https://hub.docker.com/r/uusec/nanqiang
docker run -d --name waf --hostname waf --restart always -p 99:4443 --privileged=true --user=root -e TZ='Asia/Shanghai' --ulimit nofile=262144:262144 -v /data/site:/data/site -e UUWAF_MYSQL_PASSWORD='wdqdmm@r' --link mariadb:wafdb uusec/nanqiang:latest /run.sh
docker exec -it waf /bin/bash
# F-Droid 是一个 Android 平台上 FOSS(Free and Open Source Software,自由开源软件)的目录,并提供下载安装支持。使用客户端可以更轻松地浏览、安装及跟进设备上的应用更新
https://f-droid.org/zh_Hans/packages/org.liberty.android.freeotpplus/
admin / wafadmin
waf.sql
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
CREATE DATABASE `uuwaf` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
USE `uuwaf`;
-- ----------------------------
-- Table structure for waf_audits
-- ----------------------------
DROP TABLE IF EXISTS `waf_audits`;
CREATE TABLE `waf_audits` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
`type` varchar(16) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`info` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`usr` varchar(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`ip` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 211 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = Compact;
-- ----------------------------
-- Table structure for waf_certs
-- ----------------------------
DROP TABLE IF EXISTS `waf_certs`;
CREATE TABLE `waf_certs` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`sni` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`cert` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`key` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`expire_time` datetime NOT NULL,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 2 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = Compact;
-- ----------------------------
-- Records of waf_certs
-- ----------------------------
INSERT INTO `waf_certs` VALUES (1, '[\"*.uusec.com\"]', '-----BEGIN CERTIFICATE-----\nMIID4DCCAkigAwIBAgIRALnhB55mj63MyQ+SjGsSFQ8wDQYJKoZIhvcNAQELBQAw\nOjEOMAwGA1UEChMFVVVTRUMxEDAOBgNVBAsTB0lUIERlcHQxFjAUBgNVBAMTDVVV\nU0VDIFJvb3QgQ0EwHhcNMjIwODEwMTMzNjA0WhcNMjQxMTEwMTMzNjA0WjA7MQ4w\nDAYDVQQKEwVVVVNFQzETMBEGA1UECxMKVVVTRUMgVGVjaDEUMBIGA1UEAwwLKi51\ndXNlYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5SW/ejQwJ\nLR6iQjffa2MbflyN0gCW9lc2SZcCAx+cvCzkWHhhMauGpSsDgTJJ7QZts/qtZ9/5\nBnpjoysvpZuD9C4jMFWzXh4iBHnVw1BJJ7crCf1vtkiAnCEwVTEEoKr3c7fE3/yO\nyxl1DGL/tO3lZtb6LlNfR1el/6nDxjmqU10oMfgXLU5vxudgnBzBl5T33Zo9i+Tg\nVCychkK0zy10PDKBhwklv2F+hHCGRupfCTp+4dtxTry+Fie8KlVCUFqaCT1zUnGC\nZTZDXGp6V7zj1yA4Jt2ykGraOQWSvE2UCqLyN+FIEdirIxypRrLrMYLuIwhInZNR\nRjDtKcJj23PBAgMBAAGjYDBeMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr\nBgEFBQcDATAfBgNVHSMEGDAWgBR1LU6WGmoleMDVt+9ysy5RkU/McTAWBgNVHREE\nDzANggsqLnV1c2VjLmNvbTANBgkqhkiG9w0BAQsFAAOCAYEAew3yVcreq+FOQv6o\naU49TnPDzl/O8NwOCWmAAIPbDf0O88oQy8895g2ChbYF92fZ6vhuPc1AVUEf+77m\nBIjSsbhQldnayTiE51e/bwrSfil8BCTA0HbDiX8lFl5PvlaAyryKK1YY/eu/W2aK\nSmzzUXpLIot1fsGgkHJqPyu239Fn03Xv19eosHIdVkRauKwcOhJzabkioCqcKTgp\nfOA6VJlkPeP9Ar4rieJ+hAIBInE/jKx/jcgWBdz+KgE96YJxnTnb/3KE2hlkyjLo\nzciuYt2omfI0ji8+lAV43dLFynl/rlhJPcOmN29/RX75WePhu3oQlpMF51PSG1kG\nuIcru3t5EQY739R5Y5BzMD51A4ThJGCNfhJSNwKuJ5S19HbN0t/4dDlyMAF2BGVe\nIcPUDr1NvH/a++GuPsF1G3ST+TMN3VIjQoYU6SLj9vxKW07Gz4PBFGM4wPbuLsgO\nncZrouB867+aoAv1DX/LVHBwpXptJ85g4F1NahTBjo5Pq/5D\n-----END CERTIFICATE-----\n', '-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5SW/ejQwJLR6i\nQjffa2MbflyN0gCW9lc2SZcCAx+cvCzkWHhhMauGpSsDgTJJ7QZts/qtZ9/5Bnpj\noysvpZuD9C4jMFWzXh4iBHnVw1BJJ7crCf1vtkiAnCEwVTEEoKr3c7fE3/yOyxl1\nDGL/tO3lZtb6LlNfR1el/6nDxjmqU10oMfgXLU5vxudgnBzBl5T33Zo9i+TgVCyc\nhkK0zy10PDKBhwklv2F+hHCGRupfCTp+4dtxTry+Fie8KlVCUFqaCT1zUnGCZTZD\nXGp6V7zj1yA4Jt2ykGraOQWSvE2UCqLyN+FIEdirIxypRrLrMYLuIwhInZNRRjDt\nKcJj23PBAgMBAAECggEBALcNqXsaqDhsniY5+488PebMuU3XmoOKjnDw1ULEqTek\n5UkXap7Dfq2AgnVs76z/gelh9ZfZ1vnk/4dujdz95R3BYM+dEh4qLuT2vROGacxM\nc3cO4Ja8ZPbCyTtB/zKONTpR1c2oaJD+cIEmIqx0KNAKAPucRvwLtLkoU6U6MoBl\nO3HB8VIWy0G+eKst2vUNhoT6hbLHSGhWoXRFY0siQnkEqjm+D52jvsXb3lTPp4Kc\ncbfagXUbHn6kPcF30GYnCvA65mD58EKH2HxUDhMpJxNGWOfw2o+D7nsrBY/I9Tm6\nMB+Mk53N5rIPkFbnX11Zdc3o7Cy7Js4A/QfMUqoR4AECgYEA3QcHYF4cCcttrEoq\nhvyTk8FfjFf61PRnevxR0fSuyMPeBob7KxKEn3uNBw3jal4jzJM+aHaPXRgcqjzK\nw95aqh0O7As8Kv0/iyujliioY5AKSy/n9vbEgDRUYkA87u+RNaQnDaiNLwHu+EGf\n/9yMhZTmKuz/v30tcJP6gAW8VIECgYEA1pqxwjsLwErn1jDTXwNYoHLBv9u/0tsY\nyr64pqnD7BVhW43EUbPllBLHgaIuUccpiYBYi9CuJPJK+Djn0HBPT50ilupwtgJK\nQdgraxUgesNsb8HTGf1mnnLyHSAXf38LqCOobK/ilqSgx9TemhTyl12Nb5isrxSv\nBHBBAZoef0ECgYB22jW8Oz7mgW57K/KMXbtZw60GgbTO2JHgj1fMB8AJE1ILvn/H\nXJDWVZCzT2OPqgmkEzWG5OIYlEOtwzzhcGreePuyMCRtlXqa8p9nuns59pWicqNQ\nqMdnjTwnDRX3Afnal2esr4sj0O1Yr6lC46zok/Xk9UZdCQnrNJeKSgtIgQKBgEn+\nus3y2AFsknWLDkaTe8qO5vlFRuXoP6sgicCFhpVvZctQnWFiewVMWFf9WKU/27Wa\neG10/aalmG3wCRYYs3ALCTMqEMThE0OSyp24giNyIICEP0qV0f1OOucJ+rAuWRGX\ngeo/1wwEJZ/haQONt3uzeSICbYBMzG/mWLO5tUxBAoGBAI6ZYII0Vf/5CadqaQ7K\nbYa3RB23/v714vTNPHWwpRPKaTMrgFr9u3T4wmAETTWiuYYkG44YMMt275H06ycz\nB8HkaXgbJLffQJEl7mfIyaWfbBKe6g2V45AQGoktO+zyuTipxhQ9NvomBCt5fCS4\nrLRzYWPp8qXa0qWKDJ27/l+S\n-----END PRIVATE KEY-----\n', '2024-11-10 21:36:04', '2022-08-10 22:05:01');
-- ----------------------------
-- Table structure for waf_logs
-- ----------------------------
DROP TABLE IF EXISTS `waf_logs`;
CREATE TABLE `waf_logs` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`rule_id` bigint(20) NOT NULL,
`ip` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`host` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`url` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`data` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL,
