//此套WAF防護正則表達式規(guī)則來源于ShareWAF（http://www.sharewaf.com/）
//測試方法建議：請依下方測試使用的test語句進行，根據(jù)true、false，可知是否能識別出***并記錄到數(shù)據(jù)庫

創(chuàng)新互聯(lián)公司專業(yè)為企業(yè)提供懷仁網(wǎng)站建設(shè)、懷仁做網(wǎng)站、懷仁網(wǎng)站設(shè)計、懷仁網(wǎng)站制作等企業(yè)網(wǎng)站建設(shè)、網(wǎng)頁設(shè)計與制作、懷仁企業(yè)網(wǎng)站模板建站服務(wù)，十余年懷仁做網(wǎng)站經(jīng)驗，不只是建網(wǎng)站，更提供有價值的思路和整體網(wǎng)絡(luò)服務(wù)。

var regexp_debug = 0;
exports.anti_sqlinj_rule =[
? ?// /select|update|delete|truncate|join|union|exec|insert|drop|count|Sp_sqlexec|order by|’|"|>| ? ?/select.+(from|limit)/,
? ?/(?:(union(.*?)select))/,
? ?// /having|rongjitest/,
? ?/sleep\((\s*)(\d*)(\s*)\)/,
? ?/group\s+by.+\(/,
? ?/(?:from\W+information_schema\W)/,
? ?/(?:(?:current_)user|database|schema|connection_id)\s*\(/,

//新增
? ?/\s*or\s+.*=.*/i,
? ?/order\s+by\s+.*--$/i
];

if( regexp_debug == 1) {
? ? ///select|update|delete|truncate|join|union|exec|insert|drop|count|Sp_sqlexec|order ?by|’|"|>| ? ?//不區(qū)分大小寫的字符串匹配，留給影衛(wèi)字符匹配，這里不使用

//.匹配除“\n”之外的任何單個字符
? ?//含意：匹配select from或select limit語句
? ?//注意：區(qū)分大小寫，如要取消大小寫區(qū)分，加：/i

? ?//新增，匹配' or 1=1 –，規(guī)則：/空格出現(xiàn)或不出現(xiàn) or 空格出現(xiàn)1次或多次 任何字符不限次數(shù) = 任意字符不限次數(shù)
? ?console.log( /\s*or\s+.*=.*/i.test("'or 1=1") ); //true
? ?console.log( /\s*or\s+.*=.*/i.test("'or 1!=2") ); //true
? ?console.log( /\s*or\s+.*=.*/i.test("'or 'a'='a'") ); //true
? ?console.log( /\s*or\s+.*=.*/i.test("'or'a'='a'") ); //false
? ?console.log( /\s*or\s+.*=.*/i.test("'or1=1") ); //false

? ?//新增，匹配：order by 1 --
? ?console.log( /order\s+by\s+.*--$/i.test("order by 1 --") ); //true
? ?console.log( /order\s+by\s+.*--$/i.test("order ? by 2 ?--") ); //true
? ?console.log( /order\s+by\s+.*--$/i.test("order BY 3 --") ); //true

console.log( /select.+(from|limit)/.test("select * from abc") ); //true
? ?console.log( /select.+(from|limit)/.test("select top 10 * from abc") ); //true
? ?console.log( /select.+(from|limit)/.test("select top 10") ); //false
? ?console.log( /select.+(from|limit)/.test("Select top 10 from") ); //false

//(?:X)：僅分組
? ?//.：任意字符號
? ?//X*?：字符出現(xiàn)0次或多次
? ?//(.*)：任意字符出現(xiàn)0次或多次
? ?//含意：匹配union select語法
? ?//注意：區(qū)分大小寫，如要取消大小寫區(qū)分，加：/i
? ?console.log( /(?:(union(.*?)select))/.test("union select 1,2,3 from") ); //true
? ?console.log( /(?:(union(.*?)select))/.test("UNION select 1,2,3 from") ); //false
? ?console.log( /(?:(union(.*?)select))/.test("abc union abc select 1,2,3 from") ); //true
? ?console.log( /(?:(union(.*?)select))/.test("abc union /* */ select 1,2,3 from") ); //true
? ?console.log( /(?:(union(.*?)select))/.test("abc union /* */") ); //false
? ?console.log( /(?:(union(.*?)select))/.test("select col from table union all select col2 from table2") ); //true
? ?//對這條語法存疑，寫的可能有問題，下面一行的測試說明：(?:)（僅分組，不記錄分組序號，也不捕獲該匹配）是無意義的
? ?console.log( /union(.*?)select/.test("abc union /* */ select 1,2,3 from"),"test" ); //true

