ASP.NET(C#)バックグラウンドセキュリティログインコード(XSS攻撃防止/万能パスワードホール)
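// Admin login handler fragment: validates the posted credentials, looks them up in
// the K8admin table and, on success, issues the admin cookie and redirects to admin.aspx.
// Reads the txtUser/txtPwd controls of the page and the posted "ispostbask" flag.
string ispostback = Context.Request["ispostbask"];   // key kept as-is: it must match the hidden field the form posts
string k8user = this.txtUser.Text.Trim();
string k8pwd = this.txtPwd.Text.Trim();
// NOTE(review): unsalted MD5 through an obsolete API. Kept only because the stored Pass
// column is in this format; moving to a salted, slow hash (PBKDF2 or similar) needs a data migration.
string k8md5pwd = FormsAuthentication.HashPasswordForStoringInConfigFile(k8pwd, "MD5").ToLower();

if (ispostback == "true")
{
    // Both fields are required. (The original accepted either one being non-empty; the
    // format checks below rejected the empty field anyway, so the outcome is unchanged.)
    if (k8user != "" && k8pwd != "")
    {
        // Username: 4-8 alphanumerics. The original pattern had a doubled '[' which also
        // admitted a literal '[' in the name.
        bool nameOk = Regex.IsMatch(k8user, "^[a-zA-Z0-9]{4,8}$");
        // Password: 7-12 alphanumerics containing at least one digit and one letter.
        bool pwdOk = Regex.IsMatch(k8pwd, @"^[a-zA-Z0-9]{7,12}$")
            && Regex.IsMatch(k8pwd, @"\d+")
            && Regex.IsMatch(k8pwd, @"[a-zA-Z]+");

        if (nameOk && pwdOk)
        {
            int matches;
            try
            {
                // Parameterised query instead of string concatenation. OleDb binds parameters
                // positionally to the '?' markers, so they are added in the order they appear.
                using (OleDbConnection K8conn = new OleDbConnection(
                    @"Provider=Microsoft.Jet.OLEDB.4.0;Data source=" + Server.MapPath("K8Data/k8access.mdb")))
                using (OleDbCommand cmd = new OleDbCommand(
                    "select count(*) from K8admin where User=? and Pass=?", K8conn))
                {
                    cmd.Parameters.AddWithValue("?", k8user);
                    cmd.Parameters.AddWithValue("?", k8md5pwd);
                    K8conn.Open();
                    matches = Convert.ToInt32(cmd.ExecuteScalar());
                }   // connection and command are disposed on every path, including exceptions
            }
            catch (Exception)
            {
                // Database unavailable or the query failed: show the generic alert and stop.
                // Response.Redirect is no longer inside this try, so its ThreadAbortException
                // is not caught here (the original swallowed it and skipped K8conn.Close()).
                ClientScript.RegisterStartupScript(GetType(), "", "alert(' ');", true);
                return;
            }

            // Exactly one matching row identifies a valid admin account.
            if (matches != 1)
            {
                ClientScript.RegisterStartupScript(GetType(), "", "alert(' ');", true);
                return;
            }

            // The cookie (name = user, value = password hash) is what the admin page checks,
            // so its shape is kept. HttpOnly keeps it out of reach of page script and Secure
            // is set whenever the login itself arrived over HTTPS.
            // NOTE(review): this cookie is a bearer credential equal to the stored hash and
            // never expires; FormsAuthentication.SetAuthCookie would be the usual replacement.
            HttpCookie authCookie = new HttpCookie(k8user, k8md5pwd);
            authCookie.HttpOnly = true;
            authCookie.Secure = Context.Request.IsSecureConnection;
            Response.Cookies.Add(authCookie);
            Response.Redirect("admin.aspx");
            return;
        }
    }

    // Missing or malformed input.
    ClientScript.RegisterStartupScript(GetType(), "", "alert(' ');", true);
}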
原文:http://qqhack8.blog.163.com/blog/static/114147985201162172136155/