sqlfiltrate.asp

安全中心整站系统是一个网络安全类整站系统。由七个模块组成

<%
act=request("act")
acct=request("acct")
'get注入拦截
dim sql_injdata
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")


If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('安全中心整站系统欢迎安全测试，有漏洞请告诉我们，谢谢：bluephantom@sogou.com');history.back(-1)</Script>"
Response.end
end if
next
Next
End If
%>
<%
'post注入拦截
if act<>"addnew_finish" and act<>"addnew" and act<>"up_date_" and act<>"up_date_finish" and act<>"del_" and act<>"up_date" and act<>"up_us" and acct<>"up_member" and acct<>"add_finish" then

If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('安全中心整站系统欢迎安全测试，有漏洞请告诉我们，谢谢：bluephantom@sogou.com');history.back(-1)</Script>"
Response.end
end if
next
next
end if

else:end if

if act="up_date" or act="up_us" or acct="up_member" or acct="add_finish" then
SQL_injdata2 = "'|<%|<?|?>|<script|</script"
SQL_inj2 = split(SQL_Injdata2,"|")

If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj2)
if instr(Request.Form(Sql_Post),Sql_Inj2(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('本系统禁止写入任何脚本，以防止破坏程序');history.back(-1)</Script>"
Response.end
end if
next
next
end if

else:end if

on error resume next
%>