diff --git a/owasp_rules.json b/owasp_rules.json index 83910d8..29c47a7 100644 --- a/owasp_rules.json +++ b/owasp_rules.json @@ -1,4 +1,40 @@ [ + { + "category": "ENFORCEMENT", + "pattern": "@lt 1" + }, + { + "category": "ENFORCEMENT", + "pattern": "@lt 1" + }, + { + "category": "ENFORCEMENT", + "pattern": "!@within %{tx.allowed_methods}" + }, + { + "category": "ENFORCEMENT", + "pattern": "@lt 2" + }, + { + "category": "ENFORCEMENT", + "pattern": "@lt 2" + }, + { + "category": "ENFORCEMENT", + "pattern": "@lt 3" + }, + { + "category": "ENFORCEMENT", + "pattern": "@lt 3" + }, + { + "category": "ENFORCEMENT", + "pattern": "@lt 4" + }, + { + "category": "ENFORCEMENT", + "pattern": "@lt 4" + }, { "category": "INITIALIZATION", "pattern": "@eq 0" @@ -120,108 +156,112 @@ "pattern": "@lt %{tx.blocking_paranoia_level}" }, { - "category": "ATTACK", + "category": "LFI", "pattern": "@lt 1" }, { - "category": "ATTACK", + "category": "LFI", "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" + "category": "LFI", + "pattern": "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" }, { - "category": "ATTACK", - "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" + "category": "LFI", + "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" }, { - "category": "ATTACK", - "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" + "category": "LFI", + "pattern": "@pmFromFile lfi-os-files.data" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "LFI", + "pattern": "@pmFromFile restricted-files.data" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "LFI", + "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" + "category": "LFI", + "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "@rx [nr]" + "category": "LFI", + "pattern": "@pmFromFile lfi-os-files.data" }, { - "category": "ATTACK", - "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" + "category": "LFI", + "pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" + "category": "LFI", + "pattern": "@lt 3" }, { - "category": "ATTACK", - "pattern": "@rx unix:[^|]*|" + "category": "LFI", + "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "@lt 2" + "category": "LFI", + "pattern": "@lt 4" }, { "category": "ATTACK", - "pattern": "@lt 2" + "pattern": "!@eq 0" }, { "category": "ATTACK", - "pattern": "@rx [nr]" + "pattern": "!@within |%{tx.allowed_request_content_type_charset}|" }, { "category": "ATTACK", - "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" + "pattern": "@rx ^content-types*:s*(.*)$" }, { "category": "ATTACK", - "pattern": "@lt 3" + "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" }, { "category": "ATTACK", - "pattern": "@lt 3" + "pattern": "@rx content-transfer-encoding:(.*)" }, { - "category": "ATTACK", - "pattern": "@gt 0" + "category": "DETECTION", + "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@rx ." + "category": "DETECTION", + "pattern": "@lt 1" }, { - "category": "ATTACK", - "pattern": "@gt 1" + "category": "DETECTION", + "pattern": "@pmFromFile scanners-user-agents.data" }, { - "category": "ATTACK", - "pattern": "@rx TX:paramcounter_(.*)" + "category": "DETECTION", + "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "@rx (][^]]+$|][^]]+[)" + "category": "DETECTION", + "pattern": "@lt 2" }, { - "category": "ATTACK", - "pattern": "@lt 4" + "category": "DETECTION", + "pattern": "@lt 3" }, { - "category": "ATTACK", + "category": "DETECTION", + "pattern": "@lt 3" + }, + { + "category": "DETECTION", "pattern": "@lt 4" }, { - "category": "ATTACK", - "pattern": "@rx [" + "category": "DETECTION", + "pattern": "@lt 4" }, { "category": "EXCEPTIONS", @@ -244,39 +284,59 @@ "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$" }, { - "category": "DETECTION", + "category": "FIXATION", "pattern": "@lt 1" }, { - "category": "DETECTION", + "category": "FIXATION", "pattern": "@lt 1" }, { - "category": "DETECTION", - "pattern": "@pmFromFile scanners-user-agents.data" + "category": "FIXATION", + "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" }, { - "category": "DETECTION", + "category": "FIXATION", + "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + }, + { + "category": "FIXATION", + "pattern": "@rx ^(?:ht|f)tps?://(.*?)/" + }, + { + "category": "FIXATION", + "pattern": "!@endsWith %{request_headers.host}" + }, + { + "category": "FIXATION", + "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + }, + { + "category": "FIXATION", + "pattern": "@eq 0" + }, + { + "category": "FIXATION", "pattern": "@lt 2" }, { - "category": "DETECTION", + "category": "FIXATION", "pattern": "@lt 2" }, { - "category": "DETECTION", + "category": "FIXATION", "pattern": "@lt 3" }, { - "category": "DETECTION", + "category": "FIXATION", "pattern": "@lt 3" }, { - "category": "DETECTION", + "category": "FIXATION", "pattern": "@lt 4" }, { - "category": "DETECTION", + "category": "FIXATION", "pattern": "@lt 4" }, { @@ -339,78 +399,6 @@ "category": "RFI", "pattern": "@lt 4" }, - { - "category": "LFI", - "pattern": "@lt 1" - }, - { - "category": "LFI", - "pattern": "@lt 1" - }, - { - "category": "LFI", - "pattern": "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" - }, - { - "category": "LFI", - "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" - }, - { - "category": "LFI", - "pattern": "@pmFromFile lfi-os-files.data" - }, - { - "category": "LFI", - "pattern": "@pmFromFile restricted-files.data" - }, - { - "category": "LFI", - "pattern": "@lt 2" - }, - { - "category": "LFI", - "pattern": "@lt 2" - }, - { - "category": "LFI", - "pattern": "@pmFromFile lfi-os-files.data" - }, - { - "category": "LFI", - "pattern": "@lt 3" - }, - { - "category": "LFI", - "pattern": "@lt 3" - }, - { - "category": "LFI", - "pattern": "@lt 4" - }, - { - "category": "LFI", - "pattern": "@lt 4" - }, - { - "category": "ATTACK", - "pattern": "!@eq 0" - }, - { - "category": "ATTACK", - "pattern": "!@within |%{tx.allowed_request_content_type_charset}|" - }, - { - "category": "ATTACK", - "pattern": "@rx ^content-types*:s*(.*)$" - }, - { - "category": "ATTACK", - "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" - }, - { - "category": "ATTACK", - "pattern": "@rx content-transfer-encoding:(.*)" - }, { "category": "ENFORCEMENT", "pattern": "@lt 1" @@ -824,311 +812,359 @@ "pattern": "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" }, { - "category": "PHP", - "pattern": "@lt 1" + "category": "EVALUATION", + "pattern": "@ge 1" }, { - "category": "PHP", - "pattern": "@lt 1" + "category": "EVALUATION", + "pattern": "@ge 1" }, { - "category": "PHP", - "pattern": "@rx (?:" + "category": "EVALUATION", + "pattern": "@lt 3" }, { - "category": "PHP", - "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?" + "category": "EVALUATION", + "pattern": "@lt 3" }, { - "category": "PHP", + "category": "EVALUATION", "pattern": "@lt 4" }, { - "category": "PHP", + "category": "EVALUATION", "pattern": "@lt 4" }, { - "category": "ENFORCEMENT", + "category": "JAVA", "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", + "category": "JAVA", "pattern": "@lt 1" }, { - "category": "ENFORCEMENT", - "pattern": "!@within %{tx.allowed_methods}" + "category": "JAVA", + "pattern": "@rx java.lang.(?:runtime|processbuilder)" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 2" + "category": "JAVA", + "pattern": "@rx (?:runtime|processbuilder)" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 2" + "category": "JAVA", + "pattern": "@rx (?:unmarshaller|base64data|java.)" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 3" + "category": "JAVA", + "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 3" + "category": "JAVA", + "pattern": "@rx (?:runtime|processbuilder)" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 4" + "category": "JAVA", + "pattern": "@pmFromFile java-classes.data" }, { - "category": "ENFORCEMENT", - "pattern": "@lt 4" + "category": "JAVA", + "pattern": "@rx .