Nginx 的 WAF 规则 LuaJIT 严重版本-工具盒子

前段时间杜老师发表了一篇《自建 CDN 服务器思路》其中介绍南墙 Web 应用防火墙，有些小伙伴们对其名字很感兴趣，而杜老师注意到了它的防护规则，感觉非常实用，顺手整理了下，分享给需要的小伙伴们。此篇为严重风险的防护规则！

fastjson漏洞拦截 {#fastjson漏洞拦截}

过滤阶段：请求阶段

规则描述：拦截fastjson漏洞漏洞攻击

规则内容：

|---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | local jsonFilter = waf.jsonFilter local function rMatch(v) if v == "@type" then return true, v end return false end local form = waf.form if form then local raw = form["RAW"] local m = jsonFilter(raw, rMatch, false) if m then return m, raw, true end end return false |

json格式校验 {#json格式校验}

过滤阶段：请求阶段

规则描述：高级攻击者会构造一些异常json绕过WAF检测，该规则对json格式进行安全校验，可以拦截异常json请求。

规则内容：

|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | local form = waf.form local rct = waf.reqContentType local rgx = waf.rgxMatch if rct and waf.contains(waf.toLower(rct), "application/json") and form then local raw = form["RAW"] if raw then if rgx(raw, "^\\s*$", "jos") then return false end local err = waf.checkJson(raw) if err then return true, err .. ":" .. raw, true end end end return false |

XSS跨站脚本攻击 {#XSS跨站脚本攻击}

过滤阶段：请求阶段

规则描述：攻击者通常会在有漏洞的程序中插入 JavaScript、VBScript、 ActiveX或Flash以欺骗用户。一旦得手，他们可以盗取用户帐户，修改用户设置，盗取/污染cookie，做虚假广告等。

规则内容：

|---------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | local kvFilter = waf.kvFilter local checkXSS = waf.checkXSS local function sMatch(v) if v then local m = checkXSS(v) if m then return m, v end end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], sMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, sMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, sMatch) if m then return m, d, true end end local m, d = sMatch(waf.userAgent) if m then return m, d, true end local m, d = sMatch(waf.referer) if m then return m, d, true end return false |

java安全规则集 {#java安全规则集}

过滤阶段：请求阶段

规则描述：检测spring、struts、java序列化等相关安全漏洞

规则内容：

|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 | local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local urlDecode = waf.urlDecode local requestLine = waf.requestLine local check = waf.plugins.javaClassDetection.check local function sMatch(v) local m = rgx(v, "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi") if m then return m, "Potential Log4j / Log4shell Attack: " .. v end m = rgx(v, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo") if m then return m, "Magic bytes Detected, probable java serialization Attack: " .. v end m = rgx(v, "classLoader\\s*\\.\\s*resources\\s*\\.\\s*context\\s*\\.\\s*parent\\s*\\.\\s*pipeline|springframework\\s*\\.\\s*context\\s*\\.\\s*support\\s*\\.\\s*FileSystemXmlApplicationContext", "jos") if m then return m, "Spring Framework RCE(CVE-2022-22965): " .. v end m = check(v) if m then return m, "Potential dangerous java class: " .. v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], sMatch) if m then return m, d, true end local raw = form["RAW"] m = rgx(raw, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo") if m then return m, raw, true end m = check(raw) if m then return m, raw, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, sMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, sMatch) if m then return m, d, true end end local m, d = kvFilter(waf.reqHeaders, sMatch) if m then return m, d, true end local m = rgx(urlDecode(requestLine), "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi") if m then return m, requestLine, true end return false |

Shellshock漏洞 {#Shellshock漏洞}

过滤阶段：请求阶段

规则描述：检测对"Shellshock"(CVE-2014-6271和CVE-2014-7169) GNU Bash RCE漏洞的攻击。

规则内容：

|------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local requestLine = waf.requestLine local urlDecode = waf.urlDecode local function rMatch(v) local m = rgx(urlDecode(v), "\$\\s*\$\\s+{", "jos") if m then return m, v end return false end local m, d = kvFilter(waf.reqHeaders, rMatch) if m then return m, d, true end local m, d = rMatch(requestLine) if m then return m, d, true end return false |

远程文件包含 (RFI) {#远程文件包含-RFI}

过滤阶段：请求阶段

规则描述：该规则寻找常见类型的远程文件包含（RFI）攻击方法。 #-PHP"include（）"函数 #-JSP <jsp:include page= 或 <c:import url= #-RFI主机与本地主机不匹配

规则内容：

|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local host = waf.host local counter = waf.strCounter local str_find = string.find local str_sub = string.sub local function rMatch(v) local m = rgx(v, "^(?:url:)?file|ftps?|https?)://(?:[^@]+@)?([^/]+", "joi") if m then local i, j = str_find(v, host, 1, true) if i then if counter(str_sub(v, 1, j), "/") == 2 then return false end end end return m, v end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch) if m then return m, d, true end end return false |

json 命令注入检测 {#json-命令注入检测}

过滤阶段：请求阶段

规则描述：解析请求body中的json内容，并检测命令注入攻击。采用RCE语义检测引擎可以检查各种变形，如：cat$IFS/etc/os-release或c$()at /e??/p???等

