通过HttpModule、httpHandlers防止SQL注入式攻击

Posted on 2011-07-26 17:53 飛雪飄寒阅读(400) 评论(0) 编辑收藏

1、通过HttpModule防止SQL注入式攻击，适用于.net1.1程序
（1）新建类文件SqlHttpModule.cs，具体代码类似如下：

SqlHttpModule.cs

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Text.RegularExpressions;

namespace HttpModule.Class
{
 /// <summary>
 /// SqlInPost 的摘要说明
 /// </summary>
 public class SqlHttpModule : System.Web.IHttpModule
 {
 public SqlHttpModule()
 {
 }

 public void Dispose()
 {
 }

 public void Init(HttpApplication context)
 {
 context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
 }

 private void context_AcquireRequestState(object sender, EventArgs e)
 {
 HttpContext context = ((HttpApplication)sender).Context;
 try
 {
 string getkeys = string.Empty;
 string keyvalue = string.Empty;
 string strErrorAlertScript = "<script type=\"text/javascript\">alert('字符串格式非法，请重新输入！');history.go(-1);</script>";
 string requestUrl = context.Request.Path.ToString();
 #region URL提交数据
 if (context.Request.QueryString != null)
 {
 for (int i = 0; i < context.Request.QueryString.Count; i++)
 {
 getkeys = context.Request.QueryString.Keys[i];
 keyvalue = context.Server.UrlDecode(context.Request.QueryString[getkeys]).Replace("'", "");

 if (!IsSafeString(keyvalue))
 {
 context.Response.Write(strErrorAlertScript);
 context.Response.End();
 break;
 }
 }
 }
 #endregion

 #region 表单提交数据
 if (context.Request.Form != null)
 {
 for (int i = 0; i < context.Request.Form.Count; i++)
 {
 getkeys = context.Request.Form.Keys[i].ToUpper();
 if (getkeys == "__VIEWSTATE" || getkeys == "__EVENTARGUMENT" || getkeys == "__EVENTTARGET" || getkeys == "__CLIENTPOSTDATA__") continue;

 keyvalue = context.Server.HtmlDecode(context.Request.Form[i]).Replace("'", "");
 if (!IsSafeString(keyvalue))
 {
 context.Response.Write(strErrorAlertScript);
 context.Response.End();
 break;
 }
 }
 }
 #endregion
 }
 catch (Exception ex)
 {
 }
 }

 //判断是否为安全字符串
 public bool IsSafeString(string strText)
 {
 bool bResult = true;
 //strText = Regex.Replace(strText, "[\\s]{1,}", ""); //two or more spaces
 strText = Regex.Replace(strText, "(<[b|B][r|R]/*>)+|(<[p|P](.|\\n)*?>)", "\n"); // 

 string FilterSql = System.Configuration.ConfigurationSettings.AppSettings["SqlHttpModule_KeyWord"];//将关键词组配置在webconfig中
 if(FilterSql==null || FilterSql=="")
 {
 string[] UnSafeArray = new string[23];
 UnSafeArray[0] = "'";
 UnSafeArray[1] = "xp_cmdshell ";
 UnSafeArray[2] = "declare";
 UnSafeArray[3] = "netlocalgroupadministrators ";
 UnSafeArray[4] = "delete ";
 UnSafeArray[5] = "truncate ";
 UnSafeArray[6] = "netuser ";
 UnSafeArray[7] = "/add ";
 UnSafeArray[8] = "drop ";
 UnSafeArray[9] = "update ";
 UnSafeArray[10] = "select ";
 UnSafeArray[11] = "union ";
 UnSafeArray[12] = "exec ";
 UnSafeArray[13] = "create ";
 UnSafeArray[14] = "insertinto ";
 UnSafeArray[15] = "sp_ ";
 UnSafeArray[16] = "exec ";
 UnSafeArray[17] = "create ";
 UnSafeArray[18] = "insert ";
 UnSafeArray[19] = "masterdbo ";
 UnSafeArray[20] = "sp_ ";
 UnSafeArray[21] = ";-- ";
 UnSafeArray[22] = "1= ";
 foreach (string strValue in UnSafeArray)
 {

 if (strText.ToLower().IndexOf(strValue) > -1)
 {
 bResult = false;
 break;
 }
 }
 }
 else
 {
 string sqlStr = FilterSql;
 string[] sqlStrs = sqlStr.Split('|');
 foreach (string ss in sqlStrs)
 {
 if (strText.ToLower().IndexOf(ss) >= 0)
 {
 bResult = false;
 break;
 }
 }
 }
 return bResult;
 }

 }
}

（2）在web.config文件中做以下配置
 </system.web>
 <httpModules>
 <add name="SqlHttpModule" type="HttpModule.Class.SqlHttpModule, HttpModule" />
 </httpModules>
 </system.web>

