down了一个多用户asp的商城系统,在本机上测试,可是一打开就提示本机ip非法登入等信息,我查看了一下index.asp的代码,top上有个link,到conn.asp文件
<%
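'Database parameters — fill in for the deployment
'------------------------------------------------------------
'-----------------------------------------------------------
'dbdns is the site-relative base path set by the including pages; do not change it here.
dbpath=dbdns&"/shop/mycartconn/shopcom.asa"
connstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(""&dbpath&"")
'-----------------------------------------------------------
'Open the database
response.buffer=true 'buffer output so Response.End below discards any partial page
Set conn = Server.CreateObject("ADODB.Connection")
'SQL Server alternative, kept from the original (commented out):
'conn.Open"Provider=sqloledb;user id="&SQLDBUserName&";password="&SQLDBPassword&";initial catalog="&SQLDBName&";data source="&SQLServerName&";"

conn.Open connstr

'Client-address check.
'HTTP_X_FORWARDED_FOR is a request header the client can set to any value, so
'noip is untrusted text: it is escaped before it reaches SQL (safenoip) and
'must not be treated as a reliable identity. REMOTE_ADDR is the socket peer.
noip1 = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
noip2 = Request.ServerVariables("REMOTE_ADDR")
if noip1 = "" then
noip=noip2
else
noip=noip1
end if
'SQL string-literal form of noip (single quotes doubled) — the same escaping the
'online-user code further down already applies to session("huiyuan").
safenoip = replace(noip, "'", "''")
if (noip1="unknown" or noip2="unknown") or (noip1="" and noip2="") then
Response.write "系统拒绝了你的来访IP不明访问请求,如有问题请与河南数据电子商务平台客服中心联系"
Response.end
end if

'GET-parameter filter (blacklist) for the query string and Host header.
'allquery is the lower-cased QUERY_STRING followed by HTTP_HOST.
'Changes from the original list:
' - the numeric checks only fire when the parameter is actually supplied. The
'   original used not(isnumeric(request("x"))) for seven parameters; IsNumeric("")
'   is False, so every request that did not carry ALL of userid, id, lbid, xlbid,
'   cpid, cp_id and page as numbers was rejected — a plain page view included.
'   This is very likely the "illegal access" seen when opening the site locally.
' - ":" is tested against the query string only; a Host header with a port
'   ("host:8080") legitimately contains one.
' - "Update" could never match the lower-cased text; it is now "update".
squery=lcase(Request.ServerVariables("QUERY_STRING"))
sURL=lcase(Request.ServerVariables("HTTP_HOST"))
allquery=squery & sURL
if InStr(allquery,"%20")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%27")<>0 or InStr(allquery,"'")<>0 or _
   InStr(allquery,"%a1a1")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%24")<>0 or InStr(allquery,"$")<>0 or _
   InStr(allquery,"%3b")<>0 or InStr(allquery,";")<>0 or InStr(squery,":")<>0 or InStr(allquery,"%%")<>0 or _
   InStr(allquery,"%3c")<>0 or InStr(allquery,"<")<>0 or InStr(allquery,">")<>0 or InStr(allquery,"--")<>0 or _
   InStr(allquery,"sp_")<>0 or InStr(allquery,"xp_")<>0 or InStr(allquery,"exec")<>0 or InStr(allquery,"\")<>0 or _
   InStr(allquery,"delete")<>0 or InStr(allquery,"dir")<>0 or InStr(allquery,"exe")<>0 or InStr(allquery,"select")<>0 or _
   InStr(allquery,"update")<>0 or InStr(allquery,"cmd")<>0 or InStr(allquery,"*")<>0 or InStr(allquery,"^")<>0 or _
   InStr(allquery,"(")<>0 or InStr(allquery,")")<>0 or InStr(allquery,"+")<>0 or InStr(allquery,"copy")<>0 or _
   InStr(allquery,"format")<>0 or _
   badnum(request("userid")) or badnum(request("id")) or badnum(request("lbid")) or badnum(request("xlbid")) or _
   badnum(request("cpid")) or badnum(request("cp_id")) or badnum(request("page")) then
win=Request.ServerVariables("HTTP_USER_AGENT")
'nosql table: one row per blocked address, js = number of blocked requests so far.
'safenoip (not noip) goes into the SQL text: the raw header value could contain a quote.
set rs = conn.execute("select js from nosql where ip='"&safenoip&"'")
if not rs.eof then
conn.execute("Update nosql set js=js+1 where ip='"&safenoip&"'")
'Repeat request from a recorded address: the original response (an endless
'alert() loop sent to the client) is kept unchanged.
Response.write "<script language='JavaScript'>"
Response.write "while (true)"
Response.write "window.alert('非法入侵,你的IP及其它信息已被记录,系统已启动低级入侵自卫反击!!!')</script>"
Response.end
else
conn.execute("Insert into nosql(ip)values('"&safenoip&"')")
'NOTE(review): noip and win are header values echoed into the script below
'without HTML/JS encoding; consider encoding them before output.
Response.Write("<script>alert(""错误提示:系统拒绝了你的不法访问,请确认你的访问的网址是否正确,如有问题请与网站客服中心联系!你的真实IP地址:"&noip&",所用游览器:"&win&"。如果你的不法访问达到二次系统将自动进入初级入侵自卫反击状态。超过3次不法访问,系统将自动进入中高级入侵自卫反击状态。由此造成的一切后果自负!"");location.href=""/"";</script>")
Response.End
end if
rs.close 'not reached: both branches above end the response
end if
'End of request filtering

'Online-user bookkeeping: online_line = everyone online, online_huiyuan = members,
'online_youke = guests, online_s = peak. online_s is expected to be set by an
'including page; if it is Empty, Int() treats it as 0.
ip=noip 'same header logic as the address check above
safeip = replace(ip, "'", "''") 'SQL-escaped copy, see safenoip
conn.execute("delete from online where datediff('n',sj,now())>1000") 'drop rows idle for more than 1000 minutes
if session("huiyuan")="" then
'guest: key the row on the address
set jilu=conn.execute("select ip from online where ip='"&safeip&"'")
if jilu.eof then
conn.execute("insert into online (ip,name)VALUES('"&safeip&"','游客')")
else
conn.execute("update online set sj='"&now()&"' where ip='"&safeip&"'")
end if
jilu.close:set jilu=nothing
else
'member: key the row on the session name; any guest row for this address is replaced
safename = replace(session("huiyuan"),"'","''")
set jilu=conn.execute("select name from online where name='"&safename&"'")
if jilu.eof then
conn.execute("Delete from online where ip='"&safeip&"'")
conn.execute("insert into online (name,ip,pic)VALUES('"&safename&"','"&safeip&"',1)")
else
conn.execute("update online set sj='"&now()&"' where name='"&safename&"'")
end if
jilu.close:set jilu=nothing
end if
online_huiyuan=conn.execute("Select count(id)from online where pic=1")(0)
online_line=conn.execute("Select count(id)from online")(0)
if int(online_line)>int(online_s) then
online_s=online_line
end if
online_youke=online_line-online_huiyuan
'====================================================================

'badnum: True when a request value is present but is not numeric.
'An absent or empty parameter is allowed; only a supplied non-number is rejected.
'v: a Request collection item (or plain string). Returns Boolean.
function badnum(v)
dim s
s = v & "" 'coerce the Request item to a plain string ("" when the parameter is absent)
badnum = (s <> "" and not isnumeric(s))
end function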
%>
<%
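response.buffer=true 'buffer output so Response.End below discards any partial page
'Second request filter: reject a query string or Host header containing any of
'the characters below, raw or URL-encoded. It overlaps with the filter earlier
'in this file; change both lists together.
squery=lcase(Request.ServerVariables("QUERY_STRING"))
sURL=lcase(Request.ServerVariables("HTTP_HOST"))
allquery=squery & sURL '& is string concatenation; + would attempt numeric addition first
if InStr(allquery,"%20")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%27")<>0 or InStr(allquery,"'")<>0 or _
   InStr(allquery,"%a1a1")<>0 or InStr(allquery," ")<>0 or InStr(allquery,"%24")<>0 or InStr(allquery,"$")<>0 or _
   InStr(allquery,"%3b")<>0 or InStr(allquery,";")<>0 or InStr(allquery,"%%")<>0 or InStr(allquery,"%3c")<>0 or _
   InStr(allquery,"<")<>0 or InStr(allquery,"%3e")<>0 or InStr(allquery,">")<>0 or InStr(allquery,"%28")<>0 or _
   InStr(allquery,"(")<>0 or InStr(allquery,"%29")<>0 or InStr(allquery,")")<>0 or InStr(allquery,"%5c")<>0 or _
   InStr(allquery,"\")<>0 then
response.write "非法访问"
Response.End
end if

'Open the database. One ADODB.Connection object; the original created it twice
'in a row and discarded the first. connstr is built earlier in this file.
'Optional tuning values, kept from the original (commented out):
Set conn = Server.CreateObject("ADODB.Connection")
'conn.ConnectionTimeout = 10 'seconds to wait when connecting
'conn.CommandTimeout = 20 'seconds to wait for Execute
'conn.CursorLocation = 3 'client-side cursors
'conn.Open"Provider=sqloledb;user id="&SQLDBUserName&";password="&SQLDBPassword&";initial catalog="&SQLDBName&";data source="&SQLServerName&";"

conn.Open connstr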

FUNCTION nohack(String)
'Strip a fixed set of tokens ("'", "\", ";", "(", ")", space, "%20", "<", ">")
'from String and return the result. A Null argument is left untouched and the
'function returns Empty, as before.
'Removal-based filtering only shrinks the input; it does not make the value safe
'to splice into SQL text — quote/escape it at the query layer as well.
dim blocked, tok
if isnull(String) then exit function
blocked = array("'", "\", ";", "(", ")", " ", "%20", "<", ">")
for each tok in blocked
String = Replace(String, tok, "")
next
nohack = String
END FUNCTION
%>
<%'post过滤sql注入代防范及HTML防护开始
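function nosql(str)
'HTML-encode a posted value so it can be stored and echoed without being read
'as markup, and neutralise a few SQL-style tokens.
'str: value taken from a form post; Null is treated as an empty string.
'Returns: the encoded string ("" for Null — the original returned Empty).
'Encoding protects output only; values still need quoting/escaping at the SQL layer.
if isnull(str) then
nosql = ""
exit function
end if
str=trim(str)
'"&" is encoded first so the entities inserted below are not re-encoded.
str=replace(str,"&","&amp;")
'Angle brackets are encoded before any <br> is inserted for line breaks;
'in the original order the inserted <br> would itself have been escaped.
str=replace(str,"<","&lt;")
str=replace(str,">","&gt;")
str=replace(str,"""","&quot;")
'Whitespace and line breaks. The original passed the literal text "chr(9)" etc.
'to Replace, so tabs and newlines were never converted; these are the real calls.
'A CRLF pair is one line break, so it is handled before the single characters.
str=replace(str,vbCrLf,"<br>")
str=replace(str,chr(9),"&nbsp;")
str=replace(str,chr(10),"<br>")
str=replace(str,chr(13),"<br>")
str=replace(str,chr(32),"&nbsp;")
str=replace(str,chr(34),"&quot;")
str=replace(str,chr(39),"'")
'Break up the word "script" (any case) as defence in depth; the numeric
'character reference now carries its terminating ";".
str=Replace(str,"script","&#115;cript",1,-1,vbTextCompare)
'Kept from the original. As shown on this page both arguments of each call are
'the same character, so they are no-ops; the replacements were probably
'full-width variants lost in transcription — NOTE(review): verify in the real file.
str=replace(str,";",";")
str=replace(str,"'","'")
str=replace(str,"(","(")
str=replace(str,")",")")
str=replace(str,"*","*")
str=replace(str,"--","--")
nosql=str
end function%>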

如何解除这样的限制???
本人不懂asp 哪位asp高手帮看看,解解。多多谢谢!!