*.(?:jsp|jspx).*$" }, { - "category": "FIXATION", - "pattern": "@lt 1" + "category": "JAVA", + "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" }, { - "category": "FIXATION", - "pattern": "@lt 1" + "category": "JAVA", + "pattern": "@lt 2" }, { - "category": "FIXATION", - "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" + "category": "JAVA", + "pattern": "@lt 2" }, { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + "category": "JAVA", + "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" }, { - "category": "FIXATION", - "pattern": "@rx ^(?:ht|f)tps?://(.*?)/" + "category": "JAVA", + "pattern": "@rx xacxedx00x05" }, { - "category": "FIXATION", - "pattern": "!@endsWith %{request_headers.host}" + "category": "JAVA", + "pattern": "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" }, { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" + "category": "JAVA", + "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" }, { - "category": "FIXATION", - "pattern": "@eq 0" + "category": "JAVA", + "pattern": "@rx javab.+(?:runtime|processbuilder)" }, { - "category": "FIXATION", - "pattern": "@lt 2" + "category": "JAVA", + "pattern": "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" }, { - "category": "FIXATION", - "pattern": "@lt 2" + "category": "JAVA", + "pattern": "@lt 3" }, { - "category": "FIXATION", + "category": "JAVA", "pattern": "@lt 3" }, { - "category": "FIXATION", - "pattern": "@lt 3" + "category": "JAVA", + "pattern": "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" }, { - "category": "FIXATION", + "category": "JAVA", "pattern": "@lt 4" }, { - "category": "FIXATION", + "category": "JAVA", "pattern": "@lt 4" }, { - "category": "EVALUATION", - "pattern": "@ge 1" + "category": "JAVA", + "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" }, { - "category": "EVALUATION", - "pattern": "@ge 1" + "category": "PHP", + "pattern": "@lt 1" }, { - "category": "EVALUATION", - "pattern": "@ge 2" + "category": "PHP", + "pattern": "@lt 1" }, { - "category": "EVALUATION", - "pattern": "@ge 2" + "category": "PHP", + "pattern": "@rx (?:" + }, + { + "category": "PHP", + "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?" + }, + { + "category": "PHP", + "pattern": "@lt 4" + }, + { + "category": "PHP", + "pattern": "@lt 4" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 1" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 1" + }, + { + "category": "LEAKAGES", + "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)" + }, + { + "category": "LEAKAGES", + "pattern": "@rx ^#!s?/" + }, + { + "category": "LEAKAGES", "pattern": "@lt 2" }, { - "category": "EVALUATION", + "category": "LEAKAGES", + "pattern": "@lt 2" + }, + { + "category": "LEAKAGES", + "pattern": "@rx ^5d{2}$" + }, + { + "category": "LEAKAGES", "pattern": "@lt 3" }, { - "category": "EVALUATION", + "category": "LEAKAGES", "pattern": "@lt 3" }, { - "category": "EVALUATION", + "category": "LEAKAGES", "pattern": "@lt 4" }, { - "category": "EVALUATION", + "category": "LEAKAGES", "pattern": "@lt 4" }, { @@ -1232,256 +1268,296 @@ "pattern": "@lt 4" }, { - "category": "JAVA", + "category": "SQLI", "pattern": "@lt 1" }, { - "category": "JAVA", + "category": "SQLI", "pattern": "@lt 1" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-code-leakages.data" + "category": "SQLI", + "pattern": "@detectSQLi" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-errors.data" + "category": "SQLI", + "pattern": "@rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "@rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" }, { - "category": "JAVA", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?i)(?:select|;)[sv]+(?:benchmark|if|sleep)[sv]*?([sv]*?(?[sv]*?[0-9A-Z_a-z]+" }, { - "category": "JAVA", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?i)[\"'`](?:[sv]*![sv]*[\"'0-9A-Z_-z]|;?[sv]*(?:having|select|unionb[sv]*(?:all|(?:distin|sele)ct))b[sv]*[^sv])|b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[sv]*?|select.*?[0-9A-Z_a-z]?user)(|exec(?:ute)?[sv]+master.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[sv+]+(?:dump|out)file[sv]*?[\"'`]|union(?:[sv]select[sv]@|[sv(0-9A-Z_a-z]*?select))|[sv]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[sv]*?(" }, { - "category": "JAVA", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" }, { - "category": "JAVA", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx (?i)[sv(-)]case[sv]+when.*?then|)[sv]*?like[sv]*?(|select.*?having[sv]*?[^sv]+[sv]*?[^sv0-9A-Z_a-z]|if[sv]?([0-9A-Z_a-z]+[sv]*?[<->~]" }, { - "category": "GENERIC", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" }, { - "category": "GENERIC", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i:merge.*?usings*?(|executes*?immediates*?[\"'`]|matchs*?[w(),+-]+s*?againsts*?()" }, { - "category": "GENERIC", - "pattern": "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]])" + "category": "SQLI", + "pattern": "@rx (?i)union.*?select.*?from" }, { - "category": "GENERIC", - "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" + "category": "SQLI", + "pattern": "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" }, { - "category": "GENERIC", - "pattern": "@pmFromFile ssrf.data" + "category": "SQLI", + "pattern": "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" }, { - "category": "GENERIC", - "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" + "category": "SQLI", + "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" }, { - "category": "GENERIC", - "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*(" + "category": "SQLI", + "pattern": "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" }, { - "category": "GENERIC", - "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" + "category": "SQLI", + "pattern": "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)" }, { - "category": "GENERIC", - "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" + "category": "SQLI", + "pattern": "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" }, { - "category": "GENERIC", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" }, { - "category": "GENERIC", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "@rx (?i)1.e[(-),]" }, { - "category": "GENERIC", - "pattern": "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" + "category": "SQLI", + "pattern": "@rx [\"'`][[{].*[]}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)[\"'`][[{].*[]}][\"'`]|json_extract.*(.*)" }, { - "category": "GENERIC", - "pattern": "@rx [s*constructors*]" + "category": "SQLI", + "pattern": "@lt 2" }, { - "category": "GENERIC", - "pattern": "@rx @{.*}" + "category": "SQLI", + "pattern": "@lt 2" }, { - "category": "GENERIC", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?:^s*[\"'`;]+|[\"'`]+s*$)" }, { - "category": "GENERIC", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|\"[^\"]*\")[sv]+and[sv]+(?:'[^']*'|\"[^\"]*\"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv\"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" }, { - "category": "GENERIC", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" }, { - "category": "GENERIC", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@streq %{TX.2}" }, { - "category": "LEAKAGES", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" }, { - "category": "LEAKAGES", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "!@streq %{TX.2}" }, { - "category": "LEAKAGES", - "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)" + "category": "SQLI", + "pattern": "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" }, { - "category": "LEAKAGES", - "pattern": "@rx ^#!s?/" + "category": "SQLI", + "pattern": "@rx (?i)(?:/*)+[\"'`]+[sv]?(?:--|[#{]|/*)?|[\"'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*[\"'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?