For i=1 To Len(AsciiStr)
Str=AscW(Mid(AsciiStr,i,1))
If Str<0 Then
Str=Str+65536
End If
UnicodeStr=UnicodeStr&"&#"&Str&";"
Next
AsciiToUnicode=UnicodeStr
End Function
injection_i=0
For each item in Request.QueryString
for injection_i = 1 to Request.QueryString(item).Count
strInjection = strInjection & Request.QueryString(item)(injection_i)
tmpstring = replace(Request.QueryString(item)(injection_i)," ","")
if instr(UCASE(tmpstring),"'OR") > 0 or instr(UCASE(tmpstring),"'AND") > 0 then
%>
<script>
alert("SQL Injection hacking[page back]");
history.back();
</script>
<%
response.end
end if
strInjection = strInjection & item
next
next
injection_i=0
For each item in Request.Form
for injection_i = 1 to Request.Form(item).Count
strInjection = strInjection & Request.form(item)(injection_i)
tmpstring = replace(Request.form(item)(injection_i)," ","")
if instr(UCASE(tmpstring),"'OR") > 0 or instr(UCASE(tmpstring),"'AND") > 0 then
%>
<script>
alert("SQL Injection hacking[page back]");
history.back();
</script>
<%
response.end
end if
strInjection = strInjection & item
next
next
if instr(UCASE(strInjection),"CREATE") > 0 or instr(UCASE(strInjection),"DELETE")>0 or instr(UCASE(strInjection),"DROP")>0 or instr(UCASE(strInjection),"UPDATE")>0 or instr(UCASE(strInjection),"SELECT")>0 or instr(UCASE(strInjection),"UNION")>0 OR instr(UCASE(strInjection),"EXEC")>0 OR instr(UCASE(strInjection),"INSERT")>0 OR instr(UCASE(strInjection),"DECLARE")>0 or instr(UCASE(strInjection)," OR")>0 OR instr(UCASE(strInjection)," AND")>0 OR instr(UCASE(strInjection),"--")>0 OR instr(UCASE(strInjection),"'")>0 OR instr(UCASE(strInjection),"DBCC")>0 OR instr(UCASE(strInjection),"ALTER")>0 OR instr(UCASE(strInjection),"BACKUP")>0 OR instr(UCASE(strInjection),"SET")>0 OR instr(UCASE(strInjection),"CLOSE")>0 OR instr(UCASE(strInjection),"RETURN")>0 OR instr(UCASE(strInjection),"EXISTS")>0 OR instr(UCASE(strInjection),"TRUNCATE") > 0 then
%>
<script>
alert("Çã¿ëµÇÁö ¾Ê´Â ±ÛÀÚ°¡ Æ÷ÇԵǾî ÀÖ½À´Ï´Ù.SQL");
history.back();
</script>
<%
response.end
end if
if instr(UCASE(strInjection),"<SCRIPT")>0 or instr(UCASE(strInjection),"</SCRIPT")>0 or instr(UCASE(strInjection),"<HTML")>0 or instr(UCASE(strInjection),"</HTML")>0 or instr(UCASE(strInjection),"<META")>0 or instr(UCASE(strInjection),"<LINK")>0 or instr(UCASE(strInjection),"<HEAD")>0 or instr(UCASE(strInjection),"</HEAD")>0 or instr(UCASE(strInjection),"<BODY")>0 or instr(UCASE(strInjection),"</BODY")>0 or instr(UCASE(strInjection),"<FORM")>0 or instr(UCASE(strInjection),"</FORM")>0 or instr(UCASE(strInjection),"<STYLE")>0 or instr(UCASE(strInjection),"</STYLE")>0 or instr(UCASE(strInjection),"COOKIE")>0 or instr(UCASE(strInjection),"<DOCUMENT.")>0 or instr(UCASE(strInjection),"SCRIPT:")>0 or instr(UCASE(strInjection),"EMBED")>0 or instr(UCASE(strInjection),"<")>0 or instr(UCASE(strInjection),">")>0 or instr(UCASE(strInjection),"HTTP:")>0 or instr(UCASE(AsciiToUnicode(strInjection)), AsciiToUnicode("<"))>0 or instr(UCASE(AsciiToUnicode(strInjection)),AsciiToUnicode(">"))>0 or instr(UCASE(strInjection), "&#")>0 Then
%>
<script>
alert("½ºÅ©¸³Æ®³ª HTMLű״ »ç¿ëÇÏ½Ç ¼ö ¾ø½À´Ï´Ù.");
history.back();
</script>
<%
response.end
end if
%>
<%
'Ư¼ö¹®ÀÚ º¯°æÇϱâ
Function Checkot(CheckValue)
CheckValue = replace(CheckValue, "<", "<")
CheckValue = replace(CheckValue, ">", ">")
CheckValue = replace(CheckValue, "&", "&" )
Checkot = CheckValue
End Function
Function Checkit(CheckValue)
CheckValue = replace(CheckValue, "&" , "&")
CheckValue = replace(CheckValue, "<", "<")
CheckValue = replace(CheckValue, ">", ">")
CheckValue = replace(CheckValue, "'", "''")
Checkit = CheckValue
End Function
Function numdel(var)
If InStr(var,".") Then
a = Split(var,".")(0)
If Len(Left(Split(var,".")(1),2)) > 1 Then
b = Left(Split(var,".")(1),2)
ElseIf Len(Left(Split(var,".")(1),2)) > 0 Then
b = Left(Split(var,".")(1),2) & "0"
Else
b = "00"
End If
var = a & "." & b
Else
var = var & ".00"
End If
numdel = var
End Function
%>
Å×½ºÆ® »çÀÌÆ® °¢ Æû¿¡¼ ºÒ·¯¿À´Â sql injection ¹æ¾î ÀÔ´Ï´Ù.
ºÎÁ·ÇÑ°Ô ÀÖÀ»±î¿ä ? |
214, 
8/11 
