From 8b74143a0d8109eb0f581ac7dd05d4f4c0301452 Mon Sep 17 00:00:00 2001 From: loveshell <82163261@qq.com> Date: Mon, 22 Apr 2013 15:53:47 +0800 Subject: [PATCH 1/4] Update init.lua --- init.lua | 137 ++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 89 insertions(+), 48 deletions(-) diff --git a/init.lua b/init.lua index a8bdfd4..dfb6fac 100644 --- a/init.lua +++ b/init.lua @@ -1,6 +1,6 @@ --配置部分 logpath='/data/logs/hack/' -rulepath='/usr/local/nginx/conf/wafconf/' +rulepath='/usr/local/openresty/nginx/conf/ngx_lua_waf/wafconf/' syslogserver='127.0.0.1' filext='' --如果需要开启syslog传输,请取消掉log函数部分的注释 @@ -21,10 +21,10 @@ local O_APPEND = 0x0400; local S_IRUSR = 0x0100; local S_IWUSR = 0x0080; function write(logfile,msg) - local logger_fd = C.open(logfile, bor(O_RDWR, O_CREAT, O_APPEND), bor(S_IRUSR,S_IWUSR)); - local c = msg; - C.write(logger_fd, c, #c); - C.close(logger_fd) + local logger_fd = C.open(logfile, bor(O_RDWR, O_CREAT, O_APPEND), bor(S_IRUSR,S_IWUSR)); + local c = msg; + C.write(logger_fd, c, #c); + C.close(logger_fd) end function syslog(msg) ngx.header.content_type = "text/html" 
@@ -59,56 +59,97 @@ function syslog(msg) debug = 7 -local sock = ngx.socket.udp() -local ok, err = sock:setpeername(syslogserver, 514) ---上面的ip和端口就是syslog server的ip和端口地址,可自行修改 -if not ok then - ngx.say("failed to connect to syslog server: ", err) - return -end -level=info -facility=daemon -sign=level+facility*8 -ok, err = sock:send('<'..sign..'>'..msg) -sock:close() + local sock = ngx.socket.udp() + local ok, err = sock:setpeername(syslogserver, 514) + --上面的ip和端口就是syslog server的ip和端口地址,可自行修改 + if not ok then + ngx.say("failed to connect to syslog server: ", err) + return + end + level=info + facility=daemon + sign=level+facility*8 + ok, err = sock:send('<'..sign..'>'..msg) + sock:close() end -function log(method,url,data) - if data then - if ngx.var.http_user_agent then - -- syslog(ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \""..data.."\" \""..ngx.status.."\" \""..ngx.var.http_user_agent.."\"\n") - write(logpath..'/'..ngx.var.server_name.."_sec.log",ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \""..data.."\" \""..ngx.status.."\" \""..ngx.var.http_user_agent.."\"\n") - else - -- syslog(ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \""..data.."\" \"-\"\n") - write(logpath..'/'..ngx.var.server_name.."_sec.log",ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \""..data.."\" \"-\"\n") - end +function log() + if ngx.var.http_user_agent then + -- syslog(ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \"-\" \""..ngx.var.http_user_agent.."\"\n") + write(logpath..'/'..ngx.var.server_name.."_sec.log",ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..ngx.req.get_method().." "..ngx.var.request_uri.."\" \"-\" \""..ngx.var.http_user_agent.."\"\n") else - if ngx.var.http_user_agent then - -- syslog(ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." 
"..url.."\" \"-\" \""..ngx.var.http_user_agent.."\"\n") - write(logpath..'/'..ngx.var.server_name.."_sec.log",ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \"-\" \""..ngx.var.http_user_agent.."\"\n") - else - -- syslog(ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \"-\" \"".."-\"\n") - write(logpath..'/'..ngx.var.server_name.."_sec.log",ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \"-\" \"".."-\"\n") - end + -- syslog(ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..method.." "..url.."\" \"-\" \"".."-\"\n") + write(logpath..'/'..ngx.var.server_name.."_sec.log",ngx.var.remote_addr.." ".." ["..ngx.localtime().."] \""..ngx.req.get_method().." "..ngx.var.request_uri.."\" \"-\" \"".."-\"\n") end end ---------------------------------------响应函数-------------------------------------------------------------------------------- -function check() - ngx.header.content_type = "text/html" - ngx.print("just a joke hehe~ !!") - ngx.exit(200) -end ------------------------------------规则读取函数------------------------------------------------------------------- -function read_rule(var) - file = io.open(rulepath..'/'..var,"r") +function getrule(method,dict) + local waf = dict; + file = io.open(rulepath..'/'..method,"r") t = {} for line in file:lines() do - table.insert(t,line) + waf.set(waf,line,true) end file:close() - return(table.concat(t,"|")) end -regex=read_rule('global') -get=read_rule('get') -post=read_rule('post') -agent=read_rule('user-agent') -whitelist=read_rule('whitelist') +local update = ngx.shared.update; +local updated_at = update:get("updated_at"); +if updated_at == nil or updated_at < ( ngx.now() - 10 ) then + getrule('urlpath',ngx.shared.urlpath) + getrule('post',ngx.shared.post) + getrule('user-agent',ngx.shared.ua) + getrule('args',ngx.shared.args) + +else + update:set("updated_at", ngx.now()); +end +function say_html(ruleid) + ngx.header.content_type = 
"text/html" + ngx.say('Please go away~~~') + log() + ngx.exit(200) +end +function args() + for k,v in pairs(ngx.shared.args:get_keys()) do + local args = ngx.req.get_uri_args() + for key, val in pairs(args) do + if ngx.re.match(val,v,"isjo") then + say_html(k) + log('GET') + return true + end + end + end + return false +end + +function url() + for k,v in pairs(ngx.shared.urlpath:get_keys()) do + if ngx.re.match(ngx.var.request_uri,v,"isjo") then + say_html(k) + log('GET') + return true + end + end + return false +end + +function ua() + for k,v in pairs(ngx.shared.ua:get_keys()) do + if ngx.re.match(ngx.var.http_user_agent,v,"isjo") then + say_html(k) + log('User-agent') + end + end + return false +end + +function body() + for k,v in pairs(ngx.shared.post:get_keys()) do + if ngx.req.get_body_data() and ngx.re.match(ngx.req.get_body_data(),v,"isjo") then + say_html(k) + log('POST') + return true + end + end + return false +end From 1283448f4496daf95dcc2668db5c4926fbb88154 Mon Sep 17 00:00:00 2001 From: loveshell <82163261@qq.com> Date: Mon, 22 Apr 2013 15:54:18 +0800 Subject: [PATCH 2/4] Update waf.lua --- waf.lua | 48 ++++++++++++++++++------------------------------ 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/waf.lua b/waf.lua index 0f435ee..643a7a7 100644 --- a/waf.lua +++ b/waf.lua 
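Review bot: `ua()` passes `ngx.var.http_user_agent` straight to `ngx.re.match`, although that variable is nil when the client sends no User-Agent header (the new `log()` in this same hunk guards for exactly that), so such a request would most likely end in a Lua runtime error instead of being evaluated; start the function with `local agent = ngx.var.http_user_agent` and `if not agent then return false end`, then match on `agent`. `url()` and `body()` match the raw `ngx.var.request_uri` and request body, while the waf.lua logic removed later in this series matched `ngx.unescape_uri(...)` of both, so percent-encoded input is no longer normalized before the rules run; matching `ngx.unescape_uri(ngx.var.request_uri)` (and the unescaped body) keeps the earlier coverage. The refresh block writes `updated_at` only in its `else` branch, so as far as this hunk shows the timestamp is never stored after a load and the 10-second window never takes effect; move `update:set("updated_at", ngx.now())` into the branch that calls `getrule`, and check the result of `io.open` there before calling `file:lines()`. `say_html(ruleid)` never uses `ruleid`, and the `log('GET')` / `return true` lines after each `say_html(k)` are unreachable because `say_html` ends in `ngx.exit(200)`, so the security log cannot show which rule fired; pass the rule into `log()` and consider answering with 403 so blocked requests are distinguishable in access logs.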
@@ -1,33 +1,21 @@ ngx.req.read_body() -if ngx.re.match(ngx.var.request_uri,whitelist,"isjo") then - return -else - if ngx.re.match(ngx.unescape_uri(ngx.var.request_uri),regex.."|"..get,"isjo") then - log('GET',ngx.unescape_uri(ngx.var.request_uri)) - check() --- elseif ngx.re.match(string.gsub(ngx.var.request_uri,"\\%",""),regex.."|"..get,"isjo") then --- log('GET',ngx.var.request_uri) --- check() - elseif ngx.re.match(ngx.var.request_uri,[[%00|%0b|%0d|%c0%ae|%0a]],"isjo") then - check() - elseif ngx.var.http_user_agent and ngx.re.match(ngx.var.http_user_agent,regex.."|"..agent,"isjo") then - log('USER-AGENT',ngx.unescape_uri(ngx.var.request_uri)) - check() - elseif ngx.req.get_body_data() and ngx.re.match(ngx.req.get_body_data(),[[Content-Disposition: form-data;(.*)filename=]],"isjo") ==nil and ngx.re.match(ngx.unescape_uri(ngx.req.get_body_data()),regex.."|"..post,"isjo") then - log('POST',ngx.unescape_uri(ngx.var.request_uri),ngx.unescape_uri(ngx.req.get_body_data())) - check() - elseif string.len(filext) >0 then - if ngx.req.get_body_data() and ngx.re.match(ngx.req.get_body_data(),"Content-Disposition: form-data;(.*)filename=\"(.*)."..filext.."\"","isjo") then - check() - end --- elseif ngx.req.get_headers()["Cookie"] and ngx.re.match(ngx.unescape_uri(ngx.req.get_headers()["Cookie"]),regex,"isjo")then --- log('COOKIE',ngx.unescape_uri(ngx.var.request_uri),ngx.unescape_uri(ngx.req.get_headers()["Cookie"])) --- check() - elseif ngx.req.get_headers()['Acunetix-Aspect'] then - ngx.exit(400) - elseif ngx.req.get_headers()['X-Scan-Memo'] then - ngx.exit(400) - else - return +if ngx.req.get_headers()['Acunetix-Aspect'] then + ngx.exit(400) +elseif ngx.req.get_headers()['X-Scan-Memo'] then + ngx.exit(400) +end +if ua() then +elseif url() then +elseif args() then +elseif ngx.req.get_body_data() and ngx.re.match(ngx.req.get_body_data(),[[Content-Disposition: form-data;(.*)filename=]],"isjo") ==nil then + ngx.req.read_body() + body() + ngx.req.discard_body() +elseif 
string.len(filext) >0 then + if ngx.req.get_body_data() and ngx.re.match(ngx.req.get_body_data(),"Content-Disposition: form-data;(.*)filename=\"(.*)."..filext.."\"","isjo") then + ngx.exit('Not Allow Uploaded!!') end +else + return end + log('User-agent') From 7e2638ed0756375df75ec95a61d4b799de3bf89b Mon Sep 17 00:00:00 2001 From: loveshell <82163261@qq.com> Date: Mon, 22 Apr 2013 15:55:16 +0800 Subject: [PATCH 3/4] Rename global to args --- wafconf/{global => args} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename wafconf/{global => args} (100%) diff --git a/wafconf/global b/wafconf/args similarity index 100% rename from wafconf/global rename to wafconf/args From 16f85b473361d66bf05a5e5f61c140932929f93c Mon Sep 17 00:00:00 2001 From: loveshell <82163261@qq.com> Date: Mon, 22 Apr 2013 15:55:34 +0800 Subject: [PATCH 4/4] Rename get to urlpath --- wafconf/{get => urlpath} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename wafconf/{get => urlpath} (100%) diff --git a/wafconf/get b/wafconf/urlpath similarity index 100% rename from wafconf/get rename to wafconf/urlpath
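Review bot: `ngx.exit('Not Allow Uploaded!!')` in the `filext` branch passes a string where `ngx.exit` expects a numeric status, so a blocked upload would most likely surface as a Lua error rather than a deliberate rejection; use `ngx.exit(403)`, preceded by `ngx.say('Not Allow Uploaded!!')` if the message should reach the client. The branch that calls `body()` depends on `ngx.req.get_body_data()`, which returns nil when nginx has buffered the body to a temporary file, so bodies larger than the in-memory buffer skip rule matching; a comment stating that limit, or a fallback through `ngx.req.get_body_file()`, would make the coverage explicit. The second `ngx.req.read_body()` repeats the call on the first line, and `ngx.req.discard_body()` after the check deserves a comment explaining why the body is dropped before later phases run.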