[\"'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][sv]+[\"'`][sv]+[0-9]|^admin[sv]*?[\"'`]|[sv\"'-(`][sv]*?glob[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" }, { - "category": "LEAKAGES", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "@rx (?i),.*?[\"')0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:r?n)?z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" }, { - "category": "LEAKAGES", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[\"'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" }, { - "category": "LEAKAGES", - "pattern": "@rx ^5d{2}$" + "category": "SQLI", + "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" }, { - "category": "LEAKAGES", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[\"'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" }, { - "category": "LEAKAGES", - "pattern": "@lt 3" + "category": "SQLI", + "pattern": "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][\"'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" }, { - "category": "LEAKAGES", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx (?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" }, { - "category": "LEAKAGES", - "pattern": "@lt 4" + "category": "SQLI", + "pattern": "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?[\"'`]|[0-9=]+x)|[\"'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)[\"'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()" }, { - "category": "JAVA", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i:^[Wd]+s*?(?:alter|union)b)" }, { - "category": "JAVA", - "pattern": "@lt 1" + "category": "SQLI", + "pattern": "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)" }, { - "category": "JAVA", - "pattern": "@rx java.lang.(?:runtime|processbuilder)" + "category": "SQLI", + "pattern": "@rx (?i)[\"'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?[\"'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^[\"'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+[\"'`][^,]" }, { - "category": "JAVA", - "pattern": "@rx (?:runtime|processbuilder)" + "category": "SQLI", + "pattern": "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')" }, { - "category": "JAVA", - "pattern": "@rx (?:unmarshaller|base64data|java.)" + "category": "SQLI", + "pattern": "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" }, { - "category": "JAVA", - "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" + "category": "SQLI", + "pattern": "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" }, { - "category": "JAVA", - "pattern": "@rx (?:runtime|processbuilder)" + "category": "SQLI", + "pattern": "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(" }, { - "category": "JAVA", - "pattern": "@pmFromFile java-classes.data" + "category": "SQLI", + "pattern": "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" }, { - "category": "JAVA", - "pattern": "@rx .*.(?:jsp|jspx).*$" + "category": "SQLI", + "pattern": "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'" }, { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" + "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){12})" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00" }, { - "category": "JAVA", - "pattern": "@lt 2" + "category": "SQLI", + "pattern": "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" }, { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" + "category": "SQLI", + "pattern": "@rx (?i:b0x[a-fd]{3,})" }, { - "category": "JAVA", - "pattern": "@rx xacxedx00x05" + "category": "SQLI", + "pattern": "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" }, { - "category": "JAVA", - "pattern": "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" + "category": "SQLI", + "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" }, { - "category": "JAVA", - "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" + "category": "SQLI", + "pattern": "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" }, { - "category": "JAVA", - "pattern": "@rx javab.+(?:runtime|processbuilder)" + "category": "SQLI", + "pattern": "@rx ^(?:and|or)$" }, { - "category": "JAVA", - "pattern": "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" + "category": "SQLI", + "pattern": "@rx ^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" }, { - "category": "JAVA", + "category": "SQLI", + "pattern": "@detectSQLi" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" + }, + { + "category": "SQLI", "pattern": "@lt 3" }, { - "category": "JAVA", + "category": "SQLI", "pattern": "@lt 3" }, { - "category": "JAVA", - "pattern": "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" + "category": "SQLI", + "pattern": "@rx (?i)W+d*?s*?bhavingbs*?[^s-]" }, { - "category": "JAVA", + "category": "SQLI", + "pattern": "@rx [\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" + }, + { + "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){8})" + }, + { + "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){6})" + }, + { + "category": "SQLI", + "pattern": "@rx W{4}" + }, + { + "category": "SQLI", + "pattern": "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" + }, + { + "category": "SQLI", + "pattern": "@rx ';" + }, + { + "category": "SQLI", "pattern": "@lt 4" }, { - "category": "JAVA", + "category": "SQLI", "pattern": "@lt 4" }, { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" + "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){3})" + }, + { + "category": "SQLI", + "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){2})" }, { "category": "XSS", @@ -1655,6 +1731,118 @@ "category": "XSS", "pattern": "@lt 4" }, + { + "category": "GENERIC", + "pattern": "@lt 1" + }, + { + "category": "GENERIC", + "pattern": "@lt 1" + }, + { + "category": "GENERIC", + "pattern": "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]])" + }, + { + "category": "GENERIC", + "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" + }, + { + "category": "GENERIC", + "pattern": "@pmFromFile ssrf.data" + }, + { + "category": "GENERIC", + "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" + }, + { + "category": "GENERIC", + "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*(" + }, + { + "category": "GENERIC", + "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" + }, + { + "category": "GENERIC", + "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" + }, + { + "category": "GENERIC", + "pattern": "@lt 2" + }, + { + "category": "GENERIC", + "pattern": "@lt 2" + }, + { + "category": "GENERIC", + "pattern": "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" + }, + { + "category": "GENERIC", + "pattern": "@rx [s*constructors*]" + }, + { + "category": "GENERIC", + "pattern": "@rx @{.*}" + }, + { + "category": "GENERIC", + "pattern": "@lt 3" + }, + { + "category": "GENERIC", + "pattern": "@lt 3" + }, + { + "category": "GENERIC", + "pattern": "@lt 4" + }, + { + "category": "GENERIC", + "pattern": "@lt 4" + }, + { + "category": "JAVA", + "pattern": "@lt 1" + }, + { + "category": "JAVA", + "pattern": "@lt 1" + }, + { + "category": "JAVA", + "pattern": "@pmFromFile java-code-leakages.data" + }, + { + "category": "JAVA", + "pattern": "@pmFromFile java-errors.data" + }, + { + "category": "JAVA", + "pattern": "@lt 2" + }, + { + "category": "JAVA", + "pattern": "@lt 2" + }, + { + "category": "JAVA", + "pattern": "@lt 3" + }, + { + "category": "JAVA", + "pattern": "@lt 3" + }, + { + "category": "JAVA", + "pattern": "@lt 4" + }, + { + "category": "JAVA", + "pattern": "@lt 4" + }, { "category": "RCE", "pattern": "@lt 1" @@ -1808,459 +1996,115 @@ "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\"-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:[\"-#*.