diff --git a/owasp_rules.json b/owasp_rules.json
index ff7bac4..3249960 100644
--- a/owasp_rules.json
+++ b/owasp_rules.json
@@ -1,56 +1,4 @@
 [
- {
- "category": "LFI",
- "pattern": "@lt 1"
- },
- {
- "category": "LFI",
- "pattern": "@lt 1"
- },
- {
- "category": "LFI",
- "pattern": "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))"
- },
- {
- "category": "LFI",
- "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))"
- },
- {
- "category": "LFI",
- "pattern": "@pmFromFile lfi-os-files.data"
- },
- {
- "category": "LFI",
- "pattern": "@pmFromFile restricted-files.data"
- },
- {
- "category": "LFI",
- "pattern": "@lt 2"
- },
- {
- "category": "LFI",
- "pattern": "@lt 2"
- },
- {
- "category": "LFI",
- "pattern": "@pmFromFile lfi-os-files.data"
- },
- {
- "category": "LFI",
- "pattern": "@lt 3"
- },
- {
- "category": "LFI",
- "pattern": "@lt 3"
- },
- {
- "category": "LFI",
- "pattern": "@lt 4"
- },
- {
- "category": "LFI",
- "pattern": "@lt 4"
- },
 {
 "category": "INITIALIZATION",
 "pattern": "@eq 0"
@@ -207,6 +155,230 @@
 "category": "DETECTION",
 "pattern": "@lt 4"
 },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "!@within %{tx.allowed_methods}"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "ENFORCEMENT",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "!@eq 0"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "!@within |%{tx.allowed_request_content_type_charset}|"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx ^content-types*:s*(.*)$"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx content-transfer-encoding:(.*)"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx ^(?:ht|f)tps?://(.*?)/"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "!@endsWith %{request_headers.host}"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@eq 0"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx ^(?i:file|ftps?|https?).*??+$"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)"
+ },
+ {
+ "category": "RFI",
+ "pattern": "!@endsWith .%{request_headers.host}"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)"
+ },
+ {
+ "category": "RFI",
+ "pattern": "!@endsWith .%{request_headers.host}"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@rx 
(?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@pmFromFile lfi-os-files.data"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@pmFromFile restricted-files.data"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@pmFromFile lfi-os-files.data"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 4"
+ },
 {
 "category": "GENERIC",
 "pattern": "@lt 1"
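Review bot: The patterns added in this hunk appear to have lost their regex backslashes, so several no longer match what they are meant to: in the RFI entry `@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})` the `d{1,3}` matches literal `d` characters rather than digits, and the ATTACK entry `^content-types*:s*(.*)$` has the same problem with `s*`. That these were `\d` and `\s` is inferred from the shape of the expressions; if so, the step that produces this file should keep the backslash and let the JSON serializer double it, e.g. `"pattern": "@rx ^(?i:file|ftps?|https?)://(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})"`. A consumer that compiles these strings as they stand may reject some outright (the content-type pattern begins `^(?:(?:*|`) and will silently under-match others, which for a detection rule set means missed requests rather than a visible error. Compiling every `@rx` pattern as a check after the file is written would catch this before it ships.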
@@ -279,826 +451,6 @@ "category": "GENERIC", "pattern": "@lt 4" }, - { - "category": "EXCEPTIONS", - "pattern": "@streq GET /" - }, - { - "category": "EXCEPTIONS", - "pattern": "@ipMatch 127.0.0.1,::1" - }, - { - "category": "EXCEPTIONS", - "pattern": "@ipMatch 127.0.0.1,::1" - }, - { - "category": "EXCEPTIONS", - "pattern": "@endsWith (internal dummy connection)" - }, - { - "category": "EXCEPTIONS", - "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$" - }, - { - "category": "RFI", - "pattern": "@lt 1" - }, - { - "category": "RFI", - "pattern": "@lt 1" - }, - { - "category": "RFI", - "pattern": "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" - }, - { - "category": "RFI", - "pattern": "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" - }, - { - "category": "RFI", - "pattern": "@rx ^(?i:file|ftps?|https?).*??+$" - }, - { - "category": "RFI", - "pattern": "@lt 2" - }, - { - "category": "RFI", - "pattern": "@lt 2" - }, - { - "category": "RFI", - "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" - }, - { - "category": "RFI", - "pattern": "!@endsWith .%{request_headers.host}" - }, - { - "category": "RFI", - "pattern": "@rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" - }, - { - "category": "RFI", - "pattern": "!@endsWith .%{request_headers.host}" - }, - { - "category": "RFI", - "pattern": "@lt 3" - }, - { - "category": "RFI", - "pattern": "@lt 3" - }, - { - "category": "RFI", - "pattern": "@lt 4" - }, - { - "category": "RFI", - "pattern": "@lt 4" - }, - { - "category": "ATTACK", - "pattern": "@lt 1" - }, - { - "category": "ATTACK", - "pattern": "@lt 1" - }, - { - "category": "ATTACK", - "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" - }, - { - "category": "ATTACK", - "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" - }, - { - "category": "ATTACK", - "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" - }, - { - "category": "ATTACK", - "pattern": "@rx [nr]" - }, - { - "category": "ATTACK", - "pattern": "@rx [nr]" - }, - { - "category": "ATTACK", - "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" - }, - { - "category": "ATTACK", - "pattern": "@rx [nr]" - }, - { - "category": "ATTACK", - "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" - }, - { - "category": 
"ATTACK", - "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" - }, - { - "category": "ATTACK", - "pattern": "@rx unix:[^|]*|" - }, - { - "category": "ATTACK", - "pattern": "@lt 2" - }, - { - "category": "ATTACK", - "pattern": "@lt 2" - }, - { - "category": "ATTACK", - "pattern": "@rx [nr]" - }, - { - "category": "ATTACK", - "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" - }, - { - "category": "ATTACK", - "pattern": "@lt 3" - }, - { - "category": "ATTACK", - "pattern": "@lt 3" - }, - { - "category": "ATTACK", - "pattern": "@gt 0" - }, - { - "category": "ATTACK", - "pattern": "@rx ." - }, - { - "category": "ATTACK", - "pattern": "@gt 1" - }, - { - "category": "ATTACK", - "pattern": "@rx TX:paramcounter_(.*)" - }, - { - "category": "ATTACK", - "pattern": "@rx (][^]]+$|][^]]+[)" - }, - { - "category": "ATTACK", - "pattern": "@lt 4" - }, - { - "category": "ATTACK", - "pattern": "@lt 4" - }, - { - "category": "ATTACK", - "pattern": "@rx [" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@rx (?:" - }, - { - "category": "PHP", - "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?" 
- }, - { - "category": "PHP", - "pattern": "@lt 4" - }, - { - "category": "PHP", - "pattern": "@lt 4" - }, - { - "category": "FIXATION", - "pattern": "@lt 1" - }, - { - "category": "FIXATION", - "pattern": "@lt 1" - }, - { - "category": "FIXATION", - "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" - }, - { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" - }, - { - "category": "FIXATION", - "pattern": "@rx ^(?:ht|f)tps?://(.*?)/" - }, - { - "category": "FIXATION", - "pattern": "!@endsWith %{request_headers.host}" - }, - { - "category": "FIXATION", - "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" - }, - { - "category": "FIXATION", - "pattern": "@eq 0" - }, - { - "category": "FIXATION", - "pattern": "@lt 2" - }, - { - "category": "FIXATION", - "pattern": "@lt 2" - }, - { - "category": "FIXATION", - "pattern": "@lt 3" - }, - { - "category": "FIXATION", - "pattern": "@lt 3" - }, - { - "category": "FIXATION", - "pattern": "@lt 4" - }, - { - "category": "FIXATION", - "pattern": "@lt 4" - }, - { - "category": "RCE", - "pattern": "@lt 1" - }, - { - "category": "RCE", - "pattern": "@lt 1" - }, - { - "category": "RCE", - "pattern": "@rx 
(?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z][\"'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)
?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b" - }, - { - "category": "RCE", - "pattern": "@rx 
(?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[sv&)<>|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[sv&)<>|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[sv&)<>|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[sv&)<>|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r)))|f(?:acter|(?:etch|lock|unction)[sv&)<>|]|grep|i(?:le(?:[sv&)<>|]|test)|(?:n(?:d|ger)|sh)[sv&)<>|])|o(?:ld[sv&)<>|]|reach)|ping|tp(?:stats|who))|g(?:awk[sv&)<>|]|core|e(?:ni(?:e[sv&)<>|]|soimage)|tfacl[sv&)<>|])|hci|i(?:mp[sv&)<>|]|nsh)|r(?:ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[sv&)<>|]|onice|p(?:6?tables|config)|spell)|j(?:ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)
|k(?:ill(?:[sv&)<>|]|all)|nife[sv&)<>|]|sshell)|l(?:a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|dconfig|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[sv&)<>|]|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[sv&)<>q|]|x[sv&)<>|])|ke[sv&)<>|]|ster.passwd|wk)|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[sv&)<>|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[sv&)<>|]|sm|wk)|c(?:.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[sv&)<>|]|map|o(?:de[sv&)<>|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[sv&)<>|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[sv&)<>|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[sv&)<>|]|shd)|wd.db|ython[^sv])|r(?:ak(?:e[sv&)<>|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[sv&)<>|]|stic)|l(?:ogin|wrap)|m(?:dir[sv&)<>|]|user)|nano|oute[sv&)<>|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[sv&)<>|]|c(?:hed|r(?:een|ipt)[sv&)<>|])|diff|e(?:(?:lf|rvice)[sv&)<>|]|ndmail|t(?:arch|env|facl[sv&)<>|]|sid))|ftp|h(?:.distrib|(?:adow|ells)[sv&)<>|]|u(?:f|tdown[sv&)<>|]))|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[sv&)<>|]|datectl)|mux|ouch[sv&)<>|]|r(?:aceroute6?|off)|shark)|u(?:limit[sv&)<>|]|n(?:
ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[sv&)<>|]|gr|mdiff|pw|rsh)|olatility[sv&)<>|])|w(?:a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" - }, - { - "category": "RCE", - "pattern": "@pmFromFile windows-powershell-commands.data" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:(?:a[\"^]*(?:c|s[\"^]*n[\"^]*p)|e[\"^]*(?:b[\"^]*p|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|s[\"^]*n)|[tx][\"^]*s[\"^]*n)|f[\"^]*(?:[cltw]|o[\"^]*r[\"^]*e[\"^]*a[\"^]*c[\"^]*h)|i[\"^]*(?:[cr][\"^]*m|e[\"^]*x|h[\"^]*y|i|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|m[\"^]*o|s[\"^]*n)|s[\"^]*e|w[\"^]*(?:m[\"^]*i|r))|m[\"^]*(?:a[\"^]*n|[dipv]|o[\"^]*u[\"^]*n[\"^]*t)|o[\"^]*g[\"^]*v|p[\"^]*(?:o[\"^]*p|u[\"^]*s[\"^]*h)[\"^]*d|t[\"^]*r[\"^]*c[\"^]*m|w[\"^]*j[\"^]*b)[\"^]*[sv,.-/;-<>].*|c[\"^]*(?:(?:(?:d|h[\"^]*d[\"^]*i[\"^]*r|v[\"^]*p[\"^]*a)[\"^]*|p[\"^]*(?:[ip][\"^]*)?)[sv,.-/;-<>].*|l[\"^]*(?:(?:[cipv]|h[\"^]*y)[\"^]*[sv,.-/;-<>].*|s)|n[\"^]*s[\"^]*n)|d[\"^]*(?:(?:b[\"^]*p|e[\"^]*l|i[\"^]*(?:f[\"^]*f|r))[\"^]*[sv,.-/;-<>].*|n[\"^]*s[\"^]*n)|g[\"^]*(?:(?:(?:(?:a[\"^]*)?l|b[\"^]*p|d[\"^]*r|h[\"^]*y|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|[u-v])[\"^]*|c[\"^]*(?:[ims][\"^]*)?|m[\"^]*(?:o[\"^]*)?|s[\"^]*(?:n[\"^]*(?:p[\"^]*)?|v[\"^]*))[sv,.-/;-<>].*|e[\"^]*r[\"^]*r|p[\"^]*(?:(?:s[\"^]*)?[sv,.-/;-<>].*|v))|l[\"^]*s|n[\"^]*(?:(?:a[\"^]*l|d[\"^]*r|[iv]|m[\"^]*o|s[\"^]*n)[\"^]*[sv,.-/;-<>].*|p[\"^]*s[\"^]*s[\"^]*c)|r[\"^]*(?:(?:(?
:(?:b[\"^]*)?p|e[\"^]*n|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|n[\"^]*[ip])[\"^]*|d[\"^]*(?:r[\"^]*)?|m[\"^]*(?:(?:d[\"^]*i[\"^]*r|o)[\"^]*)?|s[\"^]*n[\"^]*(?:p[\"^]*)?|v[\"^]*(?:p[\"^]*a[\"^]*)?)[sv,.-/;-<>].*|c[\"^]*(?:j[\"^]*b[\"^]*[sv,.-/;-<>].*|s[\"^]*n)|u[\"^]*j[\"^]*b)|s[\"^]*(?:(?:(?:a[\"^]*(?:j[\"^]*b|l|p[\"^]*s|s[\"^]*v)|b[\"^]*p|[civ]|w[\"^]*m[\"^]*i)[\"^]*|l[\"^]*(?:s[\"^]*)?|p[\"^]*(?:(?:j[\"^]*b|p[\"^]*s|s[\"^]*v)[\"^]*)?)[sv,.-/;-<>].*|h[\"^]*c[\"^]*m|u[\"^]*j[\"^]*b))(?:.[\"^]*[0-9A-Z_a-z]+)?b" - }, - { - "category": "RCE", - "pattern": "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" - }, - { - "category": "RCE", - "pattern": "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]
*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]" - }, - { - "category": "RCE", - "pattern": "@rx 
(?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" - }, - { - "category": "RCE", - "pattern": "!@rx [0-9]s*'s*[0-9]" - }, - { - "category": "RCE", - "pattern": "@rx !-d" - }, - { - "category": "RCE", - "pattern": "@pmFromFile unix-shell.data" - }, - { - "category": "RCE", - "pattern": "@rx ^(s*)s+{" - }, - { - "category": "RCE", - "pattern": "@rx ^(s*)s+{" - }, 
- { - "category": "RCE", - "pattern": "@rx ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]" - }, - { - "category": "RCE", - "pattern": "@pmFromFile restricted-upload.data" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:c[\"^]*c[\"^]*c[\"^]*h[\"^]*e[\"^]*c[\"^]*k[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e|d[\"^]*(?:p[\"^]*l[\"^]*u[\"^]*s|v[\"^]*p[\"^]*a[\"^]*c[\"^]*k)|(?:g[\"^]*e[\"^]*n[\"^]*t[\"^]*e[\"^]*x[\"^]*e[\"^]*c[\"^]*u[\"^]*t[\"^]*o|s[\"^]*p[\"^]*n[\"^]*e[\"^]*t[\"^]*_[\"^]*c[\"^]*o[\"^]*m[\"^]*p[\"^]*i[\"^]*l[\"^]*e)[\"^]*r|p[\"^]*p[\"^]*(?:i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*e[\"^]*r|v[\"^]*l[\"^]*p)|t[\"^]*(?:[sv,.-/;-<>].*|b[\"^]*r[\"^]*o[\"^]*k[\"^]*e[\"^]*r))|b[\"^]*(?:a[\"^]*s[\"^]*h|g[\"^]*i[\"^]*n[\"^]*f[\"^]*o|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:d[\"^]*b|e[\"^]*r[\"^]*t[\"^]*(?:o[\"^]*c|r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|l[\"^]*_[\"^]*(?:i[\"^]*n[\"^]*v[\"^]*o[\"^]*c[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n|l[\"^]*o[\"^]*a[\"^]*d[\"^]*a[\"^]*s[\"^]*s[\"^]*e[\"^]*m[\"^]*b[\"^]*l[\"^]*y|m[\"^]*u[\"^]*t[\"^]*e[\"^]*x[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*i[\"^]*e[\"^]*r[\"^]*s)|m[\"^]*(?:d(?:[\"^]*(?:k[\"^]*e[\"^]*y|l[\"^]*3[\"^]*2))?|s[\"^]*t[\"^]*p)|o[\"^]*(?:m[\"^]*s[\"^]*v[\"^]*c[\"^]*s|n[\"^]*(?:f[\"^]*i[\"^]*g[\"^]*s[\"^]*e[\"^]*c[\"^]*u[\"^]*r[\"^]*i[\"^]*t[\"^]*y[\"^]*p[\"^]*o[\"^]*l[\"^]*i[\"^]*c[\"^]*y|h[\"^]*o[\"^]*s[\"^]*t|t[\"^]*r[\"^]*o[\"^]*l)|r[\"^]*e[\"^]*g[\"^]*e[\"^]*n)|r[\"^]*e[\"^]*a[\"^]*t[\"^]*e[\"^]*d[\"^]*u[\"^]*m[\"^]*p|s[\"^]*(?:c(?:[\"^]*r[\"^]*i[\"^]*p[\"^]*t)?|i)|u[\"^]*s[\"^]*t[\"^]*o[
\"^]*m[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l[\"^]*h[\"^]*o[\"^]*s[\"^]*t)|d[\"^]*(?:a[\"^]*t[\"^]*a[\"^]*s[\"^]*v[\"^]*c[\"^]*u[\"^]*t[\"^]*i[\"^]*l|e[\"^]*(?:f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|s[\"^]*k(?:[\"^]*t[\"^]*o[\"^]*p[\"^]*i[\"^]*m[\"^]*g[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*d[\"^]*r)?|v[\"^]*(?:i[\"^]*c[\"^]*e[\"^]*c[\"^]*r[\"^]*e[\"^]*d[\"^]*e[\"^]*n[\"^]*t[\"^]*i[\"^]*a[\"^]*l[\"^]*d[\"^]*e[\"^]*p[\"^]*l[\"^]*o[\"^]*y[\"^]*m[\"^]*e[\"^]*n[\"^]*t|t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r))|f[\"^]*s[\"^]*(?:h[\"^]*i[\"^]*m|v[\"^]*c)|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|s[\"^]*k[\"^]*s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|n[\"^]*(?:s[\"^]*c[\"^]*m[\"^]*d|x)|o[\"^]*t[\"^]*n[\"^]*e[\"^]*t|u[\"^]*m[\"^]*p[\"^]*6[\"^]*4|x[\"^]*c[\"^]*a[\"^]*p)|e[\"^]*(?:s[\"^]*e[\"^]*n[\"^]*t[\"^]*u[\"^]*t[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*v[\"^]*w[\"^]*r|x[\"^]*(?:c[\"^]*e[\"^]*l|p[\"^]*(?:a[\"^]*n[\"^]*d|l[\"^]*o[\"^]*r[\"^]*e[\"^]*r)|t[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*r[\"^]*t|r[\"^]*a[\"^]*c[\"^]*3[\"^]*2)))|f[\"^]*(?:i[\"^]*n[\"^]*(?:d[\"^]*s[\"^]*t|g[\"^]*e)[\"^]*r|l[\"^]*t[\"^]*m[\"^]*c|o[\"^]*r[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s|s[\"^]*(?:i(?:[\"^]*a[\"^]*n[\"^]*y[\"^]*c[\"^]*p[\"^]*u)?|u[\"^]*t[\"^]*i[\"^]*l)|t[\"^]*p)|g[\"^]*(?:f[\"^]*x[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*o[\"^]*a[\"^]*d[\"^]*w[\"^]*r[\"^]*a[\"^]*p[\"^]*p[\"^]*e[\"^]*r|p[\"^]*s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|h[\"^]*h|i[\"^]*(?:e[\"^]*(?:4[\"^]*u[\"^]*i[\"^]*n[\"^]*i[\"^]*t|a[\"^]*d[\"^]*v[\"^]*p[\"^]*a[\"^]*c[\"^]*k|e[\"^]*x[\"^]*e[\"^]*c|f[\"^]*r[\"^]*a[\"^]*m[\"^]*e)|l[\"^]*a[\"^]*s[\"^]*m|m[\"^]*e[\"^]*w[\"^]*d[\"^]*b[\"^]*l[\"^]*d|n[\"^]*(?:f[\"^]*d[\"^]*e[\"^]*f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l|s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*u[\"^]*t[\"^]*i)[\"^]*l)|j[\"^]*s[\"^]*c|l[\"^]*(?:a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*-[\"^]*v[\"^]*s[\"^]*d[\"^]*e[\"^]*v[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|d[
\"^]*i[\"^]*f[\"^]*d[\"^]*e)|m[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|n[\"^]*a[\"^]*g[\"^]*e[\"^]*-[\"^]*b[\"^]*d[\"^]*e|v[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t)|f[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|i[\"^]*c[\"^]*r[\"^]*o[\"^]*s[\"^]*o[\"^]*f[\"^]*t|m[\"^]*c|p[\"^]*c[\"^]*m[\"^]*d[\"^]*r[\"^]*u[\"^]*n|s[\"^]*(?:(?:b[\"^]*u[\"^]*i[\"^]*l|o[\"^]*h[\"^]*t[\"^]*m[\"^]*e)[\"^]*d|c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|d[\"^]*(?:e[\"^]*p[\"^]*l[\"^]*o[\"^]*y|t)|h[\"^]*t[\"^]*(?:a|m[\"^]*l)|i[\"^]*e[\"^]*x[\"^]*e[\"^]*c|p[\"^]*u[\"^]*b|x[\"^]*s[\"^]*l))|n[\"^]*(?:e[\"^]*t[\"^]*s[\"^]*h|t[\"^]*d[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|o[\"^]*(?:d[\"^]*b[\"^]*c[\"^]*c[\"^]*o[\"^]*n[\"^]*f|f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e[\"^]*s[\"^]*c[\"^]*a[\"^]*n[\"^]*n[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|n[\"^]*e[\"^]*d[\"^]*r[\"^]*i[\"^]*v[\"^]*e[\"^]*s[\"^]*t[\"^]*a[\"^]*n[\"^]*d[\"^]*a[\"^]*l[\"^]*o[\"^]*n[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e[\"^]*r|p[\"^]*e[\"^]*n[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e)|p[\"^]*(?:c[\"^]*(?:a[\"^]*l[\"^]*u[\"^]*a|w[\"^]*(?:r[\"^]*u[\"^]*n|u[\"^]*t[\"^]*l))|(?:e[\"^]*s[\"^]*t[\"^]*e|s)[\"^]*r|(?:k[\"^]*t[\"^]*m[\"^]*o|u[\"^]*b[\"^]*p[\"^]*r)[\"^]*n|n[\"^]*p[\"^]*u[\"^]*t[\"^]*i[\"^]*l|o[\"^]*w[\"^]*e[\"^]*r[\"^]*p[\"^]*n[\"^]*t|r[\"^]*(?:e[\"^]*s[\"^]*e[\"^]*n[\"^]*t[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*h[\"^]*o[\"^]*s[\"^]*t|i[\"^]*n[\"^]*t(?:[\"^]*b[\"^]*r[\"^]*m)?|o[\"^]*(?:c[\"^]*d[\"^]*u[\"^]*m[\"^]*p|t[\"^]*o[\"^]*c[\"^]*o[\"^]*l[\"^]*h[\"^]*a[\"^]*n[\"^]*d[\"^]*l[\"^]*e[\"^]*r)))|r[\"^]*(?:a[\"^]*s[\"^]*a[\"^]*u[\"^]*t[\"^]*o[\"^]*u|c[\"^]*s[\"^]*i|(?:d[\"^]*r[\"^]*l[\"^]*e[\"^]*a[\"^]*k[\"^]*d[\"^]*i[\"^]*a|p[\"^]*c[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|e[\"^]*(?:g(?:[\"^]*(?:a[\"^]*s[\"^]*m|e[\"^]*d[\"^]*i[\"^]*t|i[\"^]*(?:n[\"^]*i|s[\"^]*t[\"^]*e[\"^]*r[\"^]*-[\"^]*c[\"^]*i[\"^]*m[\"^]*p[\"^]*r[\"^]*o[\"^]*v[\"^]*i[\"^]*d[\"^]*e[\"^]*r)|s[\"^]*v[\"^]*(?:c[\"^]*s|r[\"^]*3[\"^]*2)))?|(?:m[\"^]*o[\"^]*t|p[\"
^]*l[\"^]*a[\"^]*c)[\"^]*e)|u[\"^]*n[\"^]*(?:d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|(?:e[\"^]*x[\"^]*e|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)[\"^]*h[\"^]*e[\"^]*l[\"^]*p[\"^]*e[\"^]*r|o[\"^]*n[\"^]*c[\"^]*e))|s[\"^]*(?:c[\"^]*(?:[sv,.-/;-<>].*|h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|r[\"^]*i[\"^]*p[\"^]*t[\"^]*r[\"^]*u[\"^]*n[\"^]*n[\"^]*e[\"^]*r)|e[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*s|t[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*y[\"^]*n[\"^]*c[\"^]*h[\"^]*o[\"^]*s[\"^]*t|u[\"^]*p[\"^]*a[\"^]*p[\"^]*i)|h[\"^]*(?:d[\"^]*o[\"^]*c[\"^]*v[\"^]*w|e[\"^]*l[\"^]*l[\"^]*3[\"^]*2)|q[\"^]*(?:l[\"^]*(?:d[\"^]*u[\"^]*m[\"^]*p[\"^]*e[\"^]*r|(?:t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*)?p[\"^]*s)|u[\"^]*i[\"^]*r[\"^]*r[\"^]*e[\"^]*l)|s[\"^]*h|t[\"^]*o[\"^]*r[\"^]*d[\"^]*i[\"^]*a[\"^]*g|y[\"^]*(?:n[\"^]*c[\"^]*a[\"^]*p[\"^]*p[\"^]*v[\"^]*p[\"^]*u[\"^]*b[\"^]*l[\"^]*i[\"^]*s[\"^]*h[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*e[\"^]*r[\"^]*v[\"^]*e[\"^]*r|s[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p))|t[\"^]*(?:e[\"^]*[sv,.-/;-<>].*|r[\"^]*a[\"^]*c[\"^]*k[\"^]*e[\"^]*r|t[\"^]*(?:d[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t|t[\"^]*r[\"^]*a[\"^]*c[\"^]*e[\"^]*r))|u[\"^]*(?:n[\"^]*r[\"^]*e[\"^]*g[\"^]*m[\"^]*p[\"^]*2|p[\"^]*d[\"^]*a[\"^]*t[\"^]*e|r[\"^]*l|t[\"^]*i[\"^]*l[\"^]*i[\"^]*t[\"^]*y[\"^]*f[\"^]*u[\"^]*n[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s)|v[\"^]*(?:b[\"^]*c|e[\"^]*r[\"^]*c[\"^]*l[\"^]*s[\"^]*i[\"^]*d|i[\"^]*s[\"^]*u[\"^]*a[\"^]*l[\"^]*u[\"^]*i[\"^]*a[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*y[\"^]*n[\"^]*a[\"^]*t[\"^]*i[\"^]*v[\"^]*e|s[\"^]*(?:i[\"^]*i[\"^]*s[\"^]*e[\"^]*x[\"^]*e[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h|j[\"^]*i[\"^]*t[\"^]*d[\"^]*e[\"^]*b[\"^]*u[\"^]*g[\"^]*g)[\"^]*e[\"^]*r)|w[\"^]*(?:a[\"^]*b|(?:f|m[\"^]*i)[\"^]*c|i[\"^]*n[\"^]*(?:g[\"^]*e[\"^]*t|r[\"^]*m|w[\"^]*o[\"^]*r[\"^]*d)|l[\"^]*r[\"^]*m[\"^]*d[\"^]*r|o[\"^]*r[\"^]*k[\"^]*f[\"^]*o[\"^]*l[\"^]*d[\"^]*e[\"^]*r[\"^]*s|s[\"^]*(?:(?:c[\"^]*r[\"^]*i[\"^]*p|r[\"^]*e[\"^]*s[\"^]*e)[\"^]*t|l)|t[\"^]*[sv,.-/;-<>].*|u[\"^]*a[\"^]*u[\"^]*c[\"^]*l[\"^]*t)|x[\"
^]*w[\"^]*i[\"^]*z[\"^]*a[\"^]*r[\"^]*d|z[\"^]*i[\"^]*p[\"^]*f[\"^]*l[\"^]*d[\"^]*r)(?:.[\"^]*[0-9A-Z_a-z]+)?b" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:s[\"^]*s[\"^]*o[\"^]*c|t[\"^]*(?:m[\"^]*a[\"^]*d[\"^]*m|t[\"^]*r[\"^]*i[\"^]*b)|u[\"^]*(?:d[\"^]*i[\"^]*t[\"^]*p[\"^]*o[\"^]*l|t[\"^]*o[\"^]*(?:c[\"^]*(?:h[\"^]*k|o[\"^]*n[\"^]*v)|(?:f[\"^]*m|m[\"^]*o[\"^]*u[\"^]*n)[\"^]*t)))|b[\"^]*(?:c[\"^]*d[\"^]*(?:b[\"^]*o[\"^]*o|e[\"^]*d[\"^]*i)[\"^]*t|(?:d[\"^]*e[\"^]*h[\"^]*d|o[\"^]*o[\"^]*t)[\"^]*c[\"^]*f[\"^]*g|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:a[\"^]*c[\"^]*l[\"^]*s|e[\"^]*r[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|h[\"^]*(?:c[\"^]*p|d[\"^]*i[\"^]*r|g[\"^]*(?:l[\"^]*o[\"^]*g[\"^]*o[\"^]*n|p[\"^]*o[\"^]*r[\"^]*t|u[\"^]*s[\"^]*r)|k[\"^]*(?:d[\"^]*s[\"^]*k|n[\"^]*t[\"^]*f[\"^]*s))|l[\"^]*e[\"^]*a[\"^]*n[\"^]*m[\"^]*g[\"^]*r|m[\"^]*(?:d(?:[\"^]*k[\"^]*e[\"^]*y)?|s[\"^]*t[\"^]*p)|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|d[\"^]*(?:c[\"^]*(?:d[\"^]*i[\"^]*a[\"^]*g|g[\"^]*p[\"^]*o[\"^]*f[\"^]*i[\"^]*x)|e[\"^]*(?:f[\"^]*r[\"^]*a[\"^]*g|l)|f[\"^]*s[\"^]*(?:d[\"^]*i[\"^]*a|r[\"^]*m[\"^]*i)[\"^]*g|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|r|s[\"^]*(?:k[\"^]*(?:c[\"^]*o[\"^]*(?:m[\"^]*p|p[\"^]*y)|p[\"^]*(?:a[\"^]*r[\"^]*t|e[\"^]*r[\"^]*f)|r[\"^]*a[\"^]*i[\"^]*d|s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|p[\"^]*d[\"^]*i[\"^]*a[\"^]*g))|n[\"^]*s[\"^]*c[\"^]*m[\"^]*d|(?:o[\"^]*s[\"^]*k[\"^]*e|r[\"^]*i[\"^]*v[\"^]*e[\"^]*r[\"^]*q[\"^]*u[\"^]*e[\"^]*r)[\"^]*y)|e[\"^]*(?:n[\"^]*d[\"^]*l[\"^]*o[\"^]*c[\"^]*a[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*c[\"^]*r[\"^]*e[\"^]*a[\"^]*t[\"^]*e)|E[\"^]*v[\"^]*n[\"^]*t[\"^]*c[\"^]*m[\"^]*d|f[\"^]*(?:c|i[\"^]*(?:l[\"^]*e[\"^]*s[\"^]*y[\"^]*s[\"^]*t[\"^]*e[\"^]*m[\"^]*s|n[\"^]*d[\"^]*s[\"^]*t[\"^]*r)|l[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*m[\"^]*p|o[\"^]*r(?:[\"^]*f
[\"^]*i[\"^]*l[\"^]*e[\"^]*s)?|r[\"^]*e[\"^]*e[\"^]*d[\"^]*i[\"^]*s[\"^]*k|s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|(?:t[\"^]*y[\"^]*p|v[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t)[\"^]*e)|g[\"^]*(?:e[\"^]*t[\"^]*(?:m[\"^]*a[\"^]*c|t[\"^]*y[\"^]*p[\"^]*e)|o[\"^]*t[\"^]*o|p[\"^]*(?:f[\"^]*i[\"^]*x[\"^]*u[\"^]*p|(?:r[\"^]*e[\"^]*s[\"^]*u[\"^]*l[\"^]*)?t|u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e)|r[\"^]*a[\"^]*f[\"^]*t[\"^]*a[\"^]*b[\"^]*l)|h[\"^]*(?:e[\"^]*l[\"^]*p[\"^]*c[\"^]*t[\"^]*r|o[\"^]*s[\"^]*t[\"^]*n[\"^]*a[\"^]*m[\"^]*e)|i[\"^]*(?:c[\"^]*a[\"^]*c[\"^]*l[\"^]*s|f|p[\"^]*(?:c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|x[\"^]*r[\"^]*o[\"^]*u[\"^]*t[\"^]*e)|r[\"^]*f[\"^]*t[\"^]*p)|j[\"^]*e[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|k[\"^]*(?:l[\"^]*i[\"^]*s[\"^]*t|s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|t[\"^]*(?:m[\"^]*u[\"^]*t[\"^]*i[\"^]*l|p[\"^]*a[\"^]*s[\"^]*s))|l[\"^]*(?:o[\"^]*(?:d[\"^]*c[\"^]*t[\"^]*r|g[\"^]*(?:m[\"^]*a[\"^]*n|o[\"^]*f[\"^]*f))|p[\"^]*[q-r])|m[\"^]*(?:a[\"^]*(?:c[\"^]*f[\"^]*i[\"^]*l[\"^]*e|k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|p[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|k[\"^]*(?:d[\"^]*i[\"^]*r|l[\"^]*i[\"^]*n[\"^]*k)|m[\"^]*c|o[\"^]*u[\"^]*n[\"^]*t[\"^]*v[\"^]*o[\"^]*l|q[\"^]*(?:b[\"^]*k[\"^]*u[\"^]*p|(?:t[\"^]*g[\"^]*)?s[\"^]*v[\"^]*c)|s[\"^]*(?:d[\"^]*t|i[\"^]*(?:e[\"^]*x[\"^]*e[\"^]*c|n[\"^]*f[\"^]*o[\"^]*3[\"^]*2)|t[\"^]*s[\"^]*c))|n[\"^]*(?:b[\"^]*t[\"^]*s[\"^]*t[\"^]*a[\"^]*t|e[\"^]*t[\"^]*(?:c[\"^]*f[\"^]*g|d[\"^]*o[\"^]*m|s[\"^]*(?:h|t[\"^]*a[\"^]*t))|f[\"^]*s[\"^]*(?:a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|s[\"^]*(?:h[\"^]*a[\"^]*r[\"^]*e|t[\"^]*a[\"^]*t))|l[\"^]*(?:b[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*s[\"^]*t)|s[\"^]*l[\"^]*o[\"^]*o[\"^]*k[\"^]*u[\"^]*p|t[\"^]*(?:b[\"^]*a[\"^]*c[\"^]*k[\"^]*u[\"^]*p|c[\"^]*m[\"^]*d[\"^]*p[\"^]*r[\"^]*o[\"^]*m[\"^]*p[\"^]*t|f[\"^]*r[\"^]*s[\"^]*u[\"^]*t[\"^]*l))|o[\"^]*(?:f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e|p[\"^]*e[\"^]*n[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)|p[\"^]*(?:a[\"^]*(?:g[\"^]*e[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*c[\"^]*o[\"^]*n[\"^]*f[\"^]*i|t[\"^]*h
[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|(?:b[\"^]*a[\"^]*d[\"^]*m[\"^]*i|k[\"^]*t[\"^]*m[\"^]*o)[\"^]*n|e[\"^]*(?:n[\"^]*t[\"^]*n[\"^]*t|r[\"^]*f[\"^]*m[\"^]*o[\"^]*n)|n[\"^]*p[\"^]*u[\"^]*(?:n[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*n[\"^]*d|t[\"^]*i[\"^]*l)|o[\"^]*(?:p[\"^]*d|w[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l)|r[\"^]*n[\"^]*(?:c[\"^]*n[\"^]*f[\"^]*g|(?:d[\"^]*r[\"^]*v|m[\"^]*n[\"^]*g)[\"^]*r|j[\"^]*o[\"^]*b[\"^]*s|p[\"^]*o[\"^]*r[\"^]*t|q[\"^]*c[\"^]*t[\"^]*l)|u[\"^]*(?:b[\"^]*p[\"^]*r[\"^]*n|s[\"^]*h[\"^]*(?:d|p[\"^]*r[\"^]*i[\"^]*n[\"^]*t[\"^]*e[\"^]*r[\"^]*c[\"^]*o[\"^]*n[\"^]*n[\"^]*e[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s))|w[\"^]*(?:l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r|s[\"^]*h))|q[\"^]*(?:a[\"^]*p[\"^]*p[\"^]*s[\"^]*r[\"^]*v|p[\"^]*r[\"^]*o[\"^]*c[\"^]*e[\"^]*s[\"^]*s|u[\"^]*s[\"^]*e[\"^]*r|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|r[\"^]*(?:d(?:[\"^]*p[\"^]*s[\"^]*i[\"^]*g[\"^]*n)?|e[\"^]*(?:f[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|g(?:[\"^]*(?:i[\"^]*n[\"^]*i|s[\"^]*v[\"^]*r[\"^]*3[\"^]*2))?|l[\"^]*o[\"^]*g|(?:(?:p[\"^]*a[\"^]*d[\"^]*m[\"^]*i|s[\"^]*c[\"^]*a)[\"^]*)?n|x[\"^]*e[\"^]*c)|i[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|m[\"^]*d[\"^]*i[\"^]*r|o[\"^]*b[\"^]*o[\"^]*c[\"^]*o[\"^]*p[\"^]*y|p[\"^]*c[\"^]*(?:i[\"^]*n[\"^]*f[\"^]*o|p[\"^]*i[\"^]*n[\"^]*g)|s[\"^]*h|u[\"^]*n[\"^]*d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|s[\"^]*(?:a[\"^]*n|c[\"^]*(?:h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|w[\"^]*c[\"^]*m[\"^]*d)|e[\"^]*(?:c[\"^]*e[\"^]*d[\"^]*i[\"^]*t|r[\"^]*v[\"^]*e[\"^]*r[\"^]*(?:(?:c[\"^]*e[\"^]*i[\"^]*p|w[\"^]*e[\"^]*r)[\"^]*o[\"^]*p[\"^]*t[\"^]*i[\"^]*n|m[\"^]*a[\"^]*n[\"^]*a[\"^]*g[\"^]*e[\"^]*r[\"^]*c[\"^]*m[\"^]*d)|t[\"^]*x)|f[\"^]*c|(?:h[\"^]*o[\"^]*w[\"^]*m[\"^]*o[\"^]*u[\"^]*n|u[\"^]*b[\"^]*s)[\"^]*t|x[\"^]*s[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|y[\"^]*s[\"^]*(?:o[\"^]*c[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*m[\"^]*i[\"^]*n[\"^]*f[\"^]*o))|t[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*o[\"^]*w[\"^]*n|p[\"^]*i[\"^]*c[\"^]*f[\"^]*g|s[\"^]*
k[\"^]*(?:k[\"^]*i[\"^]*l[\"^]*l|l[\"^]*i[\"^]*s[\"^]*t))|(?:c[\"^]*m[\"^]*s[\"^]*e[\"^]*t[\"^]*u|f[\"^]*t)[\"^]*p|(?:(?:e[\"^]*l[\"^]*n[\"^]*e|i[\"^]*m[\"^]*e[\"^]*o[\"^]*u)[\"^]*|r[\"^]*a[\"^]*c[\"^]*e[\"^]*r[\"^]*(?:p[\"^]*)?)t|l[\"^]*n[\"^]*t[\"^]*a[\"^]*d[\"^]*m[\"^]*n|p[\"^]*m[\"^]*(?:t[\"^]*o[\"^]*o[\"^]*l|v[\"^]*s[\"^]*c[\"^]*m[\"^]*g[\"^]*r)|s[\"^]*(?:(?:d[\"^]*i[\"^]*s[\"^]*)?c[\"^]*o[\"^]*n|e[\"^]*c[\"^]*i[\"^]*m[\"^]*p|k[\"^]*i[\"^]*l[\"^]*l|p[\"^]*r[\"^]*o[\"^]*f)|y[\"^]*p[\"^]*e[\"^]*p[\"^]*e[\"^]*r[\"^]*f|z[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|u[\"^]*n[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*s[\"^]*e|i[\"^]*q[\"^]*u[\"^]*e[\"^]*i[\"^]*d|l[\"^]*o[\"^]*d[\"^]*c[\"^]*t[\"^]*r)|v[\"^]*(?:o[\"^]*l|s[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|w[\"^]*(?:a[\"^]*i[\"^]*t[\"^]*f[\"^]*o[\"^]*r|b[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|(?:d[\"^]*s|e[\"^]*(?:c|v[\"^]*t))[\"^]*u[\"^]*t[\"^]*i[\"^]*l|h[\"^]*(?:e[\"^]*r[\"^]*e|o[\"^]*a[\"^]*m[\"^]*i)|i[\"^]*n[\"^]*(?:n[\"^]*t(?:[\"^]*3[\"^]*2)?|r[\"^]*s)|m[\"^]*i[\"^]*c|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|x[\"^]*c[\"^]*o[\"^]*p[\"^]*y)(?:.[\"^]*[0-9A-Z_a-z]+)?b" - }, - { - "category": "RCE", - "pattern": "@lt 2" - }, - { - "category": "RCE", - "pattern": "@lt 2" - }, - { - "category": "RCE", - "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*.[sv].*b" - }, - { - "category": "RCE", - "pattern": "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" - }, - { - "category": "RCE", - "pattern": "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" - }, - { - "category": "RCE", - "pattern": "@rx /" - }, - { - "category": "RCE", - "pattern": "@rx s" - }, - { - "category": "RCE", - "pattern": "@rx 
^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" - }, - { - "category": "RCE", - "pattern": "@rx /" - }, - { - "category": "RCE", - "pattern": "@rx s" - }, - { - "category": "RCE", - "pattern": "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" - }, - { - "category": "RCE", - "pattern": "@rx /" - }, - { - "category": "RCE", - "pattern": "@rx s" - }, - { - "category": "RCE", - "pattern": "@rx (?i).|(?:[sv]*|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e[\"
')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o[\"
')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3[\"')[-x5c]*(?:
(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h))" - }, - { - "category": "RCE", - "pattern": "@rx (?i)[-0-9_a-z]+(?:[\"'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+" - }, - { - "category": "RCE", - "pattern": "!@rx [0-9]s*'s*[0-9]" - }, - { - "category": "RCE", - "pattern": "@rx ;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" - }, - { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" - }, - { - "category": "RCE", - "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\"-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: 
\"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:[\"-#*.-9A-Z_a-z~]+)? (?:[\"%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:[\"%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:[\"%-&*--9A-Zx5c_a-z]+)? ((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:[\"%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&*--9A-Zx5c_a-z]+)?)" - }, - { - "category": "RCE", - "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|ps
h)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql
(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(
?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" - }, - { - "category": "RCE", - "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?
:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|
ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" - }, - { - "category": "RCE", - "pattern": 
"@pmFromFile unix-shell.data" - }, - { - "category": "RCE", - "pattern": "@lt 3" - }, - { - "category": "RCE", - "pattern": "@lt 3" - }, - { - "category": "RCE", - "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:||
|&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b" - }, - { - "category": "RCE", - "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<
>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-sto
p-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" - }, - { - "category": "RCE", - "pattern": "@rx 
(?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" - }, - { - "category": "RCE", - "pattern": "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" - }, - { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" - }, - { - "category": "RCE", - "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? 
(?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" - }, - { - "category": "RCE", - "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" - }, - { - "category": "RCE", - "pattern": "@rx !(?:d|!)" - }, - { - "category": "RCE", - "pattern": "@lt 4" - }, - { - "category": "RCE", - "pattern": "@lt 4" - }, - { - "category": "JAVA", - "pattern": "@lt 1" - }, - { - "category": "JAVA", - "pattern": "@lt 1" - }, - { - "category": "JAVA", - "pattern": "@pmFromFile java-code-leakages.data" - }, - { - "category": "JAVA", - "pattern": "@pmFromFile java-errors.data" - }, - { - "category": "JAVA", - "pattern": "@lt 2" - }, - { - "category": "JAVA", - "pattern": "@lt 2" - }, - { - "category": "JAVA", - "pattern": "@lt 3" - }, - { - "category": "JAVA", - "pattern": "@lt 3" - }, - { - "category": "JAVA", - "pattern": "@lt 4" - }, - { - "category": "JAVA", - "pattern": "@lt 4" - }, - { - "category": "SQL", - "pattern": "@lt 1" - }, - { - "category": "SQL", - "pattern": "@lt 1" - }, - { - "category": "SQL", - "pattern": "!@pmFromFile sql-errors.data" - }, - { - "category": "SQL", - "pattern": "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" - }, - { - "category": "SQL", - "pattern": "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" - }, - { - "category": "SQL", - "pattern": "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" - }, - { - "category": "SQL", - "pattern": "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" - }, - { - "category": "SQL", - "pattern": "@rx (?i)Dynamic SQL Error" - }, - { - "category": "SQL", - "pattern": "@rx (?i)Exception (?:condition )?d+. Transaction rollback." 
- }, - { - "category": "SQL", - "pattern": "@rx (?i)org.hsqldb.jdbc" - }, - { - "category": "SQL", - "pattern": "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" - }, - { - "category": "SQL", - "pattern": "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" - }, - { - "category": "SQL", - "pattern": "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" - }, - { - "category": "SQL", - "pattern": "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? 
to data type int.)" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" - }, - { - "category": "SQL", - "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" - }, - { - "category": "SQL", - "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" - }, - { - "category": "SQL", - "pattern": "@lt 2" - }, - { - "category": "SQL", - "pattern": "@lt 2" - }, - { - "category": "SQL", - "pattern": "@lt 3" - }, - { - "category": "SQL", - "pattern": "@lt 3" - }, - { - "category": "SQL", - "pattern": "@lt 4" - }, - { - "category": "SQL", - "pattern": "@lt 4" - }, - { - "category": "JAVA", - "pattern": "@lt 1" - }, - { - "category": "JAVA", - "pattern": "@lt 1" - }, - { - "category": "JAVA", - "pattern": "@rx java.lang.(?:runtime|processbuilder)" - }, - { - "category": "JAVA", - "pattern": "@rx (?:runtime|processbuilder)" - }, - { - "category": "JAVA", - "pattern": "@rx (?:unmarshaller|base64data|java.)" - }, - { - "category": "JAVA", - "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" - }, 
- { - "category": "JAVA", - "pattern": "@rx (?:runtime|processbuilder)" - }, - { - "category": "JAVA", - "pattern": "@pmFromFile java-classes.data" - }, - { - "category": "JAVA", - "pattern": "@rx .*.(?:jsp|jspx).*$" - }, - { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" - }, - { - "category": "JAVA", - "pattern": "@lt 2" - }, - { - "category": "JAVA", - "pattern": "@lt 2" - }, - { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" - }, - { - "category": "JAVA", - "pattern": "@rx xacxedx00x05" - }, - { - "category": "JAVA", - "pattern": "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" - }, - { - "category": "JAVA", - "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" - }, - { - "category": "JAVA", - "pattern": "@rx javab.+(?:runtime|processbuilder)" - }, - { - "category": "JAVA", - "pattern": "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" - }, - { - "category": "JAVA", - "pattern": "@lt 3" - }, - { - "category": "JAVA", - "pattern": "@lt 3" - }, - { - "category": "JAVA", - "pattern": "@rx 
(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" - }, - { - "category": "JAVA", - "pattern": "@lt 4" - }, - { - "category": "JAVA", - "pattern": "@lt 4" - }, - { - "category": "JAVA", - "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" - }, - { - "category": "ATTACK", - "pattern": "!@eq 0" - }, - { - "category": "ATTACK", - "pattern": "!@within |%{tx.allowed_request_content_type_charset}|" - }, - { - "category": "ATTACK", - "pattern": "@rx ^content-types*:s*(.*)$" - }, - { - "category": "ATTACK", - "pattern": "!@rx ^(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" - }, - { - "category": 
"ATTACK", - "pattern": "@rx content-transfer-encoding:(.*)" - }, { "category": "EVALUATION", "pattern": "@ge 1" 
@@ -1208,375 +560,103 @@ "pattern": "@lt 4" }, { - "category": "SQLI", + "category": "SQL", "pattern": "@lt 1" }, { - "category": "SQLI", + "category": "SQL", "pattern": "@lt 1" }, { - "category": "SQLI", - "pattern": "@detectSQLi" + "category": "SQL", + "pattern": "!@pmFromFile sql-errors.data" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))" + "category": "SQL", + "pattern": "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:a
c|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" + "category": "SQL", + "pattern": "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" }, { - "category": "SQLI", - "pattern": "@rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" + "category": "SQL", + "pattern": "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" }, { - "category": "SQLI", - "pattern": "@rx (?i)(?:select|;)[sv]+(?:benchmark|if|sleep)[sv]*?([sv]*?(?[sv]*?[0-9A-Z_a-z]+" + "category": "SQL", + "pattern": "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" }, { - "category": "SQLI", - "pattern": "@rx 
(?i)[\"'`](?:[sv]*![sv]*[\"'0-9A-Z_-z]|;?[sv]*(?:having|select|unionb[sv]*(?:all|(?:distin|sele)ct))b[sv]*[^sv])|b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[sv]*?|select.*?[0-9A-Z_a-z]?user)(|exec(?:ute)?[sv]+master.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[sv+]+(?:dump|out)file[sv]*?[\"'`]|union(?:[sv]select[sv]@|[sv(0-9A-Z_a-z]*?select))|[sv]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[sv]*?(" + "category": "SQL", + "pattern": "@rx (?i)Dynamic SQL Error" }, { - "category": "SQLI", - "pattern": "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" + "category": "SQL", + "pattern": "@rx (?i)Exception (?:condition )?d+. Transaction rollback." }, { - "category": "SQLI", - "pattern": "@rx (?i)[sv(-)]case[sv]+when.*?then|)[sv]*?like[sv]*?(|select.*?having[sv]*?[^sv]+[sv]*?[^sv0-9A-Z_a-z]|if[sv]?([0-9A-Z_a-z]+[sv]*?[<->~]" + "category": "SQL", + "pattern": "@rx (?i)org.hsqldb.jdbc" }, { - "category": "SQLI", - "pattern": "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" + "category": "SQL", + "pattern": "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" }, { - "category": "SQLI", - "pattern": "@rx (?i:merge.*?usings*?(|executes*?immediates*?[\"'`]|matchs*?[w(),+-]+s*?againsts*?()" + "category": "SQL", + "pattern": "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" }, { - "category": "SQLI", - "pattern": "@rx (?i)union.*?select.*?from" + "category": "SQL", + "pattern": "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" }, { - "category": "SQLI", - "pattern": "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" + "category": "SQL", + "pattern": "@rx (?i:SQL 
error.*POS[0-9]+.*|Warning.*maxdb.*)" }, { - "category": "SQLI", - "pattern": "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" + "category": "SQL", + "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? 
to data type int.)" }, { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" + "category": "SQL", + "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" }, { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" + "category": "SQL", + "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? 
resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" }, { - "category": "SQLI", - "pattern": "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)" + "category": "SQL", + "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" }, { - "category": "SQLI", - "pattern": "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" + "category": "SQL", + "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" }, { - "category": "SQLI", - "pattern": "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)1.e[(-),]" - }, - { - "category": "SQLI", - 
"pattern": "@rx [\"'`][[{].*[]}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)[\"'`][[{].*[]}][\"'`]|json_extract.*(.*)" - }, - { - "category": "SQLI", + "category": "SQL", "pattern": "@lt 2" }, { - "category": "SQLI", + "category": "SQL", "pattern": "@lt 2" }, { - "category": "SQLI", - "pattern": "@rx (?:^s*[\"'`;]+|[\"'`]+s*$)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|\"[^\"]*\")[sv]+and[sv]+(?:'[^']*'|\"[^\"]*\"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv\"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" - }, - { - "category": "SQLI", - "pattern": "@streq %{TX.2}" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" - }, - { - "category": "SQLI", - "pattern": "!@streq %{TX.2}" - }, - { - "category": "SQLI", - "pattern": "@rx 
(?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)(?:/*)+[\"'`]+[sv]?(?:--|[#{]|/*)?|[\"'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*[\"'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?[\"'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][sv]+[\"'`][sv]+[0-9]|^admin[sv]*?[\"'`]|[sv\"'-(`][sv]*?glob[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" - }, - { - "category": "SQLI", - "pattern": "@rx (?i),.*?[\"')0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:r?n)?z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" - }, - { - "category": "SQLI", - "pattern": "@rx 
(?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[\"'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" - }, - { - "category": "SQLI", - "pattern": "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[\"'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][\"'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" - }, - { - "category": "SQLI", - "pattern": "@rx 
(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?[\"'`]|[0-9=]+x)|[\"'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)[\"'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()" - }, - { - "category": "SQLI", - "pattern": "@rx (?i:^[Wd]+s*?(?:alter|union)b)" - }, - { - "category": "SQLI", - "pattern": "@rx 
(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?[\"'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^[\"'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+[\"'`][^,]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ 
\"'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analys
e)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'" - }, - { - "category": "SQLI", - "pattern": "@rx 
((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){12})" - }, - { - "category": "SQLI", - "pattern": "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00" - }, - { - "category": "SQLI", - "pattern": "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" - }, - { - "category": "SQLI", - "pattern": "@rx (?i:b0x[a-fd]{3,})" - }, - { - "category": "SQLI", - "pattern": "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" - }, - { - "category": "SQLI", - "pattern": "@rx ^(?:and|or)$" - }, - { - "category": "SQLI", - "pattern": "@rx ^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" - }, - { - "category": "SQLI", - "pattern": "@detectSQLi" - }, - { - "category": "SQLI", - "pattern": "@rx 
(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileop
tion_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" - }, - { - "category": "SQLI", - "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" - }, - { - "category": "SQLI", + "category": "SQL", "pattern": "@lt 3" }, { - "category": "SQLI", + "category": "SQL", "pattern": "@lt 3" }, { - "category": "SQLI", - "pattern": "@rx (?i)W+d*?s*?bhavingbs*?[^s-]" - }, - { - "category": "SQLI", - "pattern": "@rx [\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" - }, - { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){8})" - }, - { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){6})" - }, - { - "category": "SQLI", - "pattern": "@rx W{4}" - }, - { - "category": "SQLI", - "pattern": "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" - }, - { - "category": "SQLI", - "pattern": "@rx ';" - }, - { - "category": "SQLI", + "category": "SQL", "pattern": "@lt 4" }, { - "category": "SQLI", - "pattern": "@lt 4" - }, - { - "category": "SQLI", - "pattern": "@rx 
((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){3})" - }, - { - "category": "SQLI", - "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){2})" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 1" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 1" - }, - { - "category": "LEAKAGES", - "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)" - }, - { - "category": "LEAKAGES", - "pattern": "@rx ^#!s?/" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 2" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 2" - }, - { - "category": "LEAKAGES", - "pattern": "@rx ^5d{2}$" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 3" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 3" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 4" - }, - { - "category": "LEAKAGES", - "pattern": "@lt 4" - }, - { - "category": "ENFORCEMENT", - "pattern": "@lt 1" - }, - { - "category": "ENFORCEMENT", - "pattern": "@lt 1" - }, - { - "category": "ENFORCEMENT", - "pattern": "!@within %{tx.allowed_methods}" - }, - { - "category": "ENFORCEMENT", - "pattern": "@lt 2" - }, - { - "category": "ENFORCEMENT", - "pattern": "@lt 2" - }, - { - "category": "ENFORCEMENT", - "pattern": "@lt 3" - }, - { - "category": "ENFORCEMENT", - "pattern": "@lt 3" - }, - { - "category": "ENFORCEMENT", - "pattern": "@lt 4" - }, - { - "category": "ENFORCEMENT", + "category": "SQL", "pattern": "@lt 4" }, { 
@@ -1991,6 +1071,66 @@
 "category": "ENFORCEMENT",
 "pattern": "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]"
 },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@pmFromFile java-code-leakages.data"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@pmFromFile java-errors.data"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@streq GET /"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@ipMatch 127.0.0.1,::1"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@ipMatch 127.0.0.1,::1"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@endsWith (internal dummy connection)"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$"
+ },
 {
 "category": "XSS",
 "pattern": "@lt 1"
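Review bot: The regex entries in this hunk appear to have lost their backslash escapes, so they no longer match what the source rules matched: in `@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$` the `*` now quantifies the preceding space instead of matching a literal asterisk and `.` matches any character, and the context entry `(?:^|[^x5c])x5c[...]` matches the text `x5c` rather than a backslash. If the file itself (and not only this rendering) lacks them, the generator should keep each operator argument verbatim and let the JSON serializer do the escaping, so the stored strings read `OPTIONS \\*` and `[12]\\.[01]`. Separately, the added `@lt N`, `@streq GET /`, `@ipMatch 127.0.0.1,::1` and `@endsWith (internal dummy connection)` entries carry only an operator, with no target variable, chain link or action, so a consumer that treats every entry as a standalone signature cannot tell what look like level gates and loopback allow-list conditions from detections; consider dropping them or recording that context in extra fields (for example a suggested `"variable"` and `"chained"`). The two `@pmFromFile` entries also depend on `java-code-leakages.data` and `java-errors.data`, which this hunk does not add.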
@@ -2163,6 +1303,870 @@ "category": "XSS", "pattern": "@lt 4" }, + { + "category": "PHP", + "pattern": "@lt 1" + }, + { + "category": "PHP", + "pattern": "@lt 1" + }, + { + "category": "PHP", + "pattern": "@rx (?:" + }, + { + "category": "PHP", + "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?" + }, + { + "category": "PHP", + "pattern": "@lt 4" + }, + { + "category": "PHP", + "pattern": "@lt 4" + }, + { + "category": "PHP", + "pattern": "@lt 1" + }, + { + "category": "PHP", + "pattern": "@lt 1" + }, + { + "category": "PHP", + "pattern": "@pmFromFile php-errors.data" + }, + { + "category": "PHP", + "pattern": "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" + }, + { + "category": "PHP", + "pattern": "@rx (?i)~]" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i:merge.*?usings*?(|executes*?immediates*?[\"'`]|matchs*?[w(),+-]+s*?againsts*?()" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)union.*?select.*?from" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" 
+ }, + { + "category": "SQLI", + "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv
]*schema|srobject))b)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" + }, + { + "category": "SQLI", + "pattern": "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)1.e[(-),]" + }, + { + "category": "SQLI", + "pattern": "@rx [\"'`][[{].*[]}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)[\"'`][[{].*[]}][\"'`]|json_extract.*(.*)" + }, + { + "category": "SQLI", + "pattern": "@lt 2" + }, + { + "category": "SQLI", + "pattern": "@lt 2" + }, + { + "category": "SQLI", + "pattern": "@rx (?:^s*[\"'`;]+|[\"'`]+s*$)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|\"[^\"]*\")[sv]+and[sv]+(?:'[^']*'|\"[^\"]*\"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv\"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" + }, + { + "category": "SQLI", + "pattern": "@streq %{TX.2}" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" + }, + { + "category": "SQLI", + "pattern": "!@streq %{TX.2}" + }, + { + "category": "SQLI", + "pattern": "@rx 
(?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)(?:/*)+[\"'`]+[sv]?(?:--|[#{]|/*)?|[\"'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*[\"'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?[\"'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][sv]+[\"'`][sv]+[0-9]|^admin[sv]*?[\"'`]|[sv\"'-(`][sv]*?glob[^0-9A-Z_a-z]+[\"'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" + }, + { + "category": "SQLI", + "pattern": "@rx (?i),.*?[\"')0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:r?n)?z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" + }, + { + "category": "SQLI", + "pattern": "@rx 
(?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[\"'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" + }, + { + "category": "SQLI", + "pattern": "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[\"'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][\"'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" + }, + { + "category": "SQLI", + "pattern": "@rx 
(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?[\"'`]|[0-9=]+x)|[\"'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)[\"'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()" + }, + { + "category": "SQLI", + "pattern": "@rx (?i:^[Wd]+s*?(?:alter|union)b)" + }, + { + "category": "SQLI", + "pattern": "@rx 
(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|[\"'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*[\"'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)[\"'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?[\"'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^[\"'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+[\"'`][^,]" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ 
\"'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analys
e)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'" + }, + { + "category": "SQLI", + "pattern": "@rx 
((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){12})" + }, + { + "category": "SQLI", + "pattern": "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00" + }, + { + "category": "SQLI", + "pattern": "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" + }, + { + "category": "SQLI", + "pattern": "@rx (?i:b0x[a-fd]{3,})" + }, + { + "category": "SQLI", + "pattern": "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" + }, + { + "category": "SQLI", + "pattern": "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" + }, + { + "category": "SQLI", + "pattern": "@rx ^(?:and|or)$" + }, + { + "category": "SQLI", + "pattern": "@rx ^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" + }, + { + "category": "SQLI", + "pattern": "@detectSQLi" + }, + { + "category": "SQLI", + "pattern": "@rx 
(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileop
tion_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*("
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx (?i)W+d*?s*?bhavingbs*?[^s-]"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx [\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){8})"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){6})"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx W{4}"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx ';"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx 
((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){3})"
+ },
+ {
+ "category": "SQLI",
+ "pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){2})"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx java.lang.(?:runtime|processbuilder)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?:runtime|processbuilder)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?:unmarshaller|base64data|java.)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?:runtime|processbuilder)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@pmFromFile java-classes.data"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx .*.(?:jsp|jspx).*$"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx xacxedx00x05"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?:rO0ABQ|KztAAU|Cs7QAF)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx javab.+(?:runtime|processbuilder)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx 
(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "JAVA",
+ "pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx 
(?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z][\"'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)
?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b" + }, + { + "category": "RCE", + "pattern": "@rx 
(?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[sv&)<>|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[sv&)<>|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[sv&)<>|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[sv&)<>|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r)))|f(?:acter|(?:etch|lock|unction)[sv&)<>|]|grep|i(?:le(?:[sv&)<>|]|test)|(?:n(?:d|ger)|sh)[sv&)<>|])|o(?:ld[sv&)<>|]|reach)|ping|tp(?:stats|who))|g(?:awk[sv&)<>|]|core|e(?:ni(?:e[sv&)<>|]|soimage)|tfacl[sv&)<>|])|hci|i(?:mp[sv&)<>|]|nsh)|r(?:ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[sv&)<>|]|onice|p(?:6?tables|config)|spell)|j(?:ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)
|k(?:ill(?:[sv&)<>|]|all)|nife[sv&)<>|]|sshell)|l(?:a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|dconfig|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[sv&)<>|]|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[sv&)<>q|]|x[sv&)<>|])|ke[sv&)<>|]|ster.passwd|wk)|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[sv&)<>|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[sv&)<>|]|sm|wk)|c(?:.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[sv&)<>|]|map|o(?:de[sv&)<>|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[sv&)<>|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[sv&)<>|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[sv&)<>|]|shd)|wd.db|ython[^sv])|r(?:ak(?:e[sv&)<>|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[sv&)<>|]|stic)|l(?:ogin|wrap)|m(?:dir[sv&)<>|]|user)|nano|oute[sv&)<>|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[sv&)<>|]|c(?:hed|r(?:een|ipt)[sv&)<>|])|diff|e(?:(?:lf|rvice)[sv&)<>|]|ndmail|t(?:arch|env|facl[sv&)<>|]|sid))|ftp|h(?:.distrib|(?:adow|ells)[sv&)<>|]|u(?:f|tdown[sv&)<>|]))|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[sv&)<>|]|datectl)|mux|ouch[sv&)<>|]|r(?:aceroute6?|off)|shark)|u(?:limit[sv&)<>|]|n(?:
ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[sv&)<>|]|gr|mdiff|pw|rsh)|olatility[sv&)<>|])|w(?:a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" + }, + { + "category": "RCE", + "pattern": "@pmFromFile windows-powershell-commands.data" + }, + { + "category": "RCE", + "pattern": "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:(?:a[\"^]*(?:c|s[\"^]*n[\"^]*p)|e[\"^]*(?:b[\"^]*p|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|s[\"^]*n)|[tx][\"^]*s[\"^]*n)|f[\"^]*(?:[cltw]|o[\"^]*r[\"^]*e[\"^]*a[\"^]*c[\"^]*h)|i[\"^]*(?:[cr][\"^]*m|e[\"^]*x|h[\"^]*y|i|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|m[\"^]*o|s[\"^]*n)|s[\"^]*e|w[\"^]*(?:m[\"^]*i|r))|m[\"^]*(?:a[\"^]*n|[dipv]|o[\"^]*u[\"^]*n[\"^]*t)|o[\"^]*g[\"^]*v|p[\"^]*(?:o[\"^]*p|u[\"^]*s[\"^]*h)[\"^]*d|t[\"^]*r[\"^]*c[\"^]*m|w[\"^]*j[\"^]*b)[\"^]*[sv,.-/;-<>].*|c[\"^]*(?:(?:(?:d|h[\"^]*d[\"^]*i[\"^]*r|v[\"^]*p[\"^]*a)[\"^]*|p[\"^]*(?:[ip][\"^]*)?)[sv,.-/;-<>].*|l[\"^]*(?:(?:[cipv]|h[\"^]*y)[\"^]*[sv,.-/;-<>].*|s)|n[\"^]*s[\"^]*n)|d[\"^]*(?:(?:b[\"^]*p|e[\"^]*l|i[\"^]*(?:f[\"^]*f|r))[\"^]*[sv,.-/;-<>].*|n[\"^]*s[\"^]*n)|g[\"^]*(?:(?:(?:(?:a[\"^]*)?l|b[\"^]*p|d[\"^]*r|h[\"^]*y|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|[u-v])[\"^]*|c[\"^]*(?:[ims][\"^]*)?|m[\"^]*(?:o[\"^]*)?|s[\"^]*(?:n[\"^]*(?:p[\"^]*)?|v[\"^]*))[sv,.-/;-<>].*|e[\"^]*r[\"^]*r|p[\"^]*(?:(?:s[\"^]*)?[sv,.-/;-<>].*|v))|l[\"^]*s|n[\"^]*(?:(?:a[\"^]*l|d[\"^]*r|[iv]|m[\"^]*o|s[\"^]*n)[\"^]*[sv,.-/;-<>].*|p[\"^]*s[\"^]*s[\"^]*c)|r[\"^]*(?:(?:(?
:(?:b[\"^]*)?p|e[\"^]*n|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|n[\"^]*[ip])[\"^]*|d[\"^]*(?:r[\"^]*)?|m[\"^]*(?:(?:d[\"^]*i[\"^]*r|o)[\"^]*)?|s[\"^]*n[\"^]*(?:p[\"^]*)?|v[\"^]*(?:p[\"^]*a[\"^]*)?)[sv,.-/;-<>].*|c[\"^]*(?:j[\"^]*b[\"^]*[sv,.-/;-<>].*|s[\"^]*n)|u[\"^]*j[\"^]*b)|s[\"^]*(?:(?:(?:a[\"^]*(?:j[\"^]*b|l|p[\"^]*s|s[\"^]*v)|b[\"^]*p|[civ]|w[\"^]*m[\"^]*i)[\"^]*|l[\"^]*(?:s[\"^]*)?|p[\"^]*(?:(?:j[\"^]*b|p[\"^]*s|s[\"^]*v)[\"^]*)?)[sv,.-/;-<>].*|h[\"^]*c[\"^]*m|u[\"^]*j[\"^]*b))(?:.[\"^]*[0-9A-Z_a-z]+)?b" + }, + { + "category": "RCE", + "pattern": "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" + }, + { + "category": "RCE", + "pattern": "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" + }, + { + "category": "RCE", + "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]
*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]" + }, + { + "category": "RCE", + "pattern": "@rx 
(?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" + }, + { + "category": "RCE", + "pattern": "!@rx [0-9]s*'s*[0-9]" + }, + { + "category": "RCE", + "pattern": "@rx !-d" + }, + { + "category": "RCE", + "pattern": "@pmFromFile unix-shell.data" + }, + { + "category": "RCE", + "pattern": "@rx ^(s*)s+{" + }, + { + "category": "RCE", + "pattern": "@rx ^(s*)s+{" + }, 
+ { + "category": "RCE", + "pattern": "@rx ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]" + }, + { + "category": "RCE", + "pattern": "@pmFromFile restricted-upload.data" + }, + { + "category": "RCE", + "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:c[\"^]*c[\"^]*c[\"^]*h[\"^]*e[\"^]*c[\"^]*k[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e|d[\"^]*(?:p[\"^]*l[\"^]*u[\"^]*s|v[\"^]*p[\"^]*a[\"^]*c[\"^]*k)|(?:g[\"^]*e[\"^]*n[\"^]*t[\"^]*e[\"^]*x[\"^]*e[\"^]*c[\"^]*u[\"^]*t[\"^]*o|s[\"^]*p[\"^]*n[\"^]*e[\"^]*t[\"^]*_[\"^]*c[\"^]*o[\"^]*m[\"^]*p[\"^]*i[\"^]*l[\"^]*e)[\"^]*r|p[\"^]*p[\"^]*(?:i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*e[\"^]*r|v[\"^]*l[\"^]*p)|t[\"^]*(?:[sv,.-/;-<>].*|b[\"^]*r[\"^]*o[\"^]*k[\"^]*e[\"^]*r))|b[\"^]*(?:a[\"^]*s[\"^]*h|g[\"^]*i[\"^]*n[\"^]*f[\"^]*o|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:d[\"^]*b|e[\"^]*r[\"^]*t[\"^]*(?:o[\"^]*c|r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|l[\"^]*_[\"^]*(?:i[\"^]*n[\"^]*v[\"^]*o[\"^]*c[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n|l[\"^]*o[\"^]*a[\"^]*d[\"^]*a[\"^]*s[\"^]*s[\"^]*e[\"^]*m[\"^]*b[\"^]*l[\"^]*y|m[\"^]*u[\"^]*t[\"^]*e[\"^]*x[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*i[\"^]*e[\"^]*r[\"^]*s)|m[\"^]*(?:d(?:[\"^]*(?:k[\"^]*e[\"^]*y|l[\"^]*3[\"^]*2))?|s[\"^]*t[\"^]*p)|o[\"^]*(?:m[\"^]*s[\"^]*v[\"^]*c[\"^]*s|n[\"^]*(?:f[\"^]*i[\"^]*g[\"^]*s[\"^]*e[\"^]*c[\"^]*u[\"^]*r[\"^]*i[\"^]*t[\"^]*y[\"^]*p[\"^]*o[\"^]*l[\"^]*i[\"^]*c[\"^]*y|h[\"^]*o[\"^]*s[\"^]*t|t[\"^]*r[\"^]*o[\"^]*l)|r[\"^]*e[\"^]*g[\"^]*e[\"^]*n)|r[\"^]*e[\"^]*a[\"^]*t[\"^]*e[\"^]*d[\"^]*u[\"^]*m[\"^]*p|s[\"^]*(?:c(?:[\"^]*r[\"^]*i[\"^]*p[\"^]*t)?|i)|u[\"^]*s[\"^]*t[\"^]*o[
\"^]*m[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l[\"^]*h[\"^]*o[\"^]*s[\"^]*t)|d[\"^]*(?:a[\"^]*t[\"^]*a[\"^]*s[\"^]*v[\"^]*c[\"^]*u[\"^]*t[\"^]*i[\"^]*l|e[\"^]*(?:f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|s[\"^]*k(?:[\"^]*t[\"^]*o[\"^]*p[\"^]*i[\"^]*m[\"^]*g[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*d[\"^]*r)?|v[\"^]*(?:i[\"^]*c[\"^]*e[\"^]*c[\"^]*r[\"^]*e[\"^]*d[\"^]*e[\"^]*n[\"^]*t[\"^]*i[\"^]*a[\"^]*l[\"^]*d[\"^]*e[\"^]*p[\"^]*l[\"^]*o[\"^]*y[\"^]*m[\"^]*e[\"^]*n[\"^]*t|t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r))|f[\"^]*s[\"^]*(?:h[\"^]*i[\"^]*m|v[\"^]*c)|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|s[\"^]*k[\"^]*s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|n[\"^]*(?:s[\"^]*c[\"^]*m[\"^]*d|x)|o[\"^]*t[\"^]*n[\"^]*e[\"^]*t|u[\"^]*m[\"^]*p[\"^]*6[\"^]*4|x[\"^]*c[\"^]*a[\"^]*p)|e[\"^]*(?:s[\"^]*e[\"^]*n[\"^]*t[\"^]*u[\"^]*t[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*v[\"^]*w[\"^]*r|x[\"^]*(?:c[\"^]*e[\"^]*l|p[\"^]*(?:a[\"^]*n[\"^]*d|l[\"^]*o[\"^]*r[\"^]*e[\"^]*r)|t[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*r[\"^]*t|r[\"^]*a[\"^]*c[\"^]*3[\"^]*2)))|f[\"^]*(?:i[\"^]*n[\"^]*(?:d[\"^]*s[\"^]*t|g[\"^]*e)[\"^]*r|l[\"^]*t[\"^]*m[\"^]*c|o[\"^]*r[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s|s[\"^]*(?:i(?:[\"^]*a[\"^]*n[\"^]*y[\"^]*c[\"^]*p[\"^]*u)?|u[\"^]*t[\"^]*i[\"^]*l)|t[\"^]*p)|g[\"^]*(?:f[\"^]*x[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*o[\"^]*a[\"^]*d[\"^]*w[\"^]*r[\"^]*a[\"^]*p[\"^]*p[\"^]*e[\"^]*r|p[\"^]*s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|h[\"^]*h|i[\"^]*(?:e[\"^]*(?:4[\"^]*u[\"^]*i[\"^]*n[\"^]*i[\"^]*t|a[\"^]*d[\"^]*v[\"^]*p[\"^]*a[\"^]*c[\"^]*k|e[\"^]*x[\"^]*e[\"^]*c|f[\"^]*r[\"^]*a[\"^]*m[\"^]*e)|l[\"^]*a[\"^]*s[\"^]*m|m[\"^]*e[\"^]*w[\"^]*d[\"^]*b[\"^]*l[\"^]*d|n[\"^]*(?:f[\"^]*d[\"^]*e[\"^]*f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l|s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*u[\"^]*t[\"^]*i)[\"^]*l)|j[\"^]*s[\"^]*c|l[\"^]*(?:a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*-[\"^]*v[\"^]*s[\"^]*d[\"^]*e[\"^]*v[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|d[
\"^]*i[\"^]*f[\"^]*d[\"^]*e)|m[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|n[\"^]*a[\"^]*g[\"^]*e[\"^]*-[\"^]*b[\"^]*d[\"^]*e|v[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t)|f[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|i[\"^]*c[\"^]*r[\"^]*o[\"^]*s[\"^]*o[\"^]*f[\"^]*t|m[\"^]*c|p[\"^]*c[\"^]*m[\"^]*d[\"^]*r[\"^]*u[\"^]*n|s[\"^]*(?:(?:b[\"^]*u[\"^]*i[\"^]*l|o[\"^]*h[\"^]*t[\"^]*m[\"^]*e)[\"^]*d|c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|d[\"^]*(?:e[\"^]*p[\"^]*l[\"^]*o[\"^]*y|t)|h[\"^]*t[\"^]*(?:a|m[\"^]*l)|i[\"^]*e[\"^]*x[\"^]*e[\"^]*c|p[\"^]*u[\"^]*b|x[\"^]*s[\"^]*l))|n[\"^]*(?:e[\"^]*t[\"^]*s[\"^]*h|t[\"^]*d[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|o[\"^]*(?:d[\"^]*b[\"^]*c[\"^]*c[\"^]*o[\"^]*n[\"^]*f|f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e[\"^]*s[\"^]*c[\"^]*a[\"^]*n[\"^]*n[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|n[\"^]*e[\"^]*d[\"^]*r[\"^]*i[\"^]*v[\"^]*e[\"^]*s[\"^]*t[\"^]*a[\"^]*n[\"^]*d[\"^]*a[\"^]*l[\"^]*o[\"^]*n[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e[\"^]*r|p[\"^]*e[\"^]*n[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e)|p[\"^]*(?:c[\"^]*(?:a[\"^]*l[\"^]*u[\"^]*a|w[\"^]*(?:r[\"^]*u[\"^]*n|u[\"^]*t[\"^]*l))|(?:e[\"^]*s[\"^]*t[\"^]*e|s)[\"^]*r|(?:k[\"^]*t[\"^]*m[\"^]*o|u[\"^]*b[\"^]*p[\"^]*r)[\"^]*n|n[\"^]*p[\"^]*u[\"^]*t[\"^]*i[\"^]*l|o[\"^]*w[\"^]*e[\"^]*r[\"^]*p[\"^]*n[\"^]*t|r[\"^]*(?:e[\"^]*s[\"^]*e[\"^]*n[\"^]*t[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*h[\"^]*o[\"^]*s[\"^]*t|i[\"^]*n[\"^]*t(?:[\"^]*b[\"^]*r[\"^]*m)?|o[\"^]*(?:c[\"^]*d[\"^]*u[\"^]*m[\"^]*p|t[\"^]*o[\"^]*c[\"^]*o[\"^]*l[\"^]*h[\"^]*a[\"^]*n[\"^]*d[\"^]*l[\"^]*e[\"^]*r)))|r[\"^]*(?:a[\"^]*s[\"^]*a[\"^]*u[\"^]*t[\"^]*o[\"^]*u|c[\"^]*s[\"^]*i|(?:d[\"^]*r[\"^]*l[\"^]*e[\"^]*a[\"^]*k[\"^]*d[\"^]*i[\"^]*a|p[\"^]*c[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|e[\"^]*(?:g(?:[\"^]*(?:a[\"^]*s[\"^]*m|e[\"^]*d[\"^]*i[\"^]*t|i[\"^]*(?:n[\"^]*i|s[\"^]*t[\"^]*e[\"^]*r[\"^]*-[\"^]*c[\"^]*i[\"^]*m[\"^]*p[\"^]*r[\"^]*o[\"^]*v[\"^]*i[\"^]*d[\"^]*e[\"^]*r)|s[\"^]*v[\"^]*(?:c[\"^]*s|r[\"^]*3[\"^]*2)))?|(?:m[\"^]*o[\"^]*t|p[\"
^]*l[\"^]*a[\"^]*c)[\"^]*e)|u[\"^]*n[\"^]*(?:d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|(?:e[\"^]*x[\"^]*e|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)[\"^]*h[\"^]*e[\"^]*l[\"^]*p[\"^]*e[\"^]*r|o[\"^]*n[\"^]*c[\"^]*e))|s[\"^]*(?:c[\"^]*(?:[sv,.-/;-<>].*|h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|r[\"^]*i[\"^]*p[\"^]*t[\"^]*r[\"^]*u[\"^]*n[\"^]*n[\"^]*e[\"^]*r)|e[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*s|t[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*y[\"^]*n[\"^]*c[\"^]*h[\"^]*o[\"^]*s[\"^]*t|u[\"^]*p[\"^]*a[\"^]*p[\"^]*i)|h[\"^]*(?:d[\"^]*o[\"^]*c[\"^]*v[\"^]*w|e[\"^]*l[\"^]*l[\"^]*3[\"^]*2)|q[\"^]*(?:l[\"^]*(?:d[\"^]*u[\"^]*m[\"^]*p[\"^]*e[\"^]*r|(?:t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*)?p[\"^]*s)|u[\"^]*i[\"^]*r[\"^]*r[\"^]*e[\"^]*l)|s[\"^]*h|t[\"^]*o[\"^]*r[\"^]*d[\"^]*i[\"^]*a[\"^]*g|y[\"^]*(?:n[\"^]*c[\"^]*a[\"^]*p[\"^]*p[\"^]*v[\"^]*p[\"^]*u[\"^]*b[\"^]*l[\"^]*i[\"^]*s[\"^]*h[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*e[\"^]*r[\"^]*v[\"^]*e[\"^]*r|s[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p))|t[\"^]*(?:e[\"^]*[sv,.-/;-<>].*|r[\"^]*a[\"^]*c[\"^]*k[\"^]*e[\"^]*r|t[\"^]*(?:d[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t|t[\"^]*r[\"^]*a[\"^]*c[\"^]*e[\"^]*r))|u[\"^]*(?:n[\"^]*r[\"^]*e[\"^]*g[\"^]*m[\"^]*p[\"^]*2|p[\"^]*d[\"^]*a[\"^]*t[\"^]*e|r[\"^]*l|t[\"^]*i[\"^]*l[\"^]*i[\"^]*t[\"^]*y[\"^]*f[\"^]*u[\"^]*n[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s)|v[\"^]*(?:b[\"^]*c|e[\"^]*r[\"^]*c[\"^]*l[\"^]*s[\"^]*i[\"^]*d|i[\"^]*s[\"^]*u[\"^]*a[\"^]*l[\"^]*u[\"^]*i[\"^]*a[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*y[\"^]*n[\"^]*a[\"^]*t[\"^]*i[\"^]*v[\"^]*e|s[\"^]*(?:i[\"^]*i[\"^]*s[\"^]*e[\"^]*x[\"^]*e[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h|j[\"^]*i[\"^]*t[\"^]*d[\"^]*e[\"^]*b[\"^]*u[\"^]*g[\"^]*g)[\"^]*e[\"^]*r)|w[\"^]*(?:a[\"^]*b|(?:f|m[\"^]*i)[\"^]*c|i[\"^]*n[\"^]*(?:g[\"^]*e[\"^]*t|r[\"^]*m|w[\"^]*o[\"^]*r[\"^]*d)|l[\"^]*r[\"^]*m[\"^]*d[\"^]*r|o[\"^]*r[\"^]*k[\"^]*f[\"^]*o[\"^]*l[\"^]*d[\"^]*e[\"^]*r[\"^]*s|s[\"^]*(?:(?:c[\"^]*r[\"^]*i[\"^]*p|r[\"^]*e[\"^]*s[\"^]*e)[\"^]*t|l)|t[\"^]*[sv,.-/;-<>].*|u[\"^]*a[\"^]*u[\"^]*c[\"^]*l[\"^]*t)|x[\"
^]*w[\"^]*i[\"^]*z[\"^]*a[\"^]*r[\"^]*d|z[\"^]*i[\"^]*p[\"^]*f[\"^]*l[\"^]*d[\"^]*r)(?:.[\"^]*[0-9A-Z_a-z]+)?b" + }, + { + "category": "RCE", + "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:s[\"^]*s[\"^]*o[\"^]*c|t[\"^]*(?:m[\"^]*a[\"^]*d[\"^]*m|t[\"^]*r[\"^]*i[\"^]*b)|u[\"^]*(?:d[\"^]*i[\"^]*t[\"^]*p[\"^]*o[\"^]*l|t[\"^]*o[\"^]*(?:c[\"^]*(?:h[\"^]*k|o[\"^]*n[\"^]*v)|(?:f[\"^]*m|m[\"^]*o[\"^]*u[\"^]*n)[\"^]*t)))|b[\"^]*(?:c[\"^]*d[\"^]*(?:b[\"^]*o[\"^]*o|e[\"^]*d[\"^]*i)[\"^]*t|(?:d[\"^]*e[\"^]*h[\"^]*d|o[\"^]*o[\"^]*t)[\"^]*c[\"^]*f[\"^]*g|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:a[\"^]*c[\"^]*l[\"^]*s|e[\"^]*r[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|h[\"^]*(?:c[\"^]*p|d[\"^]*i[\"^]*r|g[\"^]*(?:l[\"^]*o[\"^]*g[\"^]*o[\"^]*n|p[\"^]*o[\"^]*r[\"^]*t|u[\"^]*s[\"^]*r)|k[\"^]*(?:d[\"^]*s[\"^]*k|n[\"^]*t[\"^]*f[\"^]*s))|l[\"^]*e[\"^]*a[\"^]*n[\"^]*m[\"^]*g[\"^]*r|m[\"^]*(?:d(?:[\"^]*k[\"^]*e[\"^]*y)?|s[\"^]*t[\"^]*p)|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|d[\"^]*(?:c[\"^]*(?:d[\"^]*i[\"^]*a[\"^]*g|g[\"^]*p[\"^]*o[\"^]*f[\"^]*i[\"^]*x)|e[\"^]*(?:f[\"^]*r[\"^]*a[\"^]*g|l)|f[\"^]*s[\"^]*(?:d[\"^]*i[\"^]*a|r[\"^]*m[\"^]*i)[\"^]*g|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|r|s[\"^]*(?:k[\"^]*(?:c[\"^]*o[\"^]*(?:m[\"^]*p|p[\"^]*y)|p[\"^]*(?:a[\"^]*r[\"^]*t|e[\"^]*r[\"^]*f)|r[\"^]*a[\"^]*i[\"^]*d|s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|p[\"^]*d[\"^]*i[\"^]*a[\"^]*g))|n[\"^]*s[\"^]*c[\"^]*m[\"^]*d|(?:o[\"^]*s[\"^]*k[\"^]*e|r[\"^]*i[\"^]*v[\"^]*e[\"^]*r[\"^]*q[\"^]*u[\"^]*e[\"^]*r)[\"^]*y)|e[\"^]*(?:n[\"^]*d[\"^]*l[\"^]*o[\"^]*c[\"^]*a[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*c[\"^]*r[\"^]*e[\"^]*a[\"^]*t[\"^]*e)|E[\"^]*v[\"^]*n[\"^]*t[\"^]*c[\"^]*m[\"^]*d|f[\"^]*(?:c|i[\"^]*(?:l[\"^]*e[\"^]*s[\"^]*y[\"^]*s[\"^]*t[\"^]*e[\"^]*m[\"^]*s|n[\"^]*d[\"^]*s[\"^]*t[\"^]*r)|l[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*m[\"^]*p|o[\"^]*r(?:[\"^]*f
[\"^]*i[\"^]*l[\"^]*e[\"^]*s)?|r[\"^]*e[\"^]*e[\"^]*d[\"^]*i[\"^]*s[\"^]*k|s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|(?:t[\"^]*y[\"^]*p|v[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t)[\"^]*e)|g[\"^]*(?:e[\"^]*t[\"^]*(?:m[\"^]*a[\"^]*c|t[\"^]*y[\"^]*p[\"^]*e)|o[\"^]*t[\"^]*o|p[\"^]*(?:f[\"^]*i[\"^]*x[\"^]*u[\"^]*p|(?:r[\"^]*e[\"^]*s[\"^]*u[\"^]*l[\"^]*)?t|u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e)|r[\"^]*a[\"^]*f[\"^]*t[\"^]*a[\"^]*b[\"^]*l)|h[\"^]*(?:e[\"^]*l[\"^]*p[\"^]*c[\"^]*t[\"^]*r|o[\"^]*s[\"^]*t[\"^]*n[\"^]*a[\"^]*m[\"^]*e)|i[\"^]*(?:c[\"^]*a[\"^]*c[\"^]*l[\"^]*s|f|p[\"^]*(?:c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|x[\"^]*r[\"^]*o[\"^]*u[\"^]*t[\"^]*e)|r[\"^]*f[\"^]*t[\"^]*p)|j[\"^]*e[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|k[\"^]*(?:l[\"^]*i[\"^]*s[\"^]*t|s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|t[\"^]*(?:m[\"^]*u[\"^]*t[\"^]*i[\"^]*l|p[\"^]*a[\"^]*s[\"^]*s))|l[\"^]*(?:o[\"^]*(?:d[\"^]*c[\"^]*t[\"^]*r|g[\"^]*(?:m[\"^]*a[\"^]*n|o[\"^]*f[\"^]*f))|p[\"^]*[q-r])|m[\"^]*(?:a[\"^]*(?:c[\"^]*f[\"^]*i[\"^]*l[\"^]*e|k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|p[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|k[\"^]*(?:d[\"^]*i[\"^]*r|l[\"^]*i[\"^]*n[\"^]*k)|m[\"^]*c|o[\"^]*u[\"^]*n[\"^]*t[\"^]*v[\"^]*o[\"^]*l|q[\"^]*(?:b[\"^]*k[\"^]*u[\"^]*p|(?:t[\"^]*g[\"^]*)?s[\"^]*v[\"^]*c)|s[\"^]*(?:d[\"^]*t|i[\"^]*(?:e[\"^]*x[\"^]*e[\"^]*c|n[\"^]*f[\"^]*o[\"^]*3[\"^]*2)|t[\"^]*s[\"^]*c))|n[\"^]*(?:b[\"^]*t[\"^]*s[\"^]*t[\"^]*a[\"^]*t|e[\"^]*t[\"^]*(?:c[\"^]*f[\"^]*g|d[\"^]*o[\"^]*m|s[\"^]*(?:h|t[\"^]*a[\"^]*t))|f[\"^]*s[\"^]*(?:a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|s[\"^]*(?:h[\"^]*a[\"^]*r[\"^]*e|t[\"^]*a[\"^]*t))|l[\"^]*(?:b[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*s[\"^]*t)|s[\"^]*l[\"^]*o[\"^]*o[\"^]*k[\"^]*u[\"^]*p|t[\"^]*(?:b[\"^]*a[\"^]*c[\"^]*k[\"^]*u[\"^]*p|c[\"^]*m[\"^]*d[\"^]*p[\"^]*r[\"^]*o[\"^]*m[\"^]*p[\"^]*t|f[\"^]*r[\"^]*s[\"^]*u[\"^]*t[\"^]*l))|o[\"^]*(?:f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e|p[\"^]*e[\"^]*n[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)|p[\"^]*(?:a[\"^]*(?:g[\"^]*e[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*c[\"^]*o[\"^]*n[\"^]*f[\"^]*i|t[\"^]*h
[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|(?:b[\"^]*a[\"^]*d[\"^]*m[\"^]*i|k[\"^]*t[\"^]*m[\"^]*o)[\"^]*n|e[\"^]*(?:n[\"^]*t[\"^]*n[\"^]*t|r[\"^]*f[\"^]*m[\"^]*o[\"^]*n)|n[\"^]*p[\"^]*u[\"^]*(?:n[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*n[\"^]*d|t[\"^]*i[\"^]*l)|o[\"^]*(?:p[\"^]*d|w[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l)|r[\"^]*n[\"^]*(?:c[\"^]*n[\"^]*f[\"^]*g|(?:d[\"^]*r[\"^]*v|m[\"^]*n[\"^]*g)[\"^]*r|j[\"^]*o[\"^]*b[\"^]*s|p[\"^]*o[\"^]*r[\"^]*t|q[\"^]*c[\"^]*t[\"^]*l)|u[\"^]*(?:b[\"^]*p[\"^]*r[\"^]*n|s[\"^]*h[\"^]*(?:d|p[\"^]*r[\"^]*i[\"^]*n[\"^]*t[\"^]*e[\"^]*r[\"^]*c[\"^]*o[\"^]*n[\"^]*n[\"^]*e[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s))|w[\"^]*(?:l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r|s[\"^]*h))|q[\"^]*(?:a[\"^]*p[\"^]*p[\"^]*s[\"^]*r[\"^]*v|p[\"^]*r[\"^]*o[\"^]*c[\"^]*e[\"^]*s[\"^]*s|u[\"^]*s[\"^]*e[\"^]*r|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|r[\"^]*(?:d(?:[\"^]*p[\"^]*s[\"^]*i[\"^]*g[\"^]*n)?|e[\"^]*(?:f[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|g(?:[\"^]*(?:i[\"^]*n[\"^]*i|s[\"^]*v[\"^]*r[\"^]*3[\"^]*2))?|l[\"^]*o[\"^]*g|(?:(?:p[\"^]*a[\"^]*d[\"^]*m[\"^]*i|s[\"^]*c[\"^]*a)[\"^]*)?n|x[\"^]*e[\"^]*c)|i[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|m[\"^]*d[\"^]*i[\"^]*r|o[\"^]*b[\"^]*o[\"^]*c[\"^]*o[\"^]*p[\"^]*y|p[\"^]*c[\"^]*(?:i[\"^]*n[\"^]*f[\"^]*o|p[\"^]*i[\"^]*n[\"^]*g)|s[\"^]*h|u[\"^]*n[\"^]*d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|s[\"^]*(?:a[\"^]*n|c[\"^]*(?:h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|w[\"^]*c[\"^]*m[\"^]*d)|e[\"^]*(?:c[\"^]*e[\"^]*d[\"^]*i[\"^]*t|r[\"^]*v[\"^]*e[\"^]*r[\"^]*(?:(?:c[\"^]*e[\"^]*i[\"^]*p|w[\"^]*e[\"^]*r)[\"^]*o[\"^]*p[\"^]*t[\"^]*i[\"^]*n|m[\"^]*a[\"^]*n[\"^]*a[\"^]*g[\"^]*e[\"^]*r[\"^]*c[\"^]*m[\"^]*d)|t[\"^]*x)|f[\"^]*c|(?:h[\"^]*o[\"^]*w[\"^]*m[\"^]*o[\"^]*u[\"^]*n|u[\"^]*b[\"^]*s)[\"^]*t|x[\"^]*s[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|y[\"^]*s[\"^]*(?:o[\"^]*c[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*m[\"^]*i[\"^]*n[\"^]*f[\"^]*o))|t[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*o[\"^]*w[\"^]*n|p[\"^]*i[\"^]*c[\"^]*f[\"^]*g|s[\"^]*
k[\"^]*(?:k[\"^]*i[\"^]*l[\"^]*l|l[\"^]*i[\"^]*s[\"^]*t))|(?:c[\"^]*m[\"^]*s[\"^]*e[\"^]*t[\"^]*u|f[\"^]*t)[\"^]*p|(?:(?:e[\"^]*l[\"^]*n[\"^]*e|i[\"^]*m[\"^]*e[\"^]*o[\"^]*u)[\"^]*|r[\"^]*a[\"^]*c[\"^]*e[\"^]*r[\"^]*(?:p[\"^]*)?)t|l[\"^]*n[\"^]*t[\"^]*a[\"^]*d[\"^]*m[\"^]*n|p[\"^]*m[\"^]*(?:t[\"^]*o[\"^]*o[\"^]*l|v[\"^]*s[\"^]*c[\"^]*m[\"^]*g[\"^]*r)|s[\"^]*(?:(?:d[\"^]*i[\"^]*s[\"^]*)?c[\"^]*o[\"^]*n|e[\"^]*c[\"^]*i[\"^]*m[\"^]*p|k[\"^]*i[\"^]*l[\"^]*l|p[\"^]*r[\"^]*o[\"^]*f)|y[\"^]*p[\"^]*e[\"^]*p[\"^]*e[\"^]*r[\"^]*f|z[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|u[\"^]*n[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*s[\"^]*e|i[\"^]*q[\"^]*u[\"^]*e[\"^]*i[\"^]*d|l[\"^]*o[\"^]*d[\"^]*c[\"^]*t[\"^]*r)|v[\"^]*(?:o[\"^]*l|s[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|w[\"^]*(?:a[\"^]*i[\"^]*t[\"^]*f[\"^]*o[\"^]*r|b[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|(?:d[\"^]*s|e[\"^]*(?:c|v[\"^]*t))[\"^]*u[\"^]*t[\"^]*i[\"^]*l|h[\"^]*(?:e[\"^]*r[\"^]*e|o[\"^]*a[\"^]*m[\"^]*i)|i[\"^]*n[\"^]*(?:n[\"^]*t(?:[\"^]*3[\"^]*2)?|r[\"^]*s)|m[\"^]*i[\"^]*c|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|x[\"^]*c[\"^]*o[\"^]*p[\"^]*y)(?:.[\"^]*[0-9A-Z_a-z]+)?b" + }, + { + "category": "RCE", + "pattern": "@lt 2" + }, + { + "category": "RCE", + "pattern": "@lt 2" + }, + { + "category": "RCE", + "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*.[sv].*b" + }, + { + "category": "RCE", + "pattern": "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" + }, + { + "category": "RCE", + "pattern": "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" + }, + { + "category": "RCE", + "pattern": "@rx /" + }, + { + "category": "RCE", + "pattern": "@rx s" + }, + { + "category": "RCE", + "pattern": "@rx 
^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" + }, + { + "category": "RCE", + "pattern": "@rx /" + }, + { + "category": "RCE", + "pattern": "@rx s" + }, + { + "category": "RCE", + "pattern": "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" + }, + { + "category": "RCE", + "pattern": "@rx /" + }, + { + "category": "RCE", + "pattern": "@rx s" + }, + { + "category": "RCE", + "pattern": "@rx (?i).|(?:[sv]*|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e[\"
')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o[\"
')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3[\"')[-x5c]*(?:
(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h))" + }, + { + "category": "RCE", + "pattern": "@rx (?i)[-0-9_a-z]+(?:[\"'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+" + }, + { + "category": "RCE", + "pattern": "!@rx [0-9]s*'s*[0-9]" + }, + { + "category": "RCE", + "pattern": "@rx ;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" + }, + { + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" + }, + { + "category": "RCE", + "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\"-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: 
\"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:[\"-#*.-9A-Z_a-z~]+)? (?:[\"%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:[\"%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:[\"%-&*--9A-Zx5c_a-z]+)? ((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:[\"%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&*--9A-Zx5c_a-z]+)?)" + }, + { + "category": "RCE", + "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" + }, + { + "category": "RCE", + "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|ps
h)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql
(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(
?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" + }, + { + "category": "RCE", + "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?
:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|
ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))" + }, + { + "category": "RCE", + "pattern": 
"@pmFromFile unix-shell.data" + }, + { + "category": "RCE", + "pattern": "@lt 3" + }, + { + "category": "RCE", + "pattern": "@lt 3" + }, + { + "category": "RCE", + "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:||
|&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b" + }, + { + "category": "RCE", + "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<
>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-sto
p-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b" + }, + { + "category": "RCE", + "pattern": "@rx 
(?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]
*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))" + }, + { + "category": "RCE", + "pattern": "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" + }, + { + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" + }, + { + "category": "RCE", + "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? 
(?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" + }, + { + "category": "RCE", + "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" + }, + { + "category": "RCE", + "pattern": "@rx !(?:d|!)" + }, + { + "category": "RCE", + "pattern": "@lt 4" + }, + { + "category": "RCE", + "pattern": "@lt 4" + }, + { + "category": "ATTACK", + "pattern": "@lt 1" + }, + { + "category": "ATTACK", + "pattern": "@lt 1" + }, + { + "category": "ATTACK", + "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" + }, + { + "category": "ATTACK", + "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" + }, + { + "category": "ATTACK", + "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" + }, + { + "category": "ATTACK", + "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" + }, + { + "category": "ATTACK", + "pattern": "@rx unix:[^|]*|" + }, + { + "category": "ATTACK", + "pattern": "@lt 2" + }, + { + "category": "ATTACK", + "pattern": "@lt 2" + }, + { + "category": "ATTACK", + "pattern": "@rx [nr]" + }, + { + "category": "ATTACK", + "pattern": "@rx 
^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" + }, + { + "category": "ATTACK", + "pattern": "@lt 3" + }, + { + "category": "ATTACK", + "pattern": "@lt 3" + }, + { + "category": "ATTACK", + "pattern": "@gt 0" + }, + { + "category": "ATTACK", + "pattern": "@rx ." + }, + { + "category": "ATTACK", + "pattern": "@gt 1" + }, + { + "category": "ATTACK", + "pattern": "@rx TX:paramcounter_(.*)" + }, + { + "category": "ATTACK", + "pattern": "@rx (][^]]+$|][^]]+[)" + }, + { + "category": "ATTACK", + "pattern": "@lt 4" + }, + { + "category": "ATTACK", + "pattern": "@lt 4" + }, + { + "category": "ATTACK", + "pattern": "@rx [" + }, { "category": "IIS", "pattern": "@lt 1" 
@@ -2215,6 +2219,82 @@
 "category": "IIS",
 "pattern": "@lt 4"
 },
+ {
+ "category": "CORRELATION",
+ "pattern": "@eq 0"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge 5"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@eq 0"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.outbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.outbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@gt 0"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 4"
+ },
 {
 "category": "EVALUATION",
 "pattern": "@ge 1"
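Review bot: The `CORRELATION` entries added in this hunk are bare comparison operators (`@eq 0`, `@ge 5`, `@lt 2`, `@ge %{tx.inbound_anomaly_score_threshold}`) with no variable, rule id or action, so a consumer of owasp_rules.json cannot tell what is being compared and has nothing to match against request data. They read like anomaly-score and paranoia-level control rules rather than attack signatures, and several of them appear twice with an identical category and pattern. I would have the extractor skip entries whose operator is a numeric comparison or whose argument is an unexpanded `%{tx.…}` macro, and de-duplicate what remains, rather than carrying the block over unchanged.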
@@ -2323,130 +2403,6 @@ "category": "EVALUATION", "pattern": "@lt 4" }, - { - "category": "CORRELATION", - "pattern": "@eq 0" - }, - { - "category": "CORRELATION", - "pattern": "@ge 5" - }, - { - "category": "CORRELATION", - "pattern": "@eq 0" - }, - { - "category": "CORRELATION", - "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" - }, - { - "category": "CORRELATION", - "pattern": "@ge %{tx.outbound_anomaly_score_threshold}" - }, - { - "category": "CORRELATION", - "pattern": "@lt 2" - }, - { - "category": "CORRELATION", - "pattern": "@ge %{tx.inbound_anomaly_score_threshold}" - }, - { - "category": "CORRELATION", - "pattern": "@ge %{tx.outbound_anomaly_score_threshold}" - }, - { - "category": "CORRELATION", - "pattern": "@lt 3" - }, - { - "category": "CORRELATION", - "pattern": "@gt 0" - }, - { - "category": "CORRELATION", - "pattern": "@lt 4" - }, - { - "category": "CORRELATION", - "pattern": "@lt 1" - }, - { - "category": "CORRELATION", - "pattern": "@lt 1" - }, - { - "category": "CORRELATION", - "pattern": "@lt 2" - }, - { - "category": "CORRELATION", - "pattern": "@lt 2" - }, - { - "category": "CORRELATION", - "pattern": "@lt 3" - }, - { - "category": "CORRELATION", - "pattern": "@lt 3" - }, - { - "category": "CORRELATION", - "pattern": "@lt 4" - }, - { - "category": "CORRELATION", - "pattern": "@lt 4" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@lt 1" - }, - { - "category": "PHP", - "pattern": "@pmFromFile php-errors.data" - }, - { - "category": "PHP", - "pattern": "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" - }, - { - "category": "PHP", - "pattern": "@rx (?i)Index of.*?Index of.*?Index of|>[To Parent Directory]
)" + }, + { + "category": "LEAKAGES", + "pattern": "@rx ^#!s?/" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 2" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 2" + }, + { + "category": "LEAKAGES", + "pattern": "@rx ^5d{2}$" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 3" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 3" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 4" + }, + { + "category": "LEAKAGES", + "pattern": "@lt 4" } ] \ No newline at end of file diff --git a/waf_patterns/apache/bots.conf b/waf_patterns/apache/bots.conf index 0f4a5fc..e9de346 100644 --- a/waf_patterns/apache/bots.conf +++ b/waf_patterns/apache/bots.conf @@ -618,6 +618,7 @@ SecRule REQUEST_HEADERS:User-Agent "@contains MTRobot" "id:3000,phase:1,deny,sta SecRule REQUEST_HEADERS:User-Agent "@contains MVAClient" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains MacOutlook\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Mag-Net" "id:3000,phase:1,deny,status:403" +SecRule REQUEST_HEADERS:User-Agent "@contains MagentaNews\/" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Magnet" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains MagpieRSS" "id:3000,phase:1,deny,status:403" SecRule REQUEST_HEADERS:User-Agent "@contains Mail.RU_Bot" "id:3000,phase:1,deny,status:403" 
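Review bot: The added `MagentaNews\/` rule in waf_patterns/apache/bots.conf reuses `id:3000`, the same id every neighbouring rule in the hunk carries; ModSecurity expects rule ids to be unique and refuses a configuration that repeats one, so the generator should emit a distinct id per line, e.g. `"id:<unique-id>,phase:1,deny,status:403"`. Separately, `@contains` is a literal substring test, so the regex-style escape in `MagentaNews\/` is most likely compared with the backslash included and will not match a real `MagentaNews/…` User-Agent; `"@contains MagentaNews/"` is presumably what is intended. Both points also apply to the `krawler\.dk` line in the second hunk of this file, and the escape point applies to the `hdr_sub` lines added in waf_patterns/haproxy/bots.acl.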
@@ -1572,6 +1573,7 @@ SecRule REQUEST_HEADERS:User-Agent "@contains jobo" "id:3000,phase:1,deny,status
 SecRule REQUEST_HEADERS:User-Agent "@contains khttp\/" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains knows\.is" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains kouio" "id:3000,phase:1,deny,status:403"
+SecRule REQUEST_HEADERS:User-Agent "@contains krawler\.dk" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains kube-probe" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains kubectl" "id:3000,phase:1,deny,status:403"
 SecRule REQUEST_HEADERS:User-Agent "@contains kulturarw3" "id:3000,phase:1,deny,status:403"
diff --git a/waf_patterns/haproxy/bots.acl b/waf_patterns/haproxy/bots.acl
index 034230f..082ac8c 100644
--- a/waf_patterns/haproxy/bots.acl
+++ b/waf_patterns/haproxy/bots.acl
@@ -618,6 +618,7 @@ acl bad_bot hdr_sub(User-Agent) -i MTRobot
 acl bad_bot hdr_sub(User-Agent) -i MVAClient
 acl bad_bot hdr_sub(User-Agent) -i MacOutlook\/
 acl bad_bot hdr_sub(User-Agent) -i Mag-Net
+acl bad_bot hdr_sub(User-Agent) -i MagentaNews\/
 acl bad_bot hdr_sub(User-Agent) -i Magnet
 acl bad_bot hdr_sub(User-Agent) -i MagpieRSS
 acl bad_bot hdr_sub(User-Agent) -i Mail.RU_Bot
@@ -1572,6 +1573,7 @@ acl bad_bot hdr_sub(User-Agent) -i jobo
 acl bad_bot hdr_sub(User-Agent) -i khttp\/
 acl bad_bot hdr_sub(User-Agent) -i knows\.is
 acl bad_bot hdr_sub(User-Agent) -i kouio
+acl bad_bot hdr_sub(User-Agent) -i krawler\.dk
 acl bad_bot hdr_sub(User-Agent) -i kube-probe
 acl bad_bot hdr_sub(User-Agent) -i kubectl
 acl bad_bot hdr_sub(User-Agent) -i kulturarw3
diff --git a/waf_patterns/haproxy/waf.acl b/waf_patterns/haproxy/waf.acl
index 4db945f..368bc88 100644
--- a/waf_patterns/haproxy/waf.acl
+++ b/waf_patterns/haproxy/waf.acl
@@ -1,8 +1,5 @@ # HAProxy WAF ACL rules -acl block_lfi hdr_sub(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|$)) -http-request deny if block_lfi - acl block_initialization hdr_sub(User-Agent) -i ^\.*$ http-request deny if block_initialization 
@@ -12,90 +9,12 @@ http-request deny if block_initialization acl block_initialization hdr_sub(User-Agent) -i ^[a-f]*([0-9])[a-f]*([0-9]) http-request deny if block_initialization -acl block_generic hdr_sub(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*) -http-request deny if block_generic - -acl block_generic hdr_sub(User-Agent) -i [s*constructors*] -http-request deny if block_generic - -acl block_generic hdr_sub(User-Agent) -i @{\.*} -http-request deny if block_generic - -acl block_exceptions hdr_sub(User-Agent) -i @streq GET / -http-request deny if block_exceptions - -acl block_exceptions hdr_sub(User-Agent) -i @ipMatch 127.0.0.1,::1 -http-request deny if block_exceptions - -acl block_exceptions hdr_sub(User-Agent) -i @endsWith (internal dummy connection) -http-request deny if block_exceptions - -acl block_exceptions hdr_sub(User-Agent) -i ^(GET /|OPTIONS *) HTTP/[12]\.[01]$ -http-request deny if block_exceptions - -acl block_rfi hdr_sub(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3}) -http-request deny if block_rfi - -acl block_rfi hdr_sub(User-Agent) -i !@endsWith \.%{request_headers.host} -http-request deny if block_rfi - -acl block_attack hdr_sub(User-Agent) -i (get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d +acl block_attack hdr_sub(User-Agent) -i ^content-types*:s*(\.*)$ http-request deny if block_attack -acl block_attack hdr_sub(User-Agent) -i [rn]W*?(content-(type|length)|set-cookie|location):s*w +acl block_attack hdr_sub(User-Agent) -i content-transfer-encoding:(\.*) http-request deny if block_attack -acl block_attack hdr_sub(User-Agent) -i (bhttp/d|<(html|meta)b) -http-request deny if block_attack - -acl block_attack hdr_sub(User-Agent) -i [nr] -http-request deny 
if block_attack - -acl block_attack hdr_sub(User-Agent) -i [nr]+(s|location|refresh|(set-)?cookie|(x-)?(forwarded-(for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*: -http-request deny if block_attack - -acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?(application/(\.++)?json|(application/(soap+)?|text/)xml) -http-request deny if block_attack - -acl block_attack hdr_sub(User-Agent) -i unix:[^|]*| -http-request deny if block_attack - -acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?b(((tex|multipar)t|application)|((audi|vide)o|image|cs[sv]|(vn|relate)d|p(df|lain)|json|(soa|cs)p|x(ml|-www-form-urlencoded)|form-data|x-amf|(octe|repor)t|stream)|([+/]))b -http-request deny if block_attack - -acl block_attack hdr_sub(User-Agent) -i \. -http-request deny if block_attack - -acl block_attack hdr_sub(User-Agent) -i TX:paramcounter_(\.*) -http-request deny if block_attack - -acl block_php hdr_sub(User-Agent) -i ( -http-request deny if block_php - acl block_fixation hdr_sub(User-Agent) -i (?i:.cookieb\.*?;W*?(expires|domain)W*?=|bhttp-equivW+set-cookieb) http-request deny if block_fixation 
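Review bot: The two `block_attack` ACLs added in this hunk hand regex text (`^content-types*:s*(\.*)$` and `content-transfer-encoding:(\.*)`) to `hdr_sub`, which does a plain substring comparison, so the anchors, quantifiers and groups are matched as literal characters and the rules cannot fire on the input they were written for. The expressions also look as if they lost their backslashes during conversion (`types*:s*` was presumably `type\s*:\s*`), and they are tested against User-Agent although the pattern text names Content-Type and Content-Transfer-Encoding lines. If these rules are kept, the regex form would be `acl block_attack hdr_reg(User-Agent) -i <restored-regex>` on the header the source rule actually inspects; otherwise the converter should drop rules it cannot express. The same applies to the `hdr_sub` lines added in the later hunks of this file.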
@@ -108,65 +27,23 @@ http-request deny if block_fixation acl block_fixation hdr_sub(User-Agent) -i !@endsWith %{request_headers.host} http-request deny if block_fixation -acl block_rce hdr_sub(User-Agent) -i $(((\.*|(\.*)))|{\.*})|[<>](\.*)|/[0-9A-Z_a-z]*[!?\.+] -http-request deny if block_rce +acl block_rfi hdr_sub(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3}) +http-request deny if block_rfi -acl block_rce hdr_sub(User-Agent) -i b(for(/[dflr]\.*)? %+[^ ]+ in(\.*)[sv]?do|if(/i)?( not)?( (e(xist|rrorlevel)|defined|cmdextversion)b|[ (]\.*(b(g(eq|tr)|equ|neq|l(eq|ss))b|==))) -http-request deny if block_rce +acl block_rfi hdr_sub(User-Agent) -i !@endsWith \.%{request_headers.host} +http-request deny if block_rfi -acl block_rce hdr_sub(User-Agent) -i ![0-9]s*'s*[0-9] -http-request deny if block_rce +acl block_lfi hdr_sub(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|$)) +http-request deny if block_lfi -acl block_rce hdr_sub(User-Agent) -i !-d -http-request deny if block_rce +acl block_generic hdr_sub(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*) +http-request deny if block_generic -acl block_rce hdr_sub(User-Agent) -i ^(s*)s+{ -http-request deny if block_rce +acl block_generic hdr_sub(User-Agent) -i [s*constructors*] +http-request deny if block_generic -acl block_rce hdr_sub(User-Agent) -i ba["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-"%',0-9@-Z_a-z]+=[^sv] -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i ($((((\.*)|\.*))|{\.*})|[<>](\.*)|[!?\.+]) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i 
['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{] -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i / -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i s -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i ^[^\.]+\.[^;?]+[;?](\.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i ^[^\.]*?(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i ;[sv]*\.[sv]*["']?(a(rchive|uth)|b(a(ckup|il)|inary)|c(d|h(anges|eck)|lone|onnection)|d(atabases|b(config|info)|ump)|e(cho|qp|x(cel|it|p(ert|lain)))|f(ilectrl|ullschema)|he(aders|lp)|i(mpo(rt|ster)|ndexes|otrace)|l(i(mi|n)t|o(ad|g))|(mod|n(onc|ullvalu)|unmodul)e|o(nce|pen|utput)|p(arameter|r(int|o(gress|mpt)))|quit|re(ad|cover|store)|s(ave|c(anstats|hema)|e(lftest|parator|ssion)|h(a3sum|ell|ow)?|tats|ystem)|t(ables|estc(ase|trl)|ime(out|r)|race)|vfs(info|list|name)|width) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b((?i:E)(HLO [--.A-Za-zx17fx212a]{1,255}|XPN \.{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:R)(CPT TO:((?i:<)\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i: ))?(?i:<)\.{1,64}(?i:>)|SETb)|VRFY \.{1,64}( <\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:@)\.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(([+/-9A-Z_a-zx17fx212a]{4})*([+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb((?i: )\.{1,255})?) 
-http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i (?is)rn\.*?b((LIST|TOP [0-9]+)( [0-9]+)?|U(SER \.+?|IDL( [0-9]+)?)|PASS \.+?|(RETR|DELE) [0-9]+?|A(POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (([+/-9A-Z_a-z]{4})*([+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=)) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i /([?*]+[a-z/]+|[a-z/]+[?*]+) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b(DATA|QUIT|HELP( \.{1,255})?) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i (?is)rn[0-9A-Z_a-z]{1,50}b (C((REATE|OPY [*,0-:]+) ["-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE ["-#%-&*--.0-9A-Zx5c_a-z]+|EX(AMINE ["-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(IST ["-#*--9A-Zx5c_a-z~]+? ["-#%-&*--9A-Zx5c_a-z]+|OG(IN [--.0-9@_a-z]{1,40} \.*?|OUT))|RENAME ["-#%-&*--9A-Zx5c_a-z]+? ["-#%-&*--9A-Zx5c_a-z]+|S(E(LECT ["-#%-&*--9A-Zx5c_a-z]+|ARCH( CHARSET [--.0-9A-Z_a-z]{1,40})? ((KEYWORD x5c)?(A(LL|NSWERED)|BCC|D(ELETED|RAFT)|(FLAGGE|OL)D|RECENT|SEEN|UN((ANSWER|FLAGG)ED|D(ELETED|RAFT)|SEEN)|NEW)|(BODY|CC|FROM|HEADER \.{1,100}|NOT|OR \.{1,255}|T(EXT|O)) \.{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(BEFORE|ON|S(ENT((BEFOR|SINC)E|ON)|INCE)) "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}"?|S(MALLER [0-9]{1,20}|UBJECT \.{1,255})|U(ID [*,0-:]+?|NKEYWORD x5c(Seen|(Answer|Flagg)ed|D(eleted|raft)|Recent))))|T(ORE [*,0-:]+? [+-]?FLAGS(.SILENT)? ((x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+)|UN(SUBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b((QUI|STA|RSE)(?i:T)|NOOP|CAPA) -http-request deny if block_rce - -acl block_rce hdr_sub(User-Agent) -i !(d|!) 
-http-request deny if block_rce +acl block_generic hdr_sub(User-Agent) -i @{\.*} +http-request deny if block_generic acl block_sql hdr_sub(User-Agent) -i (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver]) http-request deny if block_sql 
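Review bot: The added line `acl block_rfi hdr_sub(User-Agent) -i !@endsWith \.%{request_headers.host}` copies a negated ModSecurity operator and a `%{…}` macro into the pattern position; HAProxy interprets neither, so the ACL searches User-Agent for that literal text and the negation is lost. Each added `acl` is also followed by its own `http-request deny if block_rfi` / `block_generic` / `block_lfi`, although same-named `acl` lines are already OR-ed together, so one deny per name is enough. I would skip source rules whose operator is not a plain regex when generating this file, and emit a single `http-request deny if block_rfi` after the group.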
@@ -207,165 +84,6 @@ http-request deny if block_sql acl block_sql hdr_sub(User-Agent) -i (Sybase message:|Warning\.{2,20}sybase|Sybase\.*Server message\.*) http-request deny if block_sql -acl block_java hdr_sub(User-Agent) -i java.lang\.(runtime|processbuilder) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i (runtime|processbuilder) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i (unmarshaller|base64data|java\.) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i (clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i \.*\.(jsp|jspx)\.*$ -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]{0,15}($|\$?)({|&l(brace|cub);?)|jndi|ctx) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]*($|\$?)({|&l(brace|cub);?)|jndi|ctx) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i xacxedx00x05 -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i (rO0ABQ|KztAAU|Cs7QAF) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i javab\.+(runtime|processbuilder) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i (class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i 
(cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU) -http-request deny if block_java - -acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?) -http-request deny if block_java - -acl block_attack hdr_sub(User-Agent) -i ^content-types*:s*(\.*)$ -http-request deny if block_attack - -acl block_attack hdr_sub(User-Agent) -i content-transfer-encoding:(\.*) -http-request deny if block_attack - -acl block_sqli hdr_sub(User-Agent) -i @detectSQLi -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (?i:sleep(s*?d*?s*?)|benchmark(\.*?,\.*?)) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$ -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i alter[sv]*?[0-9A-Z_a-z]+\.*?char(acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|["'`](;*?[sv]*?waitfor[sv]+(time|delay)[sv]+["'`]|;\.*?:[sv]*?goto) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i union\.*?select\.*?from -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?["'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?([#;{]|/*|--) -http-request deny if block_sqli - -acl 
block_sqli hdr_sub(User-Agent) -i create[sv]+function[sv]\.+[sv]returns|;[sv]*?(alter|((cre|trunc|upd)at|renam)e|d(e(lete|sc)|rop)|(inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,} -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ^([^']*'|[^"]*"|[^`]*`)[sv]*; -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i 1.e[(-),] -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (^s*["'`;]+|["'`]+s*$) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i [sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(=|<=>|(sounds[sv]+)?like|glob|r(like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i @streq %{TX.2} -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i [sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(like|r(like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i !@streq %{TX.2} -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((and|n(and|ot)|(xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+ -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?b(x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(2[37]|3d)|^(\.?["'`]$|["'x5c`]*?(["'0-9`]+|[^"'`]+["'`])[sv]*?b(and|n(and|ot)|(xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-\.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@([0-9A-Z_a-z]+[sv]+(and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`]\.|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z] -http-request deny if block_sqli - -acl 
block_sqli hdr_sub(User-Agent) -i (?i:^[Wd]+s*?(alter|union)b) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i b(orb([sv]?([0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|xorb[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|'[sv]+x?or[sv]+\.{1,20}[!+-<->] -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i bandb([sv]+([0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?([0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i autonomous_transaction|(current_use|n?varcha|tbcreato)r|db(a_users|ms_java)|open(owa_util|query|rowset)|s(p_((addextendedpro|sqlexe)c|execute(sql)?|help|is_srvrolemember|makewebtask|oacreate|p(assword|repare)|replwritetovarbin)|ql_(longvarchar|variant))|utl_(file|http)|xp_(availablemedia|(cmdshel|servicecontro)l|dirtree|e(numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(_enumdomains)?|reg(addmultistring|delete(key|value)|enum(key|value)s|re(ad|movemultistring)|write)|terminate(_process)?) 
-http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){12}) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i !^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+\.[-0-9A-Z_a-z]+$ -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (?i:b0x[a-fd]{3,}) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((is[sv]+not|not[sv]+(like|glob|(betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|]) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ^([^']*?('[^']*?'[^']*?)*?'|[^"]*?("[^"]*?"[^"]*?)*?"|[^`]*?(`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ^(and|or)$ -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ^\.*?x5c['"`](\.*?['"`])?s*(and|or)b -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i W+d*?s*?bhavingbs*?[^s-] -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i ["'`][sd]*?[^ws]W*?dW*?\.*?["'`d] -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){8}) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){6}) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i W{4} -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i '; -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){3}) -http-request deny if block_sqli - -acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){2}) -http-request deny if block_sqli - -acl block_leakages hdr_sub(User-Agent) -i (<(TITLE>Index of\.*?Index of\.*?Index 
of|>[To Parent Directory]
) -http-request deny if block_leakages - -acl block_leakages hdr_sub(User-Agent) -i ^#!s?/ -http-request deny if block_leakages - -acl block_leakages hdr_sub(User-Agent) -i ^5d{2}$ -http-request deny if block_leakages - acl block_enforcement hdr_sub(User-Agent) -i !^(&(([acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|([cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(mp|pos)|nbsp|oslash);|[^"';=])*$ http-request deny if block_enforcement @@ -507,6 +225,18 @@ http-request deny if block_enforcement acl block_enforcement hdr_sub(User-Agent) -i (^|[^x5c])x5c[cdeghijklmpqwxyz123456789] http-request deny if block_enforcement +acl block_exceptions hdr_sub(User-Agent) -i @streq GET / +http-request deny if block_exceptions + +acl block_exceptions hdr_sub(User-Agent) -i @ipMatch 127.0.0.1,::1 +http-request deny if block_exceptions + +acl block_exceptions hdr_sub(User-Agent) -i @endsWith (internal dummy connection) +http-request deny if block_exceptions + +acl block_exceptions hdr_sub(User-Agent) -i ^(GET /|OPTIONS *) HTTP/[12]\.[01]$ +http-request deny if block_exceptions + acl block_xss hdr_sub(User-Agent) -i !@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122 http-request deny if block_xss 
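Review bot: The `block_exceptions` group added in the `@@ -507,6 +225,18 @@` hunk turns what look like exclusion rules (`@ipMatch 127.0.0.1,::1`, `@endsWith (internal dummy connection)`, `@streq GET /`) into `http-request deny` rules, which inverts their meaning: entries of this kind in a ModSecurity rule set normally exempt traffic from inspection rather than block it. As written the operator text is compared literally against User-Agent, so the lines are most likely inert, but any later fix to operator handling would start denying the loopback requests they were meant to let through. I would leave the exceptions category out of deny generation, or mark it in the generated file with a comment such as `# exceptions are allow-list rules in the source; not converted to deny`.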
@@ -582,6 +312,273 @@ http-request deny if block_xss acl block_xss hdr_sub(User-Agent) -i {{\.*?}} http-request deny if block_xss +acl block_php hdr_sub(User-Agent) -i ( +http-request deny if block_php + +acl block_php hdr_sub(User-Agent) -i (b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open|call_user_func)|$_((pos|ge)t|session))b +http-request deny if block_php + +acl block_php hdr_sub(User-Agent) -i |(sounds[sv]+)?like|glob|r(like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i @streq %{TX.2} +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i [sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(like|r(like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i !@streq %{TX.2} +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((and|n(and|ot)|(xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+ +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?b(x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(2[37]|3d)|^(\.?["'`]$|["'x5c`]*?(["'0-9`]+|[^"'`]+["'`])[sv]*?b(and|n(and|ot)|(xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-\.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@([0-9A-Z_a-z]+[sv]+(and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`]\.|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z] +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i 
(?i:^[Wd]+s*?(alter|union)b) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i b(orb([sv]?([0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|xorb[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|'[sv]+x?or[sv]+\.{1,20}[!+-<->] +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i bandb([sv]+([0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?([0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i autonomous_transaction|(current_use|n?varcha|tbcreato)r|db(a_users|ms_java)|open(owa_util|query|rowset)|s(p_((addextendedpro|sqlexe)c|execute(sql)?|help|is_srvrolemember|makewebtask|oacreate|p(assword|repare)|replwritetovarbin)|ql_(longvarchar|variant))|utl_(file|http)|xp_(availablemedia|(cmdshel|servicecontro)l|dirtree|e(numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(_enumdomains)?|reg(addmultistring|delete(key|value)|enum(key|value)s|re(ad|movemultistring)|write)|terminate(_process)?) 
+http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){12}) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i !^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+\.[-0-9A-Z_a-z]+$ +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i (?i:b0x[a-fd]{3,}) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((is[sv]+not|not[sv]+(like|glob|(betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|]) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i ^([^']*?('[^']*?'[^']*?)*?'|[^"]*?("[^"]*?"[^"]*?)*?"|[^`]*?(`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i ^(and|or)$ +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i ^\.*?x5c['"`](\.*?['"`])?s*(and|or)b +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i W+d*?s*?bhavingbs*?[^s-] +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i ["'`][sd]*?[^ws]W*?dW*?\.*?["'`d] +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){8}) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){6}) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i W{4} +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i '; +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){3}) +http-request deny if block_sqli + +acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){2}) +http-request deny if block_sqli + +acl block_java hdr_sub(User-Agent) -i java.lang\.(runtime|processbuilder) 
+http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i (runtime|processbuilder) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i (unmarshaller|base64data|java\.) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i (clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i \.*\.(jsp|jspx)\.*$ +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]{0,15}($|\$?)({|&l(brace|cub);?)|jndi|ctx) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]*($|\$?)({|&l(brace|cub);?)|jndi|ctx) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i xacxedx00x05 +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i (rO0ABQ|KztAAU|Cs7QAF) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i javab\.+(runtime|processbuilder) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i (class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i 
(cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU) +http-request deny if block_java + +acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?) +http-request deny if block_java + +acl block_rce hdr_sub(User-Agent) -i $(((\.*|(\.*)))|{\.*})|[<>](\.*)|/[0-9A-Z_a-z]*[!?\.+] +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i b(for(/[dflr]\.*)? 
%+[^ ]+ in(\.*)[sv]?do|if(/i)?( not)?( (e(xist|rrorlevel)|defined|cmdextversion)b|[ (]\.*(b(g(eq|tr)|equ|neq|l(eq|ss))b|==))) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ![0-9]s*'s*[0-9] +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i !-d +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ^(s*)s+{ +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ba["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-"%',0-9@-Z_a-z]+=[^sv] +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ($((((\.*)|\.*))|{\.*})|[<>](\.*)|[!?\.+]) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{] +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i / +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i s +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ^[^\.]+\.[^;?]+[;?](\.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ^[^\.]*?(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i ;[sv]*\.[sv]*["']?(a(rchive|uth)|b(a(ckup|il)|inary)|c(d|h(anges|eck)|lone|onnection)|d(atabases|b(config|info)|ump)|e(cho|qp|x(cel|it|p(ert|lain)))|f(ilectrl|ullschema)|he(aders|lp)|i(mpo(rt|ster)|ndexes|otrace)|l(i(mi|n)t|o(ad|g))|(mod|n(onc|ullvalu)|unmodul)e|o(nce|pen|utput)|p(arameter|r(int|o(gress|mpt)))|quit|re(ad|cover|store)|s(ave|c(anstats|hema)|e(lftest|parator|ssion)|h(a3sum|ell|ow)?|tats|ystem)|t(ables|estc(ase|trl)|ime(out|r)|race)|vfs(info|list|name)|width) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i 
rn(?s:\.)*?b((?i:E)(HLO [--.A-Za-zx17fx212a]{1,255}|XPN \.{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:R)(CPT TO:((?i:<)\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i: ))?(?i:<)\.{1,64}(?i:>)|SETb)|VRFY \.{1,64}( <\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:@)\.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(([+/-9A-Z_a-zx17fx212a]{4})*([+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb((?i: )\.{1,255})?) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i (?is)rn\.*?b((LIST|TOP [0-9]+)( [0-9]+)?|U(SER \.+?|IDL( [0-9]+)?)|PASS \.+?|(RETR|DELE) [0-9]+?|A(POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (([+/-9A-Z_a-z]{4})*([+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=)) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i /([?*]+[a-z/]+|[a-z/]+[?*]+) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b(DATA|QUIT|HELP( \.{1,255})?) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i (?is)rn[0-9A-Z_a-z]{1,50}b (C((REATE|OPY [*,0-:]+) ["-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE ["-#%-&*--.0-9A-Zx5c_a-z]+|EX(AMINE ["-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(IST ["-#*--9A-Zx5c_a-z~]+? ["-#%-&*--9A-Zx5c_a-z]+|OG(IN [--.0-9@_a-z]{1,40} \.*?|OUT))|RENAME ["-#%-&*--9A-Zx5c_a-z]+? ["-#%-&*--9A-Zx5c_a-z]+|S(E(LECT ["-#%-&*--9A-Zx5c_a-z]+|ARCH( CHARSET [--.0-9A-Z_a-z]{1,40})? ((KEYWORD x5c)?(A(LL|NSWERED)|BCC|D(ELETED|RAFT)|(FLAGGE|OL)D|RECENT|SEEN|UN((ANSWER|FLAGG)ED|D(ELETED|RAFT)|SEEN)|NEW)|(BODY|CC|FROM|HEADER \.{1,100}|NOT|OR \.{1,255}|T(EXT|O)) \.{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(BEFORE|ON|S(ENT((BEFOR|SINC)E|ON)|INCE)) "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}"?|S(MALLER [0-9]{1,20}|UBJECT \.{1,255})|U(ID [*,0-:]+?|NKEYWORD x5c(Seen|(Answer|Flagg)ed|D(eleted|raft)|Recent))))|T(ORE [*,0-:]+? [+-]?FLAGS(.SILENT)? 
((x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+)|UN(SUBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b((QUI|STA|RSE)(?i:T)|NOOP|CAPA) +http-request deny if block_rce + +acl block_rce hdr_sub(User-Agent) -i !(d|!) +http-request deny if block_rce + +acl block_attack hdr_sub(User-Agent) -i (get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i [rn]W*?(content-(type|length)|set-cookie|location):s*w +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i (bhttp/d|<(html|meta)b) +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i [nr] +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i [nr]+(s|location|refresh|(set-)?cookie|(x-)?(forwarded-(for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*: +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?(application/(\.++)?json|(application/(soap+)?|text/)xml) +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i unix:[^|]*| +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?b(((tex|multipar)t|application)|((audi|vide)o|image|cs[sv]|(vn|relate)d|p(df|lain)|json|(soa|cs)p|x(ml|-www-form-urlencoded)|form-data|x-amf|(octe|repor)t|stream)|([+/]))b +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i \. +http-request deny if block_attack + +acl block_attack hdr_sub(User-Agent) -i TX:paramcounter_(\.*) +http-request deny if block_attack + acl block_iis hdr_sub(User-Agent) -i [a-z]:x5cinetpubb http-request deny if block_iis 
@@ -594,12 +591,6 @@ http-request deny if block_iis acl block_iis hdr_sub(User-Agent) -i bServer Error in\.{0,50}?bApplicationb http-request deny if block_iis -acl block_php hdr_sub(User-Agent) -i (b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open|call_user_func)|$_((pos|ge)t|session))b -http-request deny if block_php - -acl block_php hdr_sub(User-Agent) -i r57 Shell Version [0-9\.]+|r57 shell) http-request deny if block_shells @@ -675,3 +666,12 @@ http-request deny if block_shells acl block_shells hdr_sub(User-Agent) -i @contains

webadmin.php

http-request deny if block_shells +acl block_leakages hdr_sub(User-Agent) -i (<(TITLE>Index of\.*?Index of\.*?Index of|>[To Parent Directory]
) +http-request deny if block_leakages + +acl block_leakages hdr_sub(User-Agent) -i ^#!s?/ +http-request deny if block_leakages + +acl block_leakages hdr_sub(User-Agent) -i ^5d{2}$ +http-request deny if block_leakages + diff --git a/waf_patterns/nginx/bots.conf b/waf_patterns/nginx/bots.conf index d2c6168..02f2832 100644 --- a/waf_patterns/nginx/bots.conf +++ b/waf_patterns/nginx/bots.conf @@ -618,6 +618,7 @@ map $http_user_agent $bad_bot { "~*MVAClient" 1; "~*MacOutlook\/" 1; "~*Mag-Net" 1; + "~*MagentaNews\/" 1; "~*Magnet" 1; "~*MagpieRSS" 1; "~*Mail.RU_Bot" 1; @@ -1572,6 +1573,7 @@ map $http_user_agent $bad_bot { "~*khttp\/" 1; "~*knows\.is" 1; "~*kouio" 1; + "~*krawler\.dk" 1; "~*kube-probe" 1; "~*kubectl" 1; "~*kulturarw3" 1; diff --git a/waf_patterns/nginx/waf_maps.conf b/waf_patterns/nginx/waf_maps.conf index b797bc6..21eaeaf 100644 --- a/waf_patterns/nginx/waf_maps.conf +++ b/waf_patterns/nginx/waf_maps.conf @@ -2,11 +2,6 @@ # Automatically generated from OWASP rules. http { - map $request_uri $waf_block_lfi { - default 0; - "~*\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" 1; - } - map $request_uri $waf_block_initialization { default 0; "~*@eq\ 100" 1; 
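Review bot: The three `block_leakages` ACLs added at the end of the HAProxy hunk use `hdr_sub(User-Agent) -i`, which is a substring test on a request header, so `^#!s?/` and `^5d{2}$` are compared as literal text and will not match any realistic header value. These patterns look like response-side leakage checks (directory-listing markup, a script shebang, a 5xx status), which a request `User-Agent` test cannot observe. The added `http-request deny if block_leakages` lines therefore add no protection while suggesting coverage. I would drop them from this file, or have the generator emit a comment such as `# skipped: response-phase rule, not applicable to request headers`; where a regex on a request header is intended, `hdr_reg(User-Agent)` is the matching fetch.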
@@ -17,13 +12,138 @@ http { "~*!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" 1; } + map $request_uri $waf_block_attack { + default 0; + "~*\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" 1; + "~*content\-transfer\-encoding:\(\.\*\)" 1; + "~*\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" 1; + "~*@gt\ 0" 1; + "~*TX:paramcounter_\(\.\*\)" 1; + "~*\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" 1; + "~*\[nr\]" 1; + "~*\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" 1; + "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" 1; + "~*\^content\-types\*:s\*\(\.\*\)\$" 1; + "~*\." 1; + "~*unix:\[\^\|\]\*\|" 1; + "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" 1; + "~*@gt\ 1" 1; + } + + map $request_uri $waf_block_fixation { + default 0; + "~*\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" 1; + "~*\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" 1; + "~*@eq\ 0" 1; + "~*!@endsWith\ %\{request_headers\.host\}" 1; + "~*\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" 1; + } + + map $request_uri $waf_block_rfi { + default 0; + "~*\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" 1; + "~*!@endsWith\ \.%\{request_headers\.host\}" 1; + } + + map $request_uri $waf_block_lfi { + default 0; + 
"~*\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" 1; + } + map $request_uri $waf_block_generic { default 0; - "~*@\{\.\*\}" 1; "~*\[s\*constructors\*\]" 1; + "~*@\{\.\*\}" 1; "~*while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|\"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|\"\[\^\"\]\+\"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" 1; } + map $request_uri $waf_block_evaluation { + default 0; + "~*@ge\ 2" 1; + "~*@ge\ 3" 1; + "~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1; + "~*@eq\ 1" 1; + "~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1; + "~*@ge\ 4" 1; + "~*@ge\ 1" 1; + } + + map $request_uri $waf_block_sql { + default 0; + "~*\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" 1; + "~*\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" 1; + "~*\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" 1; + "~*\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" 1; + "~*\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" 1; + "~*\(\?i\)org\.hsqldb\.jdbc" 1; + "~*\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" 1; + "~*\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" 1; + "~*\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" 1; + "~*\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." 
1; + "~*\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" 1; + "~*\(\?i:Warning:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" 1; + "~*\(\?i\)Dynamic\ SQL\ Error" 1; + } + + map $request_uri $waf_block_enforcement { + default 0; + "~*@gt\ %\{tx\.combined_file_sizes\}" 1; + "~*@gt\ 0" 1; + "~*!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" 1; + "~*\(\?i\)x5cu\[0\-9a\-f\]\{4\}" 1; + "~*@endsWith\ \.pdf" 1; + "~*%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" 1; + "~*@gt\ %\{tx\.arg_name_length\}" 1; + "~*@eq\ 0" 1; + "~*@gt\ %\{tx\.total_arg_length\}" 1; + "~*@contains\ \#" 1; + "~*@gt\ %\{tx\.max_num_args\}" 1; + "~*@gt\ 50" 1; + "~*!@endsWith\ \.pdf" 1; + "~*!@streq\ JSON" 1; + "~*!@pm\ AppleWebKit\ Android" 1; + "~*@streq\ POST" 1; + "~*\^\.\*\$" 1; + "~*\['\";=\]" 1; + "~*x25" 1; + "~*@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" 1; + "~*!@rx\ 
\^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" 1; + "~*!@rx\ \^d\+\$" 1; + "~*@eq\ 1" 1; + "~*@gt\ %\{tx\.max_file_size\}" 1; + "~*@gt\ %\{tx\.arg_length\}" 1; + "~*\^\[\^;s\]\+" 1; + "~*!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['\"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" 1; + "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" 1; + "~*charset\.\*\?charset" 1; + "~*@validateUrlEncoding" 1; + "~*@validateByteRange\ 32\-36,38\-126" 1; + "~*charsets\*=s\*\[\"'\]\?\(\[\^;\"'s\]\+\)" 1; + "~*@within\ %\{tx\.restricted_headers_extended\}" 1; + "~*!@rx\ \^0\?\$" 1; + "~*\(d\+\)\-\(d\+\)" 1; + "~*!@rx\ \^OPTIONS\$" 1; + "~*@validateByteRange\ 9,10,13,32\-126,128\-255" 1; + "~*b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" 1; + "~*\^\$" 1; + "~*%\[0\-9a\-fA\-F\]\{2\}" 1; + "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" 1; + "~*!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" 1; + "~*\.\(\[\^\.\]\+\)\$" 1; + "~*@within\ %\{tx\.restricted_extensions\}" 1; + "~*@ge\ 1" 1; + "~*\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" 1; + "~*\^\(\?:GET\|HEAD\)\$" 1; + "~*@validateUtf8Encoding" 1; + "~*@validateByteRange\ 1\-255" 1; + "~*\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" 1; + "~*\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" 1; + "~*@within\ %\{tx\.restricted_headers_basic\}" 1; + "~*@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" 1; + "~*!@rx\ \^0\$" 1; + "~*@gt\ 1" 1; + } + map $request_uri $waf_block_exceptions { default 0; "~*@endsWith\ \(internal\ dummy\ connection\)" 1; 
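Review bot: The added map entries escape every regex metacharacter, so nginx matches them as literal text: `"~*\^\(\?:GET\|HEAD\)\$" 1;` in `$waf_block_enforcement` only matches a URI that contains the characters `^(?:GET|HEAD)$`, and the SQL-error and session-fixation patterns are inert in the same way. Meanwhile `"~*\." 1;` in `$waf_block_attack` matches any `$request_uri` containing a dot, and ModSecurity operators such as `"~*@validateUrlEncoding" 1;` are emitted as patterns although nginx has no such operator. The file header says it is generated, so the correction belongs in the generator: emit only `@rx` rules, without escaping the expression, and skip rules whose target is not the request URI (response bodies, headers, transaction counters). The `http {` block and the `$waf_block_exceptions` map continue outside this hunk.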
@@ -32,301 +152,181 @@ http { "~*@streq\ GET\ /" 1; } - map $request_uri $waf_block_rfi { + map $request_uri $waf_block_xss { default 0; - "~*!@endsWith\ \.%\{request_headers\.host\}" 1; - "~*\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" 1; - } - - map $request_uri $waf_block_attack { - default 0; - "~*@gt\ 0" 1; - "~*\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" 1; - "~*\." 1; - "~*\[nr\]" 1; - "~*\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" 1; - "~*\^content\-types\*:s\*\(\.\*\)\$" 1; - "~*unix:\[\^\|\]\*\|" 1; - "~*@gt\ 1" 1; - "~*\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" 1; - "~*TX:paramcounter_\(\.\*\)" 1; - "~*\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" 1; - "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" 1; - "~*content\-transfer\-encoding:\(\.\*\)" 1; - "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" 1; + "~*\(\?i\)\]\*\[xbe>\]\)\|\(\?:\.\*\?\(\?:@\[ix5c\]\|\(\?:\[:=\]\|\&\#x\?0\*\(\?:58\|3A\|61\|3D\);\?\)\.\*\?\(\?:\[\(x5c\]\|\&\#x\?0\*\(\?:40\|28\|92\|5C\);\?\)\)\)" 1; + 
"~*\(\?i\)A\-Z_a\-z\]\*\(\?:\[\^sv\"'<>\]\*:\)\?\[\^0\-9<>A\-Z_a\-z\]\*\[\^0\-9A\-Z_a\-z\]\*\?\(\?:s\[\^0\-9A\-Z_a\-z\]\*\?\(\?:c\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?t\|t\[\^0\-9A\-Z_a\-z\]\*\?y\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\|v\[\^0\-9A\-Z_a\-z\]\*\?g\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9>A\-Z_a\-z\]\)\|f\[\^0\-9A\-Z_a\-z\]\*\?o\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?m\|m\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?q\[\^0\-9A\-Z_a\-z\]\*\?u\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?e\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:l\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?k\|o\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?j\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?c\[\^0\-9A\-Z_a\-z\]\*\?t\|e\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?d\|a\[\^0\-9A\-Z_a\-z\]\*\?\(\?:p\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?t\|u\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?o\|n\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?e\)\|p\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\|i\?\[\^0\-9A\-Z_a\-z\]\*\?f\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?e\|b\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?s\[\^0\-9A\-Z_a\-z\]\*\?e\|o\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?y\|i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?s\)\|i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\?\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?e\?\|v\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z
_a\-z\]\*\?o\)\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:<\[0\-9A\-Z_a\-z\]\.\*\[sv/\]\|\[\"'\]\(\?:\.\*\[sv/\]\)\?\)\(\?:background\|formaction\|lowsrc\|on\(\?:a\(\?:bort\|ctivate\|d\(\?:apteradded\|dtrack\)\|fter\(\?:print\|\(\?:scriptexecu\|upda\)te\)\|lerting\|n\(\?:imation\(\?:cancel\|end\|iteration\|start\)\|tennastatechange\)\|ppcommand\|u\(\?:dio\(\?:end\|process\|start\)\|xclick\)\)\|b\(\?:e\(\?:fore\(\?:\(\?:\(\?:\(\?:de\)\?activa\|scriptexecu\)t\|toggl\)e\|c\(\?:opy\|ut\)\|editfocus\|input\|p\(\?:aste\|rint\)\|u\(\?:nload\|pdate\)\)\|gin\(\?:Event\)\?\)\|l\(\?:ocked\|ur\)\|oun\(\?:ce\|dary\)\|roadcast\|usy\)\|c\(\?:a\(\?:\(\?:ch\|llschang\)ed\|nplay\(\?:through\)\?\|rdstatechange\)\|\(\?:ell\|fstate\)change\|h\(\?:a\(\?:rging\(\?:time\)\?cha\)\?nge\|ecking\)\|l\(\?:ick\|ose\)\|o\(\?:m\(\?:mand\(\?:update\)\?\|p\(\?:lete\|osition\(\?:end\|start\|update\)\)\)\|n\(\?:nect\(\?:ed\|ing\)\|t\(\?:extmenu\|rolselect\)\)\|py\)\|u\(\?:echange\|t\)\)\|d\(\?:ata\(\?:\(\?:availabl\|chang\)e\|error\|setc\(\?:hanged\|omplete\)\)\|blclick\|e\(\?:activate\|livery\(\?:error\|success\)\|vice\(\?:found\|light\|\(\?:mo\|orienta\)tion\|proximity\)\)\|i\(\?:aling\|s\(\?:abled\|c\(\?:hargingtimechange\|onnect\(\?:ed\|ing\)\)\)\)\|o\(\?:m\(\?:a\(\?:ctivate\|ttrmodified\)\|\(\?:characterdata\|subtree\)modified\|focus\(\?:in\|out\)\|mousescroll\|node\(\?:inserted\(\?:intodocument\)\?\|removed\(\?:fromdocument\)\?\)\)\|wnloading\)\|r\(\?:ag\(\?:drop\|e\(\?:n\(\?:d\|ter\)\|xit\)\|\(\?:gestur\|leav\)e\|over\|start\)\|op\)\|urationchange\)\|e\(\?:mptied\|n\(\?:abled\|d\(\?:ed\|Event\)\?\|ter\)\|rror\(\?:update\)\?\|xit\)\|f\(\?:ailed\|i\(\?:lterchange\|nish\)\|o\(\?:cus\(\?:in\|out\)\?\|rm\(\?:change\|input\)\)\|ullscreenchange\)\|g\(\?:amepad\(\?:axismove\|button\(\?:down\|up\)\|\(\?:dis\)\?connected\)\|et\)\|h\(\?:ashchange\|e\(\?:adphoneschange\|l\[dp\]\)\|olding\)\|i\(\?:cc\(\?:cardlockerror\|infochange\)\|n\(\?:coming\|put\|valid\)\)\|key\(\?:down\|press\|up\)\|l\(\?:evelchange\|o\(\?:ad\(\?:e\
(\?:d\(\?:meta\)\?data\|nd\)\|start\)\?\|secapture\)\|y\)\|m\(\?:ark\|essage\|o\(\?:use\(\?:down\|enter\|\(\?:lea\|mo\)ve\|o\(\?:ut\|ver\)\|up\|wheel\)\|ve\(\?:end\|start\)\?\|z\(\?:a\(\?:fterpaint\|udioavailable\)\|\(\?:beforeresiz\|orientationchang\|t\(\?:apgestur\|imechang\)\)e\|\(\?:edgeui\(\?:c\(\?:ancel\|omplet\)\|start\)e\|network\(\?:down\|up\)loa\)d\|fullscreen\(\?:change\|error\)\|m\(\?:agnifygesture\(\?:start\|update\)\?\|ouse\(\?:hittest\|pixelscroll\)\)\|p\(\?:ointerlock\(\?:change\|error\)\|resstapgesture\)\|rotategesture\(\?:start\|update\)\?\|s\(\?:crolledareachanged\|wipegesture\(\?:end\|start\|update\)\?\)\)\)\)\|no\(\?:match\|update\)\|o\(\?:\(\?:bsolet\|\(\?:ff\|n\)lin\)e\|pen\|verflow\(\?:changed\)\?\)\|p\(\?:a\(\?:ge\(\?:hide\|show\)\|int\|\(\?:st\|us\)e\)\|lay\(\?:ing\)\?\|o\(\?:inter\(\?:down\|enter\|\(\?:\(\?:lea\|mo\)v\|rawupdat\)e\|o\(\?:ut\|ver\)\|up\)\|p\(\?:state\|up\(\?:hid\(\?:den\|ing\)\|show\(\?:ing\|n\)\)\)\)\|ro\(\?:gress\|pertychange\)\)\|r\(\?:atechange\|e\(\?:adystatechange\|ceived\|movetrack\|peat\(\?:Event\)\?\|quest\|s\(\?:et\|ize\|u\(\?:lt\|m\(\?:e\|ing\)\)\)\|trieving\)\|ow\(\?:e\(\?:nter\|xit\)\|s\(\?:delete\|inserted\)\)\)\|s\(\?:croll\(\?:end\)\?\|e\(\?:arch\|ek\(\?:complete\|ed\|ing\)\|lect\(\?:ionchange\|start\)\?\|n\(\?:ding\|t\)\|t\)\|how\|\(\?:ound\|peech\)\(\?:end\|start\)\|t\(\?:a\(\?:lled\|rt\|t\(\?:echange\|uschanged\)\)\|k\(\?:comma\|sessione\)nd\|op\)\|u\(\?:bmit\|ccess\|spend\)\|vg\(\?:abort\|error\|\(\?:un\)\?load\|resize\|scroll\|zoom\)\)\|t\(\?:ext\|ime\(\?:out\|update\)\|o\(\?:ggle\|uch\(\?:cancel\|en\(\?:d\|ter\)\|\(\?:lea\|mo\)ve\|start\)\)\|ransition\(\?:cancel\|end\|run\|start\)\)\|u\(\?:n\(\?:derflow\|handledrejection\|load\)\|p\(\?:dateready\|gradeneeded\)\|s\(\?:erproximity\|sdreceived\)\)\|v\(\?:ersion\|o\(\?:ic\|lum\)e\)change\|w\(\?:a\(\?:it\|rn\)ing\|ebkit\(\?:animation\(\?:end\|iteration\|start\)\|transitionend\)\|heel\)\|zoom\)\|ping\|s\(\?:rc\|tyle\)\)\[x08\-nf\-r\ \]\*\?=" 1; + 
"~*<\(\?:a\|abbr\|acronym\|address\|applet\|area\|audioscope\|b\|base\|basefront\|bdo\|bgsound\|big\|blackface\|blink\|blockquote\|body\|bq\|br\|button\|caption\|center\|cite\|code\|col\|colgroup\|comment\|dd\|del\|dfn\|dir\|div\|dl\|dt\|em\|embed\|fieldset\|fn\|font\|form\|frame\|frameset\|h1\|head\|hr\|html\|i\|iframe\|ilayer\|img\|input\|ins\|isindex\|kdb\|keygen\|label\|layer\|legend\|li\|limittext\|link\|listing\|map\|marquee\|menu\|meta\|multicol\|nobr\|noembed\|noframes\|noscript\|nosmartquotes\|object\|ol\|optgroup\|option\|p\|param\|plaintext\|pre\|q\|rt\|ruby\|s\|samp\|script\|select\|server\|shadow\|sidebar\|small\|spacer\|span\|strike\|strong\|style\|sub\|sup\|table\|tbody\|td\|textarea\|tfoot\|th\|thead\|title\|tr\|tt\|u\|ul\|var\|wbr\|xml\|xmp\)W" 1; + "~*\(\?i\)\]\*\[xbe>\]\|<\[\^xbe\]\*xbe" 1; + "~*\(\?i\)\[s\"'`;/0\-9=x0Bx09x0Cx3Bx2Cx28x3B\]on\[a\-zA\-Z\]\{3,25\}\[sx0Bx09x0Cx3Bx2Cx28x3B\]\*\?=\[\^=\]" 1; + "~*\(\?i:\[\"'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\*\?\(\?:\(\?:l\|x5cu006C\)\(\?:o\|x5cu006F\)\(\?:c\|x5cu0063\)\(\?:a\|x5cu0061\)\(\?:t\|x5cu0074\)\(\?:i\|x5cu0069\)\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\|\(\?:n\|x5cu006E\)\(\?:a\|x5cu0061\)\(\?:m\|x5cu006D\)\(\?:e\|x5cu0065\)\|\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\(\?:e\|x5cu0065\)\(\?:r\|x5cu0072\)\(\?:r\|x5cu0072\)\(\?:o\|x5cu006F\)\(\?:r\|x5cu0072\)\|\(\?:v\|x5cu0076\)\(\?:a\|x5cu0061\)\(\?:l\|x5cu006C\)\(\?:u\|x5cu0075\)\(\?:e\|x5cu0065\)\(\?:O\|x5cu004F\)\(\?:f\|x5cu0066\)\)\.\*\?=\)" 1; + "~*\(\?i:" 1; + "~*\(\?i\)\.\(\?:b\(\?:x\(\?:link:href\|html\|mlns\)\|data:text/html\|formaction\|patternb\.\*\?=\)\|!ENTITY\[sv\]\+\(\?:%\[sv\]\+\)\?\[\^sv\]\+\[sv\]\+\(\?:SYSTEM\|PUBLIC\)\|@import\|;base64\)b" 1; + "~*\(\(\?:\[\[\^\]\]\*\]\[\^\.\]\*\.\)\|Reflect\[\^\.\]\*\.\)\.\*\(\?:map\|sort\|apply\)\[\^\.\]\*\.\.\*call\[\^`\]\*`\.\*`" 1; + "~*\(\?i\)\]\*>\[sS\]\*\?" 
1; + "~*\(\?i:<\.\*\[:\]\?vmlframe\.\*\?\[s/\+\]\*\?src\[s/\+\]\*=\)" 1; + "~*\(\?i\)\]" 1; + "~*@detectXSS" 1; } map $request_uri $waf_block_php { default 0; + "~*\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" 1; + "~*AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" 1; + "~*\[oOcC\]:d\+:\"\.\+\?\":d\+:\{\.\*\}" 1; + "~*\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" 1; + "~*\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" 1; + "~*@pm\ =" 1; + "~*@pm\ \?>" 1; + "~*\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" 1; "~*\(\?i\)<\?\(\?:=\|php\)\?s\+" 1; "~*\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" 1; - "~*@pm\ \?>" 1; "~*\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" 1; - "~*@pm\ =" 1; - "~*\[oOcC\]:d\+:\"\.\+\?\":d\+:\{\.\*\}" 1; - "~*\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" 1; - "~*\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" 1; - "~*\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" 1; - "~*\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" 1; - "~*AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" 1; - } - - map $request_uri $waf_block_fixation { - default 
0; - "~*\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" 1; - "~*\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" 1; - "~*\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" 1; - "~*@eq\ 0" 1; - "~*!@endsWith\ %\{request_headers\.host\}" 1; - } - - map $request_uri $waf_block_rce { - default 0; - "~*!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" 1; - "~*\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" 1; - "~*ba\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-\"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" 1; - "~*rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" 1; - "~*\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" 1; - "~*!\-d" 1; - "~*;\[sv\]\*\.\[sv\]\*\[\"'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" 1; - 
"~*\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" 1; - "~*rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" 1; - "~*/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" 1; - "~*rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" 1; - "~*!\(\?:d\|!\)" 1; - "~*/" 1; - "~*\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \[\"\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ 
\"\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}\"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" 1; - "~*\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" 1; - "~*\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" 1; - "~*s" 1; - "~*\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" 1; - "~*b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" 1; - "~*\^\(s\*\)s\+\{" 1; - } - - map $request_uri $waf_block_sql { - default 0; - "~*\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" 1; - "~*\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ 
de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" 1; - "~*\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" 1; - "~*\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" 1; - "~*\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" 1; - "~*\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" 1; - "~*\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." 
1; - "~*\(\?i\)org\.hsqldb\.jdbc" 1; - "~*\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" 1; - "~*\(\?i\)Dynamic\ SQL\ Error" 1; - "~*\(\?i:Warning:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" 1; - "~*\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" 1; - "~*\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" 1; - } - - map $request_uri $waf_block_java { - default 0; - "~*\(\?:runtime\|processbuilder\)" 1; - "~*java\.lang\.\(\?:runtime\|processbuilder\)" 1; - "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" 1; - "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1; - "~*\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" 1; - "~*xacxedx00x05" 1; - "~*\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" 1; - "~*javab\.\+\(\?:runtime\|processbuilder\)" 1; - "~*\.\*\.\(\?:jsp\|jspx\)\.\*\$" 1; - "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1; - 
"~*\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" 1; - "~*\(\?:unmarshaller\|base64data\|java\.\)" 1; - "~*\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" 1; - } - - map $request_uri $waf_block_evaluation { - default 0; - "~*@ge\ 3" 1; - "~*@ge\ 2" 1; - "~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1; - "~*@eq\ 1" 1; - "~*@ge\ 4" 1; - "~*@ge\ 1" 1; - "~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1; } map $request_uri $waf_block_sqli { default 0; - "~*\[\"'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\[\"'`d\]" 1; + "~*\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" 1; "~*\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\[\"'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\[\"'`\]\|;\.\*\?:\[sv\]\*\?goto\)" 1; + "~*\(\?i\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv\"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" 1; 
"~*\(\?i\)\[\"'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\[\"'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\[\"'`\]\|like\[sv\]\*\?\[\"'`\]%\|select\[sv\]\+\?\[sv\"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" 1; - "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{12\}\)" 1; - "~*';" 1; - "~*\(\?i\)\[\"'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\[\"'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\[\"'`\]\$\|\[\"'x5c`\]\*\?\(\?:\[\"'0\-9`\]\+\|\[\^\"'`\]\+\[\"'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\[\"'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\[\"'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\"'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\[\"'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" 1; - "~*\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" 1; - "~*@detectSQLi" 1; - "~*\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" 1; + "~*\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\[\"'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" 1; + "~*\^\(\?:\[\^'\]\*'\|\[\^\"\]\*\"\|\[\^`\]\*`\)\[sv\]\*;" 1; "~*!@streq\ %\{TX\.2\}" 1; "~*!@rx\ 
\^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" 1; - "~*\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" 1; - "~*\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^\"\]\*\?\(\?:\"\[\^\"\]\*\?\"\[\^\"\]\*\?\)\*\?\"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" 1; - "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{3\}\)" 1; "~*\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" 1; - "~*\(\?i:b0x\[a\-fd\]\{3,\}\)" 1; - "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{6\}\)" 1; - "~*\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" 1; - "~*\^\(\?:\[\^'\]\*'\|\[\^\"\]\*\"\|\[\^`\]\*`\)\[sv\]\*;" 1; + "~*\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" 1; "~*\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" 1; - "~*\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\ 
\?\[<\->\]\+\)" 1; - "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{2\}\)" 1; - "~*\(\?i\)\[\"'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" 1; - "~*@streq\ %\{TX\.2\}" 1; - "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{8\}\)" 1; - "~*\^\(\?:and\|or\)\$" 1; - "~*W\{4\}" 1; - "~*\(\?i\)union\.\*\?select\.\*\?from" 1; - "~*\(\?:\^s\*\[\"'`;\]\+\|\[\"'`\]\+s\*\$\)" 1; - "~*\(\?i\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv\"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" 1; - "~*\^\.\*\?x5c\['\"`\]\(\?:\.\*\?\['\"`\]\)\?s\*\(\?:and\|or\)b" 1; - "~*\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" 1; - "~*\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\[\"'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" 1; - "~*\(\?i\)1\.e\[\(\-\),\]" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{3\}\)" 1; "~*\(\?i\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv\"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" 1; + "~*\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" 1; + "~*\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^\"\]\*\?\(\?:\"\[\^\"\]\*\?\"\[\^\"\]\*\?\)\*\?\"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" 1; + "~*W\{4\}" 1; + "~*@detectSQLi" 1; + 
"~*\^\.\*\?x5c\['\"`\]\(\?:\.\*\?\['\"`\]\)\?s\*\(\?:and\|or\)b" 1; + "~*\(\?:\^s\*\[\"'`;\]\+\|\[\"'`\]\+s\*\$\)" 1; + "~*\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" 1; + "~*\(\?i\)union\.\*\?select\.\*\?from" 1; + "~*\(\?i\)\[\"'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" 1; + "~*\(\?i\)\[\"'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\[\"'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\[\"'`\]\$\|\[\"'x5c`\]\*\?\(\?:\[\"'0\-9`\]\+\|\[\^\"'`\]\+\[\"'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\[\"'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\[\"'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\"'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\[\"'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{2\}\)" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{12\}\)" 1; + "~*';" 1; + "~*\(\?i\)1\.e\[\(\-\),\]" 1; + "~*@streq\ %\{TX\.2\}" 1; + 
"~*\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{8\}\)" 1; + "~*\[\"'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\[\"'`d\]" 1; + "~*\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\ \?\[<\->\]\+\)" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{6\}\)" 1; + "~*\^\(\?:and\|or\)\$" 1; + "~*\(\?i:b0x\[a\-fd\]\{3,\}\)" 1; } - map $request_uri $waf_block_leakages { + map $request_uri $waf_block_java { default 0; - "~*\^\#!s\?/" 1; - "~*\^5d\{2\}\$" 1; - "~*\(\?:<\(\?:TITLE>Index\ of\.\*\?Index\ of\.\*\?Index\ of\|>\[To\ Parent\ Directory\]
\)" 1; + "~*\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" 1; + "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1; + "~*\(\?:runtime\|processbuilder\)" 1; + "~*\.\*\.\(\?:jsp\|jspx\)\.\*\$" 1; + "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1; + "~*\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" 1; + "~*\(\?:unmarshaller\|base64data\|java\.\)" 1; + "~*xacxedx00x05" 1; + "~*javab\.\+\(\?:runtime\|processbuilder\)" 1; + "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" 1; + "~*\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" 1; + "~*java\.lang\.\(\?:runtime\|processbuilder\)" 1; + "~*\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" 1; } - map $request_uri $waf_block_enforcement { + map $request_uri $waf_block_rce { default 0; - "~*%\[0\-9a\-fA\-F\]\{2\}" 1; - "~*!@rx\ \^d\+\$" 1; - "~*!@rx\ \^OPTIONS\$" 1; - "~*@gt\ %\{tx\.arg_length\}" 1; - 
"~*@validateByteRange\ 9,10,13,32\-126,128\-255" 1; - "~*\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" 1; - "~*\^\$" 1; - "~*@gt\ %\{tx\.max_num_args\}" 1; - "~*\^\[\^;s\]\+" 1; - "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" 1; - "~*!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" 1; - "~*@validateUtf8Encoding" 1; - "~*\(d\+\)\-\(d\+\)" 1; - "~*@validateByteRange\ 32\-36,38\-126" 1; - "~*@endsWith\ \.pdf" 1; - "~*charsets\*=s\*\[\"'\]\?\(\[\^;\"'s\]\+\)" 1; - "~*!@rx\ \^0\?\$" 1; - "~*\.\(\[\^\.\]\+\)\$" 1; - "~*@within\ %\{tx\.restricted_extensions\}" 1; - "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" 1; - "~*@gt\ %\{tx\.max_file_size\}" 1; - "~*@ge\ 1" 1; - "~*b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" 1; - "~*charset\.\*\?charset" 1; - "~*!@streq\ JSON" 1; - "~*@gt\ %\{tx\.total_arg_length\}" 1; - "~*\^\(\?:GET\|HEAD\)\$" 1; - "~*\(\?i\)x5cu\[0\-9a\-f\]\{4\}" 1; - "~*@gt\ 50" 1; - "~*!@endsWith\ \.pdf" 1; - "~*\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" 1; - "~*\^\.\*\$" 1; - "~*@eq\ 1" 1; - "~*!@rx\ \^0\$" 1; - "~*@validateByteRange\ 1\-255" 1; - "~*@eq\ 0" 1; - "~*\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" 1; - "~*@within\ %\{tx\.restricted_headers_extended\}" 1; - "~*@gt\ %\{tx\.arg_name_length\}" 1; - "~*%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" 1; - "~*@gt\ 0" 1; - "~*@contains\ \#" 1; - "~*!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" 1; - "~*!@pm\ AppleWebKit\ Android" 1; - "~*@validateUrlEncoding" 1; - "~*\['\";=\]" 1; - "~*@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" 1; - "~*x25" 1; - "~*@streq\ POST" 1; - "~*@gt\ %\{tx\.combined_file_sizes\}" 1; - "~*!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['\"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" 1; - "~*@within\ %\{tx\.restricted_headers_basic\}" 1; - "~*@gt\ 1" 1; - "~*@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" 1; - "~*!@rx\ 
\^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" 1; - } - - map $request_uri $waf_block_xss { - default 0; - "~*\(\?i\)\]\*>\[sS\]\*\?" 1; - "~*\(\?i:A\-Z_a\-z\]\*\(\?:\[\^sv\"'<>\]\*:\)\?\[\^0\-9<>A\-Z_a\-z\]\*\[\^0\-9A\-Z_a\-z\]\*\?\(\?:s\[\^0\-9A\-Z_a\-z\]\*\?\(\?:c\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?t\|t\[\^0\-9A\-Z_a\-z\]\*\?y\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\|v\[\^0\-9A\-Z_a\-z\]\*\?g\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9>A\-Z_a\-z\]\)\|f\[\^0\-9A\-Z_a\-z\]\*\?o\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?m\|m\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?q\[\^0\-9A\-Z_a\-z\]\*\?u\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?e\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:l\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?k\|o\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?j\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?c\[\^0\-9A\-Z_a\-z\]\*\?t\|e\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?d\|a\[\^0\-9A\-Z_a\-z\]\*\?\(\?:p\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?t\|u\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?o\|n\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?e\)\|p\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\|i\?\[\^0\-9A\-Z_a\-z\]\*\?f\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?e\|b\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?s\[\^0\-9A\-Z_a\-z\]\*\?e\|o\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?y\|i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?
i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?s\)\|i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\?\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?e\?\|v\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?o\)\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:<\[0\-9A\-Z_a\-z\]\.\*\[sv/\]\|\[\"'\]\(\?:\.\*\[sv/\]\)\?\)\(\?:background\|formaction\|lowsrc\|on\(\?:a\(\?:bort\|ctivate\|d\(\?:apteradded\|dtrack\)\|fter\(\?:print\|\(\?:scriptexecu\|upda\)te\)\|lerting\|n\(\?:imation\(\?:cancel\|end\|iteration\|start\)\|tennastatechange\)\|ppcommand\|u\(\?:dio\(\?:end\|process\|start\)\|xclick\)\)\|b\(\?:e\(\?:fore\(\?:\(\?:\(\?:\(\?:de\)\?activa\|scriptexecu\)t\|toggl\)e\|c\(\?:opy\|ut\)\|editfocus\|input\|p\(\?:aste\|rint\)\|u\(\?:nload\|pdate\)\)\|gin\(\?:Event\)\?\)\|l\(\?:ocked\|ur\)\|oun\(\?:ce\|dary\)\|roadcast\|usy\)\|c\(\?:a\(\?:\(\?:ch\|llschang\)ed\|nplay\(\?:through\)\?\|rdstatechange\)\|\(\?:ell\|fstate\)change\|h\(\?:a\(\?:rging\(\?:time\)\?cha\)\?nge\|ecking\)\|l\(\?:ick\|ose\)\|o\(\?:m\(\?:mand\(\?:update\)\?\|p\(\?:lete\|osition\(\?:end\|start\|update\)\)\)\|n\(\?:nect\(\?:ed\|ing\)\|t\(\?:extmenu\|rolselect\)\)\|py\)\|u\(\?:echange\|t\)\)\|d\(\?:ata\(\?:\(\?:availabl\|chang\)e\|error\|setc\(\?:hanged\|omplete\)\)\|blclick\|e\(\?:activate\|livery\(\?:error\|success\)\|vice\(\?:found\|light\|\(\?:mo\|orienta\)tion\|proximity\)\)\|i\(\?:aling\|s\(\?:abled\|c\(\?:hargingtimechange\|onnect\(\?:ed\|ing\)\)\)\)\|o\(\?:m\(\?:a\(\?:ctivate\|ttrmodified\)\|\(\?:characterdata\|subtree\)modified\|focus\(\?:in\|out\)\|mousescroll\|node\(\?:inserted\(\?:intodocument\)\?\|removed\(\?:fromdocument\)\?\)\)\|wnloading\)\|r\(\?:ag\(\?:drop\|e\(\?:n\(\?:d\|ter\)\|xit\)\|\(\?:gestur\|leav\)e\|over\|start\)\|op\)\|urationchange\)\|e\(\?:mptied\|n\(\?:abled\|d\(\?:ed\|Event\)\?\|ter\)\|rror\(\?:update\)\?\|xit\)\|f\(\?:ailed\|i\(\?:lterchange\|nish\)\|o\(\?:cus\(\?:in\|out\)\?\|rm\(\?:change\|input\)\)\|ullscreenchange\)\|g\(\?:am
epad\(\?:axismove\|button\(\?:down\|up\)\|\(\?:dis\)\?connected\)\|et\)\|h\(\?:ashchange\|e\(\?:adphoneschange\|l\[dp\]\)\|olding\)\|i\(\?:cc\(\?:cardlockerror\|infochange\)\|n\(\?:coming\|put\|valid\)\)\|key\(\?:down\|press\|up\)\|l\(\?:evelchange\|o\(\?:ad\(\?:e\(\?:d\(\?:meta\)\?data\|nd\)\|start\)\?\|secapture\)\|y\)\|m\(\?:ark\|essage\|o\(\?:use\(\?:down\|enter\|\(\?:lea\|mo\)ve\|o\(\?:ut\|ver\)\|up\|wheel\)\|ve\(\?:end\|start\)\?\|z\(\?:a\(\?:fterpaint\|udioavailable\)\|\(\?:beforeresiz\|orientationchang\|t\(\?:apgestur\|imechang\)\)e\|\(\?:edgeui\(\?:c\(\?:ancel\|omplet\)\|start\)e\|network\(\?:down\|up\)loa\)d\|fullscreen\(\?:change\|error\)\|m\(\?:agnifygesture\(\?:start\|update\)\?\|ouse\(\?:hittest\|pixelscroll\)\)\|p\(\?:ointerlock\(\?:change\|error\)\|resstapgesture\)\|rotategesture\(\?:start\|update\)\?\|s\(\?:crolledareachanged\|wipegesture\(\?:end\|start\|update\)\?\)\)\)\)\|no\(\?:match\|update\)\|o\(\?:\(\?:bsolet\|\(\?:ff\|n\)lin\)e\|pen\|verflow\(\?:changed\)\?\)\|p\(\?:a\(\?:ge\(\?:hide\|show\)\|int\|\(\?:st\|us\)e\)\|lay\(\?:ing\)\?\|o\(\?:inter\(\?:down\|enter\|\(\?:\(\?:lea\|mo\)v\|rawupdat\)e\|o\(\?:ut\|ver\)\|up\)\|p\(\?:state\|up\(\?:hid\(\?:den\|ing\)\|show\(\?:ing\|n\)\)\)\)\|ro\(\?:gress\|pertychange\)\)\|r\(\?:atechange\|e\(\?:adystatechange\|ceived\|movetrack\|peat\(\?:Event\)\?\|quest\|s\(\?:et\|ize\|u\(\?:lt\|m\(\?:e\|ing\)\)\)\|trieving\)\|ow\(\?:e\(\?:nter\|xit\)\|s\(\?:delete\|inserted\)\)\)\|s\(\?:croll\(\?:end\)\?\|e\(\?:arch\|ek\(\?:complete\|ed\|ing\)\|lect\(\?:ionchange\|start\)\?\|n\(\?:ding\|t\)\|t\)\|how\|\(\?:ound\|peech\)\(\?:end\|start\)\|t\(\?:a\(\?:lled\|rt\|t\(\?:echange\|uschanged\)\)\|k\(\?:comma\|sessione\)nd\|op\)\|u\(\?:bmit\|ccess\|spend\)\|vg\(\?:abort\|error\|\(\?:un\)\?load\|resize\|scroll\|zoom\)\)\|t\(\?:ext\|ime\(\?:out\|update\)\|o\(\?:ggle\|uch\(\?:cancel\|en\(\?:d\|ter\)\|\(\?:lea\|mo\)ve\|start\)\)\|ransition\(\?:cancel\|end\|run\|start\)\)\|u\(\?:n\(\?:derflow\|handledrejection\|load\)\|p\(\?:datere
ady\|gradeneeded\)\|s\(\?:erproximity\|sdreceived\)\)\|v\(\?:ersion\|o\(\?:ic\|lum\)e\)change\|w\(\?:a\(\?:it\|rn\)ing\|ebkit\(\?:animation\(\?:end\|iteration\|start\)\|transitionend\)\|heel\)\|zoom\)\|ping\|s\(\?:rc\|tyle\)\)\[x08\-nf\-r\ \]\*\?=" 1; - "~*@contains\ \-\->" 1; - "~*\(\?i\)\[\"'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\+\?\[\.\]\.\+\?=" 1; - "~*\(\?:xbcs\*/s\*\[\^xbe>\]\*\[xbe>\]\)\|\(\?:\]" 1; - "~*\(\?i:<\.\*\[:\]\?vmlframe\.\*\?\[s/\+\]\*\?src\[s/\+\]\*=\)" 1; - "~*<\[\?\]\?import\[s/\+S\]\*\?implementation\[s/\+\]\*\?=" 1; - "~*\(\?i\)\.\(\?:b\(\?:x\(\?:link:href\|html\|mlns\)\|data:text/html\|formaction\|patternb\.\*\?=\)\|!ENTITY\[sv\]\+\(\?:%\[sv\]\+\)\?\[\^sv\]\+\[sv\]\+\(\?:SYSTEM\|PUBLIC\)\|@import\|;base64\)b" 1; - "~*xbc\[\^xbe>\]\*\[xbe>\]\|<\[\^xbe\]\*xbe" 1; - "~*\(\(\?:\[\[\^\]\]\*\]\[\^\.\]\*\.\)\|Reflect\[\^\.\]\*\.\)\.\*\(\?:map\|sort\|apply\)\[\^\.\]\*\.\.\*call\[\^`\]\*`\.\*`" 1; - "~*\(\?i\)b\(\?:s\(\?:tyle\|rc\)\|href\)b\[sS\]\*\?=" 1; - "~*\(\?i\)\[s\"'`;/0\-9=x0Bx09x0Cx3Bx2Cx28x3B\]on\[a\-zA\-Z\]\{3,25\}\[sx0Bx09x0Cx3Bx2Cx28x3B\]\*\?=\[\^=\]" 1; - "~*<\(\?:a\|abbr\|acronym\|address\|applet\|area\|audioscope\|b\|base\|basefront\|bdo\|bgsound\|big\|blackface\|blink\|blockquote\|body\|bq\|br\|button\|caption\|center\|cite\|code\|col\|colgroup\|comment\|dd\|del\|dfn\|dir\|div\|dl\|dt\|em\|embed\|fieldset\|fn\|font\|form\|frame\|frameset\|h1\|head\|hr\|html\|i\|iframe\|ilayer\|img\|input\|ins\|isindex\|kdb\|keygen\|label\|layer\|legend\|li\|limittext\|link\|listing\|map\|marquee\|menu\|meta\|multicol\|nobr\|noembed\|noframes\|noscript\|nosmartquotes\|object\|ol\|optgroup\|option\|p\|param\|plaintext\|pre\|q\|rt\|ruby\|s\|samp\|script\|select\|server\|shadow\|sidebar\|small\|spacer\|span\|strike\|strong\|style\|sub\|sup\|table\|tbody\|td\|textarea\|tfoot\|th\|thead\|title\|tr\|tt\|u\|ul\|var\|wbr\|xml\|xmp\)W" 1; - "~*@detectXSS" 1; - 
"~*\(\?i:\.\*\?\(\?:@\[ix5c\]\|\(\?:\[:=\]\|\&\#x\?0\*\(\?:58\|3A\|61\|3D\);\?\)\.\*\?\(\?:\[\(x5c\]\|\&\#x\?0\*\(\?:40\|28\|92\|5C\);\?\)\)\)" 1; - "~*\(\?i\)\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" 1; + "~*\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" 1; + "~*/" 1; + "~*!\(\?:d\|!\)" 1; + "~*rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" 1; + "~*b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" 1; + "~*!\-d" 1; + "~*s" 1; + "~*rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" 1; + "~*\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" 1; + "~*\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" 1; + 
"~*;\[sv\]\*\.\[sv\]\*\[\"'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" 1; + "~*/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" 1; + "~*!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" 1; + "~*\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" 1; + "~*ba\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-\"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" 1; } map $request_uri $waf_block_iis { default 0; + "~*\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)
Timeout\ expired
\)\|

internal\ server\ error

\.\*\?

part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.

\|cannot\ connect\ to\ the\ server:\ timed\ out\)" 1; + "~*bServer\ Error\ in\.\{0,50\}\?bApplicationb" 1; "~*!@rx\ \^404\$" 1; "~*\[a\-z\]:x5cinetpubb" 1; - "~*bServer\ Error\ in\.\{0,50\}\?bApplicationb" 1; - "~*\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)
Timeout\ expired
\)\|

internal\ server\ error

\.\*\?

part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.

\|cannot\ connect\ to\ the\ server:\ timed\ out\)" 1; } map $request_uri $waf_block_correlation { default 0; "~*@gt\ 0" 1; - "~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1; "~*@ge\ 5" 1; + "~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1; "~*@eq\ 0" 1; "~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1; } map $request_uri $waf_block_shells { default 0; + "~*\^nnRu24PostWebShell\ \-" 1; + "~*\^<title>PHP\ Web\ Shellrnrnrn\ \ \ \ " 1; + "~*\^rnrnrnPhpSpy\ Ver\ \[0\-9\]\+" 1; + "~*SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" 1; + "~*<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY" 1; + "~*\^nnWeb\ Shell" 1; + "~*B4TM4N\ SH3LL\.\*" 1; + "~*\^\ ::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::" 1; + "~*@contains\ punkholicshell" 1; + "~*\^n\ \ \ \ \ \ n\ \ \ \ \ \ \ \ \ \ \ \ \ azrail\ \[0\-9\.\]\+\ by\ C\-W\-M" 1; + "~*>SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ r57\ Shell\ Version\ \[0\-9\.\]\+\|r57\ shell\)" 1; + "~*\^rnrnGRP\ WebShell\ \[0\-9\.\]\+" 1; + "~*<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" 1; + "~*<title>Symlink_Sa\ \[0\-9\.\]\+" 1; + "~*\^nnInput\ command\ :n" 1; + "~*\^\ nnnng00nshell\ v\[0\-9\.\]\+" 1; + "~*\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+" 1; + "~*\^n\.\*\?\ \~\ Shell\ Inn