update

6 years ago · f24c030a6b
parent c8ca8b60f8
commit f24c030a6b
5 changed files with 5 additions and 0 deletions
--- a/plugins/op_waf/waf/lua/init.lua
+++ b/plugins/op_waf/waf/lua/init.lua
@ -195,6 +195,7 @@ function waf_url()
 end


+local scan_black_rules = read_file('scan_black')
 function waf_scan_black()
    if not config['scan']['open'] or not C:is_site_config('scan') then return false end
    if C:is_ngx_match(scan_black_rules['cookie'],request_header['cookie'],false) then
--- a/plugins/op_waf/waf/rule/cookie.json
+++ b/plugins/op_waf/waf/rule/cookie.json
@ -0,0 +1 @@
+[[1, "\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 0], [1, "(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 0], [1, "(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 0], [1, "\\:\\$", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee41", 0], [1, "\\$\\{", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee42", 0], [1, "base64_decode\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee43", 0], [1, "\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee45", 0], [1, "\\b(or|xor|and)\\b.*(=|<|>|'|\")", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42", 0], [1, "(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 0], [0, "having|load_file", "SQL\u6ce8\u5165\u8fc7\u6ee44", 0], [1, "sleep\\((\\s*)(\\d*)(\\s*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee45", 0], [1, "benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 0], [1, "(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 0], [1, "(?:(?:current_)user|database|schema|connection_id)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 0], [1, "into(\\s+)+(?:dump|out)file\\s*", "SQL\u6ce8\u5165\u8fc7\u6ee49", 0], [1, "group\\s+by.+\\(", "SQL\u6ce8\u5165\u8fc7\u6ee410", 0], [0, "\\<(iframe|script|body|img|layer|div|meta|style|base|object|input)", "XSS\u8fc7\u6ee41", 0], [1, "(onmouseover|onerror|onload)\\=", "XSS\u8fc7\u6ee42", 0]]
--- a/plugins/op_waf/waf/rule/post.json
+++ b/plugins/op_waf/waf/rule/post.json
@ -0,0 +1 @@
+[[1, "(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 0], [1, "base64_decode\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee41", 0], [1, "(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 0], [1, "\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 0], [1, "\\s+(or|xor|and)\\s+(=|<|>|'|\")", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "select\\s+.+(from|limit)\\s+", "SQL\u6ce8\u5165\u8fc7\u6ee42", 0], [1, "(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 0], [1, "sleep\\((\\s*)(\\d*)(\\s*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee45", 0], [1, "benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 0], [1, "(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 0], [1, "(?:(?:current_)user|database|schema|connection_id)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 0], [1, "into(\\s+)+(?:dump|out)file\\s*", "SQL\u6ce8\u5165\u8fc7\u6ee49", 0], [1, "group\\s+by.+\\(", "SQL\u6ce8\u5165\u8fc7\u6ee410", 0], [0, "\\<(iframe|script|body|img|layer|div|meta|style|base|object|input)", "XSS\u8fc7\u6ee41", 0], [0, "(onmouseover|onerror|onload)\\=", "XSS\u8fc7\u6ee42", 0], [1, "(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 0], [1, "(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 0], [1, "(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 0], [1, "(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 0], [1, "(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 0]]
--- a/plugins/op_waf/waf/rule/scan_black.json
+++ b/plugins/op_waf/waf/rule/scan_black.json
@ -0,0 +1 @@
+{"header": "(Acunetix-Aspect|Acunetix-Aspect-Password|Acunetix-Aspect-Queries|X-WIPP|X-RequestManager-Memo|X-Request-Memo|X-Scan-Memo)", "args": "(/acunetix-wvs-test-for-some-inexistent-file|netsparker|acunetix_wvs_security_test|AppScan|XSS@HERE)", "cookie": "(CustomCookie|acunetixCookie)"}
--- a/plugins/op_waf/waf/rule/user_agent.json
+++ b/plugins/op_waf/waf/rule/user_agent.json
@ -0,0 +1 @@
+[[1, "(HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/)", "\u5173\u952e\u8bcd\u8fc7\u6ee41", 0]]
				`@ -0,0 +1 @@`