-9A-Z_a-z~]+)? (?:[\"%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:[\"%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:[\"%-&*--9A-Zx5c_a-z]+)? ((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:[\"%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&*--9A-Zx5c_a-z]+)?)" }, { - "category": "RCE", - "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" - }, - { - "category": "RCE", - "pattern": "@pmFromFile unix-shell.data" - }, - { - "category": "RCE", - "pattern": "@lt 3" - }, - { - "category": "RCE", - "pattern": "@lt 3" - }, - { - "category": "RCE", - "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b" - }, - { - "category": "RCE", - "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" - }, - { - "category": "RCE", - "pattern": "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" - }, - { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" - }, - { - "category": "RCE", - "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" - }, - { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" - }, - { - "category": "RCE", - "pattern": "@rx !(?:d|!)" - }, - { - "category": "RCE", - "pattern": "@lt 4" - }, - { - "category": "RCE", - "pattern": "@lt 4" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@pmFromFile php-errors.data" - }, - { - "category": "PHP", - "pattern": "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" - }, - { - "category": "PHP", - "pattern": "@rx (?i)~]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i:merge.*?usings*?(|executes*?immediates*?[\"'`]|matchs*?[w(),+-]+s*?againsts*?()" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)union.*?select.*?from" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" - }, - { - "category": "SQLI", - "pattern": "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)1.e[(-),]" - }, - { - "category": "SQLI", - "pattern": "@rx [\"'`][[{].*[]}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)[\"'`][[{].*[]}][\"'`]|json_extract.*(.*)" - }, - { - "category": "SQLI", - "pattern": "@lt 2" - }, - { - "category": "SQLI", - "pattern": "@lt 2" - }, - { - "category": "SQLI", - "pattern": "@rx (?:^s*[\"'`;]+|[\"'`]+s*$)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|\"[^\"]*\")[sv]+and[sv]+(?:'[^']*'|\"[^\"]*\"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv\"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" - }, - { - "category": "SQLI", - "pattern": "@streq %{TX.2}" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" - }, - { - "category": "SQLI", - "pattern": "!@streq %{TX.2}" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)(?:/*)+[\"'`]+[sv]?(?:--|[#{]|/*)?|[\"'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*[\"'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?[\"'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][sv]+[\"'`][sv]+[0-9]|^admin[sv]*?[\"'`]|[sv\"'-(`][sv]*?glob[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" - }, - { - "category": "SQLI", - "pattern": "@rx (?i),.*?[\"')0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:r?n)?z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[\"'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" - }, - { - "category": "SQLI", - "pattern": "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[\"'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][\"'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?[\"'`]|[0-9=]+x)|[\"'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)[\"'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()" - }, - { - "category": "SQLI", - "pattern": "@rx (?i:^[Wd]+s*?(?:alter|union)b)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?[\"'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^[\"'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+[\"'`][^,]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'" - }, - { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){12})" - }, - { - "category": "SQLI", - "pattern": "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00" - }, - { - "category": "SQLI", - "pattern": "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" - }, - { - "category": "SQLI", - "pattern": "@rx (?i:b0x[a-fd]{3,})" - }, - { - "category": "SQLI", - "pattern": "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" - }, - { - "category": "SQLI", - "pattern": "@rx ^(?:and|or)$" - }, - { - "category": "SQLI", - "pattern": "@rx ^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" + "category": "RCE", + "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" }, { - "category": "SQLI", - "pattern": "@detectSQLi" + "category": "RCE", + "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" + "category": "RCE", + "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" }, { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" + "category": "RCE", + "pattern": "@pmFromFile unix-shell.data" }, { - "category": "SQLI", + "category": "RCE", "pattern": "@lt 3" }, { - "category": "SQLI", + "category": "RCE", "pattern": "@lt 3" }, { - "category": "SQLI", - "pattern": "@rx (?i)W+d*?s*?bhavingbs*?[^s-]" + "category": "RCE", + "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b" }, { - "category": "SQLI", - "pattern": "@rx [\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" + "category": "RCE", + "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){8})" + "category": "RCE", + "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){6})" + "category": "RCE", + "pattern": "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" }, { - "category": "SQLI", - "pattern": "@rx W{4}" + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" }, { - "category": "SQLI", - "pattern": "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" + "category": "RCE", + "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" }, { - "category": "SQLI", - "pattern": "@rx ';" + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" }, { - "category": "SQLI", - "pattern": "@lt 4" + "category": "RCE", + "pattern": "@rx !(?:d|!)" }, { - "category": "SQLI", + "category": "RCE", "pattern": "@lt 4" }, { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){3})" - }, - { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){2})" + "category": "RCE", + "pattern": "@lt 4" }, { - "category": "IIS", + "category": "PHP", "pattern": "@lt 1" }, { - "category": "IIS", + "category": "PHP", "pattern": "@lt 1" }, { - "category": "IIS", - "pattern": "@rx [a-z]:x5cinetpubb" - }, - { - "category": "IIS", - "pattern": "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out)" + "category": "PHP", + "pattern": "@pmFromFile php-errors.data" }, { - "category": "IIS", - "pattern": "@pmFromFile iis-errors.data" + "category": "PHP", + "pattern": "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" }, { - "category": "IIS", - "pattern": "!@rx ^404$" + "category": "PHP", + "pattern": "@rx (?i).{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out)" + }, + { + "category": "IIS", + "pattern": "@pmFromFile iis-errors.data" + }, + { + "category": "IIS", + "pattern": "!@rx ^404$" + }, + { + "category": "IIS", + "pattern": "@rx bServer Error in.{0,50}?bApplicationb" + }, + { + "category": "IIS", + "pattern": "@lt 2" + }, + { + "category": "IIS", + "pattern": "@lt 2" + }, + { + "category": "IIS", + "pattern": "@lt 3" + }, + { + "category": "IIS", + "pattern": "@lt 3" + }, + { + "category": "IIS", + "pattern": "@lt 4" + }, + { + "category": "IIS", + "pattern": "@lt 4" + }, { "category": "CORRELATION", "pattern": "@eq 0" @@ -2582,5 +2478,109 @@ { "category": "EVALUATION", "pattern": "@lt 4" + }, + { + "category": "ATTACK", + "pattern": "@lt 1" + }, + { + "category": "ATTACK", + "pattern": "@lt 1" + }, + { + "category": "ATTACK", + "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" + }, + { + "category": "ATTACK", + "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" + }, + { + "category": "ATTACK", + "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" + }, + { + "category": "ATTACK", + "pattern": "@rx unix:[^|]*|" + }, + { + "category": "ATTACK", + "pattern": "@lt 2" + }, + { + "category": "ATTACK", + "pattern": "@lt 2" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" + }, + { + "category": "ATTACK", + "pattern": "@lt 3" + }, + { + "category": "ATTACK", + "pattern": "@lt 3" + }, + { + "category": "ATTACK", + "pattern": "@gt 0" + }, + { + "category": "ATTACK", + "pattern": "@rx ." + }, + { + "category": "ATTACK", + "pattern": "@gt 1" + }, + { + "category": "ATTACK", + "pattern": "@rx TX:paramcounter_(.