update

6 years ago · 5a52ed41ad
parent 875395ad4c
commit 5a52ed41ad
8 changed files with 248 additions and 20 deletions
--- a/plugins/op_waf/conf/luawaf.conf
+++ b/plugins/op_waf/conf/luawaf.conf
@ -1,4 +1,4 @@
 lua_shared_dict limit 10m;
-lua_package_path "{$WAF_PATH}/?.lua";
-init_by_lua_file  {$WAF_PATH}/init.lua;
-access_by_lua_file {$WAF_PATH}/waf.lua;
+lua_package_path "{$WAF_PATH}/lua/?.lua";
+init_by_lua_file  {$WAF_PATH}/lua/init.lua;
+access_by_lua_file {$WAF_PATH}/lua/waf.lua;
--- a/plugins/op_waf/index.py
+++ b/plugins/op_waf/index.py
@ -93,7 +93,7 @@ def initDreplace():
        cmd = 'cp -rf ' + sdir + ' ' + path
        public.execShell(cmd)

-    config = public.getServerDir() + "/openresty/nginx/conf/waf/config.lua"
+    config = public.getServerDir() + "/openresty/nginx/conf/waf/lua/init.lua"
    content = public.readFile(config)
    content = contentReplace(content)
    public.writeFile(config, content)
@ -118,7 +118,12 @@ def start():


 def stop():
-    initDreplace()
+    path = public.getServerDir() + "/openresty/nginx/conf/waf"
+    if os.path.exists(path):
+        cmd = 'rm -rf '+path
+        public.execShell(cmd)
+
+

    path = getConf()
    conf = public.readFile(path)
--- a/plugins/op_waf/js/op_waf.js
+++ b/plugins/op_waf/js/op_waf.js
@ -206,6 +206,68 @@ function setRetry(retry_cycle, retry, retry_time, siteName) {
    });
 }

+
+
+//设置规则
+function setObjConf(ruleName, type) {
+    if (type == undefined) {
+        create_l = layer.open({
+            type: 1,
+            title: "编辑规则【" + ruleName + "】",
+            area: ['700px', '530px'],
+            closeBtn: 2,
+            shadeClose: false,
+            content: '<div class="pd15">\
+                <div style="border-bottom:#ccc 1px solid;margin-bottom:10px;padding-bottom:10px">\
+                <input class="bt-input-text" name="ruleValue" type="text" value="" style="width:470px;margin-right:12px;" placeholder="规则内容,请使用正则表达式">\
+                <input class="bt-input-text mr5" name="rulePs" type="text" style="width:120px;" placeholder="描述">\
+                <button class="btn btn-success btn-sm va0 pull-right" onclick="add_rule(\''+ ruleName + '\');">添加</button>\</div>\
+                <div class="divtable">\
+                <div id="jc-file-table" class="table_head_fix" style="max-height:300px;overflow:auto;border:#ddd 1px solid">\
+                <table class="table table-hover" style="border:none">\
+                    <thead>\
+                        <tr>\
+                            <th width="360">规则</th>\
+                            <th>说明</th>\
+                            <th>操作</th>\
+                            <th style="text-align: right;">状态</th>\
+                        </tr>\
+                    </thead>\
+                    <tbody id="set_obj_conf_con" class="gztr"></tbody>\
+                </table>\
+                </div>\
+            </div>\
+            <ul class="help-info-text c7 ptb10">\
+                <li style="color:red;">注意:如果您不了解正则表达式,请不要随意修改规则内容</li>\
+                <li>您可以添加或修改规则内容,但请使用正则表达式</li>\
+                <li>内置规则允许修改,但不可以直接删除,您可以设置规则状态来定义防火墙是否使用此规则</li>\
+            </ul></div>'
+        });
+        tableFixed("jc-file-table")
+    }
+    var loadT = layer.msg('正在获取配置规则，请稍候..', { icon: 16, time: 0 });
+    $.post('/plugin?action=a&name=btwaf&s=get_rule', { ruleName: ruleName }, function (rdata) {
+        layer.close(loadT);
+        var tbody = ''
+        for (var i = 0; i < rdata.length; i++) {
+            var removeRule = ''
+            if (rdata[i][3] != 0) removeRule = ' | <a class="btlink" onclick="remove_rule(\'' + ruleName + '\',' + i + ')">删除</a>';
+            tbody += '<tr>\
+                    <td class="rule_body_'+ i + '">' + rdata[i][1] + '</td>\
+                    <td class="rule_ps_'+ i + '">' + rdata[i][2] + '</td>\
+                    <td class="rule_modify_'+ i + '"><a class="btlink" onclick="modify_rule(' + i + ',\'' + ruleName + '\')">编辑</a>' + removeRule + '</td>\
+                    <td class="text-right">\
+                        <div class="pull-right">\
+                        <input class="btswitch btswitch-ios" id="closeua_'+ i + '" type="checkbox" ' + (rdata[i][0] ? 'checked' : '') + '>\
+                        <label class="btswitch-btn" style="width:2.0em;height:1.2em;margin-bottom: 0" for="closeua_'+ i + '" onclick="set_rule_state(\'' + ruleName + '\',' + i + ')"></label>\
+                        </div>\
+                    </td>\
+                </tr>'
+        }
+        $("#set_obj_conf_con").html(tbody)
+    });
+}
+
 function wafScreen(){