`country` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`province` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`city` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`latitude` decimal(18, 14) NOT NULL,
`longitude` decimal(18, 14) NOT NULL,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`) USING BTREE,
INDEX `idx_type`(`rule_id`) USING BTREE,
INDEX `idx_city`(`city`) USING BTREE,
INDEX `idx_time`(`update_time`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 739 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = Compact;
-- ----------------------------
-- Table structure for waf_ml
-- ----------------------------
DROP TABLE IF EXISTS `waf_ml`;
CREATE TABLE `waf_ml` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`enable` tinyint(1) NOT NULL DEFAULT 1,
`host` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`uri` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`schema` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 1002 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = COMPACT;
DROP TABLE IF EXISTS `waf_cdn`;
CREATE TABLE `waf_cdn` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`enable` tinyint(1) NOT NULL DEFAULT 1,
`host` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`uri` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`cache_time` varchar(16) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 1 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = COMPACT;
-- ----------------------------
-- Table structure for waf_rules
-- ----------------------------
DROP TABLE IF EXISTS `waf_rules`;
CREATE TABLE `waf_rules` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`level` tinyint(4) NOT NULL,
`name` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`type` tinyint(4) NOT NULL,
`description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`content` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 69 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = Compact;
-- ----------------------------
-- Records of waf_rules
-- ----------------------------
INSERT INTO `waf_rules` VALUES (10, 2, 'Invalid protocol', 0, 'querystring参数过多', 'if waf.queryString==nil then\n return true,waf.qErr,true\nend\nreturn false', '2022-09-02 17:44:13');
INSERT INTO `waf_rules` VALUES (11, 3, 'Invalid protocol', 0, '非法post协议', 'if waf.form == nil then\n if waf.contains(waf.fErr, \"content_type\") then\n return true, waf.fErr .. \": \" .. waf.reqContentType, true\n end\n return true, waf.fErr, true\nend\nreturn false', '2022-10-07 21:27:59');
INSERT INTO `waf_rules` VALUES (12, 2, 'Invalid protocol', 0, 'cookie参数过多', 'if waf.cookies==nil then\n return true,waf.cErr,true\nend\nreturn false', '2022-09-02 17:44:03');
INSERT INTO `waf_rules` VALUES (13, 3, '防持续攻击', 0, '累计攻击超过100次,则在10分钟内拦截该ip访问', 'local ib = waf.ipBlock\nlocal c = ib:get(waf.ip)\nif c and c >= 100 then\n ib:set(waf.ip, c, 600, 1)\n return true, \"ip blocked for continue attack: \" .. waf.ip, true\nend\nreturn false', '2022-12-30 16:53:17');
INSERT INTO `waf_rules` VALUES (14, 2, '代理头sql注入', 0, '过滤http请求中X-Forwarded-For、Client-IP请求头中单引号sql注入', 'local rip=waf.reqHeaders.x_forwarded_for\nif rip then\n if type(rip) ~= \"string\" then\n return true,\"Malform X-Forwarded-For\",true\n elseif waf.contains(rip,\"\'\") then\n return true,rip,true\n end\nend\nrip=waf.reqHeaders.client_ip\nif rip then\n if type(rip) ~= \"string\" then\n return true,\"Malform Client-IP\",true\n elseif waf.contains(rip,\"\'\") then\n return true,rip,true\n end\nend\nreturn false', '2022-08-23 16:28:33');
INSERT INTO `waf_rules` VALUES (15, 3, '上传文件名过滤', 0, '过滤上传文件名中的网页脚本扩展名,拦截webshell上传', 'local rgx = waf.rgxMatch\n\nlocal function fileNameMatch(v)\n local m = rgx(v, \"\\\\.(?:as|cer\\\\b|cdx|ph|jsp|war|class|exe|ht|env|user\\\\.ini)|php\\\\.ini\", \"joi\")\n if m then\n return m, v\n end\n return false\nend\nif waf.form then\n local m, d = waf.knFilter(waf.form[\"FILES\"], fileNameMatch, 1)\n return m, d, true\nend\n\nreturn false', '2022-08-23 16:30:40');
INSERT INTO `waf_rules` VALUES (16, 3, '上传文件内容过滤', 0, '过滤上传的文件内容,拦截webshell上传', 'local rgx = waf.rgxMatch\nlocal function fileContentMatch(v)\n local m = rgx(v, \"<\\\\?.+?\\\\$(?:GLOBALS|_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES|SESSION|ENV))|<\\\\?php|<jsp:|<%(?i:!|\\\\s*@|.*?\\\\brequest\\\\s*(?:\\\\.|\\\\())\", \"jos\")\n if m then\n return m, v\n end\n return false\nend\nif waf.form then\n local m, d = waf.knFilter(waf.form[\"FILES\"], fileContentMatch, 0)\n return m, d, true\nend\nreturn false', '2022-09-04 10:12:36');
INSERT INTO `waf_rules` VALUES (17, 1, '扫描器检测', 0, '检测常见的各种扫描器,如awvs、sqlmap、nessus、appscan、nmap等,拦截它们有助于减少黑客发现漏洞的风险', 'local m, d = waf.plugins.scannerDetection.check()\nif m then\n return true, d, true\nend\nreturn false', '2022-08-22 08:37:35');
INSERT INTO `waf_rules` VALUES (18, 3, 'HTTP Request Smuggling', 0, '此规则查找与单词HTTP/\\d或CR/LF字符组合的HTTP/WEBDAV方法名。这将指向试图将第二个请求注入到请求中,从而绕过对主请求执行的测试,如CVE-2019-20372(Nginx<1.17.7 请求走私漏洞)。参考:http://projects.webappsec.org/HTTP-Request-Smuggling', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\nlocal htmlEntityDecode = waf.htmlEntityDecode\n\nlocal function rMatch(v)\n local m = rgx(htmlEntityDecode(v), \"(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+[^\\\\s]+\\\\s+http/\\\\d\", \"josi\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], rMatch)\n if m then\n return m, d, true\n end\n m, d = rMatch(form[\"RAW\"])\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, rMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, rMatch)\n if m then\n return m, d, true\n end\nend\nreturn false', '2022-08-23 16:33:08');