*)" + }, + { + "category": "ATTACK", + "pattern": "@rx (][^]]+$|][^]]+[)" + }, + { + "category": "ATTACK", + "pattern": "@lt 4" + }, + { + "category": "ATTACK", + "pattern": "@lt 4" + }, + { + "category": "ATTACK", + "pattern": "@rx [" } ] \ No newline at end of file diff --git a/waf_patterns/apache/attack.conf b/waf_patterns/apache/attack.conf index 55c22fa..82bcc01 100644 --- a/waf_patterns/apache/attack.conf +++ b/waf_patterns/apache/attack.conf @@ -1,20 +1,20 @@ # Apache ModSecurity rules for ATTACK SecRuleEngine On -SecRule REQUEST_URI "\[nr\]" "id:1037,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1038,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1035,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1033,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1052,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\[nr\]" "id:1032,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@gt\ 0" "id:1039,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1029,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "@gt\ 1" "id:1041,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1030,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1028,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\[nr\]" "id:1031,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1053,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\[nr\]" "id:1034,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1036,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "\." "id:1040,phase:1,deny,status:403,log,msg:'attack attack detected'" -SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1042,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\." "id:1344,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\[nr\]" "id:1336,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1030,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1332,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1339,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1334,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1333,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1342,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1337,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\[nr\]" "id:1338,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@gt\ 1" "id:1345,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1346,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\[nr\]" "id:1335,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\[nr\]" "id:1341,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "@gt\ 0" "id:1343,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1029,phase:1,deny,status:403,log,msg:'attack attack detected'" +SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1340,phase:1,deny,status:403,log,msg:'attack attack detected'" diff --git a/waf_patterns/apache/correlation.conf b/waf_patterns/apache/correlation.conf index 1498786..4117757 100644 --- a/waf_patterns/apache/correlation.conf +++ b/waf_patterns/apache/correlation.conf @@ -1,11 +1,11 @@ # Apache ModSecurity rules for CORRELATION SecRuleEngine On -SecRule REQUEST_URI "@gt\ 0" "id:1327,phase:1,deny,status:403,log,msg:'correlation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1326,phase:1,deny,status:403,log,msg:'correlation attack detected'" -SecRule REQUEST_URI "@ge\ 5" "id:1321,phase:1,deny,status:403,log,msg:'correlation attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1320,phase:1,deny,status:403,log,msg:'correlation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1323,phase:1,deny,status:403,log,msg:'correlation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1324,phase:1,deny,status:403,log,msg:'correlation attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1322,phase:1,deny,status:403,log,msg:'correlation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1325,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1309,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@ge\ 5" "id:1306,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@gt\ 0" "id:1312,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1308,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1311,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1305,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1310,phase:1,deny,status:403,log,msg:'correlation attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1307,phase:1,deny,status:403,log,msg:'correlation attack detected'" diff --git a/waf_patterns/apache/enforcement.conf b/waf_patterns/apache/enforcement.conf index af857df..1babc78 100644 --- a/waf_patterns/apache/enforcement.conf +++ b/waf_patterns/apache/enforcement.conf @@ -1,82 +1,82 @@ # Apache ModSecurity rules for ENFORCEMENT SecRuleEngine On -SecRule REQUEST_URI "x25" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1121,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateUrlEncoding" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1128,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "x25" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1120,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@streq\ JSON" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateUtf8Encoding" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^0\$" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\$" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1132,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\$" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@streq\ POST" "id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ 1" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\$" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1131,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\.\*\$" "id:1119,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1123,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ 50" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "charset\.\*\?charset" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1130,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1127,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1118,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\$" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1125,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1129,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ 0" "id:1126,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1124,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1122,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\^\.\*\$" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^0\$" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@contains\ \#" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "@validateUrlEncoding" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'" -SecRule REQUEST_URI "\['";=\]" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ 1" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@contains\ \#" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@streq\ JSON" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1050,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\.\*\$" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateUrlEncoding" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "charset\.