网站如果过滤掉 ‘ and 等字符 是不是就完全没有办法注入了?
就是说 比如
xxx.asp?id=10'
xxx.asp?id=10 and 1=2
或者xxx.com/xxx.asp?id=10改成xxx.com%5cxxx.asp?id=10
全都没用
是我没问清楚 ???我问的不是如何防范 谢谢
在补充下 废话就不要说了
那还有什么办法呢?
第1个回答 2008-06-04
过滤掉所有:“‘'"等等,只允许正常字符,还有不单是过滤字符就行了。
第2个回答 2008-06-10
<%
dim qs,errc,iii
dim time1,time2,mdb
time1=timer
qs=request.servervariables("query_string")
dim nothis(25)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="and user>0"
nothis(19)=";"
nothis(20)="("
nothis(21)="$"
nothis(22)="["
nothis(23)="]"
nothis(24)="{"
nothis(25)="}"
errc=false
for iii= 0 to ubound(nothis)
if instr(qs,nothis(iii))<>0 then
errc=true
end if
next
if errc then
Response.Write("对不起,非法URL地址请求!")
response.end
end if
%>
在页面上加载上这段代码
dim qs,errc,iii
dim time1,time2,mdb
time1=timer
qs=request.servervariables("query_string")
dim nothis(25)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="and user>0"
nothis(19)=";"
nothis(20)="("
nothis(21)="$"
nothis(22)="["
nothis(23)="]"
nothis(24)="{"
nothis(25)="}"
errc=false
for iii= 0 to ubound(nothis)
if instr(qs,nothis(iii))<>0 then
errc=true
end if
next
if errc then
Response.Write("对不起,非法URL地址请求!")
response.end
end if
%>
在页面上加载上这段代码
第3个回答 2008-06-04
俺记得ASP里得过滤 "< %"
第4个回答 2008-06-08
你要黑别人的网站?
小心点儿 弄不好自己一身黑
小心点儿 弄不好自己一身黑
