├── .gitattributes ├── .gitignore ├── README.md ├── config.lua ├── init.lua ├── install.sh ├── waf.lua └── wafconf ├── args ├── cookie ├── post ├── url ├── user-agent └── whiteurl /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | *.sln merge=union 7 | *.csproj merge=union 8 | *.vbproj merge=union 9 | *.fsproj merge=union 10 | *.dbproj merge=union 11 | 12 | # Standard to msysgit 13 | *.doc diff=astextplain 14 | *.DOC diff=astextplain 15 | *.docx diff=astextplain 16 | *.DOCX diff=astextplain 17 | *.dot diff=astextplain 18 | *.DOT diff=astextplain 19 | *.pdf diff=astextplain 20 | *.PDF diff=astextplain 21 | *.rtf diff=astextplain 22 | *.RTF diff=astextplain 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ################# 2 | ## Eclipse 3 | ################# 4 | 5 | *.pydevproject 6 | .project 7 | .metadata 8 | bin/ 9 | tmp/ 10 | *.tmp 11 | *.bak 12 | *.swp 13 | *~.nib 14 | local.properties 15 | .classpath 16 | .settings/ 17 | .loadpath 18 | 19 | # External tool builders 20 | .externalToolBuilders/ 21 | 22 | # Locally stored "Eclipse launch configurations" 23 | *.launch 24 | 25 | # CDT-specific 26 | .cproject 27 | 28 | # PDT-specific 29 | .buildpath 30 | 31 | 32 | ################# 33 | ## Visual Studio 34 | ################# 35 | 36 | ## Ignore Visual Studio temporary files, build results, and 37 | ## files generated by popular Visual Studio add-ons. 
38 | 39 | # User-specific files 40 | *.suo 41 | *.user 42 | *.sln.docstates 43 | 44 | # Build results 45 | [Dd]ebug/ 46 | [Rr]elease/ 47 | *_i.c 48 | *_p.c 49 | *.ilk 50 | *.meta 51 | *.obj 52 | *.pch 53 | *.pdb 54 | *.pgc 55 | *.pgd 56 | *.rsp 57 | *.sbr 58 | *.tlb 59 | *.tli 60 | *.tlh 61 | *.tmp 62 | *.vspscc 63 | .builds 64 | *.dotCover 65 | 66 | ## TODO: If you have NuGet Package Restore enabled, uncomment this 67 | #packages/ 68 | 69 | # Visual C++ cache files 70 | ipch/ 71 | *.aps 72 | *.ncb 73 | *.opensdf 74 | *.sdf 75 | 76 | # Visual Studio profiler 77 | *.psess 78 | *.vsp 79 | 80 | # ReSharper is a .NET coding add-in 81 | _ReSharper* 82 | 83 | # Installshield output folder 84 | [Ee]xpress 85 | 86 | # DocProject is a documentation generator add-in 87 | DocProject/buildhelp/ 88 | DocProject/Help/*.HxT 89 | DocProject/Help/*.HxC 90 | DocProject/Help/*.hhc 91 | DocProject/Help/*.hhk 92 | DocProject/Help/*.hhp 93 | DocProject/Help/Html2 94 | DocProject/Help/html 95 | 96 | # Click-Once directory 97 | publish 98 | 99 | # Others 100 | [Bb]in 101 | [Oo]bj 102 | sql 103 | TestResults 104 | *.Cache 105 | ClientBin 106 | stylecop.* 107 | ~$* 108 | *.dbmdl 109 | Generated_Code #added for RIA/Silverlight projects 110 | 111 | # Backup & report files from converting an old project file to a newer 112 | # Visual Studio version. 
Backup files are not needed, because we have git ;-) 113 | _UpgradeReport_Files/ 114 | Backup*/ 115 | UpgradeLog*.XML 116 | 117 | 118 | 119 | ############ 120 | ## Windows 121 | ############ 122 | 123 | # Windows image file caches 124 | Thumbs.db 125 | 126 | # Folder config file 127 | Desktop.ini 128 | 129 | 130 | ############# 131 | ## Python 132 | ############# 133 | 134 | *.py[co] 135 | 136 | # Packages 137 | *.egg 138 | *.egg-info 139 | dist 140 | build 141 | eggs 142 | parts 143 | bin 144 | var 145 | sdist 146 | develop-eggs 147 | .installed.cfg 148 | 149 | # Installer logs 150 | pip-log.txt 151 | 152 | # Unit test / coverage reports 153 | .coverage 154 | .tox 155 | 156 | #Translations 157 | *.mo 158 | 159 | #Mr Developer 160 | .mr.developer.cfg 161 | 162 | # Mac crap 163 | .DS_Store 164 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## ngx_lua_waf 2 | 3 | ngx_lua_waf是我刚入职趣游时候开发的一个基于ngx_lua的web应用防火墙。 4 | 5 | 代码很简单,开发初衷主要是使用简单,高性能和轻量级。 6 | 7 | 现在开源出来,遵从MIT许可协议。其中包含我们的过滤规则。如果大家有什么建议和想法,欢迎和我一起完善。 8 | 9 | ### 用途: 10 | 11 | 防止sql注入,本地包含,部分溢出,fuzzing测试,xss,SSRF等web攻击 12 | 防止svn/备份之类文件泄漏 13 | 防止ApacheBench之类压力测试工具的攻击 14 | 屏蔽常见的扫描黑客工具,扫描器 15 | 屏蔽异常的网络请求 16 | 屏蔽图片附件类目录php执行权限 17 | 防止webshell上传 18 | 19 | ### 推荐安装: 20 | 21 | 推荐使用luajit2.1做lua支持 22 | 23 | ngx_lua如果是0.9.2以上版本,建议正则过滤函数改为ngx.re.find,匹配效率会提高三倍左右。 24 | 25 | 26 | ### 使用说明: 27 | 28 | nginx安装路径假设为:/usr/local/nginx/conf/ 29 | 30 | 把ngx_lua_waf下载到conf目录下,解压命名为waf 31 | 32 | 在nginx.conf的http段添加 33 | 34 | lua_package_path "/usr/local/nginx/conf/waf/?.lua"; 35 | lua_shared_dict limit 10m; 36 | init_by_lua_file /usr/local/nginx/conf/waf/init.lua; 37 | access_by_lua_file /usr/local/nginx/conf/waf/waf.lua; 38 | 39 | 配置config.lua里的waf规则目录(一般在waf/conf/目录下) 40 | 41 | RulePath = "/usr/local/nginx/conf/waf/wafconf/" 42 | 43 | 绝对路径如有变动,需对应修改 44 | 45 | 然后重启nginx即可 46 | 47 | 48 | ### 配置文件详细说明: 49 | 50 | 
RulePath = "/usr/local/nginx/conf/waf/wafconf/" 51 | --规则存放目录 52 | attacklog = "off" 53 | --是否开启攻击信息记录,需要配置logdir 54 | logdir = "/usr/local/nginx/logs/hack/" 55 | --log存储目录,该目录需要用户自己新建,且需要nginx用户的可写权限 56 | UrlDeny="on" 57 | --是否拦截url访问 58 | Redirect="on" 59 | --是否拦截后重定向 60 | CookieMatch = "on" 61 | --是否拦截cookie攻击 62 | postMatch = "on" 63 | --是否拦截post攻击 64 | whiteModule = "on" 65 | --是否开启URL白名单 66 | black_fileExt={"php","jsp"} 67 | --填写不允许上传文件后缀类型 68 | ipWhitelist={"127.0.0.1"} 69 | --ip白名单,多个ip用逗号分隔 70 | ipBlocklist={"1.0.0.1"} 71 | --ip黑名单,多个ip用逗号分隔 72 | CCDeny="on" 73 | --是否开启拦截cc攻击(需要nginx.conf的http段增加lua_shared_dict limit 10m;) 74 | CCrate = "100/60" 75 | --设置cc攻击频率,单位为秒. 76 | --默认1分钟同一个IP只能请求同一个地址100次 77 | html=[[Please go away~~]] 78 | --警告内容,可在中括号内自定义 79 | 备注:不要乱动双引号,区分大小写 80 | 81 | ### 检查规则是否生效 82 | 83 | 部署完毕可以尝试如下命令: 84 | 85 | curl http://xxxx/test.php?id=../etc/passwd 86 | 返回"Please go away~~"字样,说明规则生效。 87 | 88 | 注意:默认,本机在白名单不过滤,可自行调整config.lua配置 89 | 90 | 91 | ### 效果图如下: 92 | 93 | ![sec](http://i.imgur.com/wTgOcm2.png) 94 | 95 | ![sec](http://i.imgur.com/DqU30au.png) 96 | 97 | ### 规则更新: 98 | 99 | 考虑到正则的缓存问题,动态规则会影响性能,所以暂没用共享内存字典和redis之类东西做动态管理。 100 | 101 | 规则更新可以把规则文件放置到其他服务器,通过crontab任务定时下载来更新规则,nginx reload即可生效。以保障ngx lua waf的高性能。 102 | 103 | 只记录过滤日志,不开启过滤,在代码里在check前面加上--注释即可,如果需要过滤,反之 104 | 105 | ### 一些说明: 106 | 107 | 过滤规则在wafconf下,可根据需求自行调整,每条规则需换行,或者用|分割 108 | 109 | args里面的规则是对get参数进行过滤的 110 | url是只在get请求url过滤的规则 111 | post是只在post请求过滤的规则 112 | whitelist是白名单,里面的url匹配到不做过滤 113 | user-agent是对user-agent的过滤规则 114 | 115 | 116 | 默认开启了get和post过滤,需要开启cookie过滤的,编辑waf.lua取消部分--注释即可 117 | 118 | 日志文件名称格式如下:虚拟主机名_sec.log 119 | 120 | 121 | ## Copyright 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 |
Weibo神奇的魔法师
Forumhttp://bbs.linuxtone.org/
CopyrightCopyright (c) 2013- loveshell
LicenseMIT License
137 | 138 | 感谢ngx_lua模块的开发者[@agentzh](https://github.com/agentzh/),春哥是我所接触过开源精神最好的人 139 | -------------------------------------------------------------------------------- /config.lua: -------------------------------------------------------------------------------- 1 | RulePath = "/usr/local/nginx/conf/waf/wafconf/" 2 | attacklog = "on" 3 | logdir = "/usr/local/nginx/logs/hack/" 4 | UrlDeny="on" 5 | Redirect="on" 6 | CookieMatch="on" 7 | postMatch="on" 8 | whiteModule="on" 9 | black_fileExt={"php","jsp"} 10 | ipWhitelist={"127.0.0.1"} 11 | ipBlocklist={"1.0.0.1"} 12 | CCDeny="off" 13 | CCrate="100/60" 14 | html=[[ 15 | 16 | 17 | 网站防火墙 18 | 25 | 26 | 27 | 28 | 29 |
30 | 31 | 32 |
33 |
网站防火墙
34 |
35 |

您的请求带有不合法参数,已被网站管理员设置拦截!

36 |

可能原因:您提交的内容包含危险的攻击请求

37 |

如何解决:

38 |
  • 1)检查提交内容;
  • 39 |
  • 2)如网站托管,请联系空间提供商;
  • 40 |
  • 3)普通网站访客,请联系网站管理员;
41 |
42 |
43 |
44 | 45 | ]] 46 | -------------------------------------------------------------------------------- /init.lua: -------------------------------------------------------------------------------- 1 | require 'config' 2 | local match = string.match 3 | local ngxmatch=ngx.re.match 4 | local unescape=ngx.unescape_uri 5 | local get_headers = ngx.req.get_headers 6 | local optionIsOn = function (options) return options == "on" and true or false end 7 | logpath = logdir 8 | rulepath = RulePath 9 | UrlDeny = optionIsOn(UrlDeny) 10 | PostCheck = optionIsOn(postMatch) 11 | CookieCheck = optionIsOn(cookieMatch) 12 | WhiteCheck = optionIsOn(whiteModule) 13 | PathInfoFix = optionIsOn(PathInfoFix) 14 | attacklog = optionIsOn(attacklog) 15 | CCDeny = optionIsOn(CCDeny) 16 | Redirect=optionIsOn(Redirect) 17 | function getClientIp() 18 | IP = ngx.var.remote_addr 19 | if IP == nil then 20 | IP = "unknown" 21 | end 22 | return IP 23 | end 24 | function write(logfile,msg) 25 | local fd = io.open(logfile,"ab") 26 | if fd == nil then return end 27 | fd:write(msg) 28 | fd:flush() 29 | fd:close() 30 | end 31 | function log(method,url,data,ruletag) 32 | if attacklog then 33 | local realIp = getClientIp() 34 | local ua = ngx.var.http_user_agent 35 | local servername=ngx.var.server_name 36 | local time=ngx.localtime() 37 | if ua then 38 | line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n" 39 | else 40 | line = realIp.." ["..time.."] \""..method.." 
"..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n" 41 | end 42 | local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log" 43 | write(filename,line) 44 | end 45 | end 46 | ------------------------------------规则读取函数------------------------------------------------------------------- 47 | function read_rule(var) 48 | file = io.open(rulepath..'/'..var,"r") 49 | if file==nil then 50 | return 51 | end 52 | t = {} 53 | for line in file:lines() do 54 | table.insert(t,line) 55 | end 56 | file:close() 57 | return(t) 58 | end 59 | 60 | urlrules=read_rule('url') 61 | argsrules=read_rule('args') 62 | uarules=read_rule('user-agent') 63 | wturlrules=read_rule('whiteurl') 64 | postrules=read_rule('post') 65 | ckrules=read_rule('cookie') 66 | 67 | 68 | function say_html() 69 | if Redirect then 70 | ngx.header.content_type = "text/html" 71 | ngx.status = ngx.HTTP_FORBIDDEN 72 | ngx.say(html) 73 | ngx.exit(ngx.status) 74 | end 75 | end 76 | 77 | function whiteurl() 78 | if WhiteCheck then 79 | if wturlrules ~=nil then 80 | for _,rule in pairs(wturlrules) do 81 | if ngxmatch(ngx.var.uri,rule,"isjo") then 82 | return true 83 | end 84 | end 85 | end 86 | end 87 | return false 88 | end 89 | function fileExtCheck(ext) 90 | local items = Set(black_fileExt) 91 | ext=string.lower(ext) 92 | if ext then 93 | for rule in pairs(items) do 94 | if ngx.re.match(ext,rule,"isjo") then 95 | log('POST',ngx.var.request_uri,"-","file attack with ext "..ext) 96 | say_html() 97 | end 98 | end 99 | end 100 | return false 101 | end 102 | function Set (list) 103 | local set = {} 104 | for _, l in ipairs(list) do set[l] = true end 105 | return set 106 | end 107 | function args() 108 | for _,rule in pairs(argsrules) do 109 | local args = ngx.req.get_uri_args() 110 | for key, val in pairs(args) do 111 | if type(val)=='table' then 112 | local t={} 113 | for k,v in pairs(val) do 114 | if v == true then 115 | v="" 116 | end 117 | table.insert(t,v) 118 | end 119 | data=table.concat(t, " ") 
120 | else 121 | data=val 122 | end 123 | if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then 124 | log('GET',ngx.var.request_uri,"-",rule) 125 | say_html() 126 | return true 127 | end 128 | end 129 | end 130 | return false 131 | end 132 | 133 | 134 | function url() 135 | if UrlDeny then 136 | for _,rule in pairs(urlrules) do 137 | if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then 138 | log('GET',ngx.var.request_uri,"-",rule) 139 | say_html() 140 | return true 141 | end 142 | end 143 | end 144 | return false 145 | end 146 | 147 | function ua() 148 | local ua = ngx.var.http_user_agent 149 | if ua ~= nil then 150 | for _,rule in pairs(uarules) do 151 | if rule ~="" and ngxmatch(ua,rule,"isjo") then 152 | log('UA',ngx.var.request_uri,"-",rule) 153 | say_html() 154 | return true 155 | end 156 | end 157 | end 158 | return false 159 | end 160 | function body(data) 161 | for _,rule in pairs(postrules) do 162 | if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then 163 | log('POST',ngx.var.request_uri,data,rule) 164 | say_html() 165 | return true 166 | end 167 | end 168 | return false 169 | end 170 | function cookie() 171 | local ck = ngx.var.http_cookie 172 | if CookieCheck and ck then 173 | for _,rule in pairs(ckrules) do 174 | if rule ~="" and ngxmatch(ck,rule,"isjo") then 175 | log('Cookie',ngx.var.request_uri,"-",rule) 176 | say_html() 177 | return true 178 | end 179 | end 180 | end 181 | return false 182 | end 183 | 184 | function denycc() 185 | if CCDeny then 186 | local uri=ngx.var.uri 187 | CCcount=tonumber(string.match(CCrate,'(.*)/')) 188 | CCseconds=tonumber(string.match(CCrate,'/(.*)')) 189 | local token = getClientIp()..uri 190 | local limit = ngx.shared.limit 191 | local req,_=limit:get(token) 192 | if req then 193 | if req > CCcount then 194 | ngx.exit(503) 195 | return true 196 | else 197 | limit:incr(token,1) 198 | end 199 | else 200 | limit:set(token,1,CCseconds) 201 | end 202 | 
end 203 | return false 204 | end 205 | 206 | function get_boundary() 207 | local header = get_headers()["content-type"] 208 | if not header then 209 | return nil 210 | end 211 | 212 | if type(header) == "table" then 213 | header = header[1] 214 | end 215 | 216 | local m = match(header, ";%s*boundary=\"([^\"]+)\"") 217 | if m then 218 | return m 219 | end 220 | 221 | return match(header, ";%s*boundary=([^\",;]+)") 222 | end 223 | 224 | function whiteip() 225 | if next(ipWhitelist) ~= nil then 226 | for _,ip in pairs(ipWhitelist) do 227 | if getClientIp()==ip then 228 | return true 229 | end 230 | end 231 | end 232 | return false 233 | end 234 | 235 | function blockip() 236 | if next(ipBlocklist) ~= nil then 237 | for _,ip in pairs(ipBlocklist) do 238 | if getClientIp()==ip then 239 | ngx.exit(403) 240 | return true 241 | end 242 | end 243 | end 244 | return false 245 | end 246 | -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | mkdir -p /data/src 2 | cd /data/src 3 | if [ ! -x "LuaJIT-2.0.0.tar.gz" ]; then 4 | wget http://luajit.org/download/LuaJIT-2.0.0.tar.gz 5 | fi 6 | tar zxvf LuaJIT-2.0.0.tar.gz 7 | cd LuaJIT-2.0.0 8 | make 9 | make install PREFIX=/usr/local/lj2 10 | ln -s /usr/local/lj2/lib/libluajit-5.1.so.2 /lib64/ 11 | cd /data/src 12 | if [ ! -x "v0.2.17rc2.zip" ]; then 13 | wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.17rc2.zip 14 | fi 15 | unzip v0.2.17rc2 16 | if [ ! -x "v0.7.4.zip" ]; then 17 | wget https://github.com/chaoslawful/lua-nginx-module/archive/v0.7.4.zip 18 | fi 19 | unzip v0.7.4 20 | cd /data/src 21 | if [ ! -x "pcre-8.10.tar.gz" ]; then 22 | wget http://blog.s135.com/soft/linux/nginx_php/pcre/pcre-8.10.tar.gz 23 | fi 24 | tar zxvf pcre-8.10.tar.gz 25 | cd pcre-8.10/ 26 | ./configure 27 | make && make install 28 | cd .. 29 | if [ ! 
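-x "nginx-1.2.4.tar.gz" ]; then 30 | wget 'http://nginx.org/download/nginx-1.2.4.tar.gz' 31 | fi 32 | tar -xzvf nginx-1.2.4.tar.gz 33 | cd nginx-1.2.4/ 34 | export LUAJIT_LIB=/usr/local/lj2/lib/ 35 | export LUAJIT_INC=/usr/local/lj2/include/luajit-2.0/ 36 | ./configure --user=daemon --group=daemon --prefix=/usr/local/nginx/ --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --add-module=../ngx_devel_kit-0.2.17rc2/ --add-module=../lua-nginx-module-0.7.4/ 37 | make -j8 38 | make install 39 | #rm -rf /data/src 40 | cd /usr/local/nginx/conf/ 41 | wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip --no-check-certificate 42 | unzip master.zip 43 | mv ngx_lua_waf-master/* /usr/local/nginx/conf/ 44 | rm -rf ngx_lua_waf-master 45 | rm -rf /data/src 46 | mkdir -p /data/logs/hack 47 | chmod -R 775 /data/logs/hack 48 | -------------------------------------------------------------------------------- /waf.lua: --------------------------------------------------------------------------------
-- access-phase entry point (access_by_lua_file), run once per request after
-- init.lua has loaded config.lua and the rule files into globals. Each check in
-- the chain below returns true once it has logged the hit and, with Redirect on,
-- terminated the request; falling off the end or a bare `return` lets the
-- request continue to the upstream.
local content_length = tonumber(ngx.req.get_headers()['content-length'])
local method = ngx.req.get_method()
local ngxmatch = ngx.re.match
-- Pulls the extension (capture 3) out of a multipart part header. The original
-- pattern was written as \\. inside a [[ ]] long string, where no escapes are
-- processed, so it required a literal backslash in the filename and the
-- extension check never ran for ordinary uploads.
local filename_re = [[Content-Disposition: form-data;(.+)filename="(.+)\.(.*)"]]

-- Scan a multipart body of `length` bytes streamed from the raw request socket
-- in chunks. Every chunk is appended to the request body (so the upstream still
-- receives it), matched against the post rules and, when it carries a file part
-- header, its extension is checked against black_fileExt. Returns true when a
-- chunk was blocked, nothing when the socket cannot be taken or the read fails.
-- Limitation: a rule match or a Content-Disposition line that straddles two
-- chunks is not seen, because each chunk is matched on its own.
local function scan_multipart_body(length)
    local len = string.len
    local sock = ngx.req.socket()
    if not sock then
        return
    end
    ngx.req.init_body(128 * 1024)
    sock:settimeout(0)  -- NOTE(review): 0 appears to fall back to lua_socket_read_timeout; confirm
    local chunk_size = 4096
    if length < chunk_size then
        chunk_size = length
    end
    local size = 0
    while size < length do
        local data, _, partial = sock:receive(chunk_size)
        data = data or partial
        if not data then
            return
        end
        ngx.req.append_body(data)
        if body(data) then
            return true
        end
        size = size + len(data)
        local m = ngxmatch(data, filename_re, 'ijo')
        if m then
            fileExtCheck(m[3])
        end
        -- shrink the final read so we never wait for more bytes than remain
        local less = length - size
        if less < chunk_size then
            chunk_size = less
        end
    end
    ngx.req.finish_body()
end

-- Scan a non-multipart POST body through the parsed form arguments. A value
-- that matches is logged (and blocked when Redirect is on) and its name is then
-- checked too, as in the original. ngx.req.get_post_args() returns at most 100
-- arguments by default, so any beyond that are not inspected.
local function scan_form_body()
    ngx.req.read_body()
    local post_args = ngx.req.get_post_args()
    if not post_args then
        return
    end
    for key, val in pairs(post_args) do
        local data
        if type(val) == "table" then
            -- repeated parameter: join its values. A value-less entry arrives as
            -- boolean true; the original gave up on the whole scan at that point,
            -- which let every remaining argument through unchecked.
            local parts = {}
            for _, v in ipairs(val) do
                parts[#parts + 1] = (v == true) and "" or v
            end
            data = table.concat(parts, ", ")
        else
            data = val
        end
        if data and type(data) ~= "boolean" and body(data) then
            body(key)
        end
    end
end

if whiteip() then
elseif blockip() then
elseif denycc() then
elseif ngx.var.http_Acunetix_Aspect then
    ngx.exit(444)  -- scanner fingerprint header: close the connection without a response
elseif ngx.var.http_X_Scan_Memo then
    ngx.exit(444)
elseif whiteurl() then
elseif ua() then
elseif url() then
elseif args() then
elseif cookie() then
elseif PostCheck then
    if method == "POST" then
        if get_boundary() then
            if content_length then
                if scan_multipart_body(content_length) then
                    return true
                end
            else
                -- No usable Content-Length (the original compared nil with a number
                -- here and raised a 500). The raw socket cannot be read by length, so
                -- buffer the body and scan what nginx kept in memory; a body spilled
                -- to a temp file (client_body_buffer_size exceeded) is not inspected.
                ngx.req.read_body()
                local whole = ngx.req.get_body_data()
                if whole then
                    if body(whole) then
                        return true
                    end
                    local m = ngxmatch(whole, filename_re, 'ijo')
                    if m then
                        fileExtCheck(m[3])
                    end
                end
            end
        else
            scan_form_body()
        end
    end
else
    return
end
-------------------------------------------------------------------------------- /wafconf/args: -------------------------------------------------------------------------------- 1 | \.\./ 2 | \:\$ 3 | \$\{ 4 | select.+(from|limit) 5 | (?:(union(.*?)select)) 6 | having|rongjitest 7 | sleep\((\s*)(\d*)(\s*)\) 8 | benchmark\((.*)\,(.*)\) 9 | base64_decode\( 10 | (?:from\W+information_schema\W) 11 | (?:(?:current_)user|database|schema|connection_id)\s*\( 12 | (?:etc\/\W*passwd) 13 | into(\s+)+(?:dump|out)file\s* 14 | group\s+by.+\( 15 | xwork.MethodAccessor 16 | 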
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\( 17 | xwork\.MethodAccessor 18 | (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/ 19 | java\.lang 20 | \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[ 21 | \<(iframe|script|body|img|layer|div|meta|style|base|object|input) 22 | (onmouseover|onerror|onload)\= 23 | -------------------------------------------------------------------------------- /wafconf/cookie: -------------------------------------------------------------------------------- 1 | \.\./ 2 | \:\$ 3 | \$\{ 4 | select.+(from|limit) 5 | (?:(union(.*?)select)) 6 | having|rongjitest 7 | sleep\((\s*)(\d*)(\s*)\) 8 | benchmark\((.*)\,(.*)\) 9 | base64_decode\( 10 | (?:from\W+information_schema\W) 11 | (?:(?:current_)user|database|schema|connection_id)\s*\( 12 | (?:etc\/\W*passwd) 13 | into(\s+)+(?:dump|out)file\s* 14 | group\s+by.+\( 15 | xwork.MethodAccessor 16 | (?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\( 17 | xwork\.MethodAccessor 18 | (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/ 19 | java\.lang 20 | \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[ 21 | -------------------------------------------------------------------------------- /wafconf/post: -------------------------------------------------------------------------------- 1 | select.+(from|limit) 2 | (?:(union(.*?)select)) 3 | having|rongjitest 4 | sleep\((\s*)(\d*)(\s*)\) 5 | benchmark\((.*)\,(.*)\) 6 | base64_decode\( 7 | (?:from\W+information_schema\W) 8 | (?:(?:current_)user|database|schema|connection_id)\s*\( 9 | (?:etc\/\W*passwd) 10 | into(\s+)+(?:dump|out)file\s* 11 | group\s+by.+\( 12 | xwork.MethodAccessor 13 | 
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\( 14 | xwork\.MethodAccessor 15 | (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/ 16 | java\.lang 17 | \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[ 18 | \<(iframe|script|body|img|layer|div|meta|style|base|object|input) 19 | (onmouseover|onerror|onload)\= 20 | -------------------------------------------------------------------------------- /wafconf/url: -------------------------------------------------------------------------------- 1 | \.(svn|htaccess|bash_history) 2 | \.(bak|inc|old|mdb|sql|backup|java|class)$ 3 | (vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar 4 | (phpmyadmin|jmx-console|jmxinvokerservlet) 5 | java\.lang 6 | /(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp) 7 | -------------------------------------------------------------------------------- /wafconf/user-agent: -------------------------------------------------------------------------------- 1 | (HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/) 2 | -------------------------------------------------------------------------------- /wafconf/whiteurl: -------------------------------------------------------------------------------- 1 | ^/123/$ 2 | --------------------------------------------------------------------------------