From 0d1848c00e86b3ec63a249cfe965aaa2e745022b Mon Sep 17 00:00:00 2001 From: puhui222 <56866561+puhui222@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:24:15 +0800 Subject: [PATCH] Create SQLi.lua --- rules/SQLi.lua | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 rules/SQLi.lua diff --git a/rules/SQLi.lua b/rules/SQLi.lua new file mode 100644 index 0000000..fffec8c --- /dev/null +++ b/rules/SQLi.lua @@ -0,0 +1,63 @@ +--[[ +规则名称: SQl注入 + +过滤阶段: 请求阶段 + +危险等级: 严重 + +规则描述: 对sql注入防护进行补充,增加FIELD()、position()等函数构造布尔盲注和基于时间的盲注进行防护 +--]] + + +local kvFilter = waf.kvFilter +local rgx = waf.rgxMatch + +local function sMatch(v) + local m = rgx(v, "\\((?:(?:#|--).*?\\n|/\\*.*?\\*/|\\s|\\xa0|\\()*select\\b", "joi") + if m then + return m, v + end + m = rgx(v, "union(?:(?:#|--).*?\\n|/\\*.*?\\*/|\\s|\\xa0|\\()+(?:select\\b|all\\b|distinct)", "joi") + if m then + return m, v + end + m = rgx(v, "(?i:\\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:t(?:d(?:dev(?:_(?:sam|po)p)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)?|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:insert_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|r(?:a(?:wto(?:nhex(?:toraw)?|hex)|dians|nd)|e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|ight|trim|pad)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o_(?:(?:second|day)s|base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\\W*?\\()", "jos") + if m then + return m, v + end + m = rgx(v, "(?i:(?:;\\s*?shutdown\\s*?(?:[#;]|\\/\\*|--|\\{)|waitfor\\s*?delay\\s?[\\\"'`]+\\s?\\d|select\\s*?sleep))", "jos") + if m then + return m, v + end + return false +end + +local form = waf.form +if form then + local m, d = kvFilter(form["FORM"], sMatch) + if m then + return m, d, true + end +end + +local queryString = waf.queryString +if queryString then + local m, d = kvFilter(queryString, sMatch) + if m then + return m, d, true + end +end + +local cookies = waf.cookies +if cookies then + local m, d = kvFilter(cookies, sMatch) + if m then + return m, d, true + end +end + +local m, d = kvFilter(waf.reqHeaders, sMatch) +if m then + return m, d, true +end +return false