External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Mon Jan 13 00:29:11 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot]
2025-01-13 00:29:11 +00:00
parent c59456bd3e
commit 505af665ab
39 changed files with 3241 additions and 3241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
waf_patterns/nginx/rce.conf
View File

@@ -2,11 +2,11 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "s") {
if ($request_uri ~* ";[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)") {
set $attack_detected 1;
}
if ($request_uri ~* ";[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)") {
if ($request_uri ~* "!-d") {
set $attack_detected 1;
}
@@ -14,11 +14,19 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx [0-9]s*'s*[0-9]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))") {
if ($request_uri ~* "$(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]") {
set $attack_detected 1;
}
if ($request_uri ~* "^(s*)s+{") {
set $attack_detected 1;
}
@@ -30,11 +38,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "$(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]") {
set $attack_detected 1;
}
if ($request_uri ~* "['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]") {
if ($request_uri ~* "rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)") {
set $attack_detected 1;
}
@@ -42,43 +46,39 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))") {
set $attack_detected 1;
}
if ($request_uri ~* "!-d") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)") {
set $attack_detected 1;
}
if ($request_uri ~* "!(?:d|!)") {
set $attack_detected 1;
}
if ($request_uri ~* "/") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)") {
set $attack_detected 1;
}
if ($request_uri ~* "^(s*)s+{") {
if ($request_uri ~* "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)") {
if ($request_uri ~* "/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]") {
set $attack_detected 1;
}
if ($request_uri ~* "/") {
set $attack_detected 1;
}
if ($request_uri ~* "s") {
set $attack_detected 1;
}
if ($request_uri ~* "!(?:d|!)") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)") {
set $attack_detected 1;
}