mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 09:45:34 +00:00
50 lines
4.2 KiB
Plaintext
50 lines
4.2 KiB
Plaintext
# Nginx WAF rules for SQLI
|
||
# Automatically generated from OWASP rules.
|
||
# Include this file in your server or location block.
|
||
|
||
map $request_uri $waf_block_sqli {
|
||
default 0;
|
||
"~*^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" 1;
|
||
"~*(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" 1;
|
||
"~*^(?:and|or)$" 1;
|
||
"~*(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" 1;
|
||
"~*(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" 1;
|
||
"~*(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" 1;
|
||
"~*W{4}" 1;
|
||
"~*^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" 1;
|
||
"~*(?i:b0x[a-fd]{3,})" 1;
|
||
"~*';" 1;
|
||
"~*(?i)union.*?select.*?from" 1;
|
||
"~*(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" 1;
|
||
"~*(?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" 1;
|
||
"~*(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" 1;
|
||
"~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){2})" 1;
|
||
"~*@detectSQLi" 1;
|
||
"~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
|
||
"~*(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" 1;
|
||
"~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){12})" 1;
|
||
"~*(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" 1;
|
||
"~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){8})" 1;
|
||
"~*^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" 1;
|
||
"~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){6})" 1;
|
||
"~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){3})" 1;
|
||
"~*(?i)W+d*?s*?bhavingbs*?[^s-]" 1;
|
||
"~*[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" 1;
|
||
"~*(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" 1;
|
||
"~*@streq %{TX.2}" 1;
|
||
"~*(?i:^[Wd]+s*?(?:alter|union)b)" 1;
|
||
"~*!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" 1;
|
||
"~*!@streq %{TX.2}" 1;
|
||
"~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
|
||
"~*(?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" 1;
|
||
"~*(?:^s*[\"'`;]+|[\"'`]+s*$)" 1;
|
||
"~*(?i)1.e[(-),]" 1;
|
||
}
|
||
|
||
if ($waf_block_sqli) {
|
||
return 403;
|
||
# Log the blocked request (optional)
|
||
# access_log /var/log/nginx/waf_blocked.log;
|
||
}
|
||
|