				[[1, "\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 0], [1, "(?:etc\\/\\Wpasswd)", "\u76ee\u5f55\u4fdd\u62a43", 0], [1, "(gopher\|doc\|php\|glob\|file\|phar\|zlib\|ftp\|ldap\|dict\|ogg\|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 0], [1, "\\:\\$", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee41", 0], [1, "\\$\\{", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee42", 0], [1, "base64_decode\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee43", 0], [1, "\\$_(GET\|post\|cookie\|files\|session\|env\|phplib\|GLOBALS\|SERVER)\\[", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee45", 0], [1, "\\b(or\|xor\|and)\\b.(=\|<\|>\|'\|\")", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "select.+(from\|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42", 0], [1, "(?:(union(.?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 0], [0, "having\|load_file", "SQL\u6ce8\u5165\u8fc7\u6ee44", 0], [1, "sleep\\((\\s)(\\d)(\\s)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee45", 0], [1, "benchmark\\((.)\\,(.)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 0], [1, "(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 0], [1, "(?:(?:current_)user\|database\|schema\|connection_id)\\s\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 0], [1, "into(\\s+)+(?:dump\|out)file\\s", "SQL\u6ce8\u5165\u8fc7\u6ee49", 0], [1, "group\\s+by.+\\(", "SQL\u6ce8\u5165\u8fc7\u6ee410", 0], [0, "\\<(iframe\|script\|body\|img\|layer\|div\|meta\|style\|base\|object\|input)", "XSS\u8fc7\u6ee41", 0], [1, "(onmouseover\|onerror\|onload)\\=", "XSS\u8fc7\u6ee42", 0]]
				`@ -0,0 +1 @@`
				[[1, "(gopher\|doc\|php\|glob\|file\|phar\|zlib\|ftp\|ldap\|dict\|ogg\|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 0], [1, "base64_decode\\(", "\u4e00\u53e5\u8bdd\u5c4f\u853d\u7684\u5173\u952e\u5b57\u8fc7\u6ee41", 0], [1, "(?:define\|eval\|file_get_contents\|include\|require_once\|shell_exec\|phpinfo\|system\|passthru\|chr\|char\|preg_\\w+\|execute\|echo\|print\|print_r\|var_dump\|(fp)open\|alert\|showmodaldialog\|file_put_contents\|fopen\|urldecode\|scandir)\\(", "\u4e00\u53e5\u8bdd\u5c4f\u853d\u7684\u5173\u952e\u5b57\u8fc7\u6ee42", 0], [1, "\\$_(GET\|post\|cookie\|files\|session\|env\|phplib\|GLOBALS\|SERVER)", "\u4e00\u53e5\u8bdd\u5c4f\u853d\u7684\u5173\u952e\u5b57\u8fc7\u6ee43", 0], [1, "\\s+(or\|xor\|and)\\s+(=\|<\|>\|'\|\")", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "select\\s+.+(from\|limit)\\s+", "SQL\u6ce8\u5165\u8fc7\u6ee42", 0], [1, "(?:(union(.?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 0], [1, "sleep\\((\\s)(\\d)(\\s)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee45", 0], [1, "benchmark\\((.)\\,(.)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 0], [1, "(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 0], [1, "(?:(?:current_)user\|database\|schema\|connection_id)\\s\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 0], [1, "into(\\s+)+(?:dump\|out)file\\s", "SQL\u6ce8\u5165\u8fc7\u6ee49", 0], [1, "group\\s+by.+\\(", "SQL\u6ce8\u5165\u8fc7\u6ee410", 0], [0, "\\<(iframe\|script\|body\|img\|layer\|div\|meta\|style\|base\|object\|input)", "XSS\u8fc7\u6ee41", 0], [0, "(onmouseover\|onerror\|onload)\\=", "XSS\u8fc7\u6ee42", 0], [1, "(extractvalue\\(\|concat\\(0x\|user\\(\\)\|substring\\(\|count\\(\\\\)\|substring\\(hex\\(\|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 0], [1, "(@@version\|load_file\\(\|NAME_CONST\\(\|exp\\(\\~\|floor\\(rand\\(\|geometrycollection\\(\|multipoint\\(\|polygon\\(\|multipolygon\\(\|linestring\\(\|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 0], [1, "(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 0], [1, "(ORD\\(\|MID\\(\|IFNULL\\(\|CAST\\(\|CHAR\\))", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "(EXISTS\\(\|SELECT\\#\|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 0], [1, "(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 0], [1, "(?:define\|eval\|file_get_contents\|include\|require_once\|shell_exec\|phpinfo\|system\|passthru\|chr\|char\|preg_\\w+\|execute\|echo\|print\|print_r\|var_dump\|(fp)open\|alert\|showmodaldialog\|file_put_contents\|fopen\|urldecode)\\(", "\u4e00\u53e5\u8bdd\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 0]]
				`@ -0,0 +1 @@`
				`{"header": "(Acunetix-Aspect\|Acunetix-Aspect-Password\|Acunetix-Aspect-Queries\|X-WIPP\|X-RequestManager-Memo\|X-Request-Memo\|X-Scan-Memo)", "args": "(/acunetix-wvs-test-for-some-inexistent-file\|netsparker\|acunetix_wvs_security_test\|AppScan\|XSS@HERE)", "cookie": "(CustomCookie\|acunetixCookie)"}`
				`@ -0,0 +1 @@`
				`[[1, "(HTTrack\|Apache-HttpClient\|harvest\|audit\|dirbuster\|pangolin\|nmap\|sqln\|hydra\|Parser\|libwww\|BBBike\|sqlmap\|w3af\|owasp\|Nikto\|fimap\|havij\|zmeu\|BabyKrokodil\|netsparker\|httperf\| SF/)", "\u5173\u952e\u8bcd\u8fc7\u6ee41", 0]]`