INSERT INTO `waf_rules` VALUES (19, 0, '请求方法加强', 0, '不常用的http请求方法会出现一些安全漏洞,如:历史上Apache平台TRACE请求方法出现过XSS相关漏洞', 'if not waf.rgxMatch(waf.method, \"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$\") then\n return true, waf.method, true\nend ', '2022-08-23 16:33:27');
INSERT INTO `waf_rules` VALUES (20, 3, 'HTTP Response Splitting', 0, '该规则查找回车符(CR)%0d和换行符(LF)%0a字符。如果在响应报头中返回数据,这些字符可能会导致问题,并且可能会被中间代理服务器解释并被视为两个单独的响应。参考:http://projects.webappsec.org/HTTP-Response-Splitting', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\nlocal htmlEntityDecode = waf.htmlEntityDecode\n\nlocal function rMatch(v)\n local m = rgx(v, \"[\\\\r\\\\n]\\\\W*?(?:content-(?:type|length)|set-cookie|location):\\\\s*\\\\w\", \"josi\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal function hMatch(v)\n local m = rgx(htmlEntityDecode(v), \"(?:\\\\bhttp/\\\\d|<(?:html|meta)\\\\b)\", \"josi\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], rMatch)\n if m then\n return m, d, true\n end\n m, d = kvFilter(form[\"FORM\"], hMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, rMatch)\n if m then\n return m, d, true\n end\n m, d = kvFilter(queryString, hMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, rMatch)\n if m then\n return m, d, true\n end\n m, d = kvFilter(cookies, hMatch)\n if m then\n return m, d, true\n end\nend\nreturn false', '2022-08-23 16:33:57');
INSERT INTO `waf_rules` VALUES (21, 3, 'asp畸形编码过滤', 0, 'asp中unicode畸形编码会造成waf绕过危害', 'if waf.rgxMatch(waf.reqUri,\"%u00(?:aa|ba|d0|de|e2|f0|fe)\",\"i\") then\n return true,waf.reqUri,true\nend\nreturn false', '2022-08-23 16:34:12');
INSERT INTO `waf_rules` VALUES (22, 3, 'boundary异常拦截', 0, '拦截请求content type头中multipart/form-data的异常boundary,如php在上传解析boundary时没有符合rfc规范,对逗号产生了错误解析。', 'local ct = waf.reqContentType\n\nif ct then\n if type(ct) ~= \"string\" then\n return true, \"Malform Content-Type\", true\n elseif waf.contains(ct, \"boundary\") and (waf.strCounter(ct, \"boundary\") > 1 or not waf.rgxMatch(ct, \"boundary=[\\\\w\\\\-]+$\", \"jo\")) then\n return true, ct, true\n end\nend\n\nreturn false', '2022-08-23 16:34:45');
INSERT INTO `waf_rules` VALUES (23, 3, 'HTTP Header Injection', 0, 'HTTP头注入查找回车符(CR)%0d和换行符(LF)%0a字符,单独或与header字段名称组合使用。如果数据在响应头中返回并由客户端解释,这些字符可能会导致问题。', 'local rgx = waf.rgxMatch\nlocal htmlEntityDecode = waf.htmlEntityDecode\nlocal concat = table.concat\n\nlocal function hMatch(v)\n local m = rgx(htmlEntityDecode(v), \"[\\\\n\\\\r]\", \"jo\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal function vMatch(v)\n local m = rgx(htmlEntityDecode(v), \"[\\\\n\\\\r]+(?:\\\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\\\s*:\", \"josi\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal m, d = waf.kvFilter(waf.reqHeaders, hMatch)\nif m then\n return m, d, true\nend\n\nlocal queryString = waf.queryString\nif queryString then\n for k, v in pairs(waf.queryString) do\n m, d = hMatch(k)\n if m then\n return m, d, true\n end\n if type(v)==\"table\" then\n v = concat(v,\",\")\n end\n m, d = vMatch(v)\n if m then\n return m, d, true\n end\n end\nend\n\nlocal form = waf.form\nif form then\n for k, _ in pairs(form[\"FORM\"]) do\n m, d = hMatch(k)\n if m then\n return m, d, true\n end\n end\nend\n\nreturn false', '2022-09-10 13:41:16');
INSERT INTO `waf_rules` VALUES (24, 3, 'HTTP Splitting', 0, '此规则检测请求文件名中的\\n或\\r。参考:https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)', 'local rgx = waf.rgxMatch\nlocal function fMatch(v)\n local m = rgx(v, \"[\\\\n\\\\r]\", \"jo\")\n if m then\n return m, v\n end\n return false\nend\nlocal m, d = fMatch(waf.uri)\nif m then\n return m, d, true\nend\nreturn false', '2022-08-23 16:36:34');
INSERT INTO `waf_rules` VALUES (25, 3, 'LDAP Injection', 0, '拦截LDAP注入攻击', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\nlocal htmlEntityDecode = waf.htmlEntityDecode\n\nlocal function rMatch(v)\n local m = rgx(htmlEntityDecode(v), \"^[^:\\\\(\\\\)\\\\&\\\\|\\\\!\\\\<\\\\>\\\\~]*\\\\)\\\\s*(?:\\\\((?:[^,\\\\(\\\\)\\\\=\\\\&\\\\|\\\\!\\\\<\\\\>\\\\~]+[><~]?=|\\\\s*[&!|]\\\\s*(?:\\\\)|\\\\()?\\\\s*)|\\\\)\\\\s*\\\\(\\\\s*[\\\\&\\\\|\\\\!]\\\\s*|[&!|]\\\\s*\\\\([^\\\\(\\\\)\\\\=\\\\&\\\\|\\\\!\\\\<\\\\>\\\\~]+[><~]?=[^:\\\\(\\\\)\\\\&\\\\|\\\\!\\\\<\\\\>\\\\~]*)\", \"jos\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], rMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, rMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, rMatch)\n if m then\n return m, d, true\n end\nend\nreturn false', '2022-08-23 16:36:52');
INSERT INTO `waf_rules` VALUES (26, 1, 'HTTP Parameter Pollution', 0, 'http参数污染攻击,该规则查找具有相同名称的多个参数,并检查一些后端参数弱校验时产生的绕过问题,如:foo[1]a=bar&foo[1]b=<evil>或foo[1]x[1]=bar&foo[1]x[2]=<evil>等。', 'local rgx = waf.rgxMatch\n\nlocal function rMatch(v)\n local m = rgx(v, \"(?:][^\\\\]]+$|][^\\\\]]+\\\\[)\", \"jos\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n for k, v in pairs(form[\"FORM\"]) do\n if type(v) == \"table\" then\n return true, k..\"=\"..table.concat(v, \",\"), true\n end\n local m, d = rMatch(k)\n if m then\n return m, d, true\n end\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n for k, v in pairs(queryString) do\n if type(v) == \"table\" then\n return true, k..\"=\"..table.concat(v, \",\"), true\n end\n local m, d = rMatch(k)\n if m then\n return m, d, true\n end\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n for k, v in pairs(cookies) do\n if type(v) == \"table\" then\n return true, k..\"=\"..table.concat(v, \",\"), true\n end\n local m, d = rMatch(k)\n if m then\n return m, d, true\n end\n end\nend\nreturn false', '2022-09-05 13:41:24');
