没有所谓的捷径
一切都是时间最平凡的累积

nginx服务器WAF Naxsi拦截请求问题分析

本文最后更新:2023年5月25日,已超过509天未更新,如果文章内容失效,请留言反馈本站。

先来看一个例子,请求URL是:

http://xxx.xxx.com/api.php?a=mode&host=MTI3LjAuMC4x&version=2.1.6&time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94

为什么会被拦截?

我们通过nginx的error日志搜索对应url

[error] 28583#28583: *603145128 NAXSI_FMT: ip=192.168.1.100&server=xxx.xxx.com&uri=/api.php&learning=0&vers=0.55&total_processed=3179630
&total_blocked=179048&block=1&cscore0=$SQL&score0=9&zone0=ARGS|NAME&id0=1011&var_name0=host&zone1=ARGS|NAME&id1=1011&var_name1=time&zone2=
ARGS|NAME&id2=1011&var_name2=ip, client: 192.168.1.100, server: localhost, request: "GET /api.php?a=mode&host=MTI3LjAuMC4x&version=2.1.6&
time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94 HTTP/1.1", host: "xxx.xxx.com"

参数说明:
ip: 访问者IP地址
server: 服务名称,这里为nginx的location
uri: 请求地址
learning: (0/1)(学习模式是否开启)
vers: naxsi版本
total_processed: nginx工作进程
total_blocked: naxsi拦截进程
block: 0/1 是否拦截
cscoreN : 命名分数标签
scoreN : 得分(每一项naxsi规则都有对应的得分)
zoneN: 规则匹配发生的区域,包括arg|body|head
idN: 匹配的拦截规则号
var_nameN: 拦截规则匹配时的参数名

现在我们来看下WAF里面配置的规则:

##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;
##################################
## SQL Injections IDs:1000-1099 ##
##1000 getfilter
##1001 postfilter
##1002 cookiefilter
##1003 agent
##################################
MainRule "rx:\<.+javascript:window\[.{1}\\x|<.*=(&#\d+?;?)+?>|<.*(data|src)=data:text\/html.*>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\()|<[a-z]+?\b[^>]*?\bon([a-z]{4,})\s*?=|^\+\/v(8|9)|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|\/\*.*\*\/|<\s*script\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:getfilter" "mz:ARGS" "s:$SQL:8" id:1000;
MainRule "rx:\b(sleep\s*?\(.*\)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\()|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:postfilter" "mz:BODY" "s:$SQL:8" id:1001;
MainRule "rx:benchmark\s*?\(.*\)|sleep\s*?\(.*\)|load_file\s*?\(|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|\/\*.*\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:cookiefilter" "mz:$HEADERS_VAR:Cookie" "s:$SQL:8" id:1002;
MainRule "rx:YunGuanCe|MJ12bot|AhrefsBot|SemrushBot|DotBot|boryouSpider|DoCoMo|^oBot|^ApacheBench|ddos|pingback|crawler|BUbiNG|misc\.yahoo\.com\.cn|scrapy|Adsbot\/|BaiduSpider$|YisouSpider$" "msg:scanner" "mz:$HEADERS_VAR:User-Agent" "s:$SQL:8" id:1003;
MainRule "rx:\/\*.*\*\/" "msg:asp" "mz:ARGS|URL" "s:$SQL:8" id:1007;
MainRule "str:/etc/passwd" "msg:path" "mz:ARGS|URL" "s:$SQL:8" id:1008;
MainRule "str:c:\\windows" "msg:path" "mz:ARGS|URL" "s:$SQL:8" id:1009;
MainRule "str:cmd.exe" "msg:path" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1010;
MainRule "rx:^port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$" "msg:ddos" "mz:ARGS|NAME" "s:$SQL:3" id:1011;
MainRule "rx:mjdu|psbt|time_e" "msg:ddos" "mz:ARGS" "s:$SQL:3" id:1012;
MainRule "rx:maxwell\/|\/Home\/Lib\/Action\/.*|\/sam\.asp$" "msg:ddos" "mz:ARGS|URL" "s:$SQL:8" id:1013;
MainRule "str:pingback.ping" "msg:wp-ddos" "mz:BODY" "s:$SQL:8" id:1014;
MainRule "rx:Y21kJ10pOw==|base64_decode\(|Remote_server|72C24DD5-D70A-438B-8A42-98424B88AFB8|13709620-C279-11CE-A49E-444553540000|F935DC26-1CF0-11D0-ADB9-00C04FD58A0B|php eval\(\$_POST|h\"\"&\"\"|bjijtyuumyummktyt865ue56yg56kmyjnkj67ti|v5031e998|round\(\$packets\/\$exec_time|<\%eval request\(|\$oooo0o00o0o0o0o0o0o0o00000o0o0o0o0o0oo0o0o0o0o0oo0|\$max_time = time\(\)+\$exec_time|\$max_time = $time+\$exec_time|\$max=\(\$size-1\)\*\$size|\$g_aFromSurnames|WebKiller|\[\'mjdu\'\]|BFDDCFECADF|1393052144|play = request\(|then:execute\(e\)|Execute\(strAespCode\)|edocpsa=iMaiJ\^txen|by\*aming|\&StrReverse\(Request\(\"|execute GetHTml|Siliemor Shell|csseojc=ok|execute\(unescape\(temp\)\)|Thanks Snailsor|Response.Write\(eval\(Request.Item|Vipreg=20132165414621325641311254123112512|cGZzb2Nrb3Blbg==|\$_POST\[\'g\'.\'u\'.\'i\'.\'g\'.\'e\'\]|ASPXSpy|assert\(\$_POST\[|\$B_10=string|MTympT1urI9ypaWipaZ|post_mch\(\$sds,\$stat,\$rel|str_ireplace\(\"123\",\"123\"|5459q3057o8s1o01qp782|\\x67i\\x65q\\x68\\x6ai\\x79e\\x6a\\x72g|str_replace\( \"\{link5\}\", \"<a href=|\$Content_mb|aQ0o010o|\$_unitFloor = 3|\$Branch_directory" "msg:shellcode" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1015;
MainRule "rx:\.ph|\.asp" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$SQL:8" id:1016;
MainRule "rx:@eval\(" "msg:attcode" "mz:BODY" "s:$SQL:8" id:1017;
MainRule "rx:(php|asp)#" "msg:phpcms" "mz:$BODY_VAR_X:info\[content\]|$URL_X:index\.php" "s:$SQL:8" id:1018;
MainRule "str:select" "msg:phpcms" "mz:$BODY_VAR_X:password|$URL_X:index\.php" "s:$SQL:8" id:1019;
MainRule "rx:(asp|php);|^/(?!.*_mssql/).*\.(bak)|^/((?!cgi-bin/).)*\.(pl|cgi)$|\.(asp|aspx)\/.*\.(?!htm|asp|aspx)|^/(?!.*/).*\.(rar|zip|gz|tar|7z)|^/\.(?!well-known)|^/(src)/.*\.(php|asp)|20202019\.php" "msg:url" "mz:URL" "s:$SQL:8" id:1020;
MainRule "rx:\.(exe|com|bat)$" "msg:exe file upload!" "mz:FILE_EXT" "s:$SQL:8" id:1021;