//\s ：空白字符
? ?//\s* ：空白字符出現(xiàn)0次或多次（出現(xiàn)或不出現(xiàn)）
? ?//\d：數(shù)字
? ?//\d*：任意數(shù)字出現(xiàn)0次或多次
? ?//含意：匹配sleep(數(shù)字)函數(shù)，括號里可以有任何空白字符
? ?//注意：區(qū)分大小寫，如要取消大小寫區(qū)分，加：/i
? ?console.log( /sleep\((\s*)(\d*)(\s*)\)/.test("sleep(1)") ); //true
? ?console.log( /sleep\((\s*)(\d*)(\s*)\)/.test("sleep( ? 1 )") ); //true
? ?console.log( /sleep\((\s*)(\d*)(\s*)\)/.test("sleep('abc')") ); //false
? ?console.log( /sleep\((\s*)(\d*)(\s*)\)/.test("sleep(' abc')") ); //false
? ?console.log( /sleep\((\s*)(\d*)(\s*)\)/.test("SLEEP(1)") ); //false
? ?//加i，不區(qū)分大小寫
? ?console.log( /sleep\((\s*)(\d*)(\s*)\)/i.test("SLEEP(1)"),"test2" ); //true

//\s ：空白字符
? ?//.：任意字符號
? ?//含意：匹配group by語法
? ?//注意：區(qū)分大小寫，如要取消大小寫區(qū)分，加：/i
? ?//不確定：這條規(guī)則可能有誤，不應(yīng)該有（符號，group by語句沒有（
? ?console.log( /group\s+by.+\(/.test("group by id(") ); //true
? ?console.log( /group\s+by.+\(/.test("group by id") ); //false

//information_schema：MySQL自帶數(shù)據(jù)庫
? ?//\W:不能構(gòu)成單詞的字符，等價于[^A-Za-z0-9_]
? ?//(?:X)僅分組
? ?console.log( /(?:from\W+information_schema\W)/.test("select TABLES from * information_schema * ") ); //true
? ?console.log( /(?:from\W+information_schema\W)/.test("select TABLES from/**/information_schema/**/") ); //true
? ?console.log( /(?:from\W+information_schema\W)/.test("select TABLES from 123 /**/ union information_schema/**/") ); //false
? ?//(?:X)僅分組無意義，應(yīng)該可改為：
? ?console.log( /from\W+information_schema\W/.test("select TABLES from/**/information_schema/**/") ); //true

//(?:X)：僅分組
? ?//|：或
? ?//\s：空白字符
? ?//注意：區(qū)分大小寫，如要取消大小寫區(qū)分，加：/i
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_user (") ); //true
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_database(") ); //true
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_connection_id ? (") ); //true
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_connection_id = (") ); //false
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("connection_id(") ); //true
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("connection_ID(") ); //false
? ?//應(yīng)該可簡化為：
? ?console.log( /(?:current_)user|database|schema|connection_id\s*\(/.test("current_connection_id ? (") ); //true
? ?console.log( /(?:current_)user|database|schema|connection_id\s*\(/.test("connection_id(") ); //true
}

exports.anti_cookieinj_rule =[
? ?/select.+(from|limit)/,
? ?/(?:(union(.*?)select))/,
? ?///having|rongjitest/,
? ?/sleep\((\s*)(\d*)(\s*)\)/,
? ?/benchmark\((.*)\,(.*)\)/,
? ?/base64_decode\(/,
? ?/(?:from\W+information_schema\W)/,
? ?//修改，增加version
? ?/(?:(?:current_)user|database|version|schema|connection_id)\s*\(/,
? ?/(?:etc\/\W*passwd)/,
? ?/into(\s+)+(?:dump|out)file\s*/,
? ?/group\s+by.+\(/,
? ?/xwork.MethodAccessor/,
? ? /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/
];
if( regexp_debug == 1) {
? ?//\i大小寫區(qū)分問題不再贅述，普遍存在
? ?//mysql函數(shù)benchmark
? ?//檢測例：：benchmark(1000，encode("hello","goodbye"))
? ?console.log( /benchmark\((.*)\,(.*)\)/.test('select BENCHMARK(1000000,encode("hello","goodbye"))') ); //false
? ?console.log( /benchmark\((.*)\,(.*)\)/.test('select benchmark(1000000,encode("hello","goodbye"))'),"benchmark"); //true

///base64_decode\(/
? ?//檢測base64_decode()函數(shù)
? ?//到此，大至可理解：此套規(guī)則是針對mysql、php的
? ?console.log( /base64_decode\(/.test("base64_decode('abc')") ); //true
? ?console.log( /base64_decode\(/.test("base64_Decode('abc')") ); //false

console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("user(") ); //false
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_user(") ); //true
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_user (") ); //true
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_user ? (") ); //true
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_usEr ? (") ); //false
? ?console.log( /(?:(?:current_)user|database|schema|connection_id)\s*\(/.test("current_user ?* (") ); //false

