nginx服务器WAF Naxsi拦截请求问题分析

先来看一个例子，请求URL是：

http://xxx.xxx.com/api.php?a=mode&host=MTI3LjAuMC4x&version=2.1.6&time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94

为什么会被拦截?

我们通过nginx的error日志搜索对应url

[error] 28583#28583: *603145128 NAXSI_FMT: ip=192.168.1.100&server=xxx.xxx.com&uri=/api.php&learning=0&vers=0.55&total_processed=3179630
&total_blocked=179048&block=1&cscore0=$SQL&score0=9&zone0=ARGS|NAME&id0=1011&var_name0=host&zone1=ARGS|NAME&id1=1011&var_name1=time&zone2=
ARGS|NAME&id2=1011&var_name2=ip, client: 192.168.1.100, server: localhost, request: "GET /api.php?a=mode&host=MTI3LjAuMC4x&version=2.1.6&
time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94 HTTP/1.1", host: "xxx.xxx.com"

参数说明：
ip: 访问者IP地址
server: 服务名称，这里为nginx的location
uri: 请求地址
learning: (0/1)(学习模式是否开启)
vers: naxsi版本
total_processed: nginx工作进程
total_blocked: naxsi拦截进程
block: 0/1 是否拦截
cscoreN : 命名分数标签
scoreN : 得分(每一项naxsi规则都有对应的得分)
zoneN: 规则匹配发生的区域,包括arg|body|head
idN: 匹配的拦截规则号
var_nameN: 拦截规则匹配时的参数名

现在我们来看下WAF里面配置的规则：

##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;
##################################
## SQL Injections IDs:1000-1099 ##
##1000 getfilter
##1001 postfilter
##1002 cookiefilter
##1003 agent
##################################
MainRule "rx:\<.+javascript:window\[.{1}\\x|<.*=(&#\d+?;?)+?>|<.*(data|src)=data:text\/html.*>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\()|<[a-z]+?\b[^>]*?\bon([a-z]{4,})\s*?=|^\+\/v(8|9)|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|\/\*.*\*\/|<\s*script\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:getfilter" "mz:ARGS" "s:$SQL:8" id:1000;
MainRule "rx:\b(sleep\s*?\(.*\)|\b(group_)?concat[\s\/\*]*?\([^\)]+?\)|\bcase[\s\/\*]*?when[\s\/\*]*?\([^\)]+?\)|load_file\s*?\()|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:postfilter" "mz:BODY" "s:$SQL:8" id:1001;
MainRule "rx:benchmark\s*?\(.*\)|sleep\s*?\(.*\)|load_file\s*?\(|\b(and|or)\b\s*?([\(\)'\"\d]+?=[\(\)'\"\d]+?|[\(\)'\"a-zA-Z]+?=[\(\)'\"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?\(|\blike\b\s+?[\"'])|\/\*.*\*\/|<\s*script\b|\bEXEC\b|UNION.+?SELECT\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)|UPDATE\s*(\(.+\)\s*|@{1,2}.+?\s*|\s+?.+?|(`|'|\").*?(`|'|\")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\(.+\)|\s+?.+?\s+?|(`|'|\").*?(`|'|\"))FROM(\(.+\)|\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)" "msg:cookiefilter" "mz:$HEADERS_VAR:Cookie" "s:$SQL:8" id:1002;
MainRule "rx:YunGuanCe|MJ12bot|AhrefsBot|SemrushBot|DotBot|boryouSpider|DoCoMo|^oBot|^ApacheBench|ddos|pingback|crawler|BUbiNG|misc\.yahoo\.com\.cn|scrapy|Adsbot\/|BaiduSpider$|YisouSpider$" "msg:scanner" "mz:$HEADERS_VAR:User-Agent" "s:$SQL:8" id:1003;
MainRule "rx:\/\*.*\*\/" "msg:asp" "mz:ARGS|URL" "s:$SQL:8" id:1007;
MainRule "str:/etc/passwd" "msg:path" "mz:ARGS|URL" "s:$SQL:8" id:1008;
MainRule "str:c:\\windows" "msg:path" "mz:ARGS|URL" "s:$SQL:8" id:1009;
MainRule "str:cmd.exe" "msg:path" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1010;
MainRule "rx:^port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$" "msg:ddos" "mz:ARGS|NAME" "s:$SQL:3" id:1011;
MainRule "rx:mjdu|psbt|time_e" "msg:ddos" "mz:ARGS" "s:$SQL:3" id:1012;
MainRule "rx:maxwell\/|\/Home\/Lib\/Action\/.*|\/sam\.asp$" "msg:ddos" "mz:ARGS|URL" "s:$SQL:8" id:1013;
MainRule "str:pingback.ping" "msg:wp-ddos" "mz:BODY" "s:$SQL:8" id:1014;
MainRule "rx:Y21kJ10pOw==|base64_decode\(|Remote_server|72C24DD5-D70A-438B-8A42-98424B88AFB8|13709620-C279-11CE-A49E-444553540000|F935DC26-1CF0-11D0-ADB9-00C04FD58A0B|php eval\(\$_POST|h\"\"&\"\"|bjijtyuumyummktyt865ue56yg56kmyjnkj67ti|v5031e998|round\(\$packets\/\$exec_time|<\%eval request\(|\$oooo0o00o0o0o0o0o0o0o00000o0o0o0o0o0oo0o0o0o0o0oo0|\$max_time = time\(\)+\$exec_time|\$max_time = $time+\$exec_time|\$max=\(\$size-1\)\*\$size|\$g_aFromSurnames|WebKiller|\[\'mjdu\'\]|BFDDCFECADF|1393052144|play = request\(|then:execute\(e\)|Execute\(strAespCode\)|edocpsa=iMaiJ\^txen|by\*aming|\&StrReverse\(Request\(\"|execute GetHTml|Siliemor Shell|csseojc=ok|execute\(unescape\(temp\)\)|Thanks Snailsor|Response.Write\(eval\(Request.Item|Vipreg=20132165414621325641311254123112512|cGZzb2Nrb3Blbg==|\$_POST\[\'g\'.\'u\'.\'i\'.\'g\'.\'e\'\]|ASPXSpy|assert\(\$_POST\[|\$B_10=string|MTympT1urI9ypaWipaZ|post_mch\(\$sds,\$stat,\$rel|str_ireplace\(\"123\",\"123\"|5459q3057o8s1o01qp782|\\x67i\\x65q\\x68\\x6ai\\x79e\\x6a\\x72g|str_replace\( \"\{link5\}\", \"<a href=|\$Content_mb|aQ0o010o|\$_unitFloor = 3|\$Branch_directory" "msg:shellcode" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1015;
MainRule "rx:\.ph|\.asp" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$SQL:8" id:1016;
MainRule "rx:@eval\(" "msg:attcode" "mz:BODY" "s:$SQL:8" id:1017;
MainRule "rx:(php|asp)#" "msg:phpcms" "mz:$BODY_VAR_X:info\[content\]|$URL_X:index\.php" "s:$SQL:8" id:1018;
MainRule "str:select" "msg:phpcms" "mz:$BODY_VAR_X:password|$URL_X:index\.php" "s:$SQL:8" id:1019;
MainRule "rx:(asp|php);|^/(?!.*_mssql/).*\.(bak)|^/((?!cgi-bin/).)*\.(pl|cgi)$|\.(asp|aspx)\/.*\.(?!htm|asp|aspx)|^/(?!.*/).*\.(rar|zip|gz|tar|7z)|^/\.(?!well-known)|^/(src)/.*\.(php|asp)|20202019\.php" "msg:url" "mz:URL" "s:$SQL:8" id:1020;
MainRule "rx:\.(exe|com|bat)$" "msg:exe file upload!" "mz:FILE_EXT" "s:$SQL:8" id:1021;