根据错误日志中记录的idN(id0=1011)找到这条规则

匹配模式:内容(正则表达式) 描述 匹配区域 评分 规则id
MainRule "rx:^port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$" "msg:ddos" "mz:ARGS|NAME" "s:$SQL:3" id:1011;

1. MainRule

MainRule:定义检测规则和分数
BasicRule:定义MainRule的白名单(whitelist.rules)
CheckRule:定义当分数达到阀值时所采取的动作(site.rules中定义了)

#LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK

意思是得分超过8分就进行拦截

2.”rx:” 匹配模式

str:字符串
rx:正则表达式
d:libinj_xss:libinjection检测为xss
d:libinj_sql:libinjection检测为sql注入

3.”$port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$” 为正则表达式

4.”msg:ddos” 为描述,仅用于描述规则,不会有其他动作

5.”mz:ARGS|NAME” 匹配区域

ARGS: GET args 参数
HEADERS:HTTP Headers
BODY: POST args (和 RAW_BODY)
URL:在?之前的URL

6.”s:$SQL:3” 定义cscore0标签,可以理解成变量名,匹配到一次就得3分

7.id:1011 匹配的拦截规则号定义为1011

再来看看error日志中记录
&var_name0=host&zone1=ARGS|NAME&id1=1011&var_name1=time&zone2=ARGS|NAME&id2=1011&var_name2=ip
实际访问的url
api.php a=mode&host=MTI3LjAuMC4x&version=2.1.6&time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94
第一次匹配到了参数host, 得分3分
第二次匹配到了参数time, 得分3分
第三次匹配到了参数ip, 得分3分
总共得分9分,也就是error日志中的:score0=9
CheckRule中定义了大于8分就进行拦截 CheckRule “$SQL >= 8” BLOCK
所以出现了文章开头的WAF拦截提示

怎么解决这种拦截问题?

修改为post方式提交数据即可,或者更改参数名称

更多关于naxsi介绍参看https://github.com/nbs-system/naxsi/wiki

» 站长码字辛苦,有用点个赞吧,也可以打个
» 若转载请保留本文转自:豫章小站 » 《nginx服务器WAF Naxsi拦截请求问题分析》
» 本文链接地址:https://blog.mydns.vip/4688.html
» 如果喜欢可以: 点此订阅本站 有需要帮助,可以联系小站
赞(0) 打赏
声明:本站发布的内容(图片、视频和文字)以原创、转载和分享网络内容为主,若涉及侵权请及时告知,将会在第一时间删除,联系邮箱:contact@mydns.vip。文章观点不代表本站立场。本站原创内容未经允许不得转载,或转载时需注明出处:豫章小站 » nginx服务器WAF Naxsi拦截请求问题分析
分享到: 更多 (0)

评论 抢沙发


  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

智慧源于勤奋,伟大出自平凡

没有所谓的捷径,一切都是时间最平凡的累积,今天所做的努力都是在为明天积蓄力量

联系我们赞助我们

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