D7net
Home
Console
Upload
information
Create File
Create Folder
About
Tools
:
/
proc
/
self
/
root
/
opt
/
bitninja-waf
/
etc
/
crs
/
rules
/
Filename :
REQUEST-930-APPLICATION-ATTACK-LFI.conf
back
Copy
# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.0.2 # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:930011,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:930012,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" # # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) # # # -=[ Directory Traversal Attacks ]=- # # Ref: https://github.com/wireghoul/dotdotpwn # # [ Encoded /../ Payloads ] # SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \ "phase:request,\ msg:'Path Traversal Attack (/../)',\ id:930100,\ ver:'OWASP_CRS/3.0.0',\ rev:'3',\ maturity:'9',\ accuracy:'7',\ t:none,\ block,\ severity:CRITICAL,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-lfi',\ tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'" # # [ Decoded /../ Payloads ] # SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \ "phase:request,\ msg:'Path Traversal Attack (/../)',\ id:930110,\ ver:'OWASP_CRS/3.0.0',\ rev:'1',\ maturity:'9',\ accuracy:'7',\ multiMatch,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\ block,\ severity:CRITICAL,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-lfi',\ tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'" # # -=[ OS File Access ]=- # # Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \ "phase:request,\ msg:'OS File Access Attempt',\ rev:'4',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\ block,\ id:930120,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-lfi',\ tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\ tag:'WASCTC/WASC-33',\ tag:'OWASP_TOP_10/A4',\ tag:'PCI/6.5.4',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',chain" SecRule &IP:wp_admin_in "@eq 0" "chain,t:none" SecRule &TX:BN_CPANEL_CALL "@eq 0" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ Restricted File Access ]=- # # Detects attempts to retrieve application source code, metadata, # credentials and version control history possibly reachable in a web root. # SecRule REQUEST_FILENAME "@pmf restricted-files.data" \ "phase:request,\ msg:'Restricted File Access Attempt',\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'7',\ accuracy:'8',\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\ block,\ id:930130,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-lfi',\ tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\ tag:'WASCTC/WASC-33',\ tag:'OWASP_TOP_10/A4',\ tag:'PCI/6.5.4',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:930013,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:930014,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" # # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) # SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:930015,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:930016,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" # # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) # SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:930017,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:930018,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" # # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"