    owPost('waf_srceen', {}, function(data){
@ -278,7 +340,7 @@ function wafGloabl(){
                            <input class="btswitch btswitch-ios" id="closeget" type="checkbox" '+ (rdata.get.open ? 'checked' : '') + '>\
                            <label class="btswitch-btn" for="closeget" onclick="setObjOpen(\'get\')"></label>\
                        </div></td>\
-                        <td class="text-right"><a class="btlink" onclick="set_obj_conf(\'url\')">规则</a> | <a class="btlink" href="javascript:;" onclick="onlineEditFile(0,\'/www/server/btwaf/html/get.html\')">响应内容</a></td>\
+                        <td class="text-right"><a class="btlink" onclick="setObjConf(\'url\')">规则</a> | <a class="btlink" href="javascript:;" onclick="onlineEditFile(0,\'/www/server/btwaf/html/get.html\')">响应内容</a></td>\
                    </tr>\
                </tbody>\
            </table>\
--- a/plugins/op_waf/waf/config.lua
+++ b/plugins/op_waf/waf/config.lua
@ -1,13 +0,0 @@
-RulePath = "{$WAF_PATH}/wafconf"
-attacklog = "on"
-logdir = "{$ROOT_PATH}/wwwlogs/waf/"
-UrlDeny="on"
-Redirect="on"
-CookieMatch="off"
-postMatch="off" 
-whiteModule="on" 
-black_fileExt={"php","jsp"}
-ipWhitelist={"127.0.0.2"}
-ipBlocklist={"1.0.0.1"}
-CCDeny="off"
-CCrate="300/60"
--- a/plugins/op_waf/waf/lua/init.lua
+++ b/plugins/op_waf/waf/lua/init.lua
@ -1,3 +1,19 @@
+RulePath = "{$WAF_PATH}/wafconf"
+attacklog = "on"
+logdir = "{$ROOT_PATH}/wwwlogs/waf/"
+UrlDeny="on"
+Redirect="on"
+CookieMatch="off"
+postMatch="off" 
+whiteModule="on" 
+black_fileExt={"php","jsp"}
+ipWhitelist={"127.0.0.2"}
+ipBlocklist={"1.0.0.1"}
+CCDeny="off"
+CCrate="300/60"
+
+
+
 require 'config'
 local match = string.match
 local ngxmatch=ngx.re.find
--- a/plugins/op_waf/waf/lua/waf.lua
+++ b/plugins/op_waf/waf/lua/waf.lua
--- a/plugins/op_waf/waf/rule/args.json
+++ b/plugins/op_waf/waf/rule/args.json
@ -0,0 +1,158 @@
+[[
+    [
+        1,
+        "\\.\\./\\.\\./",
+        "目录保护1",
+        0
+    ],
+    [
+        1,
+        "/\\*",
+        "目录保护2",
+        0
+    ],
+    [
+        1,
+        "(?:etc\\/\\W*passwd)",
+        "目录保护3",
+        0
+    ],
+    [
+        1,
+        "(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/",
+        "PHP流协议过滤1",
+        0
+    ],
+    [
+        1,
+        "\\:\\$",
+        "一句话木马过滤1",
+        0
+    ],
+    [
+        1,
+        "\\$\\{",
+        "一句话木马过滤2",
+        0
+    ],
+    [
+        1,
+        "base64_decode\\(",
+        "一句话木马过滤3",
+        0
+    ],
+    [
