<% '连接数据库 Set objConn = Server.CreateObject("ADODB.Connection") 'objConn.ConnectionString="Provider=SQLOLEDB.1;Password=1382929319;Persist Security Info=True;User ID=sa;Initial Catalog=CAME;Data Source=120.24.159.70;Connect Timeout=60" objConn.ConnectionString="Provider=SQLOLEDB.1;Password=camesa;Persist Security Info=True;User ID=camesa;Initial Catalog=CAME;Data Source=120.25.98.119,1432;Connect Timeout=60" objConn.Open '防护XSS，sql注射，代码执行，文件包含等多种高危漏洞 if request.querystring<>"" then call stophacker(request.querystring,"'|<[^>]*?>|^\+/v(8|9)|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") if Request.ServerVariables("HTTP_REFERER")<>"" then call test(Request.ServerVariables("HTTP_REFERER"),"'|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") if request.Cookies<>"" then call stophacker(request.Cookies,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") call stophacker(request.Form,"^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") function test(values,re) dim regex set regex=new regexp regex.ignorecase = true regex.global = true regex.pattern = re if regex.test(values) then IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR") If IP = "" Then IP=Request.ServerVariables("REMOTE_ADDR") end if 'slog("

操作IP: "&ip&"
操作时间: " & now() & "
操作页面："&Request.ServerVariables("URL")&"
提交方式: "&Request.ServerVariables("Request_Method")&"
提交参数: "&l_get&"
提交数据: "&l_get2) Response.Write("

您的提交带有不合法参数,谢谢合作!

") Response.end end if set regex = nothing end function function stophacker(values,re) dim l_get, l_get2,n_get,regex,IP for each n_get in values for each l_get in values l_get2 = values(l_get) set regex = new regexp regex.ignorecase = true regex.global = true regex.pattern = re if regex.test(l_get2) then IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR") If IP = "" Then IP=Request.ServerVariables("REMOTE_ADDR") end if 'slog("

操作IP: "&ip&"
操作时间: " & now() & "
操作页面："&Request.ServerVariables("URL")&"
提交方式: "&Request.ServerVariables("Request_Method")&"
提交参数: "&l_get&"
提交数据: "&l_get2) Response.Write("

您的提交带有不合法参数,谢谢合作!

") Response.end end if set regex = nothing next next end function sub slog(logs) dim toppath,fs,Ts toppath = Server.Mappath("/log.txt") Set fs = CreateObject("scripting.filesystemobject") If Not Fs.FILEEXISTS(toppath) Then Set Ts = fs.createtextfile(toppath, True) Ts.close end if Set Ts= Fs.OpenTextFile(toppath,8) Ts.writeline (logs) Ts.Close Set Ts=nothing Set fs=nothing end Sub OperationRecord="" UP_PicI=0 '验证字段 Function SafeRequest(ParaName) ParaValue=ParaName if not isnull(ParaValue) then ParaValue = trim(ParaValue) ParaValue = replace(ParaName,"'","''") ParaValue = replace(ParaValue,"""",""") end if OperationRecord=OperationRecord&ParaValue&";" SafeRequest=ParaValue End Function PositionURL=Request.ServerVariables("URL") '重复刷新禁止提示 If trim(Request("SystemMessageType"))="" then session("SMT_URL")="" End If '还回按键链接 ReturnURLID=trim(Request("ReturnURLID")) SystemMessageType=trim(Request("SystemMessageType")) PositionURLID=session("PositionURLID") if ReturnURLID<>"" then PositionURLID=ReturnURLID if Request.ServerVariables("QUERY_STRING")<>"" then PositionURLS=PositionURL&"?"&Request.ServerVariables("QUERY_STRING") if session("PositionURL"&PositionURLID)<>PositionURLS and ReturnURLID="" and SystemMessageType="" and PositionURL<>"/admin_save.gds" And left(PositionURL,8)<>"/weixin/" and PositionURL<>"/DispatchOrder_End.gds" and PositionURL<>"/DispatchOrder.gds" and PositionURL<>"/ServiceOrder.gds" then if PositionURLID="" or PositionURLID>=10 then PositionURLID=0 PositionURLID=PositionURLID+1 session("PositionURL"&PositionURLID)=PositionURLS 'Response.Write PositionURLID &"|"&PositionURL end if session("PositionURLID")=PositionURLID '网站主域名 WEBURL="https://sys.966120.com.cn" Function isDepartment(ModuleID) if InStr(admin_Power,","&ModuleID)>0 then isDepartment=1 else isDepartment=0 end if End Function '--------------------------OA操作记录---------------------begin Function OA_Running(Running) OAid=session("adminID") If OAid="" Then OAid=0 If Running="" Then Running="未知操作" sql="Insert into OA_Running (OAid,OA_IP,Running,Running_URL) values ("&OAid&",'"&Request.ServerVariables("REMOTE_ADDR")&"','"&Running&"','"&PositionURLS&"')" objConn.Execute sql End Function '--------------------------OA操作记录---------------------end '--------------------------合作操作校验---------------------begin 'session("adminID") '--------------------------合作操作校验---------------------end GPSKey = "wx966120" %>