先来看一个例子,请求URL是:
http://xxx.xxx.com/api.php?a=mode&host=MTI3LjAuMC4x&version=2.1.6&time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94
为什么会被拦截?
我们通过nginx的error日志搜索对应url
[error] 28583#28583: *603145128 NAXSI_FMT: ip=192.168.1.100&server=xxx.xxx.com&uri=/api.php&learning=0&vers=0.55&total_processed=3179630 &total_blocked=179048&block=1&cscore0=$SQL&score0=9&zone0=ARGS|NAME&id0=1011&var_name0=host&zone1=ARGS|NAME&id1=1011&var_name1=time&zone2= ARGS|NAME&id2=1011&var_name2=ip, client: 192.168.1.100, server: localhost, request: "GET /api.php?a=mode&host=MTI3LjAuMC4x&version=2.1.6& time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94 HTTP/1.1", host: "xxx.xxx.com"
参数说明:
ip: 访问者IP地址
server: 服务名称,这里为nginx的location
uri: 请求地址
learning: (0/1)(学习模式是否开启)
vers: naxsi版本
total_processed: nginx工作进程
total_blocked: naxsi拦截进程
block: 0/1 是否拦截
cscoreN : 命名分数标签
scoreN : 得分(每一项naxsi规则都有对应的得分)
zoneN: 规则匹配发生的区域,包括arg|body|head
idN: 匹配的拦截规则号
var_nameN: 拦截规则匹配时的参数名
现在我们来看下WAF里面配置的规则:
################################## ## INTERNAL RULES IDS:1-999 ## ################################## #@MainRule "msg:weird request, unable to parse" id:1; #@MainRule "msg:request too big, stored on disk and not parsed" id:2; #@MainRule "msg:invalid hex encoding, null bytes" id:10; #@MainRule "msg:unknown content-type" id:11; #@MainRule "msg:invalid formatted url" id:12; #@MainRule "msg:invalid POST format" id:13; #@MainRule "msg:invalid POST boundary" id:14; #@MainRule "msg:invalid JSON" id:15; #@MainRule "msg:empty POST" id:16; #@MainRule "msg:libinjection_sql" id:17; #@MainRule "msg:libinjection_xss" id:18; ################################## ## SQL Injections IDs:1000-1099 ## ##1000 getfilter ##1001 postfilter ##1002 cookiefilter ##1003 agent ################################## MainRule "rx:\<.+javascript:window\[.{1}\\x|<.*=(&#\d+?;?)+?>|<.*(data|src)=data:text\/html.*>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\()|<[a-z]+?\b[^>]*?\bon([a-z]{4,})\s*?=|^\+\/v(8|9)|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|\/\*.*\*\/|<\s*script\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:getfilter" "mz:ARGS" "s:$SQL:8" id:1000; MainRule "rx:\b(sleep\s*?\(.*\)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\()|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:postfilter" "mz:BODY" "s:$SQL:8" id:1001; MainRule "rx:benchmark\s*?\(.*\)|sleep\s*?\(.*\)|load_file\s*?\(|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|\/\*.*\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:cookiefilter" "mz:$HEADERS_VAR:Cookie" "s:$SQL:8" id:1002; MainRule "rx:YunGuanCe|MJ12bot|AhrefsBot|SemrushBot|DotBot|boryouSpider|DoCoMo|^oBot|^ApacheBench|ddos|pingback|crawler|BUbiNG|misc\.yahoo\.com\.cn|scrapy|Adsbot\/|BaiduSpider$|YisouSpider$" "msg:scanner" "mz:$HEADERS_VAR:User-Agent" "s:$SQL:8" id:1003; MainRule "rx:\/\*.*\*\/" "msg:asp" "mz:ARGS|URL" "s:$SQL:8" id:1007; MainRule "str:/etc/passwd" "msg:path" "mz:ARGS|URL" "s:$SQL:8" id:1008; MainRule "str:c:\\windows" "msg:path" "mz:ARGS|URL" "s:$SQL:8" id:1009; MainRule "str:cmd.exe" "msg:path" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1010; MainRule "rx:^port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$" "msg:ddos" "mz:ARGS|NAME" "s:$SQL:3" id:1011; MainRule "rx:mjdu|psbt|time_e" "msg:ddos" "mz:ARGS" "s:$SQL:3" id:1012; MainRule "rx:maxwell\/|\/Home\/Lib\/Action\/.