pull/216/head
midoks 3 years ago
parent a8e6ee052c
commit f702f70f89
  1. 2
      plugins/op_waf/js/op_waf.js
  2. 46
      plugins/op_waf/waf/lua/common.lua
  3. 88
      plugins/op_waf/waf/lua/init.lua
  4. 24
      plugins/op_waf/waf/wafconf/args
  5. 20
      plugins/op_waf/waf/wafconf/cookie
  6. 7
      plugins/op_waf/waf/wafconf/denycc

@ -884,7 +884,7 @@ function wafScreen(){
<div class="line"><span class="name">Cookie渗透</span><span class="val">'+rdata.rules.cookie+'</span></div>\ <div class="line"><span class="name">Cookie渗透</span><span class="val">'+rdata.rules.cookie+'</span></div>\
<div class="line"><span class="name">恶意扫描</span><span class="val">'+rdata.rules.scan+'</span></div>\ <div class="line"><span class="name">恶意扫描</span><span class="val">'+rdata.rules.scan+'</span></div>\
<div class="line"><span class="name">恶意HEAD请求</span><span class="val">0</span></div>\ <div class="line"><span class="name">恶意HEAD请求</span><span class="val">0</span></div>\
<div class="line"><span class="name">URI自定义拦截</span><span class="val">'+rdata.rules.args+'</span></div>\ <div class="line"><span class="name">URI自定义拦截</span><span class="val">'+rdata.rules.url+'</span></div>\
<div class="line"><span class="name">URI保护</span><span class="val">'+rdata.rules.args+'</span></div>\ <div class="line"><span class="name">URI保护</span><span class="val">'+rdata.rules.args+'</span></div>\
<div class="line"><span class="name">恶意文件上传</span><span class="val">'+rdata.rules.upload_ext+'</span></div>\ <div class="line"><span class="name">恶意文件上传</span><span class="val">'+rdata.rules.upload_ext+'</span></div>\
<div class="line"><span class="name">禁止的扩展名</span><span class="val">'+rdata.rules.path+'</span></div>\ <div class="line"><span class="name">禁止的扩展名</span><span class="val">'+rdata.rules.path+'</span></div>\
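Review bot: The URI自定义拦截 row now reads `rdata.rules.url`, but nothing in this hunk guards the case where the response object lacks that key, so the row would render the string "undefined" if the backend has not been updated to emit `url` alongside `args`. A fallback such as `'+(rdata.rules.url||0)+'` would keep the display consistent with the hard-coded `0` already used on the 恶意HEAD请求 row. wafScreen's body extends outside the hunk.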

@ -517,52 +517,6 @@ function _M.is_ngx_match_post(self, rules, content)
end end
function _M.is_ngx_match(self, rules, sbody, rule_name)
if rules == nil or sbody == nil then return false end
if type(sbody) == "string" then
sbody = {sbody}
end
if type(rules) == "string" then
rules = {rules}
end
for k,body in pairs(sbody)
do
if self:continue_key(k) then
for i,rule in ipairs(rules)
do
if self.site_config[server_name] and rule_name then
local n = i - 1
for _,j in ipairs(self.site_config[server_name]['disable_rule'][rule_name])
do
if n == j then
rule = ""
end
end
end
if body and rule ~="" then
if type(body) == "string" then
if ngx_match(ngx.unescape_uri(body),rule,"isjo") then
error_rule = rule .. ' >> ' .. k .. ':' .. body
return true
end
end
if type(k) == "string" then
if ngx_match(ngx.unescape_uri(k),rule,"isjo") then
error_rule = rule .. ' >> ' .. k
return true
end
end
end
end
end
end
return false
end
function _M.write_log(self, name, rule) function _M.write_log(self, name, rule)
local config = self.config local config = self.config
local params = self.params local params = self.params

@ -31,6 +31,7 @@ local scan_black_rules = require "rule_scan_black"
local user_agent_rules = require "rule_user_agent" local user_agent_rules = require "rule_user_agent"
local post_rules = require "rule_post" local post_rules = require "rule_post"
local cookie_rules = require "rule_cookie" local cookie_rules = require "rule_cookie"
local url_rules = require "rule_url"
local server_name = string.gsub(C:get_sn(config_domains),'_','.') local server_name = string.gsub(C:get_sn(config_domains),'_','.')
@ -355,7 +356,8 @@ end
local function waf_url() local function waf_url()
if not config['get']['open'] or not C:is_site_config('get') then return false end if not config['get']['open'] or not C:is_site_config('get') then return false end
--正则-- --正则--
if C:is_ngx_match(url_rules, params["uri"], 'url') then -- C:D("waf_url:"..json.encode(url_rules)..":uri:"..params["uri"])
if C:ngx_match_list(url_rules, params["uri"]) then
C:write_log('url','regular') C:write_log('url','regular')
C:return_html(config['get']['status'], get_html) C:return_html(config['get']['status'], get_html)
return true return true
@ -424,67 +426,6 @@ local function waf_post()
return false return false
end end
local function waf_post_data_check()
if params['method'] == "POST" then
C:D("post_data_check start")
if C:return_post_data() then return false end
ngx.req.read_body()
local request_args = params['uri_request_args']
if not request_args then return false end
C:D("post_data_check:"..json.encode(params['request_header']))
local av = nil
if params['request_header'] then
if not params['request_header']['content-type'] then return false end
av = string.match(params['request_header']['content-type'], "=.+")
C:D("post_data_check[av]:"..json.encode(av))
end
if not av then return false end
ac = C:split(av,'=')
if not ac then return false end
list_list = nil
for i,v in ipairs(ac)
do
list_list = '--'..v
end
if not list_list then return false end
aaa = nil
for k,v in pairs(request_args)
do
aaa = v
end
if not aaa then return false end
if tostring(aaa) == 'true' then return false end
if type(aaa) ~= "string" then return false end
data_len = C:split(aaa, list_list)
if not data_len then return false end
if arrlen(data_len) == 0 then return false end
C:D("post_rules:"..json.encode(post_rules).."data_len:"..json.encode(data_len))
if C:is_ngx_match_post(post_rules , data_len) then
C:write_log('post','regular')
C:return_html(config['post']['status'], post_html)
return true
end
end
end
local function X_Forwarded() local function X_Forwarded()
if params['method'] ~= "GET" then return false end if params['method'] ~= "GET" then return false end
@ -537,40 +478,26 @@ local function disable_upload_ext(ext)
C:return_html(config['other']['status'],other_html) C:return_html(config['other']['status'],other_html)
return true return true
end end
end
local function data_in_php(data)
if not data then
return false
else
if C:is_ngx_match('php', data, 'post') then
C:write_log('upload_ext','上传扩展名黑名单')
C:return_html(config['other']['status'], other_html)
return true
else
return false return false
end end
end
end
local function post_data() local function post_data()
if params["method"] ~= "POST" then return false end if params["method"] ~= "POST" then return false end
-- C:D("content-length:"..params["request_header"]['content-length'])
local content_length = tonumber(params["request_header"]['content-length']) local content_length = tonumber(params["request_header"]['content-length'])
if not content_length then return false end if not content_length then return false end
local max_len = 2560 * 1024000 local max_len = 2560 * 1024000
if content_length > max_len then return false end if content_length > max_len then return false end
local boundary = C:get_boundary() local boundary = C:get_boundary()
-- C:D("boundary:".. tostring( boundary) )
if boundary then if boundary then
ngx.req.read_body() ngx.req.read_body()
local data = ngx.req.get_body_data() local data = ngx.req.get_body_data()
if not data then return false end if not data then return false end
local tmp = ngx.re.match(data,[[filename=\"(.+)\.(.*)\"]]) local tmp = ngx.re.match(data,[[filename=\"(.+)\.(.*)\"]])
if not tmp then return false end if not tmp or not tmp[2] then return false end
if not tmp[2] then return false end -- C:D("upload_ext:".. tostring(tmp[2]) )
local tmp2 = ngx.re.match(ngx.req.get_body_data(),[[Content-Type:[^\+]{45}]])
disable_upload_ext(tmp[2]) disable_upload_ext(tmp[2])
if tmp2 == nil then return false end
data_in_php(tmp2[0])
end end
return false return false
end end
@ -619,7 +546,6 @@ function waf()
if waf_scan_black() then return true end if waf_scan_black() then return true end
if waf_post() then return true end if waf_post() then return true end
-- if waf_post_data_check() then return true end
if site_config[server_name] and site_config[server_name]['open'] then if site_config[server_name] and site_config[server_name]['open'] then
if X_Forwarded() then return true end if X_Forwarded() then return true end
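Review bot: The new `C:ngx_match_list(url_rules, params["uri"])` call in waf_url drops the `'url'` rule name that the removed `is_ngx_match` used for the per-site `disable_rule` lookup, and it is not visible from this hunk whether the list matcher still applies `ngx.unescape_uri` to the URI before matching. If it does not decode, percent-encoded requests would bypass the `rule_url` patterns; confirm the helper decodes once, or decode at the call site, `if C:ngx_match_list(url_rules, ngx.unescape_uri(params["uri"])) then`, and either drop or document the now-inert per-site disable behaviour for url rules. The leftover `-- C:D("waf_url:"..` debug line above that call should be removed rather than left commented out. In the post_data hunk, `ngx.re.match(data,[[filename=\"(.+)\.(.*)\"]])` still returns only the first filename match, so a multipart body with several file parts has only its first extension passed to disable_upload_ext; an `ngx.re.gmatch` loop over the body would check each part. Both waf_url and post_data continue outside their hunks.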

@ -1,24 +0,0 @@
\.\./
\:\$
\$\{
/\*|--
\b(or|xor|and)\b.*(=|<|>|'|")
select.+(from|limit)
(?:(union(.*?)select))
having|load_file
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=

@ -1,20 +0,0 @@
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[

@ -1,7 +0,0 @@
#ip 60/60 1800
#ip+uri 60/60 1800
#ip+domain+CookieParam:sessionid 60/60 1800
#ip+GetParam:userid 60/60 1800
#ip+PostParam:userid 60/60 1800
#$ip+header:imei 30/60 1800
ip+uri 60/60 3600