\*\?charset" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1123,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\$" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@streq\ POST" "id:1049,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\['";=\]" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1053,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^0\$" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateUrlEncoding" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1120,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\$" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "x25" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ 50" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "x25" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\$" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1052,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1118,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1122,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1045,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1046,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\.\*\$" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1121,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ 0" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1048,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateUtf8Encoding" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1051,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1047,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "\^\$" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^0\$" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1119,phase:1,deny,status:403,log,msg:'enforcement attack detected'" +SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'" diff --git a/waf_patterns/apache/evaluation.conf b/waf_patterns/apache/evaluation.conf index 72a537a..61401f1 100644 --- a/waf_patterns/apache/evaluation.conf +++ b/waf_patterns/apache/evaluation.conf @@ -1,41 +1,41 @@ # Apache ModSecurity rules for EVALUATION SecRuleEngine On -SecRule REQUEST_URI "@ge\ 1" "id:1148,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1154,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1160,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1157,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1163,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1150,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1343,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1159,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1153,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1346,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1164,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1344,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1156,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1158,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1162,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1342,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1345,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1152,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1151,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1149,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1155,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1161,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1166,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 1" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 2" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 4" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@ge\ 3" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1165,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1130,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1139,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1319,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1127,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1132,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1316,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1321,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1142,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1136,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1325,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1138,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1126,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1125,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1327,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1314,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1135,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1315,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1141,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1324,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1129,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1318,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1131,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 4" "id:1320,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1124,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1134,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1133,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1313,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 2" "id:1323,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 1" "id:1322,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1140,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1128,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1317,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1137,phase:1,deny,status:403,log,msg:'evaluation attack detected'" +SecRule REQUEST_URI "@ge\ 3" "id:1326,phase:1,deny,status:403,log,msg:'evaluation attack detected'" diff --git a/waf_patterns/apache/exceptions.conf b/waf_patterns/apache/exceptions.conf index 819dcc3..e3ccf2b 100644 --- a/waf_patterns/apache/exceptions.conf +++ b/waf_patterns/apache/exceptions.conf @@ -1,8 +1,8 @@ # Apache ModSecurity rules for EXCEPTIONS SecRuleEngine On -SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1046,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1047,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1044,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "@streq\ GET\ /" "id:1043,phase:1,deny,status:403,log,msg:'exceptions attack detected'" -SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1045,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1035,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1033,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@streq\ GET\ /" "id:1031,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1034,phase:1,deny,status:403,log,msg:'exceptions attack detected'" +SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1032,phase:1,deny,status:403,log,msg:'exceptions attack detected'" diff --git a/waf_patterns/apache/fixation.conf b/waf_patterns/apache/fixation.conf index d7392c4..a80074b 100644 --- a/waf_patterns/apache/fixation.conf +++ b/waf_patterns/apache/fixation.conf @@ -1,9 +1,9 @@ # Apache ModSecurity rules for FIXATION SecRuleEngine On -SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1145,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1142,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1147,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1143,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1146,phase:1,deny,status:403,log,msg:'fixation attack detected'" -SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1144,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1036,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1037,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1041,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1040,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1038,phase:1,deny,status:403,log,msg:'fixation attack detected'" +SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1039,phase:1,deny,status:403,log,msg:'fixation attack detected'" diff --git a/waf_patterns/apache/generic.conf b/waf_patterns/apache/generic.conf index 6820947..81b151f 100644 --- a/waf_patterns/apache/generic.conf +++ b/waf_patterns/apache/generic.conf @@ -1,6 +1,6 @@ # Apache ModSecurity rules for GENERIC SecRuleEngine On -SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1180,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "@\{\.\*\}" "id:1182,phase:1,deny,status:403,log,msg:'generic attack detected'" -SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1181,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1245,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1246,phase:1,deny,status:403,log,msg:'generic attack detected'" +SecRule REQUEST_URI "@\{\.\*\}" "id:1247,phase:1,deny,status:403,log,msg:'generic attack detected'" diff --git a/waf_patterns/apache/iis.conf b/waf_patterns/apache/iis.conf index ea4bf40..9a3afe9 100644 --- a/waf_patterns/apache/iis.conf +++ b/waf_patterns/apache/iis.conf @@ -1,7 +1,7 @@ # Apache ModSecurity rules for IIS SecRuleEngine On -SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)
