
對一套WAF防護規則(正則表達式)的整理和分析。

發布時間:2020-07-28 03:33:28 來源:網絡 閱讀:873 作者:w2sft 欄目:安全技術

//此套WAF防護正則表達式規則來源於ShareWAF(http://www.sharewaf.com/)
//測試方法建議:請依下方測試使用的test語句進行,根據true、false,可知是否能識別出***並記錄到數據庫

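// Set to 1 to run the self-checks below (they only console.log true/false).
const regexp_debug = 0;

// SQL-injection signatures. A request value is flagged as soon as one rule
// matches. All SQL keyword rules carry /i: MySQL keywords are case-insensitive,
// so "UNION SELECT" and "SLEEP(1)" must hit the same rules as their lower-case
// forms (the original case-sensitive rules miss them, as the self-checks show).
exports.anti_sqlinj_rule = [
    // The catch-all keyword list was disabled upstream and is kept only for
    // reference — it would flag every quote, ">" and most ordinary text:
    // /select|update|delete|truncate|join|union|exec|insert|drop|count|Sp_sqlexec|order by|’|"|>/
    //
    // Upstream left the next rule on the same line as that comment, so it was
    // never active here although the self-check and anti_cookieinj_rule use it.
    /select.+(from|limit)/i,          // SELECT ... FROM / SELECT ... LIMIT
    /union(.*?)select/i,              // UNION [ALL] [/* */] SELECT
    // /having|rongjitest/,
    /sleep\(\s*\d*\s*\)/i,            // time-based blind probe: SLEEP( n )
    /group\s+by.+\(/i,                // GROUP BY ... ( — see the doubt noted in the self-check
    /from\W+information_schema\W/i,   // schema enumeration
    /(?:(?:current_)user|database|schema|connection_id)\s*\(/i,

    // Added upstream: "' or 1=1 --" and "order by N --".
    // NOTE(review): the original `\s*` in front of "or" constrained nothing, so
    // "or" inside another word also matched (e.g. "author name=x"); `\b` keeps
    // "'or 1=1" matching while requiring "or" to start a word.
    /\bor\s+.*=/i,
    /order\s+by\s+.*--$/i
];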

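if (regexp_debug === 1) {
    // The catch-all keyword list (select|update|...|'|"|>) is a plain
    // substring match that upstream leaves to a separate character-level
    // filter, so it is not exercised here.

    // Added upstream: match "' or 1=1 --". Rule: optional whitespace, "or",
    // one or more whitespace, anything, "=", anything.
    // NOTE(review): the leading `\s*` is zero-width-optional and constrains
    // nothing; "or" inside another word (e.g. "author name=x") also matches.
    const orEquals = /\s*or\s+.*=.*/i;
    console.log(orEquals.test("'or 1=1"));     // true
    console.log(orEquals.test("'or 1!=2"));    // true
    console.log(orEquals.test("'or 'a'='a'")); // true
    console.log(orEquals.test("'or'a'='a'"));  // false — no whitespace after "or"
    console.log(orEquals.test("'or1=1"));      // false

    // Added upstream: match "order by 1 --" (the comment marker must end the input).
    const orderByComment = /order\s+by\s+.*--$/i;
    console.log(orderByComment.test("order by 1 --"));    // true
    console.log(orderByComment.test("order   by 2  --")); // true
    console.log(orderByComment.test("order BY 3 --"));    // true

    // `.` matches any character except "\n".
    // Meaning: match "select ... from" or "select ... limit".
    // Note: case-sensitive; append /i to drop the case distinction.
    const selectFrom = /select.+(from|limit)/;
    console.log(selectFrom.test("select * from abc"));        // true
    console.log(selectFrom.test("select top 10 * from abc")); // true
    console.log(selectFrom.test("select top 10"));            // false
    console.log(selectFrom.test("Select top 10 from"));       // false — case-sensitive

    // (?:X): non-capturing group. `.`: any character. `.*?`: any characters, lazily.
    // Meaning: match "union ... select".
    // Note: case-sensitive; append /i to drop the case distinction.
    const unionSelect = /(?:(union(.*?)select))/;
    console.log(unionSelect.test("union select 1,2,3 from"));           // true
    console.log(unionSelect.test("UNION select 1,2,3 from"));           // false — trivial bypass
    console.log(unionSelect.test("abc union abc select 1,2,3 from"));   // true
    console.log(unionSelect.test("abc union /* */ select 1,2,3 from")); // true
    console.log(unionSelect.test("abc union /* */"));                   // false
    console.log(unionSelect.test("select col from table union all select col2 from table2")); // true
    // The outer (?:...) wraps the whole pattern and captures nothing, so it is
    // redundant; the bare form behaves identically:
    console.log(/union(.*?)select/.test("abc union /* */ select 1,2,3 from"), "test"); // true

    // \s: whitespace; \s*: zero or more. \d: digit; \d*: zero or more.
    // Meaning: match sleep(<digits>) with optional whitespace inside the parens.
    // Note: case-sensitive; append /i to drop the case distinction.
    const sleepCall = /sleep\((\s*)(\d*)(\s*)\)/;
    console.log(sleepCall.test("sleep(1)"));      // true
    console.log(sleepCall.test("sleep(   1 )"));  // true
    console.log(sleepCall.test("sleep('abc')"));  // false
    console.log(sleepCall.test("sleep(' abc')")); // false
    console.log(sleepCall.test("SLEEP(1)"));      // false — trivial bypass
    // With /i the upper-case form is caught:
    console.log(/sleep\((\s*)(\d*)(\s*)\)/i.test("SLEEP(1)"), "test2"); // true

    // \s: whitespace. `.`: any character.
    // Meaning: match "group by ... (".
    // Note: case-sensitive. Upstream doubted the trailing "(" since a plain
    // GROUP BY has none; presumably it targets error-based payloads of the
    // form "group by concat(...)" — TODO confirm the intent.
    const groupBy = /group\s+by.+\(/;
    console.log(groupBy.test("group by id(")); // true
    console.log(groupBy.test("group by id"));  // false

    // information_schema: MySQL's built-in metadata database.
    // \W: non-word character, i.e. [^A-Za-z0-9_]. (?:X): non-capturing group.
    const infoSchema = /(?:from\W+information_schema\W)/;
    console.log(infoSchema.test("select TABLES from * information_schema * "));               // true
    console.log(infoSchema.test("select TABLES from/**/information_schema/**/"));             // true
    console.log(infoSchema.test("select TABLES from 123 /**/ union information_schema/**/")); // false
    // The non-capturing wrapper is redundant here as well:
    console.log(/from\W+information_schema\W/.test("select TABLES from/**/information_schema/**/")); // true

    // (?:X): non-capturing group. |: alternation. \s: whitespace.
    // Note: case-sensitive; append /i to drop the case distinction.
    const infoFunctions = /(?:(?:current_)user|database|schema|connection_id)\s*\(/;
    console.log(infoFunctions.test("current_user ("));            // true
    console.log(infoFunctions.test("current_database("));         // true — via "database("
    console.log(infoFunctions.test("current_connection_id   (")); // true
    console.log(infoFunctions.test("current_connection_id = (")); // false
    console.log(infoFunctions.test("connection_id("));            // true
    console.log(infoFunctions.test("connection_ID("));            // false
    // Upstream proposed dropping the outer group as a "simplification". It is
    // NOT equivalent: `|` binds loosest, so the flattened pattern reads
    // "current_user" OR "database" OR "schema" OR "connection_id\s*\(", and the
    // bare words then match on their own — a false-positive regression.
    const flattened = /(?:current_)user|database|schema|connection_id\s*\(/;
    console.log(flattened.test("current_connection_id   (")); // true
    console.log(flattened.test("connection_id("));            // true
    console.log(flattened.test("my database"));               // true — the grouped rule says false
    console.log(infoFunctions.test("my database"));           // false
}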


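// Rules applied to cookie values: the SQL signatures from anti_sqlinj_rule
// plus MySQL file/timing functions, a Struts2 keyword and a PHP/JS function
// blocklist. SQL and PHP rules carry /i because MySQL keywords and PHP
// function names are case-insensitive ("BENCHMARK(", "Base64_Decode(" and
// "INTO OUTFILE" are the same calls as their lower-case forms).
exports.anti_cookieinj_rule = [
    /select.+(from|limit)/i,
    /union(.*?)select/i,
    // /having|rongjitest/,
    /sleep\(\s*\d*\s*\)/i,
    /benchmark\((.*),(.*)\)/i,               // BENCHMARK(count, expr): CPU-time blind probe
    /base64_decode\(/i,
    /from\W+information_schema\W/i,
    // Changed upstream: version() added to the information-function list.
    /(?:(?:current_)user|database|version|schema|connection_id)\s*\(/i,
    /etc\/\W*passwd/,                        // Linux path; the filesystem is case-sensitive
    // NOTE(review): the original `into(\s+)+(?:dump|out)file` nested a
    // quantified group inside `+`; on a long run of whitespace that backtracks
    // exponentially (ReDoS against the WAF itself). `into\s+` is equivalent.
    /into\s+(?:dump|out)file\s*/i,
    /group\s+by.+\(/i,
    /xwork\.MethodAccessor/,                 // Struts2-related vulnerability keyword (dot now literal)
    // PHP / JS function calls. The original `(fp)open` required the literal
    // "fpopen", which is not a function; fopen( and popen( are what is meant.
    /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|[fp]open|alert|showmodaldialog)\(/i
];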
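if (regexp_debug === 1) {
    // Case sensitivity is not repeated for every rule below; it affects all of them.

    // MySQL benchmark(); example: benchmark(1000,encode("hello","goodbye"))
    const benchmarkCall = /benchmark\((.*)\,(.*)\)/;
    console.log(benchmarkCall.test('select BENCHMARK(1000000,encode("hello","goodbye"))'));              // false — bypass
    console.log(benchmarkCall.test('select benchmark(1000000,encode("hello","goodbye"))'), "benchmark"); // true

    // base64_decode(). By now it is clear the rule set targets MySQL + PHP.
    const base64Decode = /base64_decode\(/;
    console.log(base64Decode.test("base64_decode('abc')")); // true
    console.log(base64Decode.test("base64_Decode('abc')")); // false — PHP function names are case-insensitive

    const infoFunctions = /(?:(?:current_)user|database|schema|connection_id)\s*\(/;
    console.log(infoFunctions.test("user("));             // false — "user" only matches with the current_ prefix
    console.log(infoFunctions.test("current_user("));     // true
    console.log(infoFunctions.test("current_user ("));    // true
    console.log(infoFunctions.test("current_user   (")); // true
    console.log(infoFunctions.test("current_usEr   (")); // false
    console.log(infoFunctions.test("current_user  * ("));// false — only whitespace may precede "("

    // "etc/" followed by passwd, with any non-word characters in between.
    // \W: non-word character.
    const etcPasswd = /(?:etc\/\W*passwd)/;
    console.log(etcPasswd.test("etc/passwd"));    // true
    console.log(etcPasswd.test("etc//passwd"));   // true
    console.log(etcPasswd.test("etc passwd"));    // false
    console.log(etcPasswd.test("etc////passwd")); // true
    console.log(etcPasswd.test("etc////PASSWD")); // false

    // MySQL file-writing clauses: INTO DUMPFILE / INTO OUTFILE.
    // X+: one or more X. \s: whitespace.
    // NOTE(review): `(\s+)+` is a nested quantifier and backtracks exponentially
    // on long whitespace runs that are not followed by dumpfile/outfile.
    const intoFile = /into(\s+)+(?:dump|out)file\s*/;
    console.log(intoFile.test("select * from test into outfile '/tmp/test.txt'"));  // true
    console.log(intoFile.test("select * from test into dumpfile '/tmp/test.txt'")); // true
    console.log(intoFile.test("select * from test into dumpFILE '/tmp/test.txt'")); // false

    // Struts2-related vulnerability keyword.
    const xworkAccessor = /xwork.MethodAccessor/;
    console.log(xworkAccessor.test("xwork.MethodAccessor")); // true
    console.log(xworkAccessor.test("xwork.MethodAccessoR")); // false

    // \w+: one or more word characters.
    // Detects assorted PHP / JS function calls. `(fp)open` requires the literal
    // "fpopen", so fopen( and popen( are not matched by this form.
    const funcCall = /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/;
    console.log(funcCall.test("define"));  // false
    console.log(funcCall.test("define(")); // true
    console.log(funcCall.test("preg_a(")); // true
    console.log(funcCall.test("fopen("));  // false — see the note above
}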

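// XSS signatures: dangerous tag openers, a few inline event handlers and the
// javascript: URL scheme. HTML tag and attribute names are case-insensitive,
// so the tag rule carries /i (the original missed "<SCRIPT>").
exports.anti_xss_rule = [
    // Disabled upstream — any of these characters alone is far too broad:
    // /<|>|:|'|""|`|--|()|[]|{}|/,
    /<(iframe|script|body|img|layer|div|meta|style|base|object|input)/i,
    // `\s*` accepts the "onerror = ..." spelling, which browsers also accept.
    // NOTE(review): the handler list is a sample, not the full on* family.
    /(onmouseover|onmousemove|onerror|onload)\s*=/i,
    // Added upstream
    /javascript:/i
];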

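if (regexp_debug === 1) {
    // The original inputs here contained literal "<iframe ..." / "<script>..."
    // strings that were swallowed when the article was rendered as HTML; the
    // inputs below are reconstructed and annotated with what the rule returns.
    const tagOpener = /\<(iframe|script|body|img|layer|div|meta|style|base|object|input)/;
    console.log(tagOpener.test("<iframe src=x>"));            // true
    console.log(tagOpener.test("iframe"));                    // false — no "<"
    console.log(tagOpener.test("<script>alert(1)</script>")); // true
    console.log(tagOpener.test("<SCRIPT>alert(1)</SCRIPT>")); // false — case-sensitive bypass

    console.log(/(onmouseover|onmousemove|onerror|onload)\=/i.test("onerror='alert(1)'")); // true

    console.log(/javascript:/i.test("javascript:alert(1);")); // true
}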


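// Directory traversal. The original `/..\/..\//` left both dots unescaped, so
// it matched ANY "xx/yy/" (e.g. "static/js/app.js" via "ic/js/") — the
// false-positive problem noted against `..\/` elsewhere in this file. With the
// dots escaped it matches only a literal "../../".
exports.anti_folder_iterator_rule = [
    /\.\.\/\.\.\//,
    // /(?:etc\/\W*passwd\/shadow)/
    // Changed upstream to:
    // /(?:etc\/\W*passwd)/i
];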

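if (regexp_debug === 1) {
    // Match "../../"
    const twoLevelsUp = /..\/..\//;
    console.log(twoLevelsUp.test("../../pass/")); // true
    console.log(twoLevelsUp.test("../pass/"));    // false
    // The dots are unescaped, so any two path segments of two or more
    // characters also match:
    console.log(twoLevelsUp.test("static/js/app.js"));      // true — false positive
    console.log(/\.\.\/\.\.\//.test("static/js/app.js"));   // false once the dots are escaped
}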


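// OS command injection. Only the "||" operator is covered, in both orders
// ("|| cmd" and "cmd ||"); ";", a single "|", backticks and "$(...)" are not,
// and the "&&" alternative only fires when a "||" is also present.
// "ifconfog" in the original was a typo for ifconfig, so the Linux interface
// command was never matched.
exports.anti_cmdinj_rule = [
    // Changed upstream:
    // "|| command"
    /\|\|.*(?:ls|pwd|whoami|ll|ifconfig|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/,
    // "command ||"
    /(?:ls|pwd|whoami|ll|ifconfig|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv).*\|\|/
];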

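if (regexp_debug === 1) {
    const orThenCommand = /\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/;
    console.log(orThenCommand.test("||ipconfig")); // true
    console.log(orThenCommand.test("||cd"));       // true
    console.log(orThenCommand.test("cd"));         // false — no "||"
    console.log(orThenCommand.test("|cd"));        // false — a single "|" is not covered
    console.log(orThenCommand.test("||ifconfig")); // false — "ifconfog" typo in the rule
}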


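// Remote file inclusion: an absolute http(s) URL in a parameter, or a PHP/JS
// function call. Both carry /i — PHP resolves "HTTP://" like "http://" and
// PHP function names are case-insensitive. `https?:\/\/` is the same match as
// the original `http:\/\/|https:\/\/`.
exports.anti_remote_file_include_rule = [
    /https?:\/\//i,
    // `[fp]open` replaces the original `(fp)open`, which required the literal
    // "fpopen" and so matched neither fopen( nor popen(.
    /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|[fp]open|alert|showmodaldialog)\(/i,
    // Disabled upstream (the active copy lives in anti_local_file_include_rule):
    // /(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\//,
];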

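if (regexp_debug === 1) {
    // Note: this check also carries the unescaped "../../" alternative that
    // the exported rule does not have.
    const remoteUrl = /http:\/\/|https:\/\/|..\/..\//;
    console.log(remoteUrl.test("http://")); // true
    console.log(remoteUrl.test("http:"));   // false
    console.log(remoteUrl.test("https:"));  // false
    console.log(remoteUrl.test("HTTP://")); // false — case-sensitive, although PHP accepts HTTP://
}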


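// Local file inclusion: /etc/passwd reads and PHP stream wrappers. The wrapper
// rule carries /i because PHP resolves "PHP://filter" like "php://filter"; the
// passwd path stays case-sensitive like the filesystem it names.
exports.anti_local_file_include_rule = [
    // Prone to false positives (and, with the dot unescaped, it matched any "xx/"):
    // /..\//,
    /etc\/\W*passwd/,
    // Disabled upstream:
    // /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/,
    /(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data):\//i
];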

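if (regexp_debug === 1) {
    // Match "etc/", then any run (possibly empty) of non-word characters, then "passwd".
    const etcPasswd = /(?:etc\/\W*passwd)/i;
    console.log(etcPasswd.test("etc//passwd"));    // true
    console.log(etcPasswd.test("etc/passwd"));     // true
    console.log(etcPasswd.test("etc//**/passwd")); // true
    console.log(etcPasswd.test("etc\\passwd"));    // false — a backslash separator is not matched

    const streamWrapper = /(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\//;
    console.log(streamWrapper.test("file:/"));       // true
    console.log(streamWrapper.test("file:"));        // false
    console.log(streamWrapper.test("PHP://filter")); // false — case-sensitive, although PHP accepts it
}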

