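# Nginx WAF rules for SQLI
#
# Read this before relying on this block:
#
#  - Only $request_uri is inspected: the raw, still percent-encoded path + query string.
#    Request bodies, headers and cookies are never looked at, and plain nginx cannot
#    URL-decode $request_uri, so a payload sent as %27%20OR%201%3D1 never matches a
#    pattern written for "' OR 1=1". Treat this as a coarse pre-filter, not a substitute
#    for a WAF engine (ModSecurity / Coraza) that decodes and normalises every input and
#    scores matches instead of hard-blocking.
#
#  - The patterns use ModSecurity / OWASP-CRS style syntax and were apparently lifted from
#    such a rule set. The lines that are ModSecurity *operators* rather than regexes
#    (@detectSQLi, @streq %{TX.2}, !@rx ...) cannot be expressed as an nginx "if" and are
#    commented out below instead of being left as literal-text patterns that never fire.
#    The two tautology rules that depended on a "@streq %{TX.2}" chain link are rewritten
#    with a PCRE backreference so they keep their intended meaning.
#
#  - In the previous revision every backslash inside the patterns had been lost
#    (\b -> b, [\s\v] -> [sv], \d -> d, \W{4} -> W{4}, \x5c -> x5c), so most rules matched
#    literal letters instead of word boundaries / whitespace, and several could never
#    match at all. The escapes are restored here. nginx keeps unknown backslash sequences
#    such as \b, \s and \$ intact inside double-quoted strings, so they reach PCRE as is.
#
#  - Every rule is a hard 403 on first match: there is no anomaly scoring, no paranoia
#    level and no per-argument scoping. Rules that count "special characters" are tuned
#    for single argument values; against a whole URI every "=" and "&" of the query string
#    (and every "-" and "%" in the path) counts, so the low-threshold ones would block
#    ordinary requests. Those are disabled and the remaining ones are flagged.
#
#  - "if" inside a location is only safe while the block contains nothing but set/return,
#    which is the case here. Do not add proxy_pass, try_files, etc. inside these ifs.
location / {
    set $attack_detected 0;

    # OR / XOR followed by a number or quoted literal and a comparison operator, or a quote
    # followed by "or"/"xor" and an operator within 20 characters (boolean-based injection).
    if ($request_uri ~* "(?i)\b(?:or\b(?:[\s\v]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\v]?[<->]+|[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|xor\b[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|'[\s\v]+x?or[\s\v]+.{1,20}[!+-<->]") {
        set $attack_detected 1;
    }

    # A "having" keyword preceded by non-word characters/digits (e.g. "1 having 1").
    # NOTE(review): a path segment such as "/having/" also matches; "/having-fun" does not.
    if ($request_uri ~* "(?i)\W+\d*?\s*?\bhaving\b\s*?[^\s-]") {
        set $attack_detected 1;
    }

    # DISABLED: "8 or more special characters anywhere in the URI". Five query parameters
    # ("?a=1&b=2&c=3&d=4&e=5") already reach 8 because "=" and "&" are in the class.
    # Re-enable only against a single argument value (e.g. via a map on $arg_<name>).
    # if ($request_uri ~* "((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>]*?){8})") {
    #     set $attack_detected 1;
    # }

    # DISABLED: this is a ModSecurity chain link, not a rule. The pattern describes a
    # JWT-shaped value (ey...ey...sig) and, negated with "!@rx", exempts such values from the
    # rule it is chained to. As an nginx regex it could only match the literal text
    # "!@rx ^ey..." and would never exclude anything.
    # if ($request_uri ~* "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$") {
    #     set $attack_detected 1;
    # }

    # Inequality tautology: "<word> != <other word>", "<word> <> <other>", "a is not b",
    # "a not like b", etc. The source rule compared the two captured operands with a
    # "!@streq %{TX.2}" chain link (fire only when they differ); that check is expressed
    # here with a negative lookahead on the backreference. Because of (?i) the comparison
    # is case-insensitive ("A != a" does not count as different).
    if ($request_uri ~* "(?i)[\s\v\"'-)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-)`]*?\b(?!\1\b)[0-9A-Z_a-z]+\b") {
        set $attack_detected 1;
    }

    # A quote immediately followed by an SQL operator keyword (is not, not like/glob/in/
    # between/null/regexp/match, mod, div, sounds like) or by an arithmetic/comparison symbol.
    if ($request_uri ~* "(?i)[\"'`][\s\v]*?(?:(?:is[\s\v]+not|not[\s\v]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\v]+like)\b|[%-&*-+-/<->^|])") {
        set $attack_detected 1;
    }

    # Equality tautology: "1=1", "a like a", "x <=> x". Without the "@streq %{TX.2}" chain
    # link of the source rule this pattern matches every ordinary "key=value" pair in a query
    # string, so the second operand is required to equal the first via a backreference.
    # Case-insensitive because of (?i); "?debug=debug" style parameters will still trip it.
    if ($request_uri ~* "(?i)[\s\v\"'-)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-)`]*?(?:=|<=>|(?:sounds[\s\v]+)?like|glob|r(?:like|egexp))[\s\v\"'-)`]*?\b\1\b") {
        set $attack_detected 1;
    }

    # DISABLED: "2 or more special characters anywhere in the URI". Any request with a query
    # string like "?q=a%20b" or "?a=1&b=2" would be rejected.
    # if ($request_uri ~* "((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>]*?){2})") {
    #     set $attack_detected 1;
    # }

    # DISABLED: "@detectSQLi" is ModSecurity's libinjection operator, not a regex. nginx has
    # no equivalent without a third-party module; as written it only matched the literal
    # text "@detectSQLi".
    # if ($request_uri ~* "@detectSQLi") {
    #     set $attack_detected 1;
    # }

    # Quote or semicolon at the very start, or a quote at the very end, of the URI.
    # NOTE(review): $request_uri always starts with "/", so only the trailing-quote half can
    # ever match here.
    if ($request_uri ~* "(?:^\s*[\"'`;]+|[\"'`]+\s*$)") {
        set $attack_detected 1;
    }

    # Time-based and destructive payloads: "select pg_sleep", "waitfor delay '0:0:5'",
    # "; shutdown" followed by a comment or statement terminator.
    if ($request_uri ~* "(?i)select[\s\v]*?pg_sleep|waitfor[\s\v]*?delay[\s\v]?[\"'`]+[\s\v]?[0-9]|;[\s\v]*?shutdown[\s\v]*?(?:[#;{]|/\*|--)") {
        set $attack_detected 1;
    }

    # Quote followed by a boolean operator and "x=y having", "like" comparisons against a
    # quoted literal or "%" wildcard, and "select <columns> from".
    if ($request_uri ~* "(?i)[\"'`][\s\v]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)[\s\v]+[\s\v0-9A-Z_a-z]+=[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?having[\s\v]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\s\v]+like[\s\v]+[\"'`]|like[\s\v]*?[\"'`]%|select[\s\v]+?[\s\v\"'-),-.0-9A-\[\]_-z]+from[\s\v]+") {
        set $attack_detected 1;
    }

    # "12 or more special characters anywhere in the URI". Kept because it is the highest
    # threshold of the set, but it still counts every "=", "&", "%" and "-" in the whole
    # URI: a hyphenated path plus a handful of query parameters reaches 12. Consider
    # matching $args only, or raising the threshold, before relying on it.
    if ($request_uri ~* "((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>]*?){12})") {
        set $attack_detected 1;
    }

    # An argument *name* that is exactly "and" or "or". NOTE(review): anchored to the whole
    # string, so it can never match $request_uri (which starts with "/"); it is kept only
    # for completeness and is effectively dead here.
    if ($request_uri ~* "^(?:and|or)$") {
        set $attack_detected 1;
    }

    # "1.e(" / "1.e-" / "1.e," scientific-notation obfuscation (the "." was unescaped in the
    # previous revision and matched any character).
    if ($request_uri ~* "(?i)1\.e[(-),]") {
        set $attack_detected 1;
    }

    # "create function ... returns" and stacked statements: ";" followed by a DDL/DML verb
    # and an identifier.
    if ($request_uri ~* "(?i)create[\s\v]+function[\s\v].+[\s\v]returns|;[\s\v]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\v]*?[([]?[0-9A-Z_a-z]{2,}") {
        set $attack_detected 1;
    }

    # An odd number of ' / " / ` quotes followed by a word (unbalanced quote then keyword).
    # NOTE(review): the captured word apparently fed a chained check in the source rule set
    # that is not reproduced here, so this fires on any unbalanced quote followed by a word,
    # e.g. a path like "/it's-here". Exclude such paths or drop the rule if that matters.
    if ($request_uri ~* "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\s\v]*([0-9A-Z_a-z]+)\b") {
        set $attack_detected 1;
    }

    # DISABLED: "!@streq %{TX.2}" is a ModSecurity chain link comparing two captures of the
    # preceding rule; nginx cannot evaluate it and the literal text never appears in a URI.
    # Its intent is now covered by the backreference in the inequality-tautology rule above.
    # if ($request_uri ~* "!@streq %{TX.2}") {
    #     set $attack_detected 1;
    # }

    # Hex literal of at least three digits ("0x414243").
    if ($request_uri ~* "(?i:\b0x[a-f\d]{3,})") {
        set $attack_detected 1;
    }

    # A single quote immediately followed by a statement terminator.
    if ($request_uri ~* "';") {
        set $attack_detected 1;
    }

    # Quote, optional digits/whitespace, a non-word character, a digit, then another quote
    # or digit later on (e.g. "' 1,2,3 '").
    if ($request_uri ~* "[\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]") {
        set $attack_detected 1;
    }

    # DISABLED: "6 or more special characters anywhere in the URI". Four query parameters
    # ("?a=1&b=2&c=3&d=4" contains 7 of "=" and "&") would be rejected.
    # if ($request_uri ~* "((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>]*?){6})") {
    #     set $attack_detected 1;
    # }

    # "and" followed by a number or quoted literal and a comparison operator ("and 1=1").
    if ($request_uri ~* "(?i)\band\b(?:[\s\v]+(?:[0-9]{1,10}[\s\v]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)") {
        set $attack_detected 1;
    }

    # Leading non-word characters/digits followed by "alter" or "union" (e.g. "/union select").
    if ($request_uri ~* "(?i:^[\W\d]+\s*?(?:alter|union)\b)") {
        set $attack_detected 1;
    }

    # A literal backslash before a quote, later followed by and/or (quote-escaping bypass).
    if ($request_uri ~* "^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b") {
        set $attack_detected 1;
    }

    # DISABLED: "3 or more special characters anywhere in the URI". Two query parameters
    # ("?a=1&b=2") would be rejected.
    # if ($request_uri ~* "((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´`<>]*?){3})") {
    #     set $attack_detected 1;
    # }

    # MySQL time-based probes: "sleep(5)" and "benchmark(x,y)" (parentheses are literal).
    if ($request_uri ~* "(?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?,.*?\))") {
        set $attack_detected 1;
    }

    # Integer / float overflow and denormal values used to probe numeric handling.
    # NOTE(review): anchored to the whole string, so it cannot match $request_uri (it was
    # written for a single argument value); kept for completeness, effectively dead here.
    if ($request_uri ~* "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$") {
        set $attack_detected 1;
    }

    # "alter <table> ... character set <x>", quote + "waitfor time/delay '...'", and
    # quote + "; ... : goto" (MSSQL).
    if ($request_uri ~* "(?i)alter[\s\v]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\s\v]+set[\s\v]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\s\v]*?waitfor[\s\v]+(?:time|delay)[\s\v]+[\"'`]|;.*?:[\s\v]*?goto)") {
        set $attack_detected 1;
    }

    # First quote of any kind followed by ";" (statement termination after a string).
    if ($request_uri ~* "^(?:[^']*'|[^\"]*\"|[^`]*`)[\s\v]*;") {
        set $attack_detected 1;
    }

    # Classic "union ... select ... from".
    if ($request_uri ~* "(?i)union.*?select.*?from") {
        set $attack_detected 1;
    }

    # Vendor-specific procedures, packages and types (Oracle utl_*/dbms_*, MSSQL xp_*/sp_*,
    # openrowset, information-gathering functions).
    if ($request_uri ~* "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)") {
        set $attack_detected 1;
    }

    # DISABLED: "@streq %{TX.2}" is a ModSecurity chain link (the two captures must be
    # equal); nginx cannot evaluate it. Its intent is now covered by the backreference in the
    # equality-tautology rule above.
    # if ($request_uri ~* "@streq %{TX.2}") {
    #     set $attack_detected 1;
    # }

    # Four consecutive non-word characters. NOTE(review): kept, but this is a noisy
    # meta-character heuristic; raw (unencoded) non-ASCII bytes in a path are also non-word
    # characters to PCRE unless it runs in UTF mode, so such paths may trip it.
    if ($request_uri ~* "\W{4}") {
        set $attack_detected 1;
    }

    # Quote + boolean/comparison keyword + number, encoded quote/equals after a backslash
    # ("\x27", "\x23", "\x3d"), quote/number followed by a boolean operator, "@var and ...",
    # and references to information_schema / table_name.
    if ($request_uri ~* "(?i)[\"'`][\s\v]*?\b(?:x?or|div|like|between|and)\b[\s\v]*?[\"'`]?[0-9]|\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\s\v]*?\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)\b[\s\v]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^\s\v0-9A-Z_a-z][0-9A-Z_a-z]+[\s\v]*?[-|][\s\v]*?[\"'`][\s\v]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\s\v]+(?:and|x?or|div|like|between)\b[\s\v]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[\s\v](?:and|x?or|div|like|between)\b[\s\v]*?[^\s\v0-9A-Z_a-z])|[^\s\v0-:A-Z_a-z][\s\v]*?[0-9][^0-9A-Z_a-z]+[^\s\v0-9A-Z_a-z][\s\v]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]") {
        set $attack_detected 1;
    }

    # Any rule above flips the flag; reject with a plain 403. Consider logging
    # $attack_detected (or per-rule markers) in the access log before enforcing on
    # production traffic, so false positives can be tuned.
    if ($attack_detected = 1) {
        return 403;
    }
}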