INSERT INTO `waf_rules` VALUES (27, 3, 'header头漏洞', 0, 'httpoxy漏洞可被用来针对CGI环境设置非法代理,从而窃取服务器敏感数据。在CVE-2017-7269(IIS 6.0 WebDAV远程代码执行漏洞)中if和lock_token http头会造成溢出攻击。', 'if waf.reqHeaders.proxy ~= nil then\n return true, \"Proxy: \" .. waf.reqHeaders.proxy, true\nend\n\nif waf.reqHeaders.lock_token ~= nil then\n return true, \"Lock-Token: \" .. waf.reqHeaders.lock_token, true\nend\n\nif waf.reqHeaders[\"If\"] ~= nil then\n return true, \"If: \" .. waf.reqHeaders[\"If\"], true\nend\n\nreturn false', '2022-09-08 18:36:30');
INSERT INTO `waf_rules` VALUES (28, 3, 'ImageMagick漏洞', 0, 'ImageMagick是一个功能强大的开源图形处理软件,该漏洞可以执行任意命令和读写文件', 'local rgx = waf.rgxMatch\nlocal function imgContentMatch(v)\n local m = rgx(v, \"\\\\bpush\\\\s+graphic-context\\\\b|\\\\<\\\\s*image\\\\b\", \"joi\")\n if m then\n return m, v\n end\n return false\nend\nif waf.form then\n local m, d = waf.knFilter(waf.form[\"FILES\"], imgContentMatch, 0)\n return m, d, true\nend\nreturn false', '2022-08-23 16:38:27');
INSERT INTO `waf_rules` VALUES (29, 3, 'XXE漏洞', 0, 'XML外部实体注入(XML External Entity)漏洞简称XXE漏洞。当允许引用外部实体时,通过构造恶意内容,可导致读取任意文件、执行系统命令、探测内网端口、攻击内网网站等危害。', 'if waf.form and waf.form[\"RAW\"] then\n local m = waf.rgxMatch(waf.form[\"RAW\"], \"<!(?:DOCTYPE|ENTITY)[^>]+?\\\\bSYSTEM\\\\b\", \"jos\")\n if m then\n return m, waf.form[\"RAW\"], true\n end\nend\nreturn false', '2022-09-21 16:29:52');
INSERT INTO `waf_rules` VALUES (41, 3, 'Invalid protocol', 0, '请求header数过多,超过64个。', 'if waf.hErr and waf.hErr==\"truncated\" then\n return true,waf.hErr,true\nend\nreturn false', '2022-08-17 13:19:46');
INSERT INTO `waf_rules` VALUES (43, 1, '请求body大小限制', 0, '限制请求body大小为8M以下,黑客会尝试大数据包绕过waf过滤', 'if waf.reqContentLength>8388608 then\n return true,\"reqBody length is \"..waf.reqContentLength ,true\nend\nreturn false', '2022-08-20 18:14:17');
INSERT INTO `waf_rules` VALUES (44, 2, '异常请求字符编码拦截', 0, '黑客通常会在Content-Type头中使用异常的charset定义字符集编码来绕过waf保护,如IBM037, IBM500, cp875等', 'local rct = waf.reqContentType\nlocal has = waf.contains\nlocal counter = waf.strCounter\nlocal rgx = waf.rgxMatch\nif rct then\n rct = waf.toLower(rct)\n if has(rct, \"charset\") and (not rgx(rct, \"charset\\\\s*=\\\\s*(utf\\\\-8|gbk|gb2312|iso\\\\-8859\\\\-1|iso\\\\-8859\\\\-15|windows\\\\-1252)\",\"jo\") or counter(rct, \"charset\") > 1) then\n return true, rct, true\n end\nend\nreturn false', '2022-08-23 16:39:49');
INSERT INTO `waf_rules` VALUES (45, 3, '常规sql注入检测', 0, '检测url、cookie、form中的sql注入攻击。采用SQL语义检测引擎,可以降低误报。', 'local checkSQLI = waf.checkSQLI\nlocal kvFilter = waf.kvFilter\n\nlocal function sMatch(v)\n local m = checkSQLI(v)\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal m, d = kvFilter(waf.reqHeaders, sMatch)\nif m then\n return m, d, true\nend\n\nreturn false', '2022-12-30 16:47:07');
INSERT INTO `waf_rules` VALUES (46, 3, 'json sql注入检测', 0, '解析请求body中的json内容,并检测sql注入攻击。采用SQL语义检测引擎,可以降低误报。', 'local checkSQLI = waf.checkSQLI\nlocal jsonFilter = waf.jsonFilter\n\nlocal function rMatch(v)\n local m = checkSQLI(v)\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = jsonFilter(form[\"RAW\"], rMatch, false)\n if m then\n return m, d, true\n end\nend\n\nreturn false', '2022-12-30 16:46:53');
INSERT INTO `waf_rules` VALUES (47, 3, '常规命令注入检测', 0, '检测url、cookie、form中的shell命令注入攻击,采用RCE语义检测引擎可以检查各种变形,如:cat$IFS/etc/os-release或c$()at /e??/p?????等', 'local checkRCE = waf.checkRCE\nlocal kvFilter = waf.kvFilter\n\nlocal function rMatch(v)\n local m = checkRCE(v)\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], rMatch, true)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, rMatch, true)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, rMatch, true)\n if m then\n return m, d, true\n end\nend\nreturn false', '2022-12-30 16:47:34');
INSERT INTO `waf_rules` VALUES (48, 3, 'json 命令注入检测', 0, '解析请求body中的json内容,并检测命令注入攻击。采用RCE语义检测引擎可以检查各种变形,如:cat$IFS/etc/os-release或c$()at /e??/p?????等', 'local checkRCE = waf.checkRCE\nlocal jsonFilter = waf.jsonFilter\n\nlocal function rMatch(v)\n local m = checkRCE(v)\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = jsonFilter(form[\"RAW\"], rMatch, false, true)\n if m then\n return m, d, true\n end\nend\n\nreturn false', '2022-12-30 16:48:06');
INSERT INTO `waf_rules` VALUES (49, 2, '路径遍历攻击', 0, '检测url、上传文件或参数中的路径遍历攻击。采用LFI语义检测引擎,可以检查如://///..\\\\..\\\\etc///passwd等变形攻击。', 'local checkPT = waf.checkPT\nlocal kvFilter = waf.kvFilter\n\nlocal function ptMatch(v)\n local m = checkPT(v)\n if m then\n return m, v\n end\n return false\nend\n\nlocal url = waf.urlDecode(waf.reqUri)\nif checkPT(url) then\n return true, url, true\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], ptMatch)\n if m then\n return m, d, true\n end\n m, d = waf.knFilter(waf.form[\"FILES\"], ptMatch, 1)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, ptMatch)\n if m then\n return m, d, true\n end\nend\n\nreturn false', '2022-08-23 16:42:47');
INSERT INTO `waf_rules` VALUES (50, 1, '敏感文件泄露检测', 0, '检测url中各种敏感泄露文件的路径,如svn、git、sql、log、bak等,防止被攻击者利用', 'local m, d = waf.plugins.fileLeakDetection.check()\nif m then\n return true, d, true\nend\nreturn false', '2022-08-23 16:43:49');