规则内容：

|------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | local checkRCE = waf.checkRCE local jsonFilter = waf.jsonFilter local function rMatch(v) local m = checkRCE(v) if m then return m, v end return false end local form = waf.form if form then local m, d = jsonFilter(form["RAW"], rMatch, false, true) if m then return m, d, true end end return false |

常规命令注入检测 {#常规命令注入检测}

过滤阶段：请求阶段

规则描述：检测url、cookie、form中的shell命令注入攻击，采用RCE语义检测引擎可以检查各种变形，如：cat$IFS/etc/os-release或c$()at /e??/p???等

规则内容：

|---------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | local checkRCE = waf.checkRCE local kvFilter = waf.kvFilter local function rMatch(v) local m = checkRCE(v) if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch, true) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch, true) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, rMatch, true) if m then return m, d, true end end return false |

json sql注入检测 {#json-sql注入检测}

过滤阶段：请求阶段

规则描述：解析请求body中的json内容，并检测sql注入攻击。采用SQL语义检测引擎，可以降低误报。

规则内容：

|------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | local checkSQLI = waf.checkSQLI local jsonFilter = waf.jsonFilter local function rMatch(v) local m = checkSQLI(v) if m then return m, v end return false end local form = waf.form if form then local m, d = jsonFilter(form["RAW"], rMatch, false) if m then return m, d, true end end return false |

常规sql注入检测 {#常规sql注入检测}

过滤阶段：请求阶段

规则描述：检测url、cookie、form中的sql注入攻击。采用SQL语义检测引擎，可以降低误报。

规则内容：

|---------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 | local checkSQLI = waf.checkSQLI local kvFilter = waf.kvFilter local function sMatch(v) local m = checkSQLI(v) if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], sMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, sMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, sMatch) if m then return m, d, true end end local m, d = kvFilter(waf.reqHeaders, sMatch) if m then return m, d, true end return false |

Invalid protocol {#Invalid-protocol}

过滤阶段：请求阶段

规则描述：请求header数过多，超过64个。

规则内容：

|-----------------|-----------------------------------------------------------------------------------------------| | 1 2 3 4 | if waf.hErr and waf.hErr=="truncated" then return true,waf.hErr,true end return false |

XXE漏洞 {#XXE漏洞}

过滤阶段：请求阶段

规则描述：XML外部实体注入(XML External Entity)漏洞简称XXE漏洞。当允许引用外部实体时，通过构造恶意内容，可导致读取任意文件、执行系统命令、探测内网端口、攻击内网网站等危害。

规则内容：

|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 | if waf.form and waf.form["RAW"] then local m = waf.rgxMatch(waf.form["RAW"], "<!(?:DOCTYPE|ENTITY)[^>]+?\\bSYSTEM\\b", "jos") if m then return m, waf.form["RAW"], true end end return false |

ImageMagick漏洞 {#ImageMagick漏洞}

过滤阶段：请求阶段

规则描述：ImageMagick是一个功能强大的开源图形处理软件，该漏洞可以执行任意命令和读写文件

规则内容：

|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 | local rgx = waf.rgxMatch local function imgContentMatch(v) local m = rgx(v, "\\bpush\\s+graphic-context\\b|\\<\\s*image\\b", "joi") if m then return m, v end return false end if waf.form then local m, d = waf.knFilter(waf.form["FILES"], imgContentMatch, 0) return m, d, true end return false |

header头漏洞 {#header头漏洞}

过滤阶段：请求阶段

规则描述：httpoxy漏洞可被用来针对CGI环境设置非法代理，从而窃取服务器敏感数据。在CVE-2017-7269（IIS 6.0 WebDAV远程代码执行漏洞）中if和lock_token http头会造成溢出攻击。

规则内容：

|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 | if waf.reqHeaders.proxy ~= nil then return true, "Proxy: " .. waf.reqHeaders.proxy, true end if waf.reqHeaders.lock_token ~= nil then return true, "Lock-Token: " .. waf.reqHeaders.lock_token, true end if waf.reqHeaders["If"] ~= nil then return true, "If: " .. waf.reqHeaders["If"], true end return false |