//etc路徑加passwd檢測
? ?//\W：不能構(gòu)成單詞的字符
? ?console.log( /(?:etc\/\W*passwd)/.test("etc/passwd") ); //true
? ?console.log( /(?:etc\/\W*passwd)/.test("etc//passwd") ); //true
? ?console.log( /(?:etc\/\W*passwd)/.test("etc passwd") ); //false
? ?console.log( /(?:etc\/\W*passwd)/.test("etc////passwd") ); //true
? ?console.log( /(?:etc\/\W*passwd)/.test("etc////PASSWD") ); //false

//mysql的file系列函數(shù)檢測：dumpfile\outfile
? ?//X+，X字符出現(xiàn)一次或多次
? ?//\s：空白字符
? ?console.log ( /into(\s+)+(?:dump|out)file\s*/.test("select * from test into outfile '/tmp/test.txt'") ); //true
? ?console.log ( /into(\s+)+(?:dump|out)file\s*/.test("select * from test into dumpfile '/tmp/test.txt'") ); //true
? ?console.log ( /into(\s+)+(?:dump|out)file\s*/.test("select * from test into dumpFILE '/tmp/test.txt'") ); //false

///xwork.MethodAccessor/,
? ?//這是struts2相關(guān)的一個漏洞關(guān)鍵字
? ?console.log( /xwork.MethodAccessor/.test("xwork.MethodAccessor") ); //true
? ?console.log( /xwork.MethodAccessor/.test("xwork.MethodAccessoR") ); //false

//w+：可以構(gòu)成單詞的字符
? ?//檢測各種函數(shù)
? ? /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/
? ?console.log( ? /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/.test("define") ?); //false
? ?console.log( ? /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/.test("define(") ?); //true
? ?console.log( ? /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/.test("define(") ?); //true
? ?console.log( ? /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/.test("preg_a(") ?); //true
}

exports.anti_xss_rule = [
? ?//注釋掉
? ?// /<|>|:|'|""|`|--|()|[]|{}|/,
? ?/\<(iframe|script|body|img|layer|div|meta|style|base|object|input)/,
? ?/(onmouseover|onmousemove|onerror|onload)\=/i,
? ?//新增
? ?/javascript:/i
];

if( regexp_debug == 1){

console.log( /\<(iframe|script|body|img|layer|div|meta|style|base|object|input)/.test(" ? ?console.log( /\<(iframe|script|body|img|layer|div|meta|style|base|object|input)/.test("iframe")); //false

console.log( /\<(iframe|script|body|img|layer|div|meta|style|base|object|input)/.test("

console.log( /(onmouseover|onmousemove|onerror|onload)\=/i.test("onerror='alert(1)'")); //true

console.log( /javascript:/i.test("javascript:alert(1);") );

}

exports.anti_folder_iterator_rule = [

/..\/..\//,

// /(?:etc\/\W*passwd\/shadow)/

//修改：

// /(?:etc\/\W*passwd)/i

];

if( regexp_debug == 1){

//匹配：../../

console.log( /..\/..\//.test("../../pass/") ); //true

console.log( /..\/..\//.test("../pass/") ); //false

}

exports.anti_cmdinj_rule = [

//修改

// || 命令

/\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/,

//命令||

/(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv).*\|\|/

];

if(regexp_debug == 1){

console.log( ? /\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/.test("||ipconfig") ?); //true

console.log( /\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/.test("||cd") ); //true

console.log( /\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/.test("cd") ); //false

console.log( /\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/.test("|cd") ); //false

}

exports.anti_remote_file_include_rule = [

/http:\/\/|https:\/\//,

/(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/,

//注釋

// /(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\//,

];

if(regexp_debug == 1){

console.log( /http:\/\/|https:\/\/|..\/..\//.test("http://") ); //true

console.log( /http:\/\/|https:\/\/|..\/..\//.test("http:") ); //false

console.log( /http:\/\/|https:\/\/|..\/..\//.test("https:") ); //false

}

exports.anti_local_file_include_rule = [

//這行容易誤報

// /..\//,

/(?:etc\/\W*passwd)/,

//注釋

// ? /(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/,

/(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\//

];

if( regexp_debug == 1){

//匹配：etc/ 不能構(gòu)成單詞的任意字符不出現(xiàn)或出現(xiàn)或出現(xiàn)多次 password

console.log( /(?:etc\/\W*passwd)/i.test("etc//passwd") ); //true

console.log( /(?:etc\/\W*passwd)/i.test("etc/passwd") ); //true

console.log( /(?:etc\/\W*passwd)/i.test("etc//**/passwd") ); //true

console.log( /(?:etc\/\W*passwd)/i.test("etc\\passwd") ); //false

console.log( /(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\//.test("file:/") ); //true

console.log( /(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\//.test("file:") ); //false

}