Update: [Sun Jan 12 00:29:42 UTC 2025]

2025-12-29 16:15:12 +00:00 · 2025-01-12 00:29:42 +00:00
parent 6eff0f9666
commit c59456bd3e
38 changed files with 3257 additions and 3257 deletions
--- a/waf_patterns/nginx/php.conf
+++ b/waf_patterns/nginx/php.conf
@@ -2,11 +2,15 @@
 location / {
    set $attack_detected 0;

+    if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
+        set $attack_detected 1;
+    }
+
    if ($request_uri ~* "@pm ?>") {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "(?i)<?(?:=|php)?s+") {
+    if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
        set $attack_detected 1;
    }

@@ -14,6 +18,10 @@ location / {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
+        set $attack_detected 1;
+    }
+
    if ($request_uri ~* "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
        set $attack_detected 1;
    }
@@ -22,6 +30,14 @@ location / {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "(?i)<?(?:=|php)?s+") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])") {
+        set $attack_detected 1;
+    }
+
    if ($request_uri ~* "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b") {
        set $attack_detected 1;
    }
@@ -30,22 +46,6 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
-        set $attack_detected 1;
-    }
-
    if ($attack_detected = 1) {
        return 403;
    }