using System;
using System.Collections.Generic;
namespace CYQ.Data.SQL
{
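internal static class SqlInjection
{
    /// <summary>
    /// Default keyword rules, comma separated. Each rule is either a single word
    /// ("xp_cmdshell") or two parts joined by ';' ("select;into"); a two-part rule only
    /// fires when both parts occur in the input. Rules with more than two parts are ignored.
    /// </summary>
    internal const string filterSqlInjection = "select;into,delete;from,drop;table,drop;database,update;set,truncate;table,create;table,exists;select,insert;into,xp_cmdshell,declare;@,exec;master,waitfor;delay";

    // Active rule list; seeded lazily from filterSqlInjection by the FilterKeyList getter.
    private static List<string> filterKeyList = new List<string>();

    private static readonly object lockObj = new object();

    /// <summary>
    /// Rules consulted by <see cref="Filter"/>. When the list is empty it is seeded from
    /// <see cref="filterSqlInjection"/> on first read; assign a list to override the
    /// defaults (assigning null resets to the defaults on the next read).
    /// </summary>
    internal static List<string> FilterKeyList
    {
        get
        {
            List<string> rules = filterKeyList;
            if (rules.Count == 0)
            {
                lock (lockObj)
                {
                    // Re-read under the lock: the setter may have swapped the list meanwhile.
                    rules = filterKeyList;
                    if (rules.Count == 0)
                    {
                        rules.AddRange(filterSqlInjection.TrimEnd(',').Split(','));
                    }
                }
            }
            return rules;
        }
        set
        {
            // A null assignment previously made Filter hit a NullReferenceException inside
            // its catch-all and hand the input back unchecked; map null to "reload defaults".
            lock (lockObj)
            {
                filterKeyList = value ?? new List<string>();
            }
        }
    }

    /// <summary>
    /// Heuristic blacklist check for SQL fragments that get concatenated into a statement.
    /// Removes "--" once a line comment is found outside a single-quoted literal, strips
    /// [bracket] quoting for MySql/Oracle/SQLite, and then rejects the input through
    /// Error.Throw when a <see cref="FilterKeyList"/> rule matches or when a single long
    /// token carries several URL-encoded spaces ("%20").
    /// NOTE(review): a keyword blacklist cannot make string-built SQL safe (encoding tricks,
    /// comment styles other than "--", keywords not in the list); callers should
    /// parameterise user input and treat this as defence in depth only.
    /// </summary>
    /// <param name="text">Fragment to check; null, empty and the literal "1=1" pass through untouched.</param>
    /// <param name="dalType">Target database; decides whether [bracket] quoting is stripped.</param>
    /// <returns>The (possibly rewritten) fragment when it is accepted.</returns>
    public static string Filter(string text, DataBaseType dalType)
    {
        if (string.IsNullOrEmpty(text) || text == "1=1") { return text; }

        // The rejection is recorded here and raised AFTER the try block. Previously
        // Error.Throw was called inside the try, so the catch-all below swallowed the
        // rejection, logged it as "SqlInjection Error:" and returned the tainted text
        // to the caller (fail-open).
        string rejectLog = null;
        string rejectMessage = null;
        try
        {
            text = StripLineComments(text);

            string[] items = text.Split(' ', '(', ')');
            if (items.Length == 1 && text.Length > 30)
            {
                // One long token holding two or more "%20": looks like a URL-encoded
                // payload whose spaces would only appear after decoding.
                int firstEncodedSpace = text.IndexOf("%20", StringComparison.Ordinal);
                if (firstEncodedSpace > -1 && firstEncodedSpace != text.LastIndexOf("%20", StringComparison.Ordinal))
                {
                    rejectLog = "SqlInjection %20 Error:" + text;
                    rejectMessage = rejectLog;
                }
            }
            else
            {
                text = StripBracketQuoting(text, items, dalType);
            }

            if (rejectMessage == null)
            {
                string rule = FindMatchingRule(text);
                if (rule != null)
                {
                    rejectLog = "SqlInjection FilterKey Error:" + rule + ":" + text;
                    rejectMessage = "SqlInjection FilterKey Error:" + text;
                }
            }
        }
        catch (Exception err)
        {
            // Best-effort: an internal error in the heuristics is logged and the input is
            // returned as-is, as before. Only the explicit rejection path is guaranteed
            // to reach the caller.
            Log.Write("SqlInjection Error:" + err.Message + ":" + text, LogType.Warn);
        }

        if (rejectMessage != null)
        {
            Log.Write(rejectLog, LogType.Warn);
            Error.Throw(rejectMessage); // project helper, not visible here; expected to throw
        }
        return text;
    }

    /// <summary>
    /// Removes "--" from <paramref name="text"/> when the first "--" that lies outside a
    /// single-quoted literal is found. Literal boundaries are tracked by counting quotes
    /// between consecutive "--" markers; doubled quotes ('') keep the parity, so they are
    /// handled, while backslash escapes are not. As before, every "--" in the input is
    /// removed once a comment marker is confirmed, including any inside later literals.
    /// </summary>
    private static string StripLineComments(string text)
    {
        if (text.IndexOf("--", StringComparison.Ordinal) < 0) { return text; }

        string[] segments = text.Split(new string[] { "--" }, StringSplitOptions.None);
        bool insideLiteral = false;
        // segments[i] is the text between the i-th and (i+1)-th "--"; the last segment has
        // no marker after it and is not examined.
        for (int i = 0; i < segments.Length - 1; i++)
        {
            int quotes = segments[i].Split('\'').Length - 1;
            if (quotes % 2 == 1)
            {
                insideLiteral = !insideLiteral;
            }
            if (!insideLiteral)
            {
                return text.Replace("--", string.Empty);
            }
        }
        return text;
    }

    /// <summary>
    /// For MySql, Oracle and SQLite, drops the [ ] around any whitespace/paren-delimited
    /// token of the form [name]; tokens starting with "[#" are left alone (presumably a
    /// placeholder marker elsewhere in the project - confirm). Other databases are untouched.
    /// </summary>
    private static string StripBracketQuoting(string text, string[] items, DataBaseType dalType)
    {
        switch (dalType)
        {
            case DataBaseType.MySql:
            case DataBaseType.Oracle:
            case DataBaseType.SQLite:
                for (int j = 0; j < items.Length; j++)
                {
                    string item = items[j];
                    if (item.StartsWith("[", StringComparison.Ordinal)
                        && !item.StartsWith("[#", StringComparison.Ordinal)
                        && item.EndsWith("]", StringComparison.Ordinal))
                    {
                        text = text.Replace(item, item.Replace("[", string.Empty).Replace("]", string.Empty));
                    }
                }
                break;
        }
        return text;
    }

    /// <summary>
    /// Returns the first <see cref="FilterKeyList"/> rule matching <paramref name="text"/>,
    /// or null. The rule's first part must occur as a whole word (not embedded in a longer
    /// identifier such as "selected"); its optional second part only has to occur anywhere.
    /// Rules are compared as written, so they are expected to be lower case.
    /// </summary>
    private static string FindMatchingRule(string text)
    {
        List<string> rules = FilterKeyList;
        if (rules == null || rules.Count == 0) { return null; }

        // Invariant lower-casing: under a Turkish culture "INSERT".ToLower() produces a
        // dotless i and would never match "insert".
        string lowerText = text.ToLowerInvariant();
        for (int k = 0; k < rules.Count; k++)
        {
            string rule = rules[k];
            if (string.IsNullOrEmpty(rule)) { continue; }

            string[] parts = rule.Split(';');
            // An empty keyword could never reject before either; more than two parts is unsupported.
            if (parts.Length > 2 || parts[0].Length == 0) { continue; }
            if (parts.Length == 2 && lowerText.IndexOf(parts[1], StringComparison.Ordinal) < 0) { continue; }

            // Whole-word test replaces the old token scan, which accepted the entire input as
            // soon as ANY token merely contained the keyword ("selected", "select,from"),
            // letting a bare keyword elsewhere in the same input through.
            if (ContainsWholeWord(lowerText, parts[0])) { return rule; }
        }
        return null;
    }

    /// <summary>
    /// True when <paramref name="word"/> occurs in <paramref name="haystack"/> with a
    /// non-identifier character (or the string edge) on both sides.
    /// </summary>
    private static bool ContainsWholeWord(string haystack, string word)
    {
        int start = 0;
        while (start <= haystack.Length - word.Length)
        {
            int idx = haystack.IndexOf(word, start, StringComparison.Ordinal);
            if (idx < 0) { return false; }

            int end = idx + word.Length;
            bool leftBoundary = idx == 0 || !IsIdentifierChar(haystack[idx - 1]);
            bool rightBoundary = end == haystack.Length || !IsIdentifierChar(haystack[end]);
            if (leftBoundary && rightBoundary) { return true; }

            start = idx + 1;
        }
        return false;
    }

    private static bool IsIdentifierChar(char c)
    {
        return char.IsLetterOrDigit(c) || c == '_';
    }
}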
}