External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

nginx generation improved

Browse Source
This commit is contained in:
fabriziosalmi
2025-01-16 13:49:54 +01:00
parent de35fec973
commit 1da19ed802
22 changed files with 515 additions and 1105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
waf_patterns/nginx/shells.conf
View File

@@ -1,108 +1,39 @@
# Nginx WAF rules for SHELLS
location / {
set $attack_detected 0;
# Automatically generated from OWASP rules.
# Include this file in your server or location block.
if ($request_uri ~* "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") {
set $attack_detected 1;
}
if ($request_uri ~* "B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <title>punkholicshell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Mini Shell</title>.*Developed By LameHacker") {
set $attack_detected 1;
}
if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Symlink_Sa [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
map $request_uri $waf_block_shells {
default 0;
"~*^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>" 1;
"~*(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" 1;
"~*^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" 1;
"~*@contains <title>punkholicshell</title>" 1;
"~*^<html>n<title>.*? ~ Shell I</title>n<head>n<style>" 1;
"~*<title>Mini Shell</title>.*Developed By LameHacker" 1;
"~*<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" 1;
"~*^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->" 1;
"~*^<html>rn<head>rn<title>GRP WebShell [0-9.]+" 1;
"~*<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" 1;
"~*^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" 1;
"~*<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" 1;
"~*>SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" 1;
"~*B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" 1;
"~*^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>" 1;
"~*<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>" 1;
"~*^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>" 1;
"~*^<html>n<head>n<title>Ru24PostWebShell -" 1;
"~*<title>CasuS [0-9.]+ by MafiABoY</title>" 1;
"~*@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>" 1;
"~*^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" 1;
"~*^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" 1;
"~*<title>Symlink_Sa [0-9.]+</title>" 1;
"~*<title>lama's'hell v. [0-9.]+</title>" 1;
"~*^ <html>nn<head>nn<title>g00nshell v[0-9.]+" 1;
}
if ($waf_block_shells) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}