tijian_tieying/web/cyqdata-master/SQL/SqlInjection.cs

using System;
using System.Collections.Generic;
namespace CYQ.Data.SQL
{
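internal static class SqlInjection
{
    /// <summary>
    /// Comma-separated blacklist consumed by <see cref="Filter"/>. An entry without ';' is a single
    /// keyword that is flagged on its own; an entry of the form "a;b" is a keyword pair that is flagged
    /// only when both halves are present in the text (e.g. "select;into"). Entries with more than one
    /// ';' are skipped by <see cref="Filter"/>.
    /// </summary>
    /// <remarks>
    /// This is a keyword blacklist, not a SQL parser. It narrows what an accidentally concatenated
    /// fragment can do but is not a substitute for parameterized queries; callers building SQL from
    /// untrusted input should still bind parameters.
    /// </remarks>
    internal const string filterSqlInjection = "select;into,delete;from,drop;table,drop;database,update;set,truncate;table,create;table,exists;select,insert;into,xp_cmdshell,declare;@,exec;master,waitfor;delay";

    // Backing store for FilterKeyList; null until first read (or after the setter is given null).
    private static List<string> filterKeyList = null;

    /// <summary>
    /// The blacklist as a list. Built lazily on first read from <see cref="filterSqlInjection"/>
    /// (trailing ',' trimmed, then split on ','). Assigning a list replaces the blacklist; assigning
    /// null makes the next read rebuild it from the constant.
    /// </summary>
    /// <remarks>
    /// The lazy initialization is not synchronized: concurrent first reads may each build a list.
    /// The last writer wins and the lists are identical, so the effect is redundant work only.
    /// </remarks>
    internal static List<string> FilterKeyList
    {
        get
        {
            if (filterKeyList == null)
            {
                filterKeyList = new List<string>();
                filterKeyList.AddRange(filterSqlInjection.TrimEnd(',').Split(','));
            }
            return filterKeyList;
        }
        set
        {
            filterKeyList = value;
        }
    }

    /// <summary>
    /// Screens a SQL fragment against <see cref="FilterKeyList"/>, after stripping "--" comment
    /// markers and (for some providers) SQL-Server-style <c>[identifier]</c> brackets.
    /// </summary>
    /// <param name="text">The fragment to screen. Null or empty input is returned unchanged.</param>
    /// <param name="dalType">
    /// Target database. For <c>MySql</c>, <c>Oracle</c> and <c>SQLite</c>, tokens of the form
    /// <c>[name]</c> (but not <c>[#...]</c>) are rewritten to <c>name</c> before screening.
    /// </param>
    /// <returns>
    /// The possibly rewritten fragment when nothing was flagged; otherwise the literal string
    /// <c>"SqlInjection error:" + text</c>. The result is a sentinel, not a thrown exception, so callers
    /// must check it before using the value as SQL.
    /// </returns>
    public static string Filter(string text, DalType dalType)
    {
        if (string.IsNullOrEmpty(text))
        {
            return text;
        }

        // Remove "--" comment markers when one appears to sit outside a single-quoted literal.
        // The quote-parity test is evaluated per "--"-delimited segment rather than cumulatively,
        // so it is a heuristic; and once it fires, Replace removes every "--" in the text,
        // including any inside literals.
        if (text.IndexOf("--", StringComparison.Ordinal) > -1)
        {
            string[] segments = text.Split(new string[] { "--" }, StringSplitOptions.None);
            for (int i = 0; i < segments.Length - 1; i++)
            {
                // Split on '\'' yields (quote count + 1) parts: an odd count for the first
                // segment, or an even count for later ones, is taken to mean "outside a literal".
                if (segments[i].Split('\'').Length % 2 == (i == 0 ? 1 : 0))
                {
                    text = text.Replace("--", string.Empty);
                    break;
                }
            }
        }

        string[] items = text.Split(' ', '(', ')');
        if (items.Length == 1 && text.Length > 30)
        {
            // A single long token with no separators but URL-encoded spaces is treated as an
            // attempt to hide whitespace from the token split below.
            if (text.IndexOf("%20", StringComparison.Ordinal) > -1)
            {
                Log.WriteLog(true, text);
                return "SqlInjection error:" + text;
            }
        }
        else
        {
            switch (dalType)
            {
                case DalType.MySql:
                case DalType.Oracle:
                case DalType.SQLite:
                    // These providers do not use [..] identifier quoting: unwrap [name] tokens
                    // so the keyword scan sees the bare name. "[#..." tokens are left alone.
                    for (int i = 0; i < items.Length; i++)
                    {
                        if (!items[i].StartsWith("[#", StringComparison.Ordinal)
                            && items[i].StartsWith("[", StringComparison.Ordinal)
                            && items[i].EndsWith("]", StringComparison.Ordinal))
                        {
                            text = text.Replace(items[i], items[i].Replace("[", string.Empty).Replace("]", string.Empty));
                        }
                    }
                    break;
            }
        }

        // Invariant lower-casing and ordinal search: with a culture-sensitive ToLower()/IndexOf()
        // (e.g. the dotless i of tr-TR) an upper-case keyword can be folded into a form the
        // blacklist no longer matches, which would silently disable the check.
        string lowerText = text.ToLowerInvariant();
        items = lowerText.Split(' ', '(', ')');

        // Read the list once so a concurrent assignment to FilterKeyList cannot change it mid-scan.
        List<string> keys = FilterKeyList;
        for (int i = 0; i < keys.Count; i++)
        {
            string[] parts = keys[i].Split(';');
            string filterKey = parts[0];
            int keyIndex;
            if (parts.Length > 2)
            {
                // Malformed entry (more than one ';'): ignored, same as the original behavior.
                continue;
            }
            else if (parts.Length == 2)
            {
                // A pair is flagged only when both halves occur: Min is -1 if either is missing.
                keyIndex = Math.Min(
                    lowerText.IndexOf(filterKey, StringComparison.Ordinal),
                    lowerText.IndexOf(parts[1], StringComparison.Ordinal));
            }
            else
            {
                keyIndex = lowerText.IndexOf(filterKey, StringComparison.Ordinal);
            }

            if (keyIndex > -1)
            {
                // Accept the keyword if some token contains it only as part of a longer word
                // (after trimming common wrapping characters). Note this is permissive: a single
                // such token anywhere in the fragment accepts the keyword for the whole fragment.
                bool embeddedInLongerWord = false;
                foreach (string item in items)
                {
                    string tempKey = item.Trim('\'', '|', '!', '%', '^');
                    if (tempKey.IndexOf(filterKey, StringComparison.Ordinal) > -1 && tempKey.Length > filterKey.Length)
                    {
                        embeddedInLongerWord = true;
                        break;
                    }
                }

                if (!embeddedInLongerWord)
                {
                    Log.WriteLog(true, keys[i] + ":" + text);
                    return "SqlInjection error:" + text;
                }
            }
        }

        return text;
    }
}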
}