LDAP Injection {#LDAP-Injection}

过滤阶段：请求阶段

规则描述：拦截LDAP注入攻击

规则内容：

|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local htmlEntityDecode = waf.htmlEntityDecode local function rMatch(v) local m = rgx(htmlEntityDecode(v), "^[^:\$\$\\&\\|\\!\\<\\>\\~]*\\)\\s*(?:\$(?:[^,\\(\$\\=\\&\\|\\!\\<\\>\\~]+[><~]?=|\\s*[&!|]\\s*(?:\\)|\$)?\\s*)|\$\\s*\$\\s*[\\&\\|\\!]\\s*|[&!|]\\s*\\([^\\(\$\\=\\&\\|\\!\\<\\>\\~]+[><~]?=[^:\$\$\\&\\|\\!\\<\\>\\~]*)", "jos") if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, rMatch) if m then return m, d, true end end return false |

HTTP Splitting {#HTTP-Splitting}

过滤阶段：请求阶段

规则描述：此规则检测请求文件名中的\n或\r。

规则内容：

HTTP Header Injection {#HTTP-Header-Injection}

过滤阶段：请求阶段

规则描述：HTTP头注入查找回车符（CR）%0d和换行符（LF）%0a字符，单独或与header字段名称组合使用。如果数据在响应头中返回并由客户端解释，这些字符可能会导致问题。

规则内容：

boundary异常拦截 {#boundary异常拦截}

过滤阶段：请求阶段

规则描述：拦截请求content type头中multipart/form-data的异常boundary，如php在上传解析boundary时没有符合rfc规范，对逗号产生了错误解析。

规则内容：

|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 | local ct = waf.reqContentType if ct then if type(ct) ~= "string" then return true, "Malform Content-Type", true elseif waf.contains(ct, "boundary") and (waf.strCounter(ct, "boundary") > 1 or not waf.rgxMatch(ct, "boundary=[\\w\\-]+$", "jo")) then return true, ct, true end end return false |

asp畸形编码过滤 {#asp畸形编码过滤}

过滤阶段：请求阶段

规则描述：asp中unicode畸形编码会造成waf绕过危害

规则内容：

|-----------------|--------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 | if waf.rgxMatch(waf.reqUri,"%u00(?:aa|ba|d0|de|e2|f0|fe)","i") then return true,waf.reqUri,true end return false |

HTTP Response Splitting {#HTTP-Response-Splitting}

过滤阶段：请求阶段

规则描述：该规则查找回车符（CR）%0d和换行符（LF）%0a字符。如果在响应报头中返回数据，这些字符可能会导致问题，并且可能会被中间代理服务器解释并被视为两个单独的响应。

规则内容：

HTTP Request Smuggling {#HTTP-Request-Smuggling}

过滤阶段：请求阶段

规则描述：此规则查找与单词HTTP/\d或CR/LF字符组合的HTTP/WEBDAV方法名。这将指向试图将第二个请求注入到请求中，从而绕过对主请求执行的测试，如CVE-2019-20372(Nginx<1.17.7 请求走私漏洞)。

规则内容：

|------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local htmlEntityDecode = waf.htmlEntityDecode local function rMatch(v) local m = rgx(htmlEntityDecode(v), "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d", "josi") if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch) if m then return m, d, true end m, d = rMatch(form["RAW"]) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, rMatch) if m then return m, d, true end end return false |

上传文件内容过滤 {#上传文件内容过滤}

过滤阶段：请求阶段

规则描述：过滤上传的文件内容，拦截webshell上传

规则内容：

|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 | local rgx = waf.rgxMatch local function fileContentMatch(v) local m = rgx(v, "<\\?.+?\\$(?:GLOBALS|_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES|SESSION|ENV))|<\\?php|<jsp:|<%(?i:!|\\s*@|.*?\\brequest\\s*(?:\\.|\\())", "jos") if m then return m, v end return false end if waf.form then local m, d = waf.knFilter(waf.form["FILES"], fileContentMatch, 0) return m, d, true end return false |

上传文件名过滤 {#上传文件名过滤}

过滤阶段：请求阶段

规则描述：过滤上传文件名中的网页脚本扩展名，拦截webshell上传

规则内容：

|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | local rgx = waf.rgxMatch local function fileNameMatch(v) local m = rgx(v, "\\.(?:as|cer\\b|cdx|ph|jsp|war|class|exe|ht|env|user\\.ini)|php\\.ini", "joi") if m then return m, v end return false end if waf.form then local m, d = waf.knFilter(waf.form["FILES"], fileNameMatch, 1) return m, d, true end return false |

防持续攻击 {#防持续攻击}

过滤阶段：请求阶段

规则描述：累计攻击超过100次，则在10分钟内拦截该ip访问

规则内容：

|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 | local ib = waf.ipBlock local c = ib:get(waf.ip) if c and c >= 100 then ib:set(waf.ip, c, 600, 1) return true, "ip blocked for continue attack: " .. waf.ip, true end return false |

Invalid protocol {#Invalid-protocol-2}

过滤阶段：请求阶段

规则描述：非法post协议

规则内容：

|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 | if waf.form == nil then if waf.contains(waf.fErr, "content_type") then return true, waf.fErr .. ": " .. waf.reqContentType, true end return true, waf.fErr, true end return false |