INSERT INTO `waf_rules` VALUES (51, 3, '远程文件包含 (RFI)', 0, '该规则寻找常见类型的远程文件包含(RFI)攻击方法。\n#-PHP“include()”函数\n#-JSP <jsp:include page= 或 <c:import url=\n#-RFI主机与本地主机不匹配', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\nlocal host = waf.host\nlocal counter = waf.strCounter\nlocal str_find = string.find\nlocal str_sub = string.sub\n\nlocal function rMatch(v)\n local m = rgx(v, \"^(?:url:)?file|ftps?|https?)://(?:[^@]+@)?([^/]+\", \"joi\")\n if m then\n local i, j = str_find(v, host, 1, true)\n if i then\n if counter(str_sub(v, 1, j), \"/\") == 2 then\n return false\n end\n end\n end\n return m, v\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], rMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, rMatch)\n if m then\n return m, d, true\n end\nend\n\nreturn false', '2022-08-23 16:44:17');
INSERT INTO `waf_rules` VALUES (52, 3, 'Shellshock漏洞', 0, '检测对“Shellshock”(CVE-2014-6271和CVE-2014-7169) GNU Bash RCE漏洞的攻击。', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\nlocal requestLine = waf.requestLine\nlocal urlDecode = waf.urlDecode\n\nlocal function rMatch(v)\n local m = rgx(urlDecode(v), \"\\\\(\\\\s*\\\\)\\\\s+{\", \"jos\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal m, d = kvFilter(waf.reqHeaders, rMatch)\nif m then\n return m, d, true\nend\n\nlocal m, d = rMatch(requestLine)\nif m then\n return m, d, true\nend\n\nreturn false', '2022-08-23 16:44:48');
INSERT INTO `waf_rules` VALUES (53, 2, 'php安全规则集', 0, '检测php相关的对象序列化等漏洞', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\n\nlocal function sMatch(v)\n local m = rgx(v, \"php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)|(?:ssh2(?:.(?:s(?:(?:ft|c)p|hell)|tunnel|exec))?|z(?:lib|ip)|(?:ph|r)ar|expect|bzip2|glob|ogg)://\", \"joi\")\n if m then\n return m, v\n end\n m = rgx(v, \"[oOcC]:\\\\d+:\\\"\\\\w+\\\":\\\\d+:{.*?}\", \"jos\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal function fileContentMatch(v)\n local m = rgx(v, \"<\\\\?.+?\\\\$_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES|SESSION)|<\\\\?php\", \"jos\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], sMatch)\n if m then\n return m, d, true\n end\n m, d = waf.knFilter(form[\"FILES\"], fileContentMatch, 0)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal m, d = kvFilter(waf.reqHeaders, sMatch)\nif m then\n return m, d, true\nend\nreturn false', '2022-08-23 16:46:41');
INSERT INTO `waf_rules` VALUES (54, 2, '通用攻击', 0, '本规则拦截ruby、node、js、perl注入和SSRF攻击', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\n\nlocal function sMatch(v)\n local m = rgx(v, \"Process\\\\s*\\\\.\\\\s*spawn\\\\s*\\\\(\", \"jos\")\n if m then\n return m, \"Ruby Injection Attack: \"..v\n end\n m = rgx(v, \"t(?:his\\\\.constructor|runcateSync\\\\s*\\\\()|\\\\b(?:spawn|eval)\\\\s*\\\\(|_(?:\\\\$\\\\$ND_FUNC\\\\$\\\\$_|_js_function)|String\\\\s*\\\\.\\\\s*fromCharCode\", \"jos\")\n if m then\n return m, \"Node.js Injection Attack: \"..v\n end\n m = rgx(v, \"__proto__|constructor\\\\s*(?:\\\\.|\\\\[)\\\\s*prototype\", \"jos\")\n if m then\n return m, \"JavaScript Prototype Pollution: \"..v\n end\n m = rgx(v, \"(?:s(?:sh(?:2(?:.(?:s(?:(?:ft|c)p|hell)|tunnel|exec))?)?|m(?:[bs]|tps?)|vn(?:\\\\+ssh)?|n(?:ews|mp)|ips?|ftp|3)|p(?:op(?:3s?|2)|r(?:oxy|es)|h(?:ar|p)|aparazzi|syc)|c(?:ompress.(?:bzip2|zlib)|a(?:llto|p)|id|vs)|t(?:e(?:amspeak|lnet)|urns?|ftp)|f(?:i(?:nger|sh)|(?:ee)?d|tps?)|i(?:rc[6s]?|maps?|pps?|cap|ax)|d(?:a(?:ta|v)|n(?:tp|s)|ict)|m(?:a(?:ilto|ven)|umble|ms)|n(?:e(?:tdoc|ws)|ntps?|fs)|r(?:tm(?:f?p)?|sync|ar|mi)|v(?:iew-source|entrilo|nc)|a(?:ttachment|f[ps]|cap)|b(?:eshare|itcoin|lob)|g(?:o(?:pher)?|lob|it)|u(?:nreal|t2004|dp)|e(?:xpect|d2k)|h(?:ttps?|323)|w(?:ebcal|s?s)|ja(?:bbe)?r|x(?:mpp|ri)|ldap[is]?|ogg|zip):\\\\/\\\\/(?:(?:[\\\\d.]{0,11}(?:(?:\\\\xe2(?:\\\\x92(?:[\\\\x9c\\\\x9d\\\\x9e\\\\x9f\\\\xa0\\\\xa1\\\\xa2\\\\xa3\\\\xa4\\\\xa5\\\\xa6\\\\xa7\\\\xa8\\\\xa9\\\\xaa\\\\xab\\\\xac\\\\xad\\\\xae\\\\xaf\\\\xb0\\\\xb1\\\\xb2\\\\xb3\\\\xb4\\\\xb5]|[\\\\x88\\\\x89\\\\x8a\\\\x8b\\\\x8c\\\\x8d\\\\x8e\\\\x8f\\\\x90\\\\x91\\\\x92\\\\x93\\\\x94\\\\x95\\\\x96\\\\x97\\\\x98\\\\x99\\\\x9a\\\\x9b]|[\\\\xb6\\\\xb7\\\\xb8\\\\xb9\\\\xba\\\\xbb\\\\xbc\\\\xbd\\\\xbe\\\\xbf]|[\\\\x80\\\\x81\\\\x82\\\\x83\\\\x84\\\\x85\\\\x86\\\\x87])|\\\\x93(?:[\\\\x80\\\\x81\\\\x82\\\\x83\\\\x84\\\\x85\\\\x86\\\\x87\\\\x88\\\\x89\\\\x8a\\\\x8b\\\\x8c\\\\x8d\\\\x8e\\\\x8f]|[\\\\x9c\\\\x9d\\\\x9e\\\\x9f\\\\xa0\\\\xa1\\\\xa2\\\\xa3\\\\xa4\\\\xa5\\\\xa6\\\\xa7\\\\xa8\\\\xa9]|[\\\\x90\\\\x91\\\\x92\\\\x93\\\\x94\\\\x95\\\\x96\\\\x97\\\\x98\\\\x99\\\\x9a\\\\x9b]|[\\\\xbf\\\\xb5\\\\xb6\\\\xb7\\\\xb8\\\\xb9\\\\xba\\\\xbb\\\\xbc\\\\xbd\\\\xbe]|[\\\\xab\\\\xac\\\\xad\\\\xae\\\\xaf\\\\xb0\\\\xb1\\\\xb2\\\\xb3\\\\xb4])|\\\\x91(?:[\\\\xaa\\\\xa0\\\\xa1\\\\xa2\\\\xa3\\\\xa4\\\\xa5\\\\xa6\\\\xa7\\\\xa8\\\\xa9\\\\xaa\\\\xab\\\\xac\\\\xad\\\\xae\\\\xaf\\\\xb0\\\\xb1\\\\xb2\\\\xb3]|[\\\\xb4\\\\xb5\\\\xb6\\\\xb7\\\\xb8\\\\xb9\\\\xba\\\\xbb\\\\xbc\\\\xbd\\\\xbe\\\\xbf]))|\\\\xe3\\\\x80\\\\x82))+)|[a-z][\\\\w\\\\-\\\\.]{1,255}:\\\\d{1,5}(?:#?\\\\s*&?@(?:(?:\\\\d{1,3}\\\\.){3,3}\\\\d{1,3}|[a-z][\\\\w\\\\-\\\\.]{1,255}):\\\\d{1,5}\\\\/?)+|(?:0x[a-f0-9]{2}\\\\.){3}0x[a-f0-9]{2}|(?:0{1,4}\\\\d{1,3}\\\\.){3}0{1,4}\\\\d{1,3}|\\\\d{1,3}\\\\.(?:\\\\d{1,3}\\\\.\\\\d{5}|\\\\d{8})|0x(?:[a-f0-9]{16}|[a-f0-9]{8})|\\\\[[a-f\\\\d:]+(?:[\\\\d.]+|%\\\\w+)?\\\\]|(?:\\\\x5c\\\\x5c[a-z\\\\d-]\\\\.?_?)+|\\\\d{10})\", \"josi\")\n if m then\n return m, \"Possible Server Side Request Forgery (SSRF) Attack: \"..v\n end\n m = rgx(v, \"\\\\@\\\\{.*?\\\\}\", \"jos\")\n if m then\n return m, \"Perl Injection Attack: \"..v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal m, d = kvFilter(waf.reqHeaders, sMatch)\nif m then\n return m, d, true\nend\nreturn false\n', '2022-09-10 13:41:33');
