From 3109e6ec1a2fbe4d3f8919d4cc3a9f4fe1966a6c Mon Sep 17 00:00:00 2001
From: penndu
Date: Sat, 16 Dec 2023 02:40:58 +0800
Subject: [PATCH] a
---
 source/_posts/657.md | 140 +++++++
 source/_posts/658.md | 183 +++++++++
 source/_posts/659.md | 466 ++++++++++++++++++++++
 source/_posts/660.md | 912 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 1701 insertions(+)
 create mode 100644 source/_posts/657.md
 create mode 100644 source/_posts/658.md
 create mode 100644 source/_posts/659.md
 create mode 100644 source/_posts/660.md
diff --git a/source/_posts/657.md b/source/_posts/657.md
new file mode 100644
index 00000000..32b0cba0
--- /dev/null
+++ b/source/_posts/657.md
@@ -0,0 +1,140 @@
+---
+title: Nginx 的 WAF 规则 LuaJIT 低危险版
+tags:
+ - 规则
+categories:
+ - 网络安全
+date: 2023-12-17 00:00:00
+---
+
+> 前段时间杜老师发表了一篇《自建 CDN 服务器思路》其中介绍南墙 Web 应用防火墙,有些小伙伴们对其名字很感兴趣,而杜老师注意到了它的防护规则,感觉非常实用,顺手整理了下,分享给需要的小伙伴们。此篇为低危险防护规则!
+
+
+
+### 防CC攻击规则
+
+过滤阶段:请求阶段
+
+规则描述:当一分钟访问/api/路径频率超过360次,则在5分钟内拦截该ip访问
+
+规则内容:
+
+```
+if not waf.startWith(waf.toLower(waf.uri), "/api/") then
+ return false
+end
+
+local sh = ngx.shared.ipCache
+local ccIp = 'cc-' .. waf.ip
+local c, f = sh:get(ccIp)
+if not c then
+ sh:set(ccIp, 1, 60, 1) -- 设置1分钟也就是60秒访问计数时间
+else
+ if f == 2 then
+ return waf.block(true) -- 重置TCP连接,不记录日志
+ end
+ sh:incr(ccIp, 1)
+ if c + 1 >= 360 then
+ sh:set(ccIp, c + 1, 300, 2) -- 设置5分钟也就是300秒拦截时间
+ return true, ccIp, true
+ end
+end
+
+return false
+```
+
+### IIS报错检测
+
+过滤阶段:返回页面
+
+规则描述:IIS返回页面的报错可能会泄露服务器敏感信息
+
+规则内容:
+
+```
+local rgx = waf.rgxMatch
+local rb = waf.respBody
+
+local m = rgx(rb, "[a-z]:\\x5cinetpub\\b", "jo")
+if m then
+ return m, rb, true
+end
+
+if waf.status == 500 then
+ local m = rgx(rb, "Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error\\.

)|cannot connect to the server: timed out", "jo")
+ if m then
+ return m, rb, true
+ end
+ local m = rgx(rb, "\\b(?:A(?:DODB\\.Command\\b.{0,100}?\\b(?:Application uses a value of the wrong type for the current operation\\b|error')| trappable error occurred in an external object\\. The script cannot continue running\\b)|Microsoft VBScript (?:compilation (?:\\(0x8|error)|runtime (?:Error|\\(0x8))\\b|Object required: '|error '800)|Version Information:(?: |\\s)(?:Microsoft \\.NET Framework|ASP\\.NET) Version:|>error 'ASP\\b|An Error Has Occurred|>Syntax error in string in query expression|/[Ee]rror[Mm]essage\\.aspx?\\?[Ee]rror\\b", "jo")
+ if m then
+ return m, rb, true
+ end
+end
+
+if waf.status == 404 then
+ local m = rgx(rb, "\\bServer Error in.{0,50}?\\bApplication\\b", "jo")
+ if m then
+ return m, rb, true
+ end
+end
+
+return false
+```
+
+### php报错检测
+
+过滤阶段:返回页面
+
+规则描述:返回页面的php报错可能会泄露服务器敏感信息
+
+规则内容:
+
+```
+local check = waf.plugins.phpErrorDetection.check
+local rb = waf.respBody
+
+if waf.status == 500 then
+ local m, d = check(rb)
+ if m then
+ return m, "php error: " .. d, true
+ end
+end
+
+return false
+```
+
+### Java报错检测
+
+过滤阶段:返回页面
+
+规则描述:返回页面的java报错可能会泄露服务器敏感信息
+
+规则内容:
+
+```
+local check = waf.plugins.javaErrorDetection.check
+local rb = waf.respBody
+
+if waf.status == 500 then
+ local m,d = check(rb)
+ if m then
+ return m, "Java error: " .. d, true
+ end
+end
+
+return false
+```
+
+### 请求方法加强
+
+过滤阶段:请求阶段
+
+规则描述:不常用的http请求方法会出现一些安全漏洞,如:历史上Apache平台TRACE请求方法出现过XSS相关漏洞
+
+规则内容:
+
+```
+if not waf.rgxMatch(waf.method, "^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$") then
+ return true, waf.method, true
+end
+```
\ No newline at end of file
diff --git a/source/_posts/658.md b/source/_posts/658.md
new file mode 100644
index 00000000..52811743
--- /dev/null
+++ b/source/_posts/658.md
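Review bot: The CC rule decides the ban from the count it read before incrementing (`if c + 1 >= 360`), so with concurrent requests from one address the stale `c` undercounts and extra requests slip through before flag 2 is set; `sh:incr` returns the new value, so base the decision on it: `local n = sh:incr(ccIp, 1)` / `if n and n >= 360 then sh:set(ccIp, n, 300, 2)`. The method allow-list `^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$` rejects PATCH, which REST endpoints under the same `/api/` prefix this file rate-limits commonly use — if that is intended, say so in the rule description, and add the trailing `return false` every other rule here ends with instead of falling off with nil. The PHP and Java error rules only inspect `waf.status == 500`, so error text returned with a 200 status (typical for PHP warnings) is not covered; that limitation belongs in the description.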
@@ -0,0 +1,183 @@
+---
+title: Nginx 的 WAF 规则 LuaJIT 中危险版
+tags:
+ - 规则
+categories:
+ - 网络安全
+date: 2023-12-20 00:00:00
+---
+
+> 前段时间杜老师发表了一篇《自建 CDN 服务器思路》其中介绍南墙 Web 应用防火墙,有些小伙伴们对其名字很感兴趣,而杜老师注意到了它的防护规则,感觉非常实用,顺手整理了下,分享给需要的小伙伴们。此篇为中危险防护规则!
+
+
+
+### 机器人攻击防护
+
+过滤阶段:请求阶段
+
+规则描述:通过生成滑动旋转验证码来拦截机器人攻击,如漏洞扫描、网络爬虫、CC攻击等自动化攻击行为,Token有效期30分钟。
+
+规则内容:
+
+```
+local sh = ngx.shared.ipCache
+local robotIp = 'rb:' .. waf.ip
+local c, f = sh:get(robotIp)
+
+-- 如果是静态页面且没有进行滑动旋转验证码验证则返回
+if not (waf.isQueryString or waf.reqContentLength > 0) and f ~= 2 then
+ return false
+end
+
+if not c then
+ sh:set(robotIp, 1, 60, 1) -- 设置1分钟也就是60秒访问计数时间段
+else
+ if f == 2 then
+ return waf.checkRobot(waf) -- 启动机器人滑动旋转验证码验证
+ end
+ sh:incr(robotIp, 1)
+ if c + 1 >= 360 then
+ sh:set(robotIp, c + 1, 1800, 2) -- 达到了60秒内请求超过360次的阈值,进入机器人验证模式
+ return true, robotIp, true
+ end
+end
+
+return false
+```
+
+### 弱口令检测
+
+过滤阶段:请求阶段
+
+规则描述:检测常见登录页面的弱口令问题
+
+规则内容:
+
+```
+local check = waf.plugins.weakPwdDetection.check
+local toLower = waf.toLower
+local has = waf.contains
+
+local form = waf.form
+local uri = toLower(waf.uri)
+if form and (has(uri, "login") or has(uri, "logon") or has(uri, "signin")) then
+ local f = form["FORM"]
+ if f then
+ for k, v in pairs(f) do
+ k = toLower(k)
+ if (k == "pass" or has(k, "pwd") or has(k, "passwd") or has(k, "password")) and check(v) then
+ return true, form["RAW"], false
+ end
+ end
+ end
+end
+
+return false
+```
+
+### 敏感文件泄露检测
+
+过滤阶段:请求阶段
+
+规则描述:检测url中各种敏感泄露文件的路径,如svn、git、sql、log、bak等,防止被攻击者利用
+
+规则内容:
+
+```
+local m, d = waf.plugins.fileLeakDetection.check()
+if m then
+ return true, d, true
+end
+return false
+```
+
+### 请求body大小限制
+
+过滤阶段:请求阶段
+
+规则描述:限制请求body大小为8M以下,黑客会尝试大数据包绕过waf过滤
+
+规则内容:
+
+```
+if waf.reqContentLength>8388608 then
+ return true,"reqBody length is "..waf.reqContentLength ,true
+end
+return false
+```
+
+### HTTP Parameter Pollution
+
+过滤阶段:请求阶段
+
+规则描述:http参数污染攻击,该规则查找具有相同名称的多个参数,并检查一些后端参数弱校验时产生的绕过问题,如:foo[1]a=bar&foo[1]b=或foo[1]x[1]=bar&foo[1]x[2]=等。
+
+规则内容:
+
+```
+local rgx = waf.rgxMatch
+
+local function rMatch(v)
+ local m = rgx(v, "(?:][^\\]]+$|][^\\]]+\\[)", "jos")
+ if m then
+ return m, v
+ end
+ return false
+end
+
+local form = waf.form
+if form then
+ for k, v in pairs(form["FORM"]) do
+ if type(v) == "table" then
+ return true, k.."="..table.concat(v, ","), true
+ end
+ local m, d = rMatch(k)
+ if m then
+ return m, d, true
+ end
+ end
+end
+
+local queryString = waf.queryString
+if queryString then
+ for k, v in pairs(queryString) do
+ if type(v) == "table" then
+ return true, k.."="..table.concat(v, ","), true
+ end
+ local m, d = rMatch(k)
+ if m then
+ return m, d, true
+ end
+ end
+end
+
+local cookies = waf.cookies
+if cookies then
+ for k, v in pairs(cookies) do
+ if type(v) == "table" then
+ return true, k.."="..table.concat(v, ","), true
+ end
+ local m, d = rMatch(k)
+ if m then
+ return m, d, true
+ end
+ end
+end
+return false
+```
+
+### 扫描器检测
+
+过滤阶段:请求阶段
+
+规则描述:检测常见的各种扫描器,如awvs、sqlmap、nessus、appscan、nmap等,拦截它们有助于减少黑客发现漏洞的风险
+
+规则内容:
+
+```
+local m, d = waf.plugins.scannerDetection.check()
+if m then
+ return true, d, true
+end
+return false
+```
\ No newline at end of file
diff --git a/source/_posts/659.md b/source/_posts/659.md
new file mode 100644
index 00000000..53e9e890
--- /dev/null
+++ b/source/_posts/659.md
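Review bot: The weak-password rule returns `form["RAW"]` as the event detail, so the whole login body — including the plaintext password that triggered the match — is handed to the WAF's log/event store, turning a detection into a credential leak; report the field only, e.g. `return true, "weak password in field " .. k, false`. Its third return value is `false` while every other rule in this patch returns `true`; if that means "log but do not block" (inferred from the CC rule's comments, not from visible code) the rule description should say so, since a logged-only rule has no reason to capture the body at all. The HPP rule iterates `pairs(form["FORM"])` directly rather than through `kvFilter` like the other rules; if `FORM` can be nil for a non-form body, `pairs(nil)` raises instead of returning false, so guard it with `local f = form["FORM"]` / `if f then … end`. Note also that HPP blocks any repeated parameter (`type(v) == "table"`), which hits legitimate `a=1&a=2` and checkbox arrays; that trade-off belongs in the description.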
@@ -0,0 +1,466 @@ +--- +title: Nginx 的 WAF 规则 LuaJIT 高危险版 +tags: + - 规则 +categories: + - 网络安全 +date: 2023-12-23 00:00:00 +--- + +> 前段时间杜老师发表了一篇《自建 CDN 服务器思路》其中介绍南墙 Web 应用防火墙,有些小伙伴们对其名字很感兴趣,而杜老师注意到了它的防护规则,感觉非常实用,顺手整理了下,分享给需要的小伙伴们。此篇为高危险防护规则! + + + +### SQL报错检测 + +过滤阶段:返回页面 + +规则描述:返回页面的sql报错可能会泄露服务器敏感信息 + +规则内容: + +``` +local check = waf.plugins.sqlErrorDetection.check +local rb = waf.respBody +local rgx = waf.rgxMatch +local has = waf.contains + +if waf.status == 500 then + local m = check(rb) + if m then + if rgx(rb, "JET Database Engine|Access Database Engine|\\[Microsoft\\]\\[ODBC Microsoft Access Driver\\]", "jo") then + return m, "Microsoft Access SQL Information Leakage: " .. rb, true + end + if rgx(rb, "ORA-[0-9][0-9][0-9][0-9]|java\\.sql\\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*", "jo") then + return m, "Oracle SQL Information Leakage: " .. rb, true + end + if rgx(rb, "DB2 SQL error:|\\[IBM\\]\\[CLI Driver\\]\\[DB2/6000\\]|CLI Driver.*DB2|DB2 SQL error|db2_\\w+\\(", "jo") then + return m, "DB2 SQL Information Leakage: " .. rb, true + end + if rgx(rb, "\\[DM_QUERY_E_SYNTAX\\]|has occurred in the vicinity of:", "jo") then + return m, "EMC SQL Information Leakage: " .. rb, true + end + if has(rb, "Dynamic SQL Error") then + return m, "firebird SQL Information Leakage: " .. rb, true + end + if rgx(rb, "Exception (?:condition )?\\d+\\. Transaction rollback\\.", "jo") then + return m, "Frontbase SQL Information Leakage: " .. rb, true + end + if has(rb, "org.hsqldb.jdbc") then + return m, "hsqldb SQL Information Leakage: " .. rb, true + end + if rgx(rb, "An illegal character has been found in the statement|com\\.informix\\.jdbc|Exception.*Informix", "jo") then + return m, "informix SQL Information Leakage: " .. rb, true + end + if rgx(rb, "Warning.*ingres_|Ingres SQLSTATE|Ingres\\W.*Driver", "jo") then + return m, "ingres SQL Information Leakage: " .. 
rb, true + end + if rgx(rb, "Warning: ibase_|Unexpected end of command in statement", "jo") then + return m, "interbase SQL Information Leakage: " .. rb, true + end + if rgx(rb, "SQL error.*POS[0-9]+|Warning.*maxdb", "jo") then + return m, "maxDB SQL Information Leakage: " .. rb, true + end + if rgx(rb, "System\\.Data\\.OleDb\\.OleDbException|\\[Microsoft\\]\\[ODBC SQL Server Driver\\]|\\[Macromedia\\]\\[SQLServer JDBC Driver\\]|\\[SqlException|System\\.Data\\.SqlClient\\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\\(\\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\\.|ADODB\\.Field \\(0x800A0BCD\\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\\WSystem\\.Data\\.SqlClient\\.", "jo") then + return m, "Mssql SQL Information Leakage: " .. rb, true + end + if rgx(rb, "MyS(?:QL server version for the right syntax to use|qlClient\\.)|(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|You have an error in your SQL syntax(?: near|;)|Warning.{1,10}mysql_(?:[a-z_()]{1,26})?|ERROR [0-9]{4} \\([a-z0-9]{5}\\):|mysql_fetch_array\\(\\)|on MySQL result index|\\[MySQL\\]\\[ODBC", "jo") then + return m, "Mysql SQL Information Leakage: " .. rb, true + end + if rgx(rb, "PostgreSQL query failed:|pg_query\\(\\) \\[:|pg_exec\\(\\) \\[:|PostgreSQL.{1,20}ERROR|Warning.*\\bpg_.*|valid PostgreSQL result|Npgsql\\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? 
resource|Unable to connect to PostgreSQL server", "jo") then + return m, "Postgres SQL Information Leakage: " .. rb, true + end + if rgx(rb, "Warning.*sqlite_|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\\.Exception|System\\.Data\\.SQLite\\.SQLiteException", "jo") then + return m, "SQLite SQL Information Leakage: " .. rb, true + end + if rgx(rb, "Sybase message:|Warning.{2,20}sybase|Sybase.*Server message", "jo") then + return m, "Sybase SQL Information Leakage: " .. rb, true + end + end +end + +return false +``` + +### 数据泄露检测 + +过滤阶段:返回页面 + +规则描述:从返回页面检测列目录漏洞和源代码泄露问题 + +规则内容: + +``` +local rgx = waf.rgxMatch +local rb = waf.respBody + +local m = rgx(rb, "<(?:TITLE>Index of.*?Index of.*?Index of|>\\[To Parent Directory\\]
", "jo") +if m then + return m, "Directory Listing: " .. rb, true +end + +m = rgx(rb, "^\\s*(?:#\\!\\s?/|<%|<\\?\\s*[^x]| 1) then + return true, rct, true + end +end +return false +``` + +### 代理头sql注入 + +过滤阶段:请求阶段 + +规则描述:过滤http请求中X-Forwarded-For、Client-IP请求头中单引号sql注入 + +规则内容: + +``` +local rip=waf.reqHeaders.x_forwarded_for +if rip then + if type(rip) ~= "string" then + return true,"Malform X-Forwarded-For",true + elseif waf.contains(rip,"'") then + return true,rip,true + end +end +rip=waf.reqHeaders.client_ip +if rip then + if type(rip) ~= "string" then + return true,"Malform Client-IP",true + elseif waf.contains(rip,"'") then + return true,rip,true + end +end +return false +``` + +### Invalid protocol + +过滤阶段:请求阶段 + +规则描述:cookie参数过多 + +规则内容: + +``` +if waf.cookies==nil then + return true,waf.cErr,true +end +return false +``` + +### Invalid protocol + +过滤阶段:请求阶段 + +规则描述:querystring参数过多 + +规则内容: + +``` +if waf.queryString==nil then + return true,waf.qErr,true +end +return false +``` \ No newline at end of file diff --git a/source/_posts/660.md b/source/_posts/660.md new file mode 100644 index 00000000..24cdf3e1 --- /dev/null +++ b/source/_posts/660.md 
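Review bot: The proxy-header rule rejects a non-string `X-Forwarded-For` as "Malform" (`type(rip) ~= "string"`), but a request that crossed two proxies can legitimately carry two X-Forwarded-For headers, which this engine evidently surfaces as a table — on the self-hosted CDN setup the post describes that is a false-positive path, so either join the table (`if type(rip) == "table" then rip = table.concat(rip, ",") end`) before the quote check, or state that repeated headers are blocked by design. In the SQL error rule, `java\\.sql\\.SQLException` lives in the Oracle pattern, so any JDBC exception (MySQL, Postgres, …) is labelled "Oracle SQL Information Leakage" before the vendor-specific branches run; move it to a generic JDBC branch or drop it. Every branch there appends the full response body (`.. rb`) to the detail, so the WAF log becomes a second copy of the leaked page — logging the matched fragment `m` would suffice. The stretch from the source-code-leak regex to the content-type rule is garbled in this view and was not reviewed.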
@@ -0,0 +1,912 @@ +--- +title: Nginx 的 WAF 规则 LuaJIT 严重版本 +tags: + - 规则 +categories: + - 网络安全 +date: 2023-12-26 00:00:00 +--- + +> 前段时间杜老师发表了一篇《自建 CDN 服务器思路》其中介绍南墙 Web 应用防火墙,有些小伙伴们对其名字很感兴趣,而杜老师注意到了它的防护规则,感觉非常实用,顺手整理了下,分享给需要的小伙伴们。此篇为严重风险的防护规则! + + + +### fastjson漏洞拦截 + +过滤阶段:请求阶段 + +规则描述:拦截fastjson漏洞漏洞攻击 + +规则内容: + +``` +local jsonFilter = waf.jsonFilter + +local function rMatch(v) + if v == "@type" then + return true, v + end + return false +end + +local form = waf.form +if form then + local raw = form["RAW"] + local m = jsonFilter(raw, rMatch, false) + if m then + return m, raw, true + end +end + +return false +``` + +### json格式校验 + +过滤阶段:请求阶段 + +规则描述:高级攻击者会构造一些异常json绕过WAF检测,该规则对json格式进行安全校验,可以拦截异常json请求。 + +规则内容: + +``` +local form = waf.form +local rct = waf.reqContentType +local rgx = waf.rgxMatch + +if rct and waf.contains(waf.toLower(rct), "application/json") and form then + local raw = form["RAW"] + if raw then + if rgx(raw, "^\\s*$", "jos") then + return false + end + local err = waf.checkJson(raw) + if err then + return true, err .. ":" .. 
raw, true + end + end +end + +return false +``` + +### XSS跨站脚本攻击 + +过滤阶段:请求阶段 + +规则描述:攻击者通常会在有漏洞的程序中插入 JavaScript、VBScript、 ActiveX或Flash以欺骗用户。一旦得手,他们可以盗取用户帐户,修改用户设置,盗取/污染cookie,做虚假广告等。 + +规则内容: + +``` +local kvFilter = waf.kvFilter +local checkXSS = waf.checkXSS + + +local function sMatch(v) + if v then + local m = checkXSS(v) + if m then + return m, v + end + end + return false +end + +local form = waf.form +if form then + local m, d = kvFilter(form["FORM"], sMatch) + if m then + return m, d, true + end +end + +local queryString = waf.queryString +if queryString then + local m, d = kvFilter(queryString, sMatch) + if m then + return m, d, true + end +end + +local cookies = waf.cookies +if cookies then + local m, d = kvFilter(cookies, sMatch) + if m then + return m, d, true + end +end + +local m, d = sMatch(waf.userAgent) +if m then + return m, d, true +end + +local m, d = sMatch(waf.referer) +if m then + return m, d, true +end + +return false +``` + +### java安全规则集 + +过滤阶段:请求阶段 + +规则描述:检测spring、struts、java序列化等相关安全漏洞 + +规则内容: + +``` +local kvFilter = waf.kvFilter +local rgx = waf.rgxMatch +local urlDecode = waf.urlDecode +local requestLine = waf.requestLine +local check = waf.plugins.javaClassDetection.check + +local function sMatch(v) + local m = rgx(v, "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi") + if m then + return m, "Potential Log4j / Log4shell Attack: " .. v + end + m = rgx(v, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo") + if m then + return m, "Magic bytes Detected, probable java serialization Attack: " .. v + end + m = rgx(v, "classLoader\\s*\\.\\s*resources\\s*\\.\\s*context\\s*\\.\\s*parent\\s*\\.\\s*pipeline|springframework\\s*\\.\\s*context\\s*\\.\\s*support\\s*\\.\\s*FileSystemXmlApplicationContext", "jos") + if m then + return m, "Spring Framework RCE(CVE-2022-22965): " .. v + end + m = check(v) + if m then + return m, "Potential dangerous java class: " .. 
v + end + return false +end + +local form = waf.form +if form then + local m, d = kvFilter(form["FORM"], sMatch) + if m then + return m, d, true + end + local raw = form["RAW"] + m = rgx(raw, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo") + if m then + return m, raw, true + end + m = check(raw) + if m then + return m, raw, true + end +end + +local queryString = waf.queryString +if queryString then + local m, d = kvFilter(queryString, sMatch) + if m then + return m, d, true + end +end + +local cookies = waf.cookies +if cookies then + local m, d = kvFilter(cookies, sMatch) + if m then + return m, d, true + end +end + +local m, d = kvFilter(waf.reqHeaders, sMatch) +if m then + return m, d, true +end + +local m = rgx(urlDecode(requestLine), "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi") +if m then + return m, requestLine, true +end + +return false +``` + +### Shellshock漏洞 + +过滤阶段:请求阶段 + +规则描述:检测对“Shellshock”(CVE-2014-6271和CVE-2014-7169) GNU Bash RCE漏洞的攻击。 + +规则内容: + +``` +local kvFilter = waf.kvFilter +local rgx = waf.rgxMatch +local requestLine = waf.requestLine +local urlDecode = waf.urlDecode + +local function rMatch(v) + local m = rgx(urlDecode(v), "\\(\\s*\\)\\s+{", "jos") + if m then + return m, v + end + return false +end + +local m, d = kvFilter(waf.reqHeaders, rMatch) +if m then + return m, d, true +end + +local m, d = rMatch(requestLine) +if m then + return m, d, true +end + +return false +``` + +### 远程文件包含 (RFI) + +过滤阶段:请求阶段 + +规则描述:该规则寻找常见类型的远程文件包含(RFI)攻击方法。 #-PHP“include()”函数 #-JSP ]+?\\bSYSTEM\\b", "jos") + if m then + return m, waf.form["RAW"], true + end +end +return false +``` + +### ImageMagick漏洞 + +过滤阶段:请求阶段 + +规则描述:ImageMagick是一个功能强大的开源图形处理软件,该漏洞可以执行任意命令和读写文件 + +规则内容: + +``` +local rgx = waf.rgxMatch +local function imgContentMatch(v) + local m = rgx(v, "\\bpush\\s+graphic-context\\b|\\<\\s*image\\b", "joi") + if m then + return m, v + end + return false +end +if waf.form then + local m, d = waf.knFilter(waf.form["FILES"], 
imgContentMatch, 0) + return m, d, true +end +return false +``` + +### header头漏洞 + +过滤阶段:请求阶段 + +规则描述:httpoxy漏洞可被用来针对CGI环境设置非法代理,从而窃取服务器敏感数据。在CVE-2017-7269(IIS 6.0 WebDAV远程代码执行漏洞)中if和lock_token http头会造成溢出攻击。 + +规则内容: + +``` +if waf.reqHeaders.proxy ~= nil then + return true, "Proxy: " .. waf.reqHeaders.proxy, true +end + +if waf.reqHeaders.lock_token ~= nil then + return true, "Lock-Token: " .. waf.reqHeaders.lock_token, true +end + +if waf.reqHeaders["If"] ~= nil then + return true, "If: " .. waf.reqHeaders["If"], true +end + +return false +``` + +### LDAP Injection + +过滤阶段:请求阶段 + +规则描述:拦截LDAP注入攻击 + +规则内容: + +``` +local kvFilter = waf.kvFilter +local rgx = waf.rgxMatch +local htmlEntityDecode = waf.htmlEntityDecode + +local function rMatch(v) + local m = rgx(htmlEntityDecode(v), "^[^:\\(\\)\\&\\|\\!\\<\\>\\~]*\\)\\s*(?:\\((?:[^,\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=|\\s*[&!|]\\s*(?:\\)|\\()?\\s*)|\\)\\s*\\(\\s*[\\&\\|\\!]\\s*|[&!|]\\s*\\([^\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=[^:\\(\\)\\&\\|\\!\\<\\>\\~]*)", "jos") + if m then + return m, v + end + return false +end + +local form = waf.form +if form then + local m, d = kvFilter(form["FORM"], rMatch) + if m then + return m, d, true + end +end + +local queryString = waf.queryString +if queryString then + local m, d = kvFilter(queryString, rMatch) + if m then + return m, d, true + end +end + +local cookies = waf.cookies +if cookies then + local m, d = kvFilter(cookies, rMatch) + if m then + return m, d, true + end +end +return false +``` + +### HTTP Splitting + +过滤阶段:请求阶段 + +规则描述:此规则检测请求文件名中的\n或\r。参考:https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016) + +规则内容: + +``` +local rgx = waf.rgxMatch +local function fMatch(v) + local m = rgx(v, "[\\n\\r]", "jo") + if m then + return m, v + end + return false +end +local m, d = fMatch(waf.uri) +if m then + return m, d, true +end +return false +``` + +### HTTP Header Injection + +过滤阶段:请求阶段 + 
+规则描述:HTTP头注入查找回车符(CR)%0d和换行符(LF)%0a字符,单独或与header字段名称组合使用。如果数据在响应头中返回并由客户端解释,这些字符可能会导致问题。 + +规则内容: + +``` +local rgx = waf.rgxMatch +local htmlEntityDecode = waf.htmlEntityDecode +local concat = table.concat + +local function hMatch(v) + local m = rgx(htmlEntityDecode(v), "[\\n\\r]", "jo") + if m then + return m, v + end + return false +end + +local function vMatch(v) + local m = rgx(htmlEntityDecode(v), "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:", "josi") + if m then + return m, v + end + return false +end + +local m, d = waf.kvFilter(waf.reqHeaders, hMatch) +if m then + return m, d, true +end + +local queryString = waf.queryString +if queryString then + for k, v in pairs(waf.queryString) do + m, d = hMatch(k) + if m then + return m, d, true + end + if type(v)=="table" then + v = concat(v,",") + end + m, d = vMatch(v) + if m then + return m, d, true + end + end +end + +local form = waf.form +if form then + for k, _ in pairs(form["FORM"]) do + m, d = hMatch(k) + if m then + return m, d, true + end + end +end + +return false +``` + +### boundary异常拦截 + +过滤阶段:请求阶段 + +规则描述:拦截请求content type头中multipart/form-data的异常boundary,如php在上传解析boundary时没有符合rfc规范,对逗号产生了错误解析。 + +规则内容: + +``` +local ct = waf.reqContentType + +if ct then + if type(ct) ~= "string" then + return true, "Malform Content-Type", true + elseif waf.contains(ct, "boundary") and (waf.strCounter(ct, "boundary") > 1 or not waf.rgxMatch(ct, "boundary=[\\w\\-]+$", "jo")) then + return true, ct, true + end +end + +return false +``` + +### asp畸形编码过滤 + +过滤阶段:请求阶段 + +规则描述:asp中unicode畸形编码会造成waf绕过危害 + +规则内容: + +``` +if waf.rgxMatch(waf.reqUri,"%u00(?:aa|ba|d0|de|e2|f0|fe)","i") then + return true,waf.reqUri,true +end +return false +``` + +### HTTP Response Splitting + +过滤阶段:请求阶段 + +规则描述:该规则查找回车符(CR)%0d和换行符(LF)%0a字符。如果在响应报头中返回数据,这些字符可能会导致问题,并且可能会被中间代理服务器解释并被视为两个单独的响应。参考:http://projects.webappsec.org/HTTP-Response-Splitting + 
+规则内容: + +``` +local kvFilter = waf.kvFilter +local rgx = waf.rgxMatch +local htmlEntityDecode = waf.htmlEntityDecode + +local function rMatch(v) + local m = rgx(v, "[\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w", "josi") + if m then + return m, v + end + return false +end + +local function hMatch(v) + local m = rgx(htmlEntityDecode(v), "(?:\\bhttp/\\d|<(?:html|meta)\\b)", "josi") + if m then + return m, v + end + return false +end + +local form = waf.form +if form then + local m, d = kvFilter(form["FORM"], rMatch) + if m then + return m, d, true + end + m, d = kvFilter(form["FORM"], hMatch) + if m then + return m, d, true + end +end + +local queryString = waf.queryString +if queryString then + local m, d = kvFilter(queryString, rMatch) + if m then + return m, d, true + end + m, d = kvFilter(queryString, hMatch) + if m then + return m, d, true + end +end + +local cookies = waf.cookies +if cookies then + local m, d = kvFilter(cookies, rMatch) + if m then + return m, d, true + end + m, d = kvFilter(cookies, hMatch) + if m then + return m, d, true + end +end +return false +``` + +### HTTP Request Smuggling + +过滤阶段:请求阶段 + +规则描述:此规则查找与单词HTTP/\d或CR/LF字符组合的HTTP/WEBDAV方法名。这将指向试图将第二个请求注入到请求中,从而绕过对主请求执行的测试,如CVE-2019-20372(Nginx<1.17.7 请求走私漏洞)。参考:http://projects.webappsec.org/HTTP-Request-Smuggling + +规则内容: + +``` +local kvFilter = waf.kvFilter +local rgx = waf.rgxMatch +local htmlEntityDecode = waf.htmlEntityDecode + +local function rMatch(v) + local m = rgx(htmlEntityDecode(v), "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d", "josi") + if m then + return m, v + end + return false +end + +local form = waf.form +if form then + local m, d = kvFilter(form["FORM"], rMatch) + if m then + return m, d, true + end + m, d = rMatch(form["RAW"]) + if m then + return m, d, true + end +end + +local queryString = waf.queryString +if queryString then + local m, d = 
kvFilter(queryString, rMatch) + if m then + return m, d, true + end +end + +local cookies = waf.cookies +if cookies then + local m, d = kvFilter(cookies, rMatch) + if m then + return m, d, true + end +end +return false +``` + +### 上传文件内容过滤 + +过滤阶段:请求阶段 + +规则描述:过滤上传的文件内容,拦截webshell上传 + +规则内容: + +``` +local rgx = waf.rgxMatch +local function fileContentMatch(v) + local m = rgx(v, "<\\?.+?\\$(?:GLOBALS|_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES|SESSION|ENV))|<\\?php|= 100 then + ib:set(waf.ip, c, 600, 1) + return true, "ip blocked for continue attack: " .. waf.ip, true +end +return false +``` + +### Invalid protocol + +过滤阶段:请求阶段 + +规则描述:非法post协议 + +规则内容: + +``` +if waf.form == nil then + if waf.contains(waf.fErr, "content_type") then + return true, waf.fErr .. ": " .. waf.reqContentType, true + end + return true, waf.fErr, true +end +return false +``` \ No newline at end of file
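Review bot: The header rule concatenates raw header values into the detail (`"Proxy: " .. waf.reqHeaders.proxy`, likewise `lock_token` and `If`), yet 659.md's X-Forwarded-For rule shows that a repeated header arrives as a table — a client sending two `Proxy:` headers therefore makes `..` raise "attempt to concatenate a table value" inside the rule, and what the engine does with a failing rule is not visible here; use `tostring(waf.reqHeaders.proxy)` or return a fixed message. The ImageMagick rule returns `m, d, true` unconditionally after `knFilter`, unlike every other rule which guards with `if m then`; wrap it the same way so a non-match yields `false` rather than `nil, nil, true`. The boundary rule accepts only `boundary=[\\w\\-]+$`, which rejects quoted boundaries and the other characters RFC 2046 allows (`.`, `:`, `+`, …), so well-formed clients can be blocked — if that strictness is deliberate, note it in the description. The IP-ban rule near the end starts outside the readable part of this hunk and was not reviewed.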