mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-18 02:05:42 +00:00
5 lines
7.2 KiB
Plaintext
5 lines
7.2 KiB
Plaintext
@block_rce {
|
|
path_regexp rce "(?i)(@lt 1|@lt 1|@rx (?i)(?:b[|@rx (?i)(?:b[|@pmFromFile windows-powershell-commands.data|@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b|@rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]|@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sx0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))|@rx ~(?:[+-](?:$|[sx0b0-9]+)|[0-9]+)|@rx (?i)(?:^|b[|@rx (?i)(?:^|b[|@rx !-d|@pmFromFile unix-shell.data|@rx ^(s*)s+{|@rx ^(s*)s+{|@rx ba[|@pmFromFile restricted-upload.data|@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b|@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b|@lt 2|@lt 2|@rx (?:b[|@rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]|@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]|@rx /|@rx s|@rx ^[^#]+|@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]))|@rx /|@rx s|@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{])|@rx /|@rx s|@rx (?i).|(?:[sx0b]*|b[|@rx (?i)[-0-9_a-z]+(?:[sx0b]*[|!@rx [0-9]s*'s*[0-9]|@rx ;[sx0b]*.[sx0b]*[|@rx rn.*?b(?:E(?:HLO [-.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [-.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}@.{1,255}>|R(?:CPT TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SETb)|VRFY .{1,64}(?: <.{1,64}@.{1,255}>|@.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20} (?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}=|[+/-9A-Z_a-zx17fx212a]{3}))?=|STARTTLSb|NOOPb(?: .{1,255})?)|@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[|@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))|@rx (?i)(?:^|b[|@rx (?i)(?:^|b[|@pmFromFile unix-shell.data|@lt 3|@lt 3|@rx (?:b[|@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sx0b&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[sx0b&)<>|]|pt(?:(?:itude)?[sx0b&)<>|]|-get)|r(?:[sx0b&)<>j|]|(?:p|ch)[sx0b&)<>|]|ia2c)|s(?:h?[sx0b&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sx0b&)<>|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[sx0b&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sx0b&)<>|]|c))|h[sx0b&)<>|])|tch[sx0b&)<>|])|lkid|pftrace|r(?:eaksw|idge[sx0b&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sx0b&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[sx0b&)<>|]|mp|p(?:[sx0b&)<>|]|io|ulimit)|s(?:h|cli[sx0b&)<>|]|plit|vtool)|u(?:t[sx0b&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sx0b&)<>|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[sx0b&)-<>|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sx0b&)<>|]|++)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sx0b&)<>|]|w(?:say|think))|r(?:ash[sx0b&)<>|]|on(?:[sx0b&)<>|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sx0b&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sx0b&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sx0b&)<>|]|n(?:v(?:[sx0b&)<>|]|-update)|d(?:if|sw))|qn|s(?:[sx0b&)<>h|]|ac)|x(?:(?:ec)?[sx0b&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sx0b&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sx0b&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sx0b&)<>|]|le(?:[sx0b&)<>|]|test))|mt|tp(?:[sx0b&)<>|]|stats|who)|acter|o(?:ld[sx0b&)<>|]|reach)|ping)|g(?:c(?:c[^sx0b]|ore)|db|e(?:(?:m|tfacl)[sx0b&)<>|]|ni(?:e[sx0b&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sx0b&)<>|]|nsh)|(?:o|awk)[sx0b&)<>|]|pg|r(?:c|ep[sx0b&)<>|]|oup(?:[sx0b&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sx0b&)<>|]|e(?:ad[sx0b&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sx0b&)<>|]|onice|spell)|j(?:js|q|ava[sx0b&)<>|]|exec|o(?:(?:bs|in)[sx0b&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sx0b&)<>|]|all)|nife[sx0b&)<>|])|l(?:d(?:d?[sx0b&)<>|]|config)|(?:[np]|ynx)[sx0b&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sx0b&)<>|]|(?:la)?tex)|z(?:[sx0b&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sx0b&)<>|]|comm|log(?:in)?)|tex[sx0b&)<>|])|ess(?:[sx0b&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sx0b&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sx0b&)<>|]|il(?:[sx0b&)<>q|]|x[sx0b&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sx0b&)<>|]|k(?:dir[sx0b&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sx0b&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sx0b&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sx0b&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sx0b&)<>|]|m(?:[sx0b&)<>|]|ap)|p(?:m[sx0b&)<>|]|ing)|a(?:no[sx0b&)<>|]|sm|wk)|o(?:de[sx0b&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sx0b&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sx0b&)<>|]|s(?:swd|te[sx0b&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sx0b&)<>|]|tp)|g(?:[sx0b&)<>|]|rep)|hp(?:[sx0b&)57<>|]|-cgi)|i(?:(?:co?|ng)[sx0b&)<>|]|p[^sx0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sx0b&)<>|]|int(?:env|f[sx0b&)<>|]))|s(?:[sx0b&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:(?:f|ms)[sx0b&)<>|]|l(?:[sx0b&)5<>|]|sh))|opd|u(?:ppet[sx0b&)<>|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[sx0b&)<>|]|k(?:e[sx0b&)<>|]|u))|c(?:p[sx0b&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sx0b&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sx0b&)<>|]|user)|pm(?:[sx0b&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sx0b&)<>|]|sync|u(?:by[^sx0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[sx0b&)<>|])|e(?:(?:d|lf|rvice)[sx0b&)<>|]|t(?:(?:facl)?[sx0b&)<>|]|arch|env|sid)|ndmail)|(?:g|ash)[sx0b&)<>|]|h(?:(?:adow|ells)?[sx0b&)<>|]|.distrib|u(?:f|tdown[sx0b&)<>|]))|s(?:[sx0b&)<>|]|h(?:[sx0b&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sx0b&)<>|]|do)|vn|diff|ftp|l(?:eep[sx0b&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sx0b&)<>|])|p(?:lit[sx0b&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sx0b&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sx0b&)<>|]|il[sx0b&)<>f|]|sk(?:[sx0b&)<>|]|set))|bl|c(?:p(?:[sx0b&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sx0b&)<>|]|lnet)|i(?:c[sx0b&)<>|]|me(?:(?:out)?[sx0b&)<>|]|datectl))|o(?:p|uch[sx0b&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sx0b&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sx0b&)<>|]|expand|iq|l(?:ink[sx0b&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sx0b&)<>|]|std))|p(?:2date[sx0b&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sx0b&)<>|]|m(?:[sx0b&)<>|]|diff)|gr|pw|rsh|sudo)|algrind|olatility[sx0b&)<>|])|w(?:[sx0b&)<>c|]|h(?:o(?:[sx0b&)<>|]|ami|is)?|iptail[sx0b&)<>|])|a(?:ll|tch)[sx0b&)<>|]|i(?:reshark|sh[sx0b&)<>|]))|x(?:(?:x|pa)d|z(?:[sx0b&)<>|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sx0b&)<>|]|um)|z(?:ip(?:[sx0b&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sx0b&)<>|])|f?grep|less|more|run|ypper))(?:b|[^0-9A-Z_a-z])|@rx (?i)(?:^|b[|@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)|@rx rn.*?b(?:DATA|QUIT|HELP(?: .{1,255})?)|@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [|@rx rn.*?b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)|@rx !(?:d|!)|@lt 4|@lt 4)"
|
|
}
|
|
respond @block_rce 403
|