INSERT INTO `waf_rules` VALUES (55, 3, 'java安全规则集', 0, '检测spring、struts、java序列化等相关安全漏洞', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\nlocal urlDecode = waf.urlDecode\nlocal requestLine = waf.requestLine\nlocal check = waf.plugins.javaClassDetection.check\n\nlocal function sMatch(v)\n local m = rgx(v, \"(?:\\\\$\\\\{)+(?:j(?:n|\\\\$\\\\{)|\\\\$\\\\{(?:\\\\w*:)+)\", \"joi\")\n if m then\n return m, \"Potential Log4j / Log4shell Attack: \" .. v\n end\n m = rgx(v, \"\\\\xac\\\\xed\\\\x00\\\\x05|rO0ABQ|KztAAU|Cs7QAF\", \"jo\")\n if m then\n return m, \"Magic bytes Detected, probable java serialization Attack: \" .. v\n end\n m = rgx(v, \"classLoader\\\\s*\\\\.\\\\s*resources\\\\s*\\\\.\\\\s*context\\\\s*\\\\.\\\\s*parent\\\\s*\\\\.\\\\s*pipeline|springframework\\\\s*\\\\.\\\\s*context\\\\s*\\\\.\\\\s*support\\\\s*\\\\.\\\\s*FileSystemXmlApplicationContext\", \"jos\")\n if m then\n return m, \"Spring Framework RCE(CVE-2022-22965): \" .. v\n end\n m = check(v)\n if m then\n return m, \"Potential dangerous java class: \" .. v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], sMatch)\n if m then\n return m, d, true\n end\n local raw = form[\"RAW\"]\n m = rgx(raw, \"\\\\xac\\\\xed\\\\x00\\\\x05|rO0ABQ|KztAAU|Cs7QAF\", \"jo\")\n if m then\n return m, raw, true\n end\n m = check(raw)\n if m then\n return m, raw, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal m, d = kvFilter(waf.reqHeaders, sMatch)\nif m then\n return m, d, true\nend\n\nlocal m = rgx(urlDecode(requestLine), \"(?:\\\\$\\\\{)+(?:j(?:n|\\\\$\\\\{)|\\\\$\\\\{(?:\\\\w*:)+)\", \"joi\")\nif m then\n return m, requestLine, true\nend\n\nreturn false\n', '2022-08-23 16:47:21');
INSERT INTO `waf_rules` VALUES (56, 3, 'XSS跨站脚本攻击', 0, '攻击者通常会在有漏洞的程序中插入 JavaScript、VBScript、 ActiveX或Flash以欺骗用户。一旦得手,他们可以盗取用户帐户,修改用户设置,盗取/污染cookie,做虚假广告等。', 'local kvFilter = waf.kvFilter\nlocal checkXSS = waf.checkXSS\n\n\nlocal function sMatch(v)\n if v then\n local m = checkXSS(v)\n if m then\n return m, v\n end\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, sMatch)\n if m then\n return m, d, true\n end\nend\n\nlocal m, d = sMatch(waf.userAgent)\nif m then\n return m, d, true\nend\n\nlocal m, d = sMatch(waf.referer)\nif m then\n return m, d, true\nend\n\nreturn false', '2022-08-24 12:10:21');
INSERT INTO `waf_rules` VALUES (57, 2, '固定会话(Session Fixation)攻击', 0, '会话固定攻击(session fixation attack)是利用应用系统在服务器的会话ID固定不变机制,借助他人用相同的会话ID获取认证和授权,然后利用该会话ID劫持他人的会话以成功冒充他人,造成会话固定攻击。参考:https://owasp.org/www-community/attacks/Session_fixation', 'local kvFilter = waf.kvFilter\nlocal rgx = waf.rgxMatch\nlocal referer = waf.referer\nlocal host = waf.host\nlocal endWith = waf.endWith\n\nlocal function sMatch(v)\n local m = rgx(v, \"\\\\bhttp-equiv\\\\W+set-cookie\\\\b\", \"joi\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal function nMatch(v)\n local m = rgx(v, \"^(?:jsessionid|aspsessionid|asp\\\\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$\", \"joi\")\n if m then\n return m, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local m, d = kvFilter(form[\"FORM\"], sMatch)\n if m then\n return m, d, true\n end\n for k, v in pairs(form[\"FORM\"]) do\n m, d = nMatch(k)\n if m then\n if not referer then\n if type(v) == \"table\" then\n v = table.concat(v)\n end\n return m, d .. \":\" .. v, true\n else\n m = ngx.re.match(referer, \"^https?://(.*?)/\", \"jo\")\n if m and not endWith(m[1], host) then\n if type(v) == \"table\" then\n v = table.concat(v)\n end\n return m, d .. \":\" .. v, true\n end\n end\n end\n end\nend\n\nlocal queryString = waf.queryString\nif queryString then\n local m, d = kvFilter(queryString, sMatch)\n if m then\n return m, d, true\n end\n for k, v in pairs(queryString) do\n m, d = nMatch(k)\n if m then\n if not referer then\n if type(v) == \"table\" then\n v = table.concat(v)\n end\n return m, d .. \":\" .. v, true\n else\n m = ngx.re.match(referer, \"^https?://(.*?)/\", \"jo\")\n if m and not endWith(m[1], host) then\n if type(v) == \"table\" then\n v = table.concat(v)\n end\n return m, d .. \":\" .. v, true\n end\n end\n end\n end\nend\n\nlocal cookies = waf.cookies\nif cookies then\n local m, d = kvFilter(cookies, sMatch)\n if m then\n return m, d, true\n end\nend\n\nreturn false', '2022-09-10 13:42:18');
INSERT INTO `waf_rules` VALUES (58, 2, '数据泄露检测', 2, '从返回页面检测列目录漏洞和源代码泄露问题', 'local rgx = waf.rgxMatch\nlocal rb = waf.respBody\n\nlocal m = rgx(rb, \"<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\\\\[To Parent Directory\\\\]</[Aa]><br>\", \"jo\")\nif m then\n return m, \"Directory Listing: \" .. rb, true\nend\n\nm = rgx(rb, \"^\\\\s*(?:#\\\\!\\\\s?/|<%|<\\\\?\\\\s*[^x]|<jsp:)\", \"jo\")\nif m then\n return m, \"Source code leak: \" .. rb, true\nend\n\nreturn false', '2022-08-24 11:31:33');
INSERT INTO `waf_rules` VALUES (59, 0, 'Java报错检测', 2, '返回页面的java报错可能会泄露服务器敏感信息', 'local check = waf.plugins.javaErrorDetection.check\nlocal rb = waf.respBody\n\nif waf.status == 500 then\n local m,d = check(rb)\n if m then\n return m, \"Java error: \" .. d, true\n end\nend\n\nreturn false', '2022-08-24 11:31:49');
