patterns/waf_patterns/nginx/sqli.conf

# Nginx WAF rules for SQLI
# Automatically generated from OWASP rules.
# Include this file in your server or location block.

map $request_uri $waf_block_sqli {
    default 0;
    "~*[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" 1;
    "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){8})" 1;
    "~*@streq %{TX.2}" 1;
    "~*!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" 1;
    "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){12})" 1;
    "~*^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" 1;
    "~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
    "~*(?:^s*[\"'`;]+|[\"'`]+s*$)" 1;
    "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){2})" 1;
    "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){6})" 1;
    "~*(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" 1;
    "~*(?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" 1;
    "~*(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" 1;
    "~*^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" 1;
    "~*(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" 1;
    "~*(?i)W+d*?s*?bhavingbs*?[^s-]" 1;
    "~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
    "~*(?i)union.*?select.*?from" 1;
    "~*!@streq %{TX.2}" 1;
    "~*(?i:^[Wd]+s*?(?:alter|union)b)" 1;
    "~*(?i:b0x[a-fd]{3,})" 1;
    "~*(?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" 1;
    "~*(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" 1;
    "~*@detectSQLi" 1;
    "~*(?i)1.e[(-),]" 1;
    "~*(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" 1;
    "~*^(?:and|or)$" 1;
    "~*(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" 1;
    "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){3})" 1;
    "~*(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" 1;
    "~*';" 1;
    "~*^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" 1;
    "~*(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" 1;
    "~*W{4}" 1;
    "~*(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" 1;
}

if ($waf_block_sqli) {
    return 403;
    # Log the blocked request (optional)
    # access_log /var/log/nginx/waf_blocked.log;
}