este é o nosso blog

Aqui você encontrará um conteúdo bastante interessante, sobre temas variádos dentro de tecnologia, informática, internet e claro sobre o dia-a-dia da nossa empresa!

Comentários

.26/05/2008

ASP – ANTI-SQL INJECTION

Postado por:

Abaixo segue um script para a linguagem ASP – CLASSIC.

Esse arquivo deve ser incluído dentro do arquivo onde é feita a conexão do banco de dados, ou em um include global.

fix_injection.asp

<%
‘  fix_injection.asp

‘  Author: Nazim Lala, Codificar (http://www.codificar.com.br)
‘  Modified Date: 26-05-2008
‘  This is the include file to use with your asp pages to
‘  validate input for SQL injection.

Dim BlackList, ErrorPage


‘  Below is a black list that will block certain SQL commands and
‘  sequences used in SQL injection will help with i\0 putaput sanitization

‘  However this is may not suffice, because:
‘  1) These might not cover all the cases (like encoded characters)
‘  2) This may disallow legitimate input

‘  Creating a raw sql query strings by concatenating user input is
‘  unsafe programming practice. It is advised that you use parameterized
‘  SQL instead. Check http://support.microsoft.com/kb/q164485/ for information
‘  on how to do this using ADO from ASP.

‘  Moreover, you need to also implement a white list for your parameters.
‘  For example, if you are expecting input for a zipcode you should create
‘  a validation rule that will only allow 5 characters in [0-9].

BlackList = Array(“–”, “;”, “/*”, “*/”, “@@”, “@”,_
“char”, “nchar”, “varchar”, “nvarchar”,_
“alter”, “begin”, “cast”, “create”, “cursor”,_
“declare”, “delete”, “drop”, “end”, “exec”,_
“execute”, “fetch”, “insert”, “kill”, “open”,_
“select”, “sys”, “sysobjects”, “syscolumns”,_
“table”, “update”)

‘  Populate the error page you want to redirect to in case the
‘  check fails.

ErrorPage = “/fix_injection/error_page.asp”

”””””””””””””””””””””””””’
‘  This function does not check for encoded characters
‘  since we do not know the form of encoding your application
‘  uses. Add the appropriate logic to deal with encoded characters
‘  in here
”””””””””””””””””””””””””’
Function CheckStringForSQL(str)
On Error Resume Next

Dim lstr

‘ If the string is empty, return true
If ( IsEmpty(str) ) Then
CheckStringForSQL = false
Exit Function
ElseIf ( StrComp(str, “”) = 0 ) Then
CheckStringForSQL = false
Exit Function
End If

lstr = LCase(str)

‘ Check if the string contains any patterns in our
‘ black list
For Each s in BlackList

If ( InStr (lstr, s) <> 0 ) Then
CheckStringForSQL = true
Exit Function
End If

Next

CheckStringForSQL = false

End Function

Public Function CheckString (strEntrada)
Dim objRegExp
Set objRegExp = Server.CreateObject(“VBScript.RegExp”)

Dim strExpressao

strExpressao = “(<\s*/*(script|object|applet|embed|form|img)\s*.*>)” ‘< [/] script ou object ou applet ou embed ou form >
strExpressao = strExpressao & “|” & “(\s+eval\s*\()” ‘ EVAL(
strExpressao = strExpressao & “|” & “(\s+event\s*=)” ‘ Event=
strExpressao = Replace(strExpressao, “<”, “(<|%60|<)”) ‘Garantir < ou < em HTML ENCODE
strExpressao = Replace(strExpressao, “>”, “(>|%62|>)”) ‘Garantir > ou > em HTML ENCODE

objRegExp.IgnoreCase = True ‘Ignorar caixa “ALTA” ou “baixa”
objRegExp.Global = False ‘Para na hora que encontrar (velocidade)

objRegExp.Pattern = strExpressao ‘Define a expressão

CheckString = objRegExp.Test(strEntrada) ‘testa

Set objRegExp = Nothing

End Function

”””””””””””””””””””””””””’
‘  Check forms data
”””””””””””””””””””””””””’
Dim s
For Each s in Request.Form
If ( CheckString(Request.Form(s)) ) Then

‘ Redirect to an error page
Response.Redirect(ErrorPage)

End If
Next

”””””””””””””””””””””””””’
‘  Check query string
”””””””””””””””””””””””””’

For Each s in Request.QueryString
If ( CheckString(Request.QueryString(s)) ) Then

‘ Redirect to error page
Response.Redirect(ErrorPage)

End If

Next

”””””””””””””””””””””””””’
‘  Check cookies
”””””””””””””””””””””””””’

For Each s in Request.Cookies
If ( CheckString(Request.Cookies(s)) ) Then

‘ Redirect to error page
Response.Redirect(ErrorPage)

End If

Next

”””””””””””””””””””””””””’
‘  Add additional checks for input that your application
‘  uses. (for example various request headers your app
‘  might use)
”””””””””””””””””””””””””’

%>

error_page.asp

<%@LANGUAGE=”VBSCRIPT” CODEPAGE=”65001″%>
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />
<title>SQL INJECTION</title>
<style type=”text/css”>
<!–
.style1 {color: #FF0000}
–>
</style>
</head>

<body>
<h1 class=”style1″>Tentativa de exploração de falha de segurança!!!</h1>
<p class=”style1″>Verifique os dados inseridos.</p>
</body>
</html>
os Arquivos fix_injection.

Comentários (2)

Permalink

2 Responses to ASP – ANTI-SQL INJECTION

  1. Car Hire Alicante says:
    28/03/2011 at 13:28

    I think you'll want to add a twitter icon to your site. I just marked down this article, although I had to complete this manually. Simply my 2 cents.

    Responder

  2. Pingback: Vírus nas Páginas da prefeitura de Belo Horizonte (PBH) – SQL Injection | Codificar Sistemas Tecnológicos

Deixe um Comentário

O seu endereço de email não será publicado Campos obrigatórios são marcados *

*

Você pode usar estas tags e atributos de HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">

© copyright 2011 Codificar Sistemas Tecnológicos | Todos os direitos reservados.