上周问题总结与解决方案

 

 

1,代码冗余以及注释不详，代码有待进一步完善 （轻）

(1)    注释不详处添加注释

(2)    删除冗余代码

2，源码存在多出无用文件 （轻）

（1） 删除“粮油机械html”文件夹

（2） 删除“复件index.aspx”文件

 

3，editor过滤不严密，可使黑客上传恶意程序（高危漏洞）

漏洞地址：~/web/editor/fckeditor.html

解决方案：（1）<!--

   

     启用角色管理

     -->

    <roleManager enabled ="true">

     

</roleManager>

(2)//启用forms认证

<authentication mode ="Forms">

      <forms loginUrl ="Manage/Admin_login.aspx" name =".ASPXFORMSAUTH" defaultUrl ="Manage/admin_index.aspx">

       

      </forms>

    </authentication>

(3)在editor文件夹下新建web.config文件，拒绝匿名用户登录

<system.web>

      <authorization >

        <deny users ="?"/>

      </authorization>

    </system.web>

（4）    在登录事件中

string userRoles = "admin";

            //创建一个身份验证票 

            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, name, DateTime.Now, DateTime.Now.AddMinutes(30), false, userRoles);

            //将身份验证票加密 

            string EncrTicket = FormsAuthentication.Encrypt(ticket);

            //创建一个Cookie 

            HttpCookie myCookie = new HttpCookie(FormsAuthentication.FormsCookieName, EncrTicket);

            //将Cookie写入客户端 

            Response.Cookies.Add(myCookie);

 

4,后台万能密码可登录 （高危漏洞）

利用'or'='or' 可绕过验证

漏洞地址：（DAL——>ManagerService.cs）

源文件：

/// <summary>

        /// 根据用户名和密码判断管理员是否存在

        /// </summary>

        /// <param name="adminname">用户名</param>

        /// <param name="password">密码</param>

        /// <returns>存在返回true，否则返回false</returns>

        public bool Exists(string adminname, string password)

        {

            StringBuilder sql = new StringBuilder();

            sql.Append("Select count(*) from J_admin where ");

            sql.Append("[j_name]='"+ adminname +"' ");

            sql.Append("and [j_pass]='"+ password +"'");

           

            int i = Convert.ToInt32(SqlHelper.ExecuteScalar(CommandType.Text,sql.ToString(),new OleDbParameter[0]));

            if (i > 0)

            {

                return true;

            }

            else

            {

                return false;

            }

        }

 

解决方案：因为查询语句为Select count (*) from J_admin where [j_name]=”+adminname+” and [j_pass]=”+password+”

采取sql语句拼接，因此存在验证注入漏洞。

(1)    在登录页面cs代码中定义一个方法用来检测用户输入是否包含恶意程序，若包含则替换为空。public static string InputText(string text, int maxlength)

｛

text = text.ToLower().Trim();

            if (string.IsNullOrEmpty(text))

                return string.Empty;

            if (text.Length > maxlength)

                text = text.Substring(0, maxlength);

 

            text = Regex.Replace(text, "[\\s]{2,{", " ");

            text = Regex.Replace(text, "(<[b|B][r|R]/*>)+|(<[p|P](.|\\n)*?>)", "\n"); //<br>

            text = Regex.Replace(text, "(\\s*&[n|N][b|B][s|S][p|P];\\s*)+", " "); //&nbsp;

            text = Regex.Replace(text, "<(.|\\n)*?>", string.Empty); //any other tags

            text = Regex.Replace(text, "=", "");

            text = Regex.Replace(text, "%", "");

            text = Regex.Replace(text, "'", "");

            text = Regex.Replace(text, "select", "");

            text = Regex.Replace(text, "insert", "");

            text = Regex.Replace(text, "delete", "");

            text = Regex.Replace(text, "or", "");

            text = Regex.Replace(text, "exec", "");

            text = Regex.Replace(text, "--", "");

            text = Regex.Replace(text, "and", "");

            text = Regex.Replace(text, "where", "");

            text = Regex.Replace(text, "update", "");

            text = Regex.Replace(text, "script", "");

            text = Regex.Replace(text, "iframe", "");

            text = Regex.Replace(text, "master", "");

            text = Regex.Replace(text, "exec", "");

            text = Regex.Replace(text, "<", "");

            text = Regex.Replace(text, ">", "");

            text = Regex.Replace(text, "\r\n", "");

 

            return text;

｝

 

（2） 若用户输入恶意代码则提示错误。

 

//检查用户输入

            string name = InputText(LoginName.Text.Trim(), 50);

            string pass = InputText(LoginPassword.Text, 100);

            if (name==""||pass=="")

            {

                Response.Write("<script>alert('用户名或密码错误 ');history.go(-1);</script>");

               Response.Redirect("./Admin_login.aspx");            }

 

5，sql语句过滤不严，存在sql注入漏洞 （高危漏洞）

漏洞地址：sql查询语句过滤不严，可使黑客直接操作access数据库，添加帐号，删除产品等。

解决方案：在 Global.asax 中过滤出现在地址栏中的 SQL 敏感字符

 #region 防注入代码

        /// <summary>

        /// 处理用户提交的请求

        /// </summary>

        private void StartSqlinjionCheck()

        {

            try

            {

                string getkeys = "";

 

                if (System.Web.HttpContext.Current.Request.QueryString != null)

                {

 

                    for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)

                    {

                        getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];

                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))

                        {

                            System.Web.HttpContext.Current.Response.Write("<h3>不能包含执行语句</h3>");

                            System.Web.HttpContext.Current.Response.End();

                        }

                    }

                }

                if (System.Web.HttpContext.Current.Request.Form != null)

                {

                    for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)

                    {

                        getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];

                        if (getkeys == "__VIEWSTATE") continue;

                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))

                        {

                        

                            System.Web.HttpContext.Current.Response.Write("<h3>不能包含执行语句</h3>");

                            System.Web.HttpContext.Current.Response.End();

                        }

                    }

                }

            }

            catch

            {

 

            }

 

 

        }

 

        /// <summary>

        /// 分析用户请求是否正常

        /// </summary>

        /// <param name="Str">传入用户提交数据 </param>

        /// <returns>返回是否含有SQL注入式攻击代码</returns>

        private bool ProcessSqlStr(string Str)

        {

            bool ReturnValue = true;

            try

            {

                if (Str.Trim() != "")

                {

                    //string SqlStr = "and |exec |insert |select |delete |update |count |* |chr |mid |master |truncate |char |declare";

                    string SqlStr = "exec |insert |select |delete |update |mid |master |truncate |declare";

                    string[] anySqlStr = SqlStr.Split('|');

                    foreach (string ss in anySqlStr)

                    {

                        if (Str.ToLower().IndexOf(ss) >= 0)

                        {

                            ReturnValue = false;

                            break;

                        }

                    }

                }

            }

            catch

            {

                ReturnValue = false;

            }

            return ReturnValue;

        }

 

 

        #endregion

 

 

                                               技术部  Mxi4oyu

                                                  

 

 

 

转载于:https://www.cnblogs.com/secbook/archive/2011/12/08/2654915.html