From 9e207ad4d37f3f04d592bd4e3c8518f9211e3d6f Mon Sep 17 00:00:00 2001 From: midoks Date: Wed, 12 Oct 2022 00:38:23 +0800 Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20=E5=BC=BA=E5=88=B6?= =?UTF-8?q?=E5=AE=89=E5=85=A8=E9=AA=8C=E8=AF=81=20=E5=8A=9F=E8=83=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- plugins/op_waf/index.py | 27 +++++ plugins/op_waf/js/op_waf.js | 103 +++++++++++++--- plugins/op_waf/t/index.py | 14 ++- plugins/op_waf/waf/config.json | 2 +- plugins/op_waf/waf/html/cookie.html | 2 +- plugins/op_waf/waf/html/get.html | 2 +- plugins/op_waf/waf/html/other.html | 2 +- plugins/op_waf/waf/html/post.html | 2 +- plugins/op_waf/waf/html/safe_js.html | 154 ++++++++++++++++++++++++ plugins/op_waf/waf/html/user_agent.html | 2 +- plugins/op_waf/waf/lua/init.lua | 70 +++++++++-- plugins/op_waf/waf/rule/ip_white.json | 2 +- 12 files changed, 343 insertions(+), 39 deletions(-) create mode 100755 plugins/op_waf/waf/html/safe_js.html diff --git a/plugins/op_waf/index.py b/plugins/op_waf/index.py index 980c3653f..629ff8480 100755 --- a/plugins/op_waf/index.py +++ b/plugins/op_waf/index.py @@ -120,6 +120,7 @@ def initSiteInfo(): tmp['user-agent'] = config_contents['user-agent'] tmp['cookie'] = config_contents['cookie'] tmp['scan'] = config_contents['scan'] + tmp['safe_verify'] = config_contents['safe_verify'] cdn_header = ['x-forwarded-for', 'x-real-ip', 
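Review bot: `tmp['safe_verify'] = config_contents['safe_verify']` reads the new key unconditionally, so an installed config.json written before this commit (the plugin config is user-edited at runtime and may not be replaced on upgrade — confirm how upgrades treat it) makes `initSiteInfo()` raise `KeyError` and takes the whole rule list down, not just the new rule. A tolerant read keeps older configs working and mirrors the defaults this commit adds to config.json: `tmp['safe_verify'] = config_contents.get('safe_verify', {'status': 200, 'ps': '强制安全校验', 'reqfile': 'safe_js.html', 'open': False, 'cpu': 75, 'auto': True, 'time': 86400})`. `initSiteInfo()` begins before this hunk.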
@@ -668,6 +669,30 @@ def setRetry(): return mw.returnJson(True, '设置成功!', []) +def setSafeVerify(): + args = getArgs() + data = checkArgs(args, ['auto', 'time', 'cpu']) + if not data[0]: + return data[1] + + conf = getJsonPath('config') + content = mw.readFile(conf) + cobj = json.loads(content) + + cobj['safe_verify']['time'] = args['time'] + cobj['safe_verify']['cpu'] = args['cpu'] + + if args['auto'] == '0': + cobj['safe_verify']['auto'] = False + else: + cobj['safe_verify']['auto'] = True + + cjson = mw.getJson(cobj) + mw.writeFile(conf, cjson) + + return mw.returnJson(True, '设置成功!', []) + + def setSiteRetry(): return mw.returnJson(True, '设置成功-?!', []) @@ -997,6 +1022,8 @@ if __name__ == "__main__": print(setSiteCcConf()) elif func == 'set_retry': print(setRetry()) + elif func == 'set_safe_verify': + print(setSafeVerify()) elif func == 'set_site_retry': print(setSiteRetry()) elif func == 'save_scan_rule': diff --git a/plugins/op_waf/js/op_waf.js b/plugins/op_waf/js/op_waf.js index da9650d8c..8fe0fe86a 100755 --- a/plugins/op_waf/js/op_waf.js +++ b/plugins/op_waf/js/op_waf.js @@ -69,8 +69,10 @@ function setObjOpen(ruleName){ owPost('set_obj_open', {obj:ruleName},function(data){ var rdata = $.parseJSON(data.data); if (rdata.status){ - layer.msg(rdata.msg,{icon:0,time:2000,shade: [0.3, '#000']}); - wafGloabl(); + + showMsg(rdata.msg, function(){ + wafGloabl(); + },{icon:1,time:2000,shade: [0.3, '#000']},2000); } else { layer.msg('设置失败!',{icon:0,time:2000,shade: [0.3, '#000']}); } @@ -84,7 +86,7 @@ function saveCcRule(siteName,is_open_global, type) { if(type == 2){ // set_aicc_open('start'); increase = "0"; - }else{ + } else { // set_aicc_open('stop'); increase = type; } @@ -164,7 +166,10 @@ function setCcRule(cycle, limit, endtime, siteName, increase){
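Review bot: `setSafeVerify()` stores `args['time']` and `args['cpu']` exactly as received, with no type or range check; `time` is later passed straight to `ngx.shared.limit:set(cache_token, 1, config['safe_verify']['time'])` in init.lua as the expiry, so a non-numeric, zero or negative value from the settings dialog lands in that call unfiltered, and because the shipped config.json holds these as integers while this code writes strings, the value's type also drifts on first save. `cobj['safe_verify']['time']` is likewise an unguarded index that raises `KeyError` on a config.json that predates this commit. Coerce and bound both values before writing and reject the request otherwise; the dispatcher hunk on this line needs no change.
```python
    # … unchanged: getArgs / checkArgs …
    try:
        verify_time = int(args['time'])   # used verbatim as the shared-dict expiry in init.lua
        cpu_limit = int(args['cpu'])      # percentage
    except (TypeError, ValueError):
        return mw.returnJson(False, '参数错误!', [])
    if verify_time <= 0 or not 0 <= cpu_limit <= 100:
        return mw.returnJson(False, '参数错误!', [])
    # … unchanged: read config …
    cobj['safe_verify']['time'] = verify_time
    cobj['safe_verify']['cpu'] = cpu_limit
    cobj['safe_verify']['auto'] = args['auto'] != '0'
    # … unchanged: write back and return …
```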
  • 请不要设置过于严格的CC规则,以免影响正常用户体验
  • \
  • 全局应用:全局设置当前CC规则,且覆盖当前全部站点的CC规则
  • \ \ -
    \ +
    \ + \ + \ +
    \ ', success:function(layero,index){ $('.btn_cc_all').click(function(){ @@ -201,9 +206,12 @@ function setRetry(retry_cycle, retry, retry_time, siteName) { \ \ -
    \ +
    \ + \ + \ +
    \ ', success:function(){ $('.btn_retry_all').click(function(){ @@ -217,6 +225,65 @@ function setRetry(retry_cycle, retry, retry_time, siteName) { } + +//设置safe_verify规则 +function setSafeVerify(auto, cpu, time, siteName) { + var svlayer = layer.open({ + type: 1, + title: "设置强制安全验证", + area: '500px', + closeBtn: 1, + shadeClose: false, + content: '
    \ +
    \ + CPU\ +
    %
    \ +
    \ +
    \ + 通行时间\ +
    \ +
    \ +
    \ + 开启自动\ +
    \ + \ +
    \ +
    \ +
      \ +
    • 全局设置强制安全验证
    • \ +
    • 开启自动后:cpu超过['+cpu+'%]后,强制验证。
    • \ +
    \ +
    \ + \ +
    \ +
    ', + success:function(index){ + $('.btn_sv_present').click(function(){ + var pdata = { + siteName: siteName, + cpu: $("input[name='cpu']").val(), + auto: $("select[name='auto']").val(), + time: $("input[name='time']").val(), + } + var act = 'set_safe_verify'; + owPost(act, pdata, function(data){ + var rdata = $.parseJSON(data.data); + showMsg(rdata.msg, function() { + layer.close(svlayer); + wafGloabl(); + },{ icon: rdata.status ? 1 : 2 },1000); + }); + }); + + + }, + }); +} + + //保存retry规则 function saveRetry(siteName,type) { var pdata = { @@ -253,15 +320,6 @@ function addRule(ruleName) { },1000); } }); - - // var loadT = layer.msg('正在添加,请稍候..', { icon: 16, time: 0 }); - // $.post('/plugin?action=a&name=btwaf&s=add_rule', pdata, function (rdata) { - // layer.close(loadT); - // layer.msg(rdata.msg, { icon: rdata.status ? 1 : 2 }); - // if (rdata.status) { - // set_obj_conf(ruleName, 1); - // } - // }); } function modifyRule(index, ruleName) { @@ -878,6 +936,16 @@ function wafGloabl(){ --\ 初始规则\ \ + \ + 强制安全验证\ + '+rdata.safe_verify.ps+'\ + --\ +
    \ + \ +
    \ + \ + 设置 | 响应内容\ + \ \ GET-URI过滤\ '+ rdata.get.ps + '\ @@ -1612,10 +1680,7 @@ function wafSite(){ -function wafHistory(){ - - - +function wafHistory(){ var con = ''; con += '
    \ \ diff --git a/plugins/op_waf/t/index.py b/plugins/op_waf/t/index.py index 9cc22c080..6580d67c8 100644 --- a/plugins/op_waf/t/index.py +++ b/plugins/op_waf/t/index.py @@ -182,14 +182,26 @@ def test_url_ext(): print("url_ext end") +def test_OK(): + ''' + 目录保存 + ''' + url = TEST_URL + print("ok test start") + url_val = httpGet(url, 10) + print(url_val) + print("ok test end") + + def test_start(): + test_OK() # test_Dir() # test_UA() # test_POST() # test_scan() # test_CC() # test_url_ext() - test_cdn() + # test_cdn() if __name__ == "__main__": diff --git a/plugins/op_waf/waf/config.json b/plugins/op_waf/waf/config.json index c9835d484..aa9e71547 100755 --- a/plugins/op_waf/waf/config.json +++ b/plugins/op_waf/waf/config.json 
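Review bot: The docstring on `test_OK()` says `目录保存` ("directory save"), copied from another test, and should describe what the function does, e.g. `'''Plain GET against TEST_URL; expected to pass the WAF untouched.'''`. The function only prints the response and asserts nothing, so it can never fail, and `test_cdn()` is commented out rather than run alongside it — this reads like a local debugging state that was committed rather than a test.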
@@ -1 +1 @@ -{"reqfile_path": "{$WAF_PATH}/html", "retry": {"retry_time": 180, "is_open_global": 0, "retry": 6, "retry_cycle": 60}, "log": true, "scan": {"status": 444, "ps": "\u8fc7\u6ee4\u5e38\u89c1\u626b\u63cf\u6d4b\u8bd5\u5de5\u5177\u7684\u6e17\u900f\u6d4b\u8bd5", "open": true, "reqfile": ""}, "cc": {"status": 444, "ps": "\u8fc7\u8651CC\u653b\u51fb", "limit": 120, "endtime": 300, "open": true, "reqfile": "", "cycle": 60}, "get": {"status": 403, "ps": "\u8fc7\u6ee4uri\u3001uri\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "get.html"}, "log_save": 30, "user-agent": {"status": 403, "ps": "\u901a\u5e38\u7528\u4e8e\u8fc7\u6ee4\u6d4f\u89c8\u5668\u3001\u8718\u86db\u53ca\u4e00\u4e9b\u81ea\u52a8\u626b\u63cf\u5668", "open": true, "reqfile": "user_agent.html"}, "other": {"status": 403, "ps": "\u5176\u5b83\u975e\u901a\u7528\u8fc7\u6ee4", "reqfile": "other.html"}, "cookie": {"status": 403, "ps": "\u8fc7\u6ee4\u5229\u7528Cookie\u53d1\u8d77\u7684\u6e17\u900f\u653b\u51fb", "open": true, "reqfile": "cookie.html"}, "logs_path": "/www/wwwlogs/waf", "post": {"status": 403, "ps": "\u8fc7\u6ee4POST\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "post.html"}, "open": true} \ No newline at end of file +{"reqfile_path": "{$WAF_PATH}/html", "retry": {"retry_time": 180, "is_open_global": 0, "retry": 6, "retry_cycle": 60}, "log": true, "scan": {"status": 444, "ps": "过滤常见扫描测试工具的渗透测试", "open": true, "reqfile": ""}, "cc": {"status": 444, "ps": "过虑CC攻击", "limit": 120, "endtime": 300, "open": true, "reqfile": "safe_js.html", "cycle": 60}, "safe_verify":{"status": 200,"ps": "强制安全校验", "reqfile": "safe_js.html","open": false,"cpu":75,"auto":true,"time":86400 },"get": {"status": 403, "ps": "过滤uri、uri参数中常见sql注入、xss等攻击", "open": true, "reqfile": "get.html"}, "log_save": 30, "user-agent": {"status": 403, "ps": "通常用于过滤浏览器、蜘蛛及一些自动扫描器", "open": true, "reqfile": "user_agent.html"}, "other": {"status": 
403, "ps": "其它非通用过滤", "reqfile": "other.html"}, "cookie": {"status": 403, "ps": "过滤利用Cookie发起的渗透攻击", "open": true, "reqfile": "cookie.html"}, "logs_path": "/www/wwwlogs/waf", "post": {"status": 403, "ps": "过滤POST参数中常见sql注入、xss等攻击", "open": true, "reqfile": "post.html"}, "open": true} \ No newline at end of file diff --git a/plugins/op_waf/waf/html/cookie.html b/plugins/op_waf/waf/html/cookie.html index 6c91a2efa..b0e79a85e 100755 --- a/plugins/op_waf/waf/html/cookie.html +++ b/plugins/op_waf/waf/html/cookie.html @@ -7,7 +7,7 @@ *{margin:0;padding:0;color:#444} body{font-size:14px;font-family:"宋体"} .main{width:600px;margin:10% auto;} -.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;padding-left: 20px;} +.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;text-align: center;} .content{background-color:#f3f7f9; height:280px;border:1px dashed #c6d9b6;padding:20px} .t1{border-bottom: 1px dashed #c6d9b6;color: #ff4000;font-weight: bold; margin: 0 0 20px; padding-bottom: 18px;} .t2{margin-bottom:8px; font-weight:bold} diff --git a/plugins/op_waf/waf/html/get.html b/plugins/op_waf/waf/html/get.html index 6c91a2efa..b0e79a85e 100755 --- a/plugins/op_waf/waf/html/get.html +++ b/plugins/op_waf/waf/html/get.html @@ -7,7 +7,7 @@ *{margin:0;padding:0;color:#444} body{font-size:14px;font-family:"宋体"} .main{width:600px;margin:10% auto;} -.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;padding-left: 20px;} +.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;text-align: center;} .content{background-color:#f3f7f9; height:280px;border:1px dashed #c6d9b6;padding:20px} .t1{border-bottom: 1px dashed #c6d9b6;color: #ff4000;font-weight: bold; margin: 0 0 20px; padding-bottom: 18px;} .t2{margin-bottom:8px; font-weight:bold} diff --git a/plugins/op_waf/waf/html/other.html b/plugins/op_waf/waf/html/other.html index 6c91a2efa..b0e79a85e 100755 
--- a/plugins/op_waf/waf/html/other.html +++ b/plugins/op_waf/waf/html/other.html @@ -7,7 +7,7 @@ *{margin:0;padding:0;color:#444} body{font-size:14px;font-family:"宋体"} .main{width:600px;margin:10% auto;} -.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;padding-left: 20px;} +.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;text-align: center;} .content{background-color:#f3f7f9; height:280px;border:1px dashed #c6d9b6;padding:20px} .t1{border-bottom: 1px dashed #c6d9b6;color: #ff4000;font-weight: bold; margin: 0 0 20px; padding-bottom: 18px;} .t2{margin-bottom:8px; font-weight:bold} diff --git a/plugins/op_waf/waf/html/post.html b/plugins/op_waf/waf/html/post.html index 6c91a2efa..b0e79a85e 100755 --- a/plugins/op_waf/waf/html/post.html +++ b/plugins/op_waf/waf/html/post.html @@ -7,7 +7,7 @@ *{margin:0;padding:0;color:#444} body{font-size:14px;font-family:"宋体"} .main{width:600px;margin:10% auto;} -.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;padding-left: 20px;} +.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;text-align: center;} .content{background-color:#f3f7f9; height:280px;border:1px dashed #c6d9b6;padding:20px} .t1{border-bottom: 1px dashed #c6d9b6;color: #ff4000;font-weight: bold; margin: 0 0 20px; padding-bottom: 18px;} .t2{margin-bottom:8px; font-weight:bold} diff --git a/plugins/op_waf/waf/html/safe_js.html b/plugins/op_waf/waf/html/safe_js.html new file mode 100755 index 000000000..963a6df63 --- /dev/null +++ b/plugins/op_waf/waf/html/safe_js.html @@ -0,0 +1,154 @@ + + + + +OP网站防火墙|安全校验 + + + + +
    +
    OP网站防火墙|安全校验
    +
    +

    5

    +
    + +
    + + + + + diff --git a/plugins/op_waf/waf/html/user_agent.html b/plugins/op_waf/waf/html/user_agent.html index 6c91a2efa..b0e79a85e 100755 --- a/plugins/op_waf/waf/html/user_agent.html +++ b/plugins/op_waf/waf/html/user_agent.html @@ -7,7 +7,7 @@ *{margin:0;padding:0;color:#444} body{font-size:14px;font-family:"宋体"} .main{width:600px;margin:10% auto;} -.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;padding-left: 20px;} +.title{background: #20a53a;color: #fff;font-size: 16px;height: 40px;line-height: 40px;text-align: center;} .content{background-color:#f3f7f9; height:280px;border:1px dashed #c6d9b6;padding:20px} .t1{border-bottom: 1px dashed #c6d9b6;color: #ff4000;font-weight: bold; margin: 0 0 20px; padding-bottom: 18px;} .t2{margin-bottom:8px; font-weight:bold} diff --git a/plugins/op_waf/waf/lua/init.lua b/plugins/op_waf/waf/lua/init.lua index 06b590782..7a569209c 100644 --- a/plugins/op_waf/waf/lua/init.lua +++ b/plugins/op_waf/waf/lua/init.lua @@ -15,6 +15,7 @@ C:setDebug(true) local get_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["get"]["reqfile"]) local post_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["post"]["reqfile"]) local user_agent_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["user-agent"]["reqfile"]) +local cc_safe_js_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["cc"]["reqfile"]) local args_rules = C:read_file_table('args') local ip_white_rules = C:read_file('ip_white') local ip_black_rules = C:read_file('ip_black') 
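Review bot: `cc_safe_js_html` is loaded from `config["cc"]["reqfile"]`, not from the new `config["safe_verify"]["reqfile"]`, even though it is consumed only by the safe-verify challenge in `waf_cc_increase()`; both happen to be `safe_js.html` in the shipped config.json, but the cc rule's response page is configurable on its own, and before this commit `cc.reqfile` was `""`, so an unmigrated config would hand `read_file_body` the `html` directory itself. Point the load at the rule that uses it: `local cc_safe_js_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["safe_verify"]["reqfile"])`. The page is read once at load time, so a missing file would only surface when `string.gsub` later receives a nil — worth a guard at load if `C:read_file_body` returns nil on failure (cannot tell from here).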
@@ -58,6 +59,25 @@ function get_waf_drop_ip() end +math.randomseed(os.time()) + +function get_random(n) + local t = { + "0","1","2","3","4","5","6","7","8","9", + "a","b","c","d","e","f","g","h","i","j", + "k","l","m","n","o","p","q","r","s","t", + "u","v","w","x","y","z", + "A","B","C","D","E","F","G","H","I","J", + "K","L","M","N","O","P","Q","R","S","T", + "U","V","W","X","Y","Z", + } + local s = "" + for i =1, n do + s = s .. t[math.random(#t)] + end + return s +end + function is_chekc_table(data,strings) if type(data) ~= 'table' then return 1 end if not data then return 1 end 
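Review bot: `get_random()` draws from `math.random` seeded once with `math.randomseed(os.time())` at file load — a seconds-resolution, non-cryptographic seed — so workers that load this file in the same second (or inherit the state from a master-side init, depending on which phase loads it) produce the same token sequence. That is tolerable only because the value is sent to the client in the challenge page and is not a secret, and the code should say so: `-- NOTE: not a CSPRNG; the value is handed to the client, treat it as a nonce, not a secret`. If an unguessable token is ever needed here, use `resty.random` or read `/dev/urandom` instead.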
@@ -258,22 +278,47 @@ function waf_cc() return false end +-- 是否符合开强制验证条件 +function is_open_waf_cc_increase() + + if config['safe_verify']['open'] then + return true + end + + if site_config[server_name]['safe_verify']['open'] then + return true + end + return false +end + + --强制验证是否使用正常浏览器访问网站 function waf_cc_increase() - - if not config['cc']['open'] or not site_cc then return false end - if not site_config[server_name] then return false end - if not site_config[server_name]['cc']['increase'] then return false end + local ip = params['ip'] + local uri = params['uri'] + + if not is_open_waf_cc_increase() then return false end local cache_token = ngx.md5(ip .. '_' .. server_name) + --判断是否已经通过验证 - if ngx.shared.btwaf:get(cache_token) then return false end - if cc_uri_white() then - ngx.shared.btwaf:delete(cache_token .. '_key') - ngx.shared.btwaf:set(cache_token,1,60) - return false - end - if security_verification() then return false end - send_check_heml(cache_token) + if ngx.shared.limit:get(cache_token) then return false end + + local cache_rand_key = ip..':rand' + local cache_rand = ngx.shared.limit:get(cache_rand_key) + if not cache_rand then + cache_rand = get_random(8) + ngx.shared.limit:set(cache_rand_key,cache_rand,10) + end + + make_uri_str = "unbind_"..cache_rand.."_"..cache_token + make_uri = "/"..make_uri_str + if uri == make_uri then + ngx.shared.limit:set(cache_token,1, config['safe_verify']['time']) + C:return_message(200, get_return_state(0,'ok')) + end + + local cc_html = string.gsub(cc_safe_js_html, "{uri}", make_uri_str) + C:return_html(200, cc_html) end @@ -586,6 +631,7 @@ function waf() -- cc setting if waf_drop() then return true end + if waf_cc_increase() then return true end if waf_cc() then return true end -- ua check diff --git a/plugins/op_waf/waf/rule/ip_white.json b/plugins/op_waf/waf/rule/ip_white.json index 2fae3655e..0e7bf1e17 100755 --- a/plugins/op_waf/waf/rule/ip_white.json +++ b/plugins/op_waf/waf/rule/ip_white.json 
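Review bot: `is_open_waf_cc_increase()` indexes `site_config[server_name]['safe_verify']['open']` with no nil checks, whereas the removed lines had `if not site_config[server_name] then return false end`; a host with no site entry, or a per-site config saved before `safe_verify` existed, now raises a Lua index error on every request instead of skipping the check. In `waf_cc_increase()`, `make_uri_str` and `make_uri` are assigned without `local` and become per-worker globals, and nothing here reads `safe_verify.cpu` or `safe_verify.auto`, so the "force verification once CPU exceeds N%" mode advertised by the settings dialog in this commit is not implemented — the gate is `open` alone. The pass is keyed on `ngx.md5(ip .. '_' .. server_name)` for `safe_verify.time` seconds with no per-client cookie, so everyone behind a shared egress IP is admitted once one client completes the challenge, and since the pass URL is substituted into the HTML in clear, any client that follows `{uri}` passes — a fetch-and-follow check, not a browser check, which the function comment should state. The removed code also skipped `cc_uri_white()` URIs; the new code challenges every request, so API or webhook callers receive an HTML page with status 200 (presumably unintended), and `C:return_message()` must terminate the request, otherwise the unbind branch falls through to `C:return_html()`. The `waf()` hunk on this line relies on `waf_cc_increase()` exiting on the challenge path, since it returns nil there.
```lua
function is_open_waf_cc_increase()
    if config['safe_verify'] and config['safe_verify']['open'] then
        return true
    end
    local site = site_config[server_name]
    if site and site['safe_verify'] and site['safe_verify']['open'] then
        return true
    end
    return false
end

-- … unchanged: waf_cc_increase() up to the rand lookup …
    local make_uri_str = "unbind_"..cache_rand.."_"..cache_token
    local make_uri = "/"..make_uri_str
-- … unchanged: unbind handling and challenge page …
```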
@@ -1 +1 @@ -[[[127, 0, 0, 1], [127, 0, 0, 255]]] \ No newline at end of file +[[[127, 0, 0, 2], [127, 0, 0, 255]]] \ No newline at end of file
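Review bot: The whitelist range moves from `127.0.0.1–127.0.0.255` to `127.0.0.2–127.0.0.255`, removing the loopback address itself; together with `test_OK()` hitting `TEST_URL` from the same machine in this commit, this looks like a change made so local tests are no longer exempt. If it is meant to ship, anything probing the site from loopback (health checks, local monitoring) now passes through every rule, including the new forced-verification page; if not, it should be reverted before merge.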