// This set of WAF protection regular-expression rules comes from ShareWAF (http://www.sharewaf.com/).
// Suggested test method: run the test statements in the debug blocks below; the true/false printed for each
// payload shows whether that payload would be detected by the rule (and therefore recorded).
// Caveat: these are keyword/signature blacklists. They catch common probes but are bypassable by case changes,
// inline comments and encoding; treat them as one defensive layer, not as a replacement for parameterised queries.
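// Debug switch: set to 1 to run the self-test console.log() blocks further down.
var regexp_debug = 0;

// SQL-injection signatures applied to request parameters. A value is
// flagged when ANY rule in this array matches (the rules are a blacklist).
//
// Review notes:
//  - Every rule now carries the i flag. Upstream only had it on the last
//    two, and its own self-tests show the cost: "UNION select", "SLEEP(1)"
//    and "Select ... from" all slipped past. SQL keywords are case-insensitive,
//    so a case-sensitive signature is a zero-effort bypass.
//  - This is signature matching, not parsing. Inline comments (/**/),
//    encoding and keyword splitting still get through; treat the list as a
//    defence-in-depth layer, not a substitute for parameterised queries.
const anti_sqlinj_rule = [
  // Bare keyword blacklist kept from upstream for reference; NOT enabled,
  // because it matches ordinary input (any "count", "order by", quote or ">"):
  //   /select|update|delete|truncate|join|union|exec|insert|drop|count|Sp_sqlexec|order by|'|"|>/
  /select.+(from|limit)/i,                        // "select ... from" / "select ... limit"
  /(?:(union(.*)select))/i,                       // "union ... select", any text in between
  /having|rongjitest/i,                           // HAVING clause; "rongjitest" is an upstream marker string (purpose undocumented)
  /sleep\((\s*)(\d*)(\s*)\)/i,                    // sleep(<digits>) with optional whitespace inside the parentheses
  /group\s+by.+\(/i,                              // "group by ... (" -- a plain "group by id" is NOT flagged
  /(?:from\W+information_schema\W)/i,             // "from" + non-word chars + "information_schema" (covers /**/ separators)
  /(?:(current_)user|database|schema|connection_id)\s*\(/i, // current_user( / database( / schema( / connection_id(; bare user( is not covered
  // Added upstream:
  /\s*or\s+.*=.*/i,     // ' or 1=1 -- style. Needs whitespace after "or", so 'or1=1 and 'or'a'='a' escape;
                        // also very broad: "for x=1" matches too, so expect false positives.
  /order\s+by\s+.*--$/i // "order by N--" at the end of the value (column probing closed by a comment)
];
exports.anti_sqlinj_rule = anti_sqlinj_rule;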
If (regexp_debug = = 1) {
// Bare keyword blacklist (not enabled -- too many ordinary strings contain "count", "order by", a quote or ">"):
//   select|update|delete|truncate|join|union|exec|insert|drop|count|Sp_sqlexec|order by|'|"|>
// . matches any single character except "\n"
// meaning: matches "select ... from" and "select ... limit" statements
// Note: case-sensitive. To make a rule case-insensitive, add the i flag.
// added: matches ' or 1=1 -- style payloads. Rule: optional whitespace, "or", at least one whitespace
// character, any characters, "=", any characters.
Console.log (/\ s*or\ s+.*=.*/i.test ("'or 1: 1")); // true
Console.log (/\ s*or\ s+.*=.*/i.test ("'or 1 subscription 2")); // true
Console.log (/\ s*or\ s+.*=.*/i.test ("'or'a')); // true
Console.log (/\ s*or\ s+.*=.*/i.test ("'or'a'='a'")); // false -- "or" is followed by a quote, not whitespace, so \s+ fails (bypass)
Console.log (/\ s*or\ s+.*=.*/i.test ("'or1=1")); // false -- no whitespace after "or" at all (same bypass)
// added: matches "order by 1--"
Console.log (/ order\ s+by\ s+.*--$/i.test ("order by 1--")); // true
Console.log (/ order\ s+by\ s+.*--$/i.test ("order by 2 -")); // true
Console.log (/ order\ s+by\ s+.*--$/i.test ("order BY 3 -")); // true -- i flag, so "BY" is accepted
Console.log (/ select.+ (from | limit) / .test ("select * from abc")); // true
Console.log (/ select.+ (from | limit) / .test ("select top 10 * from abc")); // true
Console.log (/ select.+ (from | limit) / .test ("select top 10"); // false -- no "from" or "limit"
Console.log (/ select.+ (from | limit) / .test ("Select top 10 from"); // false -- capital "S": this rule is case-sensitive (bypass)
// (?:X): non-capturing group
// . : any single character except newline
// X*: X repeated zero or more times
// (.*): any run of zero or more characters
// meaning: matches "union ... select"
// Note: case-sensitive. To make it case-insensitive, add the i flag.
Console.log (/ (?: (union (. *?) select)) / .test ("union select 1, 2, 3 from"); // true
Console.log (/ (?: (union (. *?) select)) / .test ("UNION select 1, 2, 3 from"); // false -- uppercase UNION: case-sensitive rule, a trivial bypass
Console.log (/ (?: (union (. *?) select)) / .test ("abc union abc select 1, 2, 3 from"); // true
Console.log (/ (?: (union (. *?) select)) / .test ("abc union / * * / select 1 from 2 from")); // true -- an inline comment between the keywords is still matched
Console.log (/?: (union (. *?) select) / .test ("abc union / * * /")); // false -- no "select" after "union"
Console.log (/ (?: (union (. *?) select) / .test ("select col from table union all select col2 from table2")); // true
// The outer (?:...) is pointless: a non-capturing group around the whole pattern neither captures nor changes
// what matches. The next line shows the rule without it behaves the same.
Console.log (/ union (. *?) select/.test ("abc union / * * / select 1 from 2 from"), "test"); // true
// \s: whitespace character
// \s*: zero or more whitespace characters
// \d: digit
// \d*: zero or more digits
// meaning: matches sleep(<number>); whitespace is allowed inside the parentheses
// Note: case-sensitive. To make it case-insensitive, add the i flag.
Console.log (/ sleep\ ((\ s*) (\ d*) (\ s*)) / .test ("sleep (1)")); // true
Console.log (/ sleep\ ((\ s*) (\ d*) (\ s*)) / .test ("sleep (1)")); // true
Console.log (/ sleep\ ((\ s*) (\ d*) (\ s*)\) / .test ("sleep ('abc')")); // false -- the argument is not digits
Console.log (/ sleep\ ((\ s*) (\ d*) (\ s*)\) / .test ("sleep ('abc')")); // false
Console.log (/ sleep\ ((\ s*) (\ d*) (\ s*)) / .test ("SLEEP (1)")); // false -- uppercase: case-sensitive rule (bypass)
// with the i flag the same input is caught:
Console.log (/ sleep\ ((\ s*) (\ d*) (\ s*)) / i.test ("SLEEP (1)"), "test2"); // true
// \s: whitespace character
// . : any single character except newline
// meaning: matches "group by ... ("
// Note: case-sensitive. To make it case-insensitive, add the i flag.
// Doubt raised by the author: a plain GROUP BY clause has no "(", so the trailing \( may be a mistake.
// Either way it means "group by id" on its own is not flagged (second test below) -- confirm the intent upstream.
Console.log (/ group\ sroomby.+\ (/ .test ("group by id ("); // true
Console.log (/ group\ sroomby.+\ (/ .test ("group by id")); // false
// information_schema: MySQL's built-in metadata database
// \W: non-word character, equivalent to [^A-Za-z0-9_]
// (?:X): non-capturing group
Console.log (/ (?: from\ W+information_schema\ W) / .test ("select TABLES from * information_schema *")); // true
Console.log (/ (?: from\ W+information_schema\ W) / .test ("select TABLES from/**/information_schema/**/")); // true
Console.log (/ (?: from\ W+information_schema\ W) / .test ("select TABLES from 123 / * * / union information_schema/**/"); // false -- "information_schema" does not directly follow "from"
// The non-capturing group adds nothing; the rule can simply be written as:
Console.log (/ from\ W+information_schema\ W/.test ("select TABLES from/**/information_schema/**/")); // true
// (?:X): non-capturing group
// |: alternation (or)
// \s: whitespace character
// Note: case-sensitive. To make it case-insensitive, add the i flag.
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_user (")); // true
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_database (")); // true
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_connection_id (")); // true
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_connection_id = (")); // false -- only whitespace may sit between the name and "("
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("connection_id (")); // true
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("connection_ID (")); // false -- case-sensitive (bypass)
// The "simplified" form below is NOT equivalent: without the group the alternation binds loosely, so a bare
// "database" or "schema" anywhere in the input matches and only connection_id keeps the \s*\( suffix.
// That trades a few bytes for many more false positives -- keep the grouped form.
Console.log (/ (?: current_) user | database | schema | connection_id\ s *\ (/ .test ("current_connection_id (")); // true
Console.log (/ (?: current_) user | database | schema | connection_id\ s *\ (/ .test ("connection_id (")); // true
}
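// Injection signatures applied to Cookie values: the SQL rules plus MySQL
// file/benchmark functions, PHP function calls, a path-traversal target and
// a Struts2 marker. A cookie is flagged when ANY rule matches (blacklist).
//
// Review notes:
//  - All rules now carry the i flag. Upstream self-tests showed base64_Decode,
//    dumpFILE, BENCHMARK and PASSWD evading the case-sensitive set.
//  - The INTO ... FILE rule used (\s+)+, a nested quantifier. A cookie such as
//    "into" + many spaces + "x" makes the engine try every way of splitting the
//    run of spaces before failing: exponential backtracking, i.e. a ReDoS
//    against the WAF itself. \s+ matches exactly the same strings without it.
const anti_cookieinj_rule = [
  /select.+(from|limit)/i,                        // "select ... from" / "select ... limit"
  /(?:(union(.*)select))/i,                       // "union ... select"
  /having|rongjitest/i,                           // HAVING clause; "rongjitest" is an upstream marker string (purpose undocumented)
  /sleep\((\s*)(\d*)(\s*)\)/i,                    // sleep(<digits>) -- time-based probing
  /benchmark\((.*),(.*)\)/i,                      // benchmark(<count>, <expr>) -- time-based probing
  /base64_decode\(/i,                             // PHP base64_decode( -- common payload unpacker
  /(?:from\W+information_schema\W)/i,             // "from" + non-word chars + "information_schema"
  // "version" added upstream:
  /(?:(current_)user|database|version|schema|connection_id)\s*\(/i, // bare user( is NOT covered: current_ is mandatory
  /(?:etc\/\W*passwd)/i,                          // etc/passwd, etc//passwd, ... (only non-word chars between)
  /into\s+(?:dump|out)file\s*/i,                  // INTO DUMPFILE / INTO OUTFILE (was (\s+)+ -- see note above)
  /group\s+by.+\(/i,                              // "group by ... ("
  /xwork.MethodAccessor/i,                        // Struts2 OGNL marker; the "." is unescaped, so any character is accepted there
  // PHP/JS functions followed by "(". preg_\w+ covers every preg_* name.
  // NOTE(review): "(fp)open" only matches the literal "fpopen"; fopen/popen
  // were probably intended ((f|p)open) -- confirm against upstream before changing.
  // NOTE(review): the self-tests in this file also list phpinfo, which this rule omits.
  /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/i
];
exports.anti_cookieinj_rule = anti_cookieinj_rule;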
If (regexp_debug = = 1) {
// Case-sensitivity (the missing i flag) affects every rule below and is not repeated for each one.
// MySQL function benchmark(count, expr) -- used for time-based probing
// Example payload shape: benchmark(<large count>, encode("hello", "goodbye"))
Console.log (/ benchmark\ ((. *)\, (. *)\) / .test ('select BENCHMARK (1000000 hello encode ("hello", "goodbye");'); // false -- uppercase BENCHMARK: case-sensitive rule (bypass)
Console.log (/ benchmark\ ((. *)\, (. *)\) / .test ('select benchmark (1000000 hello encode ("hello", "goodbye"))'), "benchmark"); // true
/ base64_decode\ (/
// detects the PHP base64_decode() function
// by now it is clear this rule set targets MySQL and PHP back ends
Console.log (/ base64_decode\ (/ .test ("base64_decode ('abc')")); // true
Console.log (/ base64_decode\ (/ .test ("base64_Decode ('abc')")); // false -- mixed case: case-sensitive rule (bypass)
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("user (")); // false -- "current_" is mandatory here, so a bare user( call is not caught
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_user (")); // true
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_user (")); // true
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_user (")); // true
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_usEr (")); // false -- case-sensitive (bypass)
Console.log (/ (?: (?: current_) user | database | schema | connection_id)\ s *\ (/ .test ("current_user * (")); // false -- only whitespace may sit between the name and "("
// detection of the etc/passwd path
// \W: non-word character
Console.log (/ (?: etc\ /\ W*passwd) / .test ("etc/passwd")); // true
Console.log (/ (?: etc\ /\ W*passwd) / .test ("etc//passwd")); // true
Console.log (/ (?: etc\ /\ W*passwd) / .test ("etc passwd")); // false -- the "/" after "etc" is required
Console.log (/ (?: etc\ /\ W*passwd) / .test ("etc////passwd")); // true
Console.log (/ (?: etc\ /\ W*passwd) / .test ("etc////PASSWD")); // false -- uppercase: case-sensitive rule (bypass)
// MySQL file-writing functions: INTO DUMPFILE / INTO OUTFILE
// +: the preceding item repeated one or more times
// NOTE(review): (\s+)+ is a nested quantifier. On a long run of spaces that is not followed by
// dump/outfile the engine backtracks exponentially (ReDoS); \s+ matches the same inputs without that cost.
// \s: whitespace character
Console.log (/ into (\ s +) + (?: dump | out) file\ s*/.test ("select * from test into outfile'/ tmp/test.txt'")); // true
Console.log (/ into (\ s +) + (?: dump | out) file\ s*/.test ("select * from test into dumpfile'/ tmp/test.txt'")); // true
Console.log (/ into (\ s +) + (?: dump | out) file\ s*/.test ("select * from test into dumpFILE'/ tmp/test.txt'")); // false -- mixed case: case-sensitive rule (bypass)
/ xwork.MethodAccessor/
// keyword seen in Struts2 exploit payloads; the "." is unescaped, so it matches any character in that position
Console.log (/ xwork.MethodAccessor/.test ("xwork.MethodAccessor")); // true
Console.log (/ xwork.MethodAccessor/.test ("xwork.MethodAccessoR")); // false -- case-sensitive (bypass)
// \w: word character, equivalent to [A-Za-z0-9_]
// detects calls to a list of dangerous PHP/JS functions (name followed by "(")
// NOTE(review): the tests below include phpinfo, which the exported rule above does not.
/ (?: define | eval | file_get_contents | include | require | require_once | shell_exec | system | passthru | preg_\ w+ | execute | echo | print | print_r | var_dump | (fp) open | alert | showmodaldialog)\ (/
Console.log (/ (?: define | eval | file_get_contents | include | require | require_once | shell_exec | phpinfo | system | passthru | preg_\ w+ | execute | echo | print | print_r | var_dump | (fp) open | alert | showmodaldialog)\ (/ .test ("define")); // false -- the "(" is required
Console.log (/ (?: define | eval | file_get_contents | include | require | require_once | shell_exec | phpinfo | system | passthru | preg_\ w+ | execute | echo | print | print_r | var_dump | (fp) open | alert | showmodaldialog)\ (/ .test ("define (")); // true
Console.log (/ (?: define | eval | file_get_contents | include | require | require_once | shell_exec | phpinfo | system | passthru | preg_\ w+ | execute | echo | print | print_r | var_dump | (fp) open | alert | showmodaldialog)\ (/ .test ("define (")); // true
Console.log (/ (?: define | eval | file_get_contents | include | require | require_once | shell_exec | phpinfo | system | passthru | preg_\ w+ | execute | echo | print | print_r | var_dump | (fp) open | alert | showmodaldialog)\ (/ .test ("preg_a (")); // true -- preg_\w+ matches any preg_ function name
}
Exports.anti_xss_rule = [
/ / comment out
/ |:'| "| `|-- | () | [] | {} | /
/\