根据错误日志中记录的idN(id0=1011)找到这条规则

匹配模式:内容(正则表达式) 描述 匹配区域 评分 规则id
MainRule "rx:^port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$" "msg:ddos" "mz:ARGS|NAME" "s:$SQL:3" id:1011;

1. MainRule

MainRule：定义检测规则和分数
BasicRule：定义MainRule的白名单(whitelist.rules)
CheckRule：定义当分数达到阀值时所采取的动作(site.rules中定义了)

#LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK

意思是得分超过8分就进行拦截

2.”rx:” 匹配模式

str：字符串
rx：正则表达式
d:libinj_xss：libinjection检测为xss
d:libinj_sql：libinjection检测为sql注入

3.”$port$|^host$|^exit$|^time$|^ip$|^ho$|^eh$|^ma$” 为正则表达式

4.”msg:ddos” 为描述，仅用于描述规则，不会有其他动作

5.”mz:ARGS|NAME” 匹配区域

ARGS: GET args 参数
HEADERS：HTTP Headers
BODY： POST args (和 RAW_BODY)
URL：在?之前的URL

6.”s:$SQL:3” 定义cscore0标签,可以理解成变量名,匹配到一次就得3分

7.id:1011 匹配的拦截规则号定义为1011

再来看看error日志中记录
&var_name0=host&zone1=ARGS|NAME&id1=1011&var_name1=time&zone2=ARGS|NAME&id2=1011&var_name2=ip
实际访问的url
api.php a=mode&host=MTI3LjAuMC4x&version=2.1.6&time=1598768735&web=Chrome&ip=127.0.0.1&randkey=ynikvux&xinhukey=c2f8b1ba&authorkey=we0me03&aukey=rock20202&sysnum=2acc94
第一次匹配到了参数host, 得分3分
第二次匹配到了参数time, 得分3分
第三次匹配到了参数ip, 得分3分
总共得分9分,也就是error日志中的:score0=9
CheckRule中定义了大于8分就进行拦截 CheckRule “$SQL >= 8” BLOCK
所以出现了文章开头的WAF拦截提示

怎么解决这种拦截问题?

修改为post方式提交数据即可,或者更改参数名称

更多关于naxsi介绍参看https://github.com/nbs-system/naxsi/wiki

» 站长码字辛苦，有用点个赞吧，也可以打个赏
» 若转载请保留本文转自：豫章小站 » 《nginx服务器WAF Naxsi拦截请求问题分析》

» 本文链接地址：https://blog.mydns.vip/4688.html

» 如果喜欢可以： 点此订阅本站 有需要帮助，可以联系小站