<%
|
'连接数据库
|
Set objConn = Server.CreateObject("ADODB.Connection")
|
'objConn.ConnectionString="Provider=SQLOLEDB.1;Password=1382929319;Persist Security Info=True;User ID=sa;Initial Catalog=CAME;Data Source=120.24.159.70;Connect Timeout=60"
|
objConn.ConnectionString="Provider=SQLOLEDB.1;Password=camesa;Persist Security Info=True;User ID=camesa;Initial Catalog=CAME;Data Source=localhost;Connect Timeout=60"
|
objConn.Open
|
|
'防护XSS,sql注射,代码执行,文件包含等多种高危漏洞
|
if request.querystring<>"" then call stophacker(request.querystring,"'|<[^>]*?>|^\+/v(8|9)|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
|
if Request.ServerVariables("HTTP_REFERER")<>"" then call test(Request.ServerVariables("HTTP_REFERER"),"'|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
|
if request.Cookies<>"" then call stophacker(request.Cookies,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
|
call stophacker(request.Form,"^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
|
|
function test(values,re)
|
dim regex
|
set regex=new regexp
|
regex.ignorecase = true
|
regex.global = true
|
regex.pattern = re
|
if regex.test(values) then
|
IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR")
|
If IP = "" Then
|
IP=Request.ServerVariables("REMOTE_ADDR")
|
end if
|
'slog("<br><br>操作IP: "&ip&"<br>操作时间: " & now() & "<br>操作页面:"&Request.ServerVariables("URL")&"<br>提交方式: "&Request.ServerVariables("Request_Method")&"<br>提交参数: "&l_get&"<br>提交数据: "&l_get2)
|
Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'><br>您的提交带有不合法参数,谢谢合作!<br></div>")
|
Response.end
|
end if
|
set regex = nothing
|
end function
|
|
|
function stophacker(values,re)
|
dim l_get, l_get2,n_get,regex,IP
|
for each n_get in values
|
for each l_get in values
|
l_get2 = values(l_get)
|
set regex = new regexp
|
regex.ignorecase = true
|
regex.global = true
|
regex.pattern = re
|
if regex.test(l_get2) then
|
IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR")
|
If IP = "" Then
|
IP=Request.ServerVariables("REMOTE_ADDR")
|
end if
|
'slog("<br><br>操作IP: "&ip&"<br>操作时间: " & now() & "<br>操作页面:"&Request.ServerVariables("URL")&"<br>提交方式: "&Request.ServerVariables("Request_Method")&"<br>提交参数: "&l_get&"<br>提交数据: "&l_get2)
|
Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'><br>您的提交带有不合法参数,谢谢合作!<br></div>")
|
Response.end
|
end if
|
set regex = nothing
|
next
|
next
|
end function
|
|
sub slog(logs)
|
dim toppath,fs,Ts
|
toppath = Server.Mappath("/log.txt")
|
Set fs = CreateObject("scripting.filesystemobject")
|
If Not Fs.FILEEXISTS(toppath) Then
|
Set Ts = fs.createtextfile(toppath, True)
|
Ts.close
|
end if
|
Set Ts= Fs.OpenTextFile(toppath,8)
|
Ts.writeline (logs)
|
Ts.Close
|
Set Ts=nothing
|
Set fs=nothing
|
end Sub
|
|
OperationRecord=""
|
UP_PicI=0
|
'验证字段
|
Function SafeRequest(ParaName)
|
ParaValue=ParaName
|
if not isnull(ParaValue) then
|
ParaValue = trim(ParaValue)
|
ParaValue = replace(ParaName,"'","''")
|
ParaValue = replace(ParaValue,"""",""")
|
end if
|
OperationRecord=OperationRecord&ParaValue&";"
|
SafeRequest=ParaValue
|
End Function
|
|
PositionURL=Request.ServerVariables("URL")
|
|
'重复刷新禁止提示
|
If trim(Request("SystemMessageType"))="" then
|
session("SMT_URL")=""
|
End If
|
|
'还回按键链接
|
ReturnURLID=trim(Request("ReturnURLID"))
|
SystemMessageType=trim(Request("SystemMessageType"))
|
PositionURLID=session("PositionURLID")
|
if ReturnURLID<>"" then PositionURLID=ReturnURLID
|
if Request.ServerVariables("QUERY_STRING")<>"" then PositionURLS=PositionURL&"?"&Request.ServerVariables("QUERY_STRING")
|
if session("PositionURL"&PositionURLID)<>PositionURLS and ReturnURLID="" and SystemMessageType="" and PositionURL<>"/admin_save.gds" And left(PositionURL,8)<>"/weixin/" and PositionURL<>"/DispatchOrder_End.gds" and PositionURL<>"/DispatchOrder.gds" and PositionURL<>"/ServiceOrder.gds" then
|
if PositionURLID="" or PositionURLID>=10 then PositionURLID=0
|
PositionURLID=PositionURLID+1
|
session("PositionURL"&PositionURLID)=PositionURLS
|
'Response.Write PositionURLID &"|"&PositionURL
|
end if
|
session("PositionURLID")=PositionURLID
|
|
'网站主域名
|
WEBURL="http://au.v.com.cn:801"
|
|
Function isDepartment(ModuleID)
|
if InStr(admin_Power,","&ModuleID)>0 then
|
isDepartment=1
|
else
|
isDepartment=0
|
end if
|
End Function
|
|
'--------------------------OA操作记录---------------------begin
|
Function OA_Running(Running)
|
OAid=session("adminID")
|
If OAid="" Then OAid=0
|
If Running="" Then Running="未知操作"
|
sql="Insert into OA_Running (OAid,OA_IP,Running,Running_URL) values ("&OAid&",'"&Request.ServerVariables("REMOTE_ADDR")&"','"&Running&"','"&PositionURLS&"')"
|
objConn.Execute sql
|
End Function
|
'--------------------------OA操作记录---------------------end
|
%>
|