*|\/sam\.asp$" "msg:ddos" "mz:ARGS|URL" "s:$SQL:8" id:1013; MainRule "str:pingback.ping" "msg:wp-ddos" "mz:BODY" "s:$SQL:8" id:1014; MainRule "rx:Y21kJ10pOw==|base64_decode\(|Remote_server|72C24DD5-D70A-438B-8A42-98424B88AFB8|13709620-C279-11CE-A49E-444553540000|F935DC26-1CF0-11D0-ADB9-00C04FD58A0B|php eval\(\$_POST|h\"\"&\"\"|bjijtyuumyummktyt865ue56yg56kmyjnkj67ti|v5031e998|round\(\$packets\/\$exec_time|<\%eval request\(|\$oooo0o00o0o0o0o0o0o0o00000o0o0o0o0o0oo0o0o0o0o0oo0|\$max_time = time\(\)+\$exec_time|\$max_time = $time+\$exec_time|\$max=\(\$size-1\)\*\$size|\$g_aFromSurnames|WebKiller|\[\'mjdu\'\]|BFDDCFECADF|1393052144|play = request\(|then:execute\(e\)|Execute\(strAespCode\)|edocpsa=iMaiJ\^txen|by\*aming|\&StrReverse\(Request\(\"|execute GetHTml|Siliemor Shell|csseojc=ok|execute\(unescape\(temp\)\)|Thanks Snailsor|Response.Write\(eval\(Request.Item|Vipreg=20132165414621325641311254123112512|cGZzb2Nrb3Blbg==|\$_POST\[\'g\'.\'u\'.\'i\'.\'g\'.\'e\'\]|ASPXSpy|assert\(\$_POST\[|\$B_10=string|MTympT1urI9ypaWipaZ|post_mch\(\$sds,\$stat,\$rel|str_ireplace\(\"123\",\"123\"|5459q3057o8s1o01qp782|\\x67i\\x65q\\x68\\x6ai\\x79e\\x6a\\x72g|str_replace\( \"\{link5\}\", \"<a href=|\$Content_mb|aQ0o010o|\$_unitFloor = 3|\$Branch_directory" "msg:shellcode" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1015; MainRule "rx:\.ph|\.asp" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$SQL:8" id:1016; MainRule "rx:@eval\(" "msg:attcode" "mz:BODY" "s:$SQL:8" id:1017; MainRule "rx:(php|asp)#" "msg:phpcms" "mz:$BODY_VAR_X:info\[content\]|$URL_X:index\.php" "s:$SQL:8" id:1018; MainRule "str:select" "msg:phpcms" "mz:$BODY_VAR_X:password|$URL_X:index\.php" "s:$SQL:8" id:1019; MainRule "rx:(asp|php);|^/(?!.*_mssql/).*\.(bak)|^/((?!cgi-bin/).)*\.(pl|cgi)$|\.(asp|aspx)\/.*\.(?!htm|asp|aspx)|^/(?!.*/).*\.(rar|zip|gz|tar|7z)|^/\.(?!well-known)|^/(src)/.*\.(php|asp)|20202019\.php" "msg:url" "mz:URL" "s:$SQL:8" id:1020; MainRule "rx:\.(exe|com|bat)$" "msg:exe file upload!" "mz:FILE_EXT" "s:$SQL:8" id:1021;
根据错误日志中记录的idN(id0=1011)找到这条规则
匹配模式:内容(正则表达式) 描述 匹配区域 评分 规则id MainRule "rx:^port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$" "msg:ddos" "mz:ARGS|NAME" "s:$SQL:3" id:1011;
1. MainRule
MainRule:定义检测规则和分数
BasicRule:定义MainRule的白名单(whitelist.rules)
CheckRule:定义当分数达到阀值时所采取的动作(site.rules中定义了)
#LearningMode; #Enables learning mode SecRulesEnabled; #SecRulesDisabled; DeniedUrl "/RequestDenied"; ## check rules CheckRule "$SQL >= 8" BLOCK
意思是得分超过8分就进行拦截
2.”rx:” 匹配模式
str:字符串
rx:正则表达式
d:libinj_xss:libinjection检测为xss
d:libinj_sql:libinjection检测为sql注入
3.”$port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$” 为正则表达式
4.”msg:ddos” 为描述,仅用于描述规则,不会有其他动作
5.”mz:ARGS|NAME” 匹配区域
ARGS: GET args 参数
HEADERS:HTTP Headers
BODY: POST args (和 RAW_BODY)
URL:在?之前的URL
6.”s:$SQL:3” 定义cscore0标签,可以理解成变量名,匹配到一次就得3分
7.id:1011 匹配的拦截规则号定义为1011
再来看看error日志中记录
&var_name0=host&zone1=ARGS|NAME&id1=1011&var_name1=time&zone2=ARGS|NAME&id2=1011&var_name2=ip
实际访问的url
api.php a=mode&host=MTI3LjAuMC4x&version=2.1.6&time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94
第一次匹配到了参数host, 得分3分
第二次匹配到了参数time, 得分3分
第三次匹配到了参数ip, 得分3分
总共得分9分,也就是error日志中的:score0=9
CheckRule中定义了大于8分就进行拦截 CheckRule “$SQL >= 8” BLOCK
所以出现了文章开头的WAF拦截提示
怎么解决这种拦截问题?
修改为post方式提交数据即可,或者更改参数名称
更多关于naxsi介绍参看https://github.com/nbs-system/naxsi/wiki
» 本文链接地址:https://blog.mydns.vip/4688.html
最新评论
麻烦发下检测工具
让我下载
非常好