INSERT INTO `waf_rules` VALUES (60, 2, 'SQL报错检测', 2, '返回页面的sql报错可能会泄露服务器敏感信息', 'local check = waf.plugins.sqlErrorDetection.check\nlocal rb = waf.respBody\nlocal rgx = waf.rgxMatch\nlocal has = waf.contains\n\nif waf.status == 500 then\n local m = check(rb)\n if m then\n if rgx(rb, \"JET Database Engine|Access Database Engine|\\\\[Microsoft\\\\]\\\\[ODBC Microsoft Access Driver\\\\]\", \"jo\") then\n return m, \"Microsoft Access SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"ORA-[0-9][0-9][0-9][0-9]|java\\\\.sql\\\\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*\", \"jo\") then\n return m, \"Oracle SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"DB2 SQL error:|\\\\[IBM\\\\]\\\\[CLI Driver\\\\]\\\\[DB2/6000\\\\]|CLI Driver.*DB2|DB2 SQL error|db2_\\\\w+\\\\(\", \"jo\") then\n return m, \"DB2 SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"\\\\[DM_QUERY_E_SYNTAX\\\\]|has occurred in the vicinity of:\", \"jo\") then\n return m, \"EMC SQL Information Leakage: \" .. rb, true\n end\n if has(rb, \"Dynamic SQL Error\") then\n return m, \"firebird SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"Exception (?:condition )?\\\\d+\\\\. Transaction rollback\\\\.\", \"jo\") then\n return m, \"Frontbase SQL Information Leakage: \" .. rb, true\n end\n if has(rb, \"org.hsqldb.jdbc\") then\n return m, \"hsqldb SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"An illegal character has been found in the statement|com\\\\.informix\\\\.jdbc|Exception.*Informix\", \"jo\") then\n return m, \"informix SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"Warning.*ingres_|Ingres SQLSTATE|Ingres\\\\W.*Driver\", \"jo\") then\n return m, \"ingres SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"<b>Warning</b>: ibase_|Unexpected end of command in statement\", \"jo\") then\n return m, \"interbase SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"SQL error.*POS[0-9]+|Warning.*maxdb\", \"jo\") then\n return m, \"maxDB SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"System\\\\.Data\\\\.OleDb\\\\.OleDbException|\\\\[Microsoft\\\\]\\\\[ODBC SQL Server Driver\\\\]|\\\\[Macromedia\\\\]\\\\[SQLServer JDBC Driver\\\\]|\\\\[SqlException|System\\\\.Data\\\\.SqlClient\\\\.SqlException|Unclosed quotation mark after the character string|\'80040e14\'|mssql_query\\\\(\\\\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\\\\.|ADODB\\\\.Field \\\\(0x800A0BCD\\\\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\\\\WSystem\\\\.Data\\\\.SqlClient\\\\.\", \"jo\") then\n return m, \"Mssql SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"MyS(?:QL server version for the right syntax to use|qlClient\\\\.)|(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn\'t match(?: value count at row)?|(?:Table \'[^\']+\' doesn\'t exis|valid MySQL resul)t|You have an error in your SQL syntax(?: near|;)|Warning.{1,10}mysql_(?:[a-z_()]{1,26})?|ERROR [0-9]{4} \\\\([a-z0-9]{5}\\\\):|mysql_fetch_array\\\\(\\\\)|on MySQL result index|\\\\[MySQL\\\\]\\\\[ODBC\", \"jo\") then\n return m, \"Mysql SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"PostgreSQL query failed:|pg_query\\\\(\\\\) \\\\[:|pg_exec\\\\(\\\\) \\\\[:|PostgreSQL.{1,20}ERROR|Warning.*\\\\bpg_.*|valid PostgreSQL result|Npgsql\\\\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server\", \"jo\") then\n return m, \"Postgres SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"Warning.*sqlite_|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\\\\.Exception|System\\\\.Data\\\\.SQLite\\\\.SQLiteException\", \"jo\") then\n return m, \"SQLite SQL Information Leakage: \" .. rb, true\n end\n if rgx(rb, \"Sybase message:|Warning.{2,20}sybase|Sybase.*Server message\", \"jo\") then\n return m, \"Sybase SQL Information Leakage: \" .. rb, true\n end\n end\nend\n\nreturn false', '2022-08-24 11:31:57');
INSERT INTO `waf_rules` VALUES (61, 0, 'php报错检测', 2, '返回页面的php报错可能会泄露服务器敏感信息', 'local check = waf.plugins.phpErrorDetection.check\nlocal rb = waf.respBody\n\nif waf.status == 500 then\n local m, d = check(rb)\n if m then\n return m, \"php error: \" .. d, true\n end\nend\n\nreturn false', '2022-08-24 11:32:04');
INSERT INTO `waf_rules` VALUES (62, 0, 'IIS报错检测', 2, 'IIS返回页面的报错可能会泄露服务器敏感信息', 'local rgx = waf.rgxMatch\nlocal rb = waf.respBody\n\nlocal m = rgx(rb, \"[a-z]:\\\\x5cinetpub\\\\b\", \"jo\")\nif m then\n return m, rb, true\nend\n\nif waf.status == 500 then\n local m = rgx(rb, \"Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error \'800(?:04005|40e31)\'.{1,40}?Timeout expired| \\\\(0x80040e31\\\\)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error\\\\.</h2>|cannot connect to the server: timed out\", \"jo\")\n if m then\n return m, rb, true\n end\n local m = rgx(rb, \"\\\\b(?:A(?:DODB\\\\.Command\\\\b.{0,100}?\\\\b(?:Application uses a value of the wrong type for the current operation\\\\b|error\')| trappable error occurred in an external object\\\\. The script cannot continue running\\\\b)|Microsoft VBScript (?:compilation (?:\\\\(0x8|error)|runtime (?:Error|\\\\(0x8))\\\\b|Object required: \'|error \'800)|<b>Version Information:</b>(?: |\\\\s)(?:Microsoft \\\\.NET Framework|ASP\\\\.NET) Version:|>error \'ASP\\\\b|An Error Has Occurred|>Syntax error in string in query expression|/[Ee]rror[Mm]essage\\\\.aspx?\\\\?[Ee]rror\\\\b\", \"jo\")\n if m then\n return m, rb, true\n end\nend\n\nif waf.status == 404 then\n local m = rgx(rb, \"\\\\bServer Error in.{0,50}?\\\\bApplication\\\\b\", \"jo\")\n if m then\n return m, rb, true\n end\nend\n\nreturn false', '2022-08-24 11:32:15');
INSERT INTO `waf_rules` VALUES (63, 3, 'json格式校验', 0, '高级攻击者会构造一些异常json绕过WAF检测,该规则对json格式进行安全校验,可以拦截异常json请求。', 'local form = waf.form\nlocal rct = waf.reqContentType\nlocal rgx = waf.rgxMatch\n\nif rct and waf.contains(waf.toLower(rct), \"application/json\") and form then\n local raw = form[\"RAW\"]\n if raw then\n if rgx(raw, \"^\\\\s*$\", \"jos\") then\n return false\n end\n local err = waf.checkJson(raw)\n if err then\n return true, err .. \":\" .. raw, true\n end\n end\nend\n\nreturn false', '2022-09-05 17:21:41');
