<%
'连接数据库
Set objConn = Server.CreateObject("ADODB.Connection")
'objConn.ConnectionString="Provider=SQLOLEDB.1;Password=1382929319;Persist Security Info=True;User ID=sa;Initial Catalog=CAME;Data Source=120.24.159.70;Connect Timeout=60"
objConn.ConnectionString="Provider=SQLOLEDB.1;Password=camesa;Persist Security Info=True;User ID=camesa;Initial Catalog=CAME;Data Source=localhost;Connect Timeout=60"
objConn.Open
'防护XSS,sql注射,代码执行,文件包含等多种高危漏洞
if request.querystring<>"" then call stophacker(request.querystring,"'|<[^>]*?>|^\+/v(8|9)|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
if Request.ServerVariables("HTTP_REFERER")<>"" then call test(Request.ServerVariables("HTTP_REFERER"),"'|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
if request.Cookies<>"" then call stophacker(request.Cookies,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
'call stophacker(request.Form,"^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
SQL_injdata = "'| and |exec|insert|select|delete|update |count|chr|master|truncate|char|declare| or "
SQL_inj = split(SQL_Injdata,"|")
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
If instr(LCase(Request.Form(Sql_Post)),Sql_Inj(Sql_DATA))>0 Then
'Response.Write Request.Form(Sql_Post)
Response.Write("
您的提交带有不合法参数1,谢谢合作!
")
Response.end
end if
next
next
end If
function test(values,re)
dim regex
set regex=new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = re
if regex.test(values) then
IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If IP = "" Then
IP=Request.ServerVariables("REMOTE_ADDR")
end if
'slog("
操作IP: "&ip&"
操作时间: " & now() & "
操作页面:"&Request.ServerVariables("URL")&"
提交方式: "&Request.ServerVariables("Request_Method")&"
提交参数: "&l_get&"
提交数据: "&l_get2)
Response.Write("
您的提交带有不合法参数2,谢谢合作!
")
Response.end
end if
set regex = nothing
end function
function stophacker(values,re)
dim l_get, l_get2,n_get,regex,IP
for each n_get in values
for each l_get in values
l_get2 = values(l_get)
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = re
if regex.test(l_get2) then
IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If IP = "" Then
IP=Request.ServerVariables("REMOTE_ADDR")
end if
'slog("
操作IP: "&ip&"
操作时间: " & now() & "
操作页面:"&Request.ServerVariables("URL")&"
提交方式: "&Request.ServerVariables("Request_Method")&"
提交参数: "&l_get&"
提交数据: "&l_get2)
Response.Write("
您的提交带有不合法参数3,谢谢合作!
")
Response.end
end if
set regex = nothing
next
next
end function
sub slog(logs)
dim toppath,fs,Ts
toppath = Server.Mappath("/log.txt")
Set fs = CreateObject("scripting.filesystemobject")
If Not Fs.FILEEXISTS(toppath) Then
Set Ts = fs.createtextfile(toppath, True)
Ts.close
end if
Set Ts= Fs.OpenTextFile(toppath,8)
Ts.writeline (logs)
Ts.Close
Set Ts=nothing
Set fs=nothing
end Sub
OperationRecord=""
UP_PicI=0
'验证字段
Function SafeRequest(ParaName)
ParaValue=ParaName
if not isnull(ParaValue) then
ParaValue = trim(ParaValue)
ParaValue = replace(ParaName,"'","''")
ParaValue = replace(ParaValue,"""",""")
end if
OperationRecord=OperationRecord&ParaValue&";"
SafeRequest=ParaValue
End Function
PositionURL=Request.ServerVariables("URL")
'重复刷新禁止提示
If trim(Request("SystemMessageType"))="" then
session("SMT_URL")=""
End If
'还回按键链接
ReturnURLID=trim(Request("ReturnURLID"))
SystemMessageType=trim(Request("SystemMessageType"))
PositionURLID=session("PositionURLID")
if ReturnURLID<>"" then PositionURLID=ReturnURLID
if Request.ServerVariables("QUERY_STRING")<>"" then PositionURLS=PositionURL&"?"&Request.ServerVariables("QUERY_STRING")
if session("PositionURL"&PositionURLID)<>PositionURLS and ReturnURLID="" and SystemMessageType="" and PositionURL<>"/admin_save.gds" And left(PositionURL,8)<>"/weixin/" and PositionURL<>"/DispatchOrder_End.gds" and PositionURL<>"/DispatchOrder_DKP.gds" and PositionURL<>"/DispatchOrder.gds" and PositionURL<>"/ServiceOrder.gds" then
if PositionURLID="" or PositionURLID>=10 then PositionURLID=0
PositionURLID=PositionURLID+1
session("PositionURL"&PositionURLID)=PositionURLS
'Response.Write PositionURLID &"|"&PositionURL
end if
session("PositionURLID")=PositionURLID
'网站主域名
WEBURL="https://sys.966120.com.cn"
'员工照片网址
OAImgURL="https://api.966120.com.cn/OA_img/"
Function isDepartment(ModuleID)
if InStr(admin_Power,","&ModuleID)>0 then
isDepartment=1
else
isDepartment=0
end if
End Function
'--------------------------OA操作记录---------------------begin
Function OA_Running(Running)
OA_RunningOAid=session("adminID")
If OA_RunningOAid="" Then OA_RunningOAid=Request.Cookies("CAME")("adminID")
If OA_RunningOAid="" Then OA_RunningOAid=0
If Running="" Then Running="未知操作"
If Len(PositionURLS)>200 Then PositionURLS=Left(PositionURLS,200)
If InStr(Running,":10")>1 Then
Running_ID=Mid(Running,InStr(Running,":10")+1,10)
ElseIf InStr(Running,":30")>1 Then
Running_ID=Mid(Running,InStr(Running,":30")+1,10)
End If
sql="Insert into OA_Running (OAid,OA_IP,Running,Running_URL,Running_ID) values ("&OA_RunningOAid&",'"&Request.ServerVariables("REMOTE_ADDR")&"','"&Running&"','"&PositionURLS&"','"&Running_ID&"')"
objConn.Execute sql
End Function
'--------------------------OA操作记录---------------------end
'--------------------------合作操作校验---------------------begin
'session("adminID")
'--------------------------合作操作校验---------------------end
%>