Timeout\ expired
\)\|

internal\ server\ error

\.\*\?

part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.

\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1292,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "!@rx\ \^404\$" "id:1293,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'" -SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1291,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "!@rx\ \^404\$" "id:1303,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1304,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)
Timeout\ expired
\)\|

internal\ server\ error

\.\*\?

part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.

\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1302,phase:1,deny,status:403,log,msg:'iis attack detected'" +SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1301,phase:1,deny,status:403,log,msg:'iis attack detected'" diff --git a/waf_patterns/apache/initialization.conf b/waf_patterns/apache/initialization.conf index e66c031..7176461 100644 --- a/waf_patterns/apache/initialization.conf +++ b/waf_patterns/apache/initialization.conf @@ -1,31 +1,31 @@ # Apache ModSecurity rules for INITIALIZATION SecRuleEngine On -SecRule REQUEST_URI "@eq\ 0" "id:1010,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1016,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1025,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1019,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1021,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 1" "id:1024,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1027,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1006,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1003,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1009,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1015,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1012,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1018,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "\^\.\*\$" "id:1022,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 100" "id:1026,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1005,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1002,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1008,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1005,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1025,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1011,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1017,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1014,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1020,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1023,phase:1,deny,status:403,log,msg:'initialization attack detected'" -SecRule REQUEST_URI "@eq\ 0" "id:1017,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1001,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1004,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1010,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1007,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1013,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1027,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1016,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1019,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "\^\.\*\$" "id:1022,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 100" "id:1026,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1003,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1023,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1006,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1021,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1009,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1015,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 1" "id:1024,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1012,phase:1,deny,status:403,log,msg:'initialization attack detected'" +SecRule REQUEST_URI "@eq\ 0" "id:1018,phase:1,deny,status:403,log,msg:'initialization attack detected'" diff --git a/waf_patterns/apache/java.conf b/waf_patterns/apache/java.conf index 6c4a4b3..787ba58 100644 --- a/waf_patterns/apache/java.conf +++ b/waf_patterns/apache/java.conf @@ -1,18 +1,18 @@ # Apache ModSecurity rules for JAVA SecRuleEngine On -SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1199,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1187,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1198,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1191,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1190,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "xacxedx00x05" "id:1194,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1193,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1195,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1192,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1196,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1197,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1189,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1200,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1188,phase:1,deny,status:403,log,msg:'java attack detected'" -SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1186,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "xacxedx00x05" "id:1151,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1156,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1144,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1147,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1149,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1143,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1150,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1154,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1152,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1153,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1155,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1148,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1146,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1145,phase:1,deny,status:403,log,msg:'java attack detected'" +SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1157,phase:1,deny,status:403,log,msg:'java attack detected'" diff --git a/waf_patterns/apache/leakages.conf b/waf_patterns/apache/leakages.conf index eceac6a..184e00e 100644 --- a/waf_patterns/apache/leakages.conf +++ b/waf_patterns/apache/leakages.conf @@ -1,6 +1,6 @@ # Apache ModSecurity rules for LEAKAGES SecRuleEngine On -SecRule REQUEST_URI "\^\#!s\?/" "id:1184,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "\^5d\{2\}\$" "id:1185,phase:1,deny,status:403,log,msg:'leakages attack detected'" -SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?Index\ of\.\*\?Index\ of\|>\[To\ Parent\ Directory\]
