日期:2014-05-17  浏览次数:20993 次

asp.net 仿SQL注入
using System;   
using System.Data;   
using System.Configuration;   
using System.Web;   
using System.Web.Security;   
using System.Web.UI;   
using System.Web.UI.WebControls;   
using System.Web.UI.WebControls.WebParts;   
using System.Web.UI.HtmlControls;   
using System.Data.SqlClient;   
/// <summary>   
/// SqlCheck 的摘要说明   
/// </summary>   
///    
namespace cofcms   
{   
    public class SqlCheck   
    {   
         
        public void CheckSql()   
        {   
             
            string jk1986_sql = "exec↓select↓drop↓alter↓exists↓union↓and↓or↓xor↓order↓mid↓asc↓execute↓xp_cmdshell↓insert↓update↓delete↓join↓declare↓char↓sp_oacreate↓wscript.shell↓xp_regwrite↓'↓;↓--";   
            string[] jk_sql = jk1986_sql.Split('↓');   
            foreach (string jk in jk_sql)   
            {   
                // -----------------------防 Post 注入-----------------------   
                if (System.Web.HttpContext.Current.Request.Form != null)   
                {   
                    for (int k = 0; k < System.Web.HttpContext.Current.Request.Form.Count; k++)   
                    {   
                        string getsqlkey = System.Web.HttpContext.Current.Request.Form.Keys[k];   
                        string getip;   
                        if (System.Web.HttpContext.Current.Request.Form[getsqlkey].ToLower().Contains(jk) == true)   
                        {   
                            System.Web.HttpContext.Current.Response.Write("<script Language=JavaScript>alert('请勿提交非法字符!');</" + "script>");   
                            System.Web.HttpContext.Current.Response.Write("非法操作!系统做了如下记录 ↓" + "<br>");   
                            if (System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null)   
                            {   
                                getip = System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];   
                            }   
                            else  
                            {   
                                getip = System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];   
                            }   
                            System.Web.HttpContext.Current.Response.Write("操 作 I  P :" + getip + "<br>");   
                            System.Web.HttpContext.Current.Response.Write("操 作 时 间:" + DateTime.Now.ToString() + "<br>");   
                            System.Web.HttpContext.Current.Response.Write("操 作 页 面:" + System.Web.HttpContext.Current.Request.ServerVariables["URL"] + "<br>");   
                            System.Web.HttpContext.Current.Response.Write("提 交 方 式:P O S T " + "<br>");   
                            System.Web.HttpContext.Current.Response.Write("提 交 参 数:" + jk + "<br>");   
                            System.Web.HttpContext.Current.Response.Write("提 交 数 据:" + System.Web.HttpContext.Current.Request.Form[getsqlkey].ToLower() + "<br>");   
                            System.Web.HttpContext.Current.Response.End();   
                        }   
                    }   
                }   
                // -----------------------防 GET 注入-----------------------   
                if (System.Web.HttpContext.Current.Request.QueryString != null)   
                {   
                    for (int k = 0; k < System.Web.HttpContext.Current.Request.QueryString.Count; k++)   
                    {   
                        string getsqlkey = System.Web.HttpContext.Current.Request.QueryString.Keys[k];   
                        string getip;   
                        if (System.Web.HttpContext.Current.Request.QueryString[getsqlkey].ToLower().Contains(jk) == true)   
                        {   
                            System.Web.HttpContext.Current.Response.Write("<script Language=JavaScript>alert('请勿提交非法字符!');</" + "script>");