INSERT INTO `waf_rules` VALUES (64, 3, 'fastjson漏洞拦截', 0, '拦截fastjson漏洞漏洞攻击', 'local jsonFilter = waf.jsonFilter\n\nlocal function rMatch(v)\n if v == \"@type\" then\n return true, v\n end\n return false\nend\n\nlocal form = waf.form\nif form then\n local raw = form[\"RAW\"]\n local m = jsonFilter(raw, rMatch, false)\n if m then\n return m, raw, true\n end\nend\n\nreturn false', '2022-09-02 19:00:52');
INSERT INTO `waf_rules` VALUES (65, 1, '弱口令检测', 0, '检测常见登录页面的弱口令问题', 'local check = waf.plugins.weakPwdDetection.check\nlocal toLower = waf.toLower\nlocal has = waf.contains\n\nlocal form = waf.form\nlocal uri = toLower(waf.uri)\nif form and (has(uri, \"login\") or has(uri, \"logon\") or has(uri, \"signin\")) then\n local f = form[\"FORM\"]\n if f then\n for k, v in pairs(f) do\n k = toLower(k)\n if (k == \"pass\" or has(k, \"pwd\") or has(k, \"passwd\") or has(k, \"password\")) and check(v) then\n return true, form[\"RAW\"], false\n end\n end\n end\nend\n\nreturn false', '2022-11-24 18:30:06');
INSERT INTO `waf_rules` VALUES (66, 0, '防CC攻击规则', 0, '当一分钟访问/api/路径频率超过360次,则在5分钟内拦截该ip访问', 'if not waf.startWith(waf.toLower(waf.uri), \"/api/\") then\n return false\nend\n\nlocal sh = ngx.shared.ipCache\nlocal ccIp = \'cc-\' .. waf.ip\nlocal c, f = sh:get(ccIp)\nif not c then\n sh:set(ccIp, 1, 60, 1) -- 设置1分钟也就是60秒访问计数时间\nelse\n if f == 2 then\n return waf.block(true) -- 重置TCP连接,不记录日志\n end\n sh:incr(ccIp, 1)\n if c + 1 >= 360 then\n sh:set(ccIp, c + 1, 300, 2) -- 设置5分钟也就是300秒拦截时间\n return true, ccIp, true\n end\nend\n\nreturn false', '2022-10-08 18:46:51');
INSERT INTO `waf_rules` VALUES (67, 1, '机器人攻击防护', 0, '通过生成滑动旋转验证码来拦截机器人攻击,如漏洞扫描、网络爬虫、CC攻击等自动化攻击行为,Token有效期30分钟。', 'local sh = ngx.shared.ipCache\nlocal robotIp = \'rb:\' .. waf.ip\nlocal c, f = sh:get(robotIp)\n\n-- 如果是静态页面且没有进行滑动旋转验证码验证则返回\nif not (waf.isQueryString or waf.reqContentLength > 0) and f ~= 2 then\n return false\nend\n\nif not c then\n sh:set(robotIp, 1, 60, 1) -- 设置1分钟也就是60秒访问计数时间段\nelse\n if f == 2 then\n return waf.checkRobot(waf) -- 启动机器人滑动旋转验证码验证\n end\n sh:incr(robotIp, 1)\n if c + 1 >= 360 then\n sh:set(robotIp, c + 1, 1800, 2) -- 达到了60秒内请求超过360次的阈值,进入机器人验证模式\n return true, robotIp, true\n end\nend\n\nreturn false', '2023-04-18 17:30:55');
-- ----------------------------
-- Table structure for waf_sites
-- ----------------------------
DROP TABLE IF EXISTS `waf_sites`;
CREATE TABLE `waf_sites` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`host` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL,
`mode` tinyint(1) NOT NULL DEFAULT 1,
`rules` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL,
`ip_whitelist` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL,
`url_whitelist` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL,
`deny_page` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL,
`is_websocket` tinyint(1) NOT NULL DEFAULT 0,
`is_ml` tinyint(1) NOT NULL DEFAULT 0,
`skip_cache` tinyint(1) NOT NULL DEFAULT 0,
`ip_source` tinyint(1) NOT NULL DEFAULT 0,
`ip_order` int(11) NOT NULL DEFAULT 2,
`upstream` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = COMPACT;
-- ----------------------------
-- Records of waf_sites
-- ----------------------------
INSERT INTO `waf_sites` VALUES (1, 'www.uusec.com', '', 1, '{\"10\":0,\"11\":0,\"12\":0,\"14\":0,\"15\":0,\"16\":0,\"17\":0,\"18\":0,\"19\":0,\"20\":0,\"21\":0,\"22\":0,\"23\":0,\"24\":0,\"25\":0,\"26\":0,\"27\":0,\"28\":0,\"29\":0,\"41\":0,\"43\":0,\"44\":0,\"45\":0,\"46\":0,\"47\":0,\"48\":0,\"49\":0,\"50\":0,\"51\":0,\"52\":0,\"53\":0,\"54\":0,\"55\":0,\"56\":0,\"57\":0,\"58\":2,\"59\":2,\"60\":2,\"61\":2,\"62\":2,\"63\":0,\"64\":0,\"65\":0}', '[\"\"]', '[\"\"]', '', 1, 0, 0, 0, 2, '{ \"type\":\"roundrobin\", \"scheme\":\"http\", \"servers\": { \"76.76.21.164:80\":1 } }', '2022-10-05 16:00:17');
-- ----------------------------
-- Table structure for waf_stats
-- ----------------------------
DROP TABLE IF EXISTS `waf_stats`;
CREATE TABLE `waf_stats` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`day` varchar(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`visits` bigint(20) NOT NULL DEFAULT 0,
`clients` bigint(20) NOT NULL DEFAULT 0,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`) USING BTREE,
INDEX `idx_day`(`day`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 32 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = Compact;
-- ----------------------------
-- Table structure for waf_users
-- ----------------------------
DROP TABLE IF EXISTS `waf_users`;
CREATE TABLE `waf_users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`usr` varchar(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`pwd` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`fail` int(11) NOT NULL DEFAULT 0,
`update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
`role` tinyint(4) NOT NULL,
`otp` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
`first` tinyint(1) NOT NULL DEFAULT 1,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 2 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_unicode_ci ROW_FORMAT = Compact;
-- ----------------------------
-- Records of waf_users
-- ----------------------------
INSERT INTO `waf_users` VALUES (1, 'admin', '$2a$10$novLr.VMetYWbdwb2701Ie2HmfpW8TmsXtQ5hLPYJoaPXbtSfGnSC', 0, '2022-10-08 08:16:26', 0, 'otpauth://totp/uuWAF:admin?algorithm=SHA256&digits=6&issuer=uuWAF&period=30&secret=EXKFN3EFNMBUDZVRPR6SB6EWYNIFXJW2', 1);
SET FOREIGN_KEY_CHECKS = 1;
追梦赤子心:domsn.com
签名:这个人很懒,什么也没有留下!
收藏的用户(0)
X
正在加载信息~
最新回复 (0)