
End Function
' Return " checked" (with the leading space, ready to splice into a tag)
' when the two values are equal, otherwise "".
Private Function IsRadioChecked(Compare1, Compare2)
    If Compare1 <> Compare2 Then
        IsRadioChecked = ""
    Else
        IsRadioChecked = " checked"
    End If
End Function
' Return " selected" (with the leading space, ready to splice into an
' <option> tag) when the two values are equal, otherwise "".
Private Function IsOptionSelected(Compare1, Compare2)
    If Compare1 <> Compare2 Then
        IsOptionSelected = ""
    Else
        IsOptionSelected = " selected"
    End If
End Function
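'=================================================
' Function: FixJs
' Purpose : escape str for use inside a JavaScript string literal that is
'           itself embedded in HTML (an inline event handler, for example):
'           backslash, quotes, CR and LF are JS-escaped, then the quote
'           characters are additionally HTML-entity encoded.
' Param   : str ----- text to escape ("" is returned as is)
' Returns : the escaped text
' Fix     : Chr(13) is now emitted as \r and Chr(10) as \n; the two escapes
'           were swapped.
' Note    : "&#39;" in the input is first decoded to "'" so it is treated
'           like a literal apostrophe rather than being encoded twice.
'=================================================
Private Function FixJs(str)
    If str <> "" Then
        str = Replace(str, "&#39;", "'")
        str = Replace(str, "\", "\\")
        str = Replace(str, Chr(34), "\""")
        str = Replace(str, Chr(39), "\'")
        str = Replace(str, Chr(13), "\r")
        str = Replace(str, Chr(10), "\n")
        str = Replace(str, "'", "&#39;")
        str = Replace(str, """", "&quot;")
    End If
    FixJs = str
End Function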
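'=================================================
' Function: Html2Js
' Purpose : escape str for use inside a JavaScript string literal: double
'           and single quotes, CR and LF are JS-escaped. Unlike FixJs it
'           does not escape backslashes and does not HTML-encode quotes.
' Param   : str ----- text to escape ("" is returned as is)
' Returns : the escaped text
' Fix     : Chr(13) is now emitted as \r and Chr(10) as \n; the two escapes
'           were swapped.
'=================================================
Private Function Html2Js(str)
    If str <> "" Then
        str = Replace(str, Chr(34), "\""")
        str = Replace(str, Chr(39), "\'")
        str = Replace(str, Chr(13), "\r")
        str = Replace(str, Chr(10), "\n")
    End If
    Html2Js = str
End Function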
%>
 