2、通过httpHandlers防止SQL注入式攻击，适用于.net2.0及以上程序
（1）新建类文件SqlhttpHandlers.cs，具体代码类似如下：

SqlhttpHandlers.cs

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Text.RegularExpressions;
using System.Collections.Specialized;
namespace httpHandlers
{
 /// <summary>
 /// SqlInPost 的摘要说明
 /// </summary>
 public class SqlhttpHandlers : IHttpHandlerFactory
 {
 public SqlhttpHandlers()
 {
 //
 // TODO: 在此处添加构造函数逻辑
 //
 }

 public virtual IHttpHandler GetHandler(HttpContext context, string requestType, string url, string pathTranslated)
 {
 //得到编译实例(通过反射)
 PageHandlerFactory factory = (PageHandlerFactory)Activator.CreateInstance(typeof(PageHandlerFactory), true);
 IHttpHandler handler = factory.GetHandler(context, requestType, url, pathTranslated);
 //过滤字符串
 if (requestType == "POST")
 {
 Page page = handler as Page;
 if (page != null)
 page.PreLoad += new EventHandler(FormFilterStrFactoryHandler_PreLoad);
 }
 if (requestType == "GET")
 {
 Page page = handler as Page;
 if (page != null)
 page.PreLoad += new EventHandler(RequestFilterStrFactoryRHandler_PreLoad);
 }
 //返回
 return handler;
 }

 public virtual void ReleaseHandler(IHttpHandler handler)
 {

 }
 /// <summary>
 /// 过滤TextBox、Input和Textarea中非法字符
 /// </summary>
 /// <param name="sender"></param>
 /// <param name="e"></param>
 void FormFilterStrFactoryHandler_PreLoad(object sender, EventArgs e)
 {
 try
 {
 bool isSafe = true;
 Page page = sender as Page;
 NameValueCollection postData = page.Request.Form;
 foreach (string postKey in postData)
 {
 Control ctl = page.FindControl(postKey);
 if (ctl as TextBox != null)
 {
 ((TextBox)ctl).Text = ((TextBox)ctl).Text.Replace("'", "＇");
 string strValue = ((TextBox)ctl).Text.Trim();
 if (!IsSafeString(strValue))
 {
 isSafe = false;
 break;
 }

 continue;
 }
 if (ctl as HtmlInputControl != null)
 {

 ((HtmlInputControl)ctl).Value = ((HtmlInputControl)ctl).Value.Replace("'", "＇");
 string strValue = ((HtmlInputControl)ctl).Value.Trim();
 if (!IsSafeString(strValue))
 {
 isSafe = false;
 break;
 }
 continue;
 }
 if (ctl as HtmlTextArea != null)
 {
 ((HtmlTextArea)ctl).Value = ((HtmlTextArea)ctl).Value.Replace("'", "＇");
 string strValue = ((HtmlTextArea)ctl).Value.Trim();
 if (!IsSafeString(strValue))
 {
 isSafe = false;
 break;
 }
 continue;
 }
 }
 if (!isSafe)
 {
 page.Response.Write("字符串格式非法!");
 page.Response.End();
 }
 }
 catch(Exception ex)
 {
 string a = ex.Message;
 }
 }



 /// <summary>
 /// 过滤QueryString 中的非法字符串
 /// </summary>
 /// <param name="sender"></param>
 /// <param name="e"></param>
 protected void RequestFilterStrFactoryRHandler_PreLoad(object sender, EventArgs e)
 {
 try
 {
 Page page = sender as Page;
 NameValueCollection QueryNV = page.Request.QueryString;
 bool isSafe = true;
 for (int i = 0; i < QueryNV.Count; i++)
 {
 if (!IsSafeString(QueryNV.Get(i)))
 {
 isSafe = false;
 break;
 }
 }
 if (!isSafe)
 {
 page.Response.Write("字符串格式非法!");
 page.Response.End();
 }
 }
 catch { }
 }

 //判断是否为安全字符串
 public bool IsSafeString(string strText)
 {
 bool bResult = true;
 strText = Regex.Replace(strText, "[\\s]{1,}", ""); //two or more spaces
 strText = Regex.Replace(strText, "(<[b|B][r|R]/*>)+|(<[p|P](.|\\n)*?>)", "\n"); // 

 string[] UnSafeArray = new string[23];
 UnSafeArray[0] = "'";
 UnSafeArray[1] = "xp_cmdshell";
 UnSafeArray[2] = "declare";
 UnSafeArray[3] = "netlocalgroupadministrators";
 UnSafeArray[4] = "delete";
 UnSafeArray[5] = "truncate";
 UnSafeArray[6] = "netuser";
 UnSafeArray[7] = "/add";
 UnSafeArray[8] = "drop";
 UnSafeArray[9] = "update";
 UnSafeArray[10] = "select";
 UnSafeArray[11] = "union";
 UnSafeArray[12] = "exec";
 UnSafeArray[13] = "create";
 UnSafeArray[14] = "insertinto";
 UnSafeArray[15] = "sp_";
 UnSafeArray[16] = "exec";
 UnSafeArray[17] = "create";
 UnSafeArray[18] = "insertinto";
 UnSafeArray[19] = "masterdbo";
 UnSafeArray[20] = "sp_";
 UnSafeArray[21] = ";--";
 UnSafeArray[22] = "1=";
 foreach (string strValue in UnSafeArray)
 {

 if (strText.ToLower().IndexOf(strValue) > -1)
 {
 bResult = false;
 break;
 }
 }
 return bResult;
 }

 }
}

（2）在web.config文件中做以下配置
 </system.web>
 <httpHandlers>
 <add verb="*" path="*.aspx" type="httpHandlers.SqlhttpHandlers, httpHandlers"/>
 </httpHandlers>
 </system.web>