+        1,
+        "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|char|chr|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(",
+        "一句话木马过滤4",
+        0
+    ],
+    [
+        1,
+        "\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[",
+        "一句话木马过滤5",
+        0
+    ],
+    [
+        1,
+        "\\s+(or|xor|and)\\s+.*(=|<|>|'|\")",
+        "SQL注入过滤1",
+        0
+    ],
+    [
+        1,
+        "select.+(from|limit)",
+        "SQL注入过滤2",
+        0
+    ],
+    [
+        1,
+        "(?:(union(.*?)select))",
+        "SQL注入过滤3",
+        0
+    ],
+    [
+        1,
+        "sleep\\((\\s*)(\\d*)(\\s*)\\)",
+        "SQL注入过滤5",
+        0
+    ],
+    [
+        1,
+        "benchmark\\((.*)\\,(.*)\\)",
+        "SQL注入过滤6",
+        0
+    ],
+    [
+        1,
+        "(?:from\\W+information_schema\\W)",
+        "SQL注入过滤7",
+        0
+    ],
+    [
+        1,
+        "(?:(?:current_)user|database|schema|connection_id)\\s*\\(",
+        "SQL注入过滤8",
+        0
+    ],
+    [
+        1,
+        "into(\\s+)+(?:dump|out)file\\s*",
+        "SQL注入过滤9",
+        0
+    ],
+    [
+        1,
+        "group\\s+by.+\\(",
+        "SQL注入过滤10",
+        0
+    ],
+    [
+        1,
+        "\\<(iframe|script|body|img|layer|div|meta|style|base|object|input)",
+        "XSS过滤1",
+        0
+    ],
+    [
+        0,
+        "(onmouseover|onerror|onload)\\=",
+        "XSS过滤2",
+        0
+    ],
+    [
+        1,
+        "(invokefunction|call_user_func_array|\\\\think\\\\)",
+        "ThinkPHP payload封堵",
+        0
+    ],
+    [
+        1,
+        "^url_array\\[.*\\]$",
+        "Metinfo6.x XSS漏洞",
+        0
+    ],
+    [
+        1,
+        "(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()",
+        "SQL报错注入过滤01",
+        0
+    ],
+    [
+        1,
+        "(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()",
+        "SQL报错注入过滤02",
+        0
+    ],
+    [
+        1,
+        "(substr\\()",
+        "SQL注入过滤10",
+        0
+    ],
+    [
+        1,
+        "\\|+\\s+[\\w\\W]+=[\\w\\W]+",
+        "SQL注入过滤1",
+        0
+    ]
+]]
--- a/plugins/op_waf/waf/site.json
+++ b/plugins/op_waf/waf/site.json
@ -1 +1 @@
-{"www.khxs.org": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}, "gae.cachecha.com": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}}
+{{"www.khxs.org": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}, "gae.cachecha.com": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}}}