\)" "id:1183,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "\^5d\{2\}\$" "id:1169,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?Index\ of\.\*\?Index\ of\|>\[To\ Parent\ Directory\]
\)" "id:1167,phase:1,deny,status:403,log,msg:'leakages attack detected'" +SecRule REQUEST_URI "\^\#!s\?/" "id:1168,phase:1,deny,status:403,log,msg:'leakages attack detected'" diff --git a/waf_patterns/apache/lfi.conf b/waf_patterns/apache/lfi.conf index 959ad63..4556589 100644 --- a/waf_patterns/apache/lfi.conf +++ b/waf_patterns/apache/lfi.conf @@ -1,4 +1,4 @@ # Apache ModSecurity rules for LFI SecRuleEngine On -SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1051,phase:1,deny,status:403,log,msg:'lfi attack detected'" +SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1028,phase:1,deny,status:403,log,msg:'lfi attack detected'" diff --git a/waf_patterns/apache/php.conf b/waf_patterns/apache/php.conf index ae1badf..86ded4f 100644 --- a/waf_patterns/apache/php.conf +++ b/waf_patterns/apache/php.conf @@ -1,14 +1,14 @@ # Apache ModSecurity rules for PHP SecRuleEngine On -SecRule REQUEST_URI "@pm\ \?>" "id:1141,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1138,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1140,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1254,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1137,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1136,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1139,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1134,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1133,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1253,phase:1,deny,status:403,log,msg:'php attack detected'" -SecRule REQUEST_URI "@pm\ =" "id:1135,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1162,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1159,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1158,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@pm\ \?>" "id:1166,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1163,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1165,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1161,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1274,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "@pm\ =" "id:1160,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1275,phase:1,deny,status:403,log,msg:'php attack detected'" +SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1164,phase:1,deny,status:403,log,msg:'php attack detected'" diff --git a/waf_patterns/apache/rce.conf b/waf_patterns/apache/rce.conf index 2a71e6f..6cde074 100644 --- a/waf_patterns/apache/rce.conf +++ b/waf_patterns/apache/rce.conf @@ -1,29 +1,29 @@ # Apache ModSecurity rules for RCE SecRuleEngine On -SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1244,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1227,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1235,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1249,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1246,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "/" "id:1239,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "/" "id:1236,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "/" "id:1242,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "!\-d" "id:1230,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1250,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1251,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1248,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1238,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1232,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1245,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1247,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "s" "id:1240,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "s" "id:1237,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "s" "id:1243,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1234,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1231,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1229,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1252,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1241,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1233,phase:1,deny,status:403,log,msg:'rce attack detected'" -SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1228,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "/" "id:1260,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "/" "id:1263,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1271,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1255,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1262,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1254,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "s" "id:1261,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "s" "id:1258,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "s" "id:1264,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "!\-d" "id:1251,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1267,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1249,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1268,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1272,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1269,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1250,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1270,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1253,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1265,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1256,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1266,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1259,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1273,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1248,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1252,phase:1,deny,status:403,log,msg:'rce attack detected'" +SecRule REQUEST_URI "/" "id:1257,phase:1,deny,status:403,log,msg:'rce attack detected'" diff --git a/waf_patterns/apache/rfi.conf b/waf_patterns/apache/rfi.conf index 640e1d8..e3608e8 100644 --- a/waf_patterns/apache/rfi.conf +++ b/waf_patterns/apache/rfi.conf @@ -1,6 +1,6 @@ # Apache ModSecurity rules for RFI SecRuleEngine On -SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1049,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1050,phase:1,deny,status:403,log,msg:'rfi attack detected'" -SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1048,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1042,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1043,phase:1,deny,status:403,log,msg:'rfi attack detected'" +SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1044,phase:1,deny,status:403,log,msg:'rfi attack detected'" diff --git a/waf_patterns/apache/shells.conf b/waf_patterns/apache/shells.conf index 0824405..830464f 100644 --- a/waf_patterns/apache/shells.conf +++ b/waf_patterns/apache/shells.conf @@ -1,28 +1,28 @@ # Apache ModSecurity rules for SHELLS SecRuleEngine On -SecRule REQUEST_URI "CasuS\ \[0\-9\.\]\+\ by\ MafiABoY" "id:1301,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "\^nnWeb\ Shell" "id:1305,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "\^n\ \ \ \ \ \ n\ \ \ \ \ \ \ \ \ \ \ \ \ azrail\ \[0\-9\.\]\+\ by\ C\-W\-M" "id:1315,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "\^\.\*\?\ \-\ WSO\ \[0\-9\.\]\+" "id:1296,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "\^rnrnGRP\ WebShell\ \[0\-9\.\]\+" "id:1302,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1310,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1309,phase:1,deny,status:403,log,msg:'shells attack detected'" -SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ Inn