Switching from WAF scripts to identYwaf (avoiding redundant work from my side)
parent
ef7d4bb404
commit
0c79504ff1
|
@ -276,6 +276,8 @@ be bound by the terms and conditions of this License Agreement.
|
|||
|
||||
* The `bottle` web framework library located under `thirdparty/bottle/`.
|
||||
Copyright (C) 2012, Marcel Hellkamp.
|
||||
* The `identYwaf` library located under `thirdparty/identywaf/`.
|
||||
Copyright (C) 2019, Miroslav Stampar.
|
||||
* The `ordereddict` library located under `thirdparty/odict/`.
|
||||
Copyright (C) 2009, Raymond Hettinger.
|
||||
* The `six` Python 2 and 3 compatibility library located under `thirdparty/six/`.
|
||||
|
|
|
@ -108,6 +108,7 @@ from lib.request.templates import getPageTemplate
|
|||
from lib.techniques.union.test import unionTest
|
||||
from lib.techniques.union.use import configUnion
|
||||
from thirdparty import six
|
||||
from thirdparty.identywaf import identYwaf
|
||||
from thirdparty.six.moves import http_client as _http_client
|
||||
|
||||
def checkSqlInjection(place, parameter, value):
|
||||
|
@ -1402,119 +1403,54 @@ def checkWaf():
|
|||
kb.resendPostOnRedirect = popValue()
|
||||
kb.redirectChoice = popValue()
|
||||
|
||||
# TODO: today
|
||||
if retVal:
|
||||
warnMsg = "heuristics detected that the target "
|
||||
warnMsg += "is protected by some kind of WAF/IPS"
|
||||
logger.critical(warnMsg)
|
||||
pass
|
||||
# identYwaf
|
||||
#if conf.timeout == defaults.timeout:
|
||||
#logger.warning("dropping timeout to %d seconds (i.e. '--timeout=%d')" % (IDS_WAF_CHECK_TIMEOUT, IDS_WAF_CHECK_TIMEOUT))
|
||||
#conf.timeout = IDS_WAF_CHECK_TIMEOUT
|
||||
|
||||
if not conf.identifyWaf:
|
||||
message = "do you want sqlmap to try to detect backend "
|
||||
message += "WAF/IPS? [y/N] "
|
||||
# identYwaf
|
||||
|
||||
if readInput(message, default='N', boolean=True):
|
||||
conf.identifyWaf = True
|
||||
#def _(*args, **kwargs):
|
||||
#page, headers, code = None, None, None
|
||||
#try:
|
||||
#pushValue(kb.redirectChoice)
|
||||
#pushValue(kb.resendPostOnRedirect)
|
||||
|
||||
if conf.timeout == defaults.timeout:
|
||||
logger.warning("dropping timeout to %d seconds (i.e. '--timeout=%d')" % (IDS_WAF_CHECK_TIMEOUT, IDS_WAF_CHECK_TIMEOUT))
|
||||
conf.timeout = IDS_WAF_CHECK_TIMEOUT
|
||||
#kb.redirectChoice = REDIRECTION.YES
|
||||
#kb.resendPostOnRedirect = True
|
||||
|
||||
#if kwargs.get("get"):
|
||||
#kwargs["get"] = urlencode(kwargs["get"])
|
||||
#kwargs["raise404"] = False
|
||||
#kwargs["silent"] = True
|
||||
#kwargs["finalCode"] = True
|
||||
|
||||
#page, headers, code = Request.getPage(*args, **kwargs)
|
||||
#except Exception:
|
||||
#pass
|
||||
#finally:
|
||||
#kb.resendPostOnRedirect = popValue()
|
||||
#kb.redirectChoice = popValue()
|
||||
|
||||
|
||||
#message = "are you sure that you want to "
|
||||
#message += "continue with further target testing? [y/N] "
|
||||
#choice = readInput(message, default='N', boolean=True)
|
||||
|
||||
#if not conf.tamper:
|
||||
#warnMsg = "please consider usage of tamper scripts (option '--tamper')"
|
||||
#singleTimeWarnMessage(warnMsg)
|
||||
|
||||
#if not choice:
|
||||
#raise SqlmapUserQuitException
|
||||
|
||||
hashDBWrite(HASHDB_KEYS.CHECK_WAF_RESULT, retVal, True)
|
||||
|
||||
return retVal
|
||||
|
||||
@stackedmethod
|
||||
def identifyWaf():
|
||||
if not conf.identifyWaf:
|
||||
return None
|
||||
|
||||
if not kb.wafFunctions:
|
||||
setWafFunctions()
|
||||
|
||||
kb.testMode = True
|
||||
|
||||
infoMsg = "using WAF scripts to detect "
|
||||
infoMsg += "backend WAF/IPS protection"
|
||||
logger.info(infoMsg)
|
||||
|
||||
@cachedmethod
|
||||
def _(*args, **kwargs):
|
||||
page, headers, code = None, None, None
|
||||
try:
|
||||
pushValue(kb.redirectChoice)
|
||||
pushValue(kb.resendPostOnRedirect)
|
||||
|
||||
kb.redirectChoice = REDIRECTION.YES
|
||||
kb.resendPostOnRedirect = True
|
||||
|
||||
if kwargs.get("get"):
|
||||
kwargs["get"] = urlencode(kwargs["get"])
|
||||
kwargs["raise404"] = False
|
||||
kwargs["silent"] = True
|
||||
kwargs["finalCode"] = True
|
||||
|
||||
page, headers, code = Request.getPage(*args, **kwargs)
|
||||
except Exception:
|
||||
pass
|
||||
finally:
|
||||
kb.resendPostOnRedirect = popValue()
|
||||
kb.redirectChoice = popValue()
|
||||
|
||||
return page or "", headers or {}, code
|
||||
|
||||
retVal = []
|
||||
|
||||
for function, product in kb.wafFunctions:
|
||||
if retVal and "unknown" in product.lower():
|
||||
continue
|
||||
|
||||
try:
|
||||
logger.debug("checking for WAF/IPS product '%s'" % product)
|
||||
found = function(_)
|
||||
except Exception as ex:
|
||||
errMsg = "exception occurred while running "
|
||||
errMsg += "WAF script for '%s' ('%s')" % (product, getSafeExString(ex))
|
||||
logger.critical(errMsg)
|
||||
|
||||
found = False
|
||||
|
||||
if found:
|
||||
errMsg = "WAF/IPS identified as '%s'" % product
|
||||
logger.critical(errMsg)
|
||||
|
||||
retVal.append(product)
|
||||
|
||||
if retVal:
|
||||
if kb.wafSpecificResponse and "You don't have permission to access" not in kb.wafSpecificResponse and len(retVal) == 1 and "unknown" in retVal[0].lower():
|
||||
handle, filename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.SPECIFIC_RESPONSE)
|
||||
os.close(handle)
|
||||
with openFile(filename, "w+b") as f:
|
||||
f.write(kb.wafSpecificResponse)
|
||||
|
||||
message = "WAF/IPS specific response can be found in '%s'. " % filename
|
||||
message += "If you know the details on used protection please "
|
||||
message += "report it along with specific response "
|
||||
message += "to '%s'" % DEV_EMAIL_ADDRESS
|
||||
logger.warn(message)
|
||||
|
||||
message = "are you sure that you want to "
|
||||
message += "continue with further target testing? [y/N] "
|
||||
choice = readInput(message, default='N', boolean=True)
|
||||
|
||||
if not conf.tamper:
|
||||
warnMsg = "please consider usage of tamper scripts (option '--tamper')"
|
||||
singleTimeWarnMessage(warnMsg)
|
||||
|
||||
if not choice:
|
||||
raise SqlmapUserQuitException
|
||||
else:
|
||||
warnMsg = "WAF/IPS product hasn't been identified"
|
||||
logger.warn(warnMsg)
|
||||
|
||||
kb.testType = None
|
||||
kb.testMode = False
|
||||
|
||||
return retVal
|
||||
|
||||
@stackedmethod
|
||||
def checkNullConnection():
|
||||
"""
|
||||
|
@ -1666,6 +1602,3 @@ def checkInternet():
|
|||
|
||||
def setVerbosity(): # Cross-referenced function
|
||||
raise NotImplementedError
|
||||
|
||||
def setWafFunctions(): # Cross-referenced function
|
||||
raise NotImplementedError
|
||||
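Review bot: In checkWaf() (second hunk of this file), the `if retVal:` branch appears to be left with only `pass` and commented-out code under `# TODO: today`, so a positive heuristic result is still stored by `hashDBWrite(HASHDB_KEYS.CHECK_WAF_RESULT, retVal, True)` and returned, but the operator is no longer warned or asked whether to continue. The +/- markers are lost on this page, so this reading is inferred from the hunk counts (`-1402,119 +1403,54`), and checkWaf() itself starts outside the hunk. Until the identYwaf call is wired in, I would keep `logger.critical(warnMsg)` with the existing "heuristics detected that the target is protected by some kind of WAF/IPS" text, so that findings gathered behind a filtering device are not read as a clean negative. The `from thirdparty.identywaf import identYwaf` import added in the first hunk has no visible use in this section, and the commented-out block would be better tracked in an issue than kept in the function body.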
|
|
|
@ -20,7 +20,6 @@ from lib.controller.checks import checkInternet
|
|||
from lib.controller.checks import checkNullConnection
|
||||
from lib.controller.checks import checkWaf
|
||||
from lib.controller.checks import heuristicCheckSqlInjection
|
||||
from lib.controller.checks import identifyWaf
|
||||
from lib.core.agent import agent
|
||||
from lib.core.common import dataToStdout
|
||||
from lib.core.common import extractRegexResult
|
||||
|
@ -423,9 +422,6 @@ def start():
|
|||
|
||||
checkWaf()
|
||||
|
||||
if conf.identifyWaf:
|
||||
identifyWaf()
|
||||
|
||||
if conf.nullConnection:
|
||||
checkNullConnection()
|
||||
|
||||
|
|
|
@ -904,42 +904,6 @@ def _setPreprocessFunctions():
|
|||
errMsg += "(Note: find template script at '%s')" % filename
|
||||
raise SqlmapGenericException(errMsg)
|
||||
|
||||
def _setWafFunctions():
|
||||
"""
|
||||
Loads WAF/IPS detecting functions from script(s)
|
||||
"""
|
||||
|
||||
if conf.identifyWaf:
|
||||
for found in glob.glob(os.path.join(paths.SQLMAP_WAF_PATH, "*.py")):
|
||||
dirname, filename = os.path.split(found)
|
||||
dirname = os.path.abspath(dirname)
|
||||
|
||||
if filename == "__init__.py":
|
||||
continue
|
||||
|
||||
debugMsg = "loading WAF script '%s'" % filename[:-3]
|
||||
logger.debug(debugMsg)
|
||||
|
||||
if dirname not in sys.path:
|
||||
sys.path.insert(0, dirname)
|
||||
|
||||
try:
|
||||
if filename[:-3] in sys.modules:
|
||||
del sys.modules[filename[:-3]]
|
||||
module = __import__(safeFilepathEncode(filename[:-3]))
|
||||
except ImportError as ex:
|
||||
raise SqlmapSyntaxException("cannot import WAF script '%s' (%s)" % (getUnicode(filename[:-3]), getSafeExString(ex)))
|
||||
|
||||
_ = dict(inspect.getmembers(module))
|
||||
if "detect" not in _:
|
||||
errMsg = "missing function 'detect(get_page)' "
|
||||
errMsg += "in WAF script '%s'" % found
|
||||
raise SqlmapGenericException(errMsg)
|
||||
else:
|
||||
kb.wafFunctions.append((_["detect"], _.get("__product__", filename[:-3])))
|
||||
|
||||
kb.wafFunctions = sorted(kb.wafFunctions, key=lambda _: "generic" in _[1].lower())
|
||||
|
||||
def _setThreads():
|
||||
if not isinstance(conf.threads, int) or conf.threads <= 0:
|
||||
conf.threads = 1
|
||||
|
@ -2394,10 +2358,6 @@ def _basicOptionValidation():
|
|||
errMsg = "option '-d' is incompatible with option '--dbms'"
|
||||
raise SqlmapSyntaxException(errMsg)
|
||||
|
||||
if conf.identifyWaf and conf.skipWaf:
|
||||
errMsg = "switch '--identify-waf' is incompatible with switch '--skip-waf'"
|
||||
raise SqlmapSyntaxException(errMsg)
|
||||
|
||||
if conf.titles and conf.nullConnection:
|
||||
errMsg = "switch '--titles' is incompatible with switch '--null-connection'"
|
||||
raise SqlmapSyntaxException(errMsg)
|
||||
|
@ -2630,7 +2590,6 @@ def init():
|
|||
_listTamperingFunctions()
|
||||
_setTamperingFunctions()
|
||||
_setPreprocessFunctions()
|
||||
_setWafFunctions()
|
||||
_setTrafficOutputFP()
|
||||
_setupHTTPCollector()
|
||||
_setHttpChunked()
|
||||
|
|
|
@ -229,7 +229,6 @@ optDict = {
|
|||
"dependencies": "boolean",
|
||||
"disableColoring": "boolean",
|
||||
"googlePage": "integer",
|
||||
"identifyWaf": "boolean",
|
||||
"listTampers": "boolean",
|
||||
"mobile": "boolean",
|
||||
"offline": "boolean",
|
||||
|
|
|
@ -28,7 +28,6 @@ from lib.core.common import shellExec
|
|||
from lib.core.convert import stdoutEncode
|
||||
from lib.core.option import _setHTTPHandlers
|
||||
from lib.core.option import setVerbosity
|
||||
from lib.core.option import _setWafFunctions
|
||||
from lib.core.settings import IS_WIN
|
||||
from thirdparty.six.moves import http_client as _http_client
|
||||
|
||||
|
@ -70,7 +69,6 @@ def resolveCrossReferences():
|
|||
lib.request.connect.setHTTPHandlers = _setHTTPHandlers
|
||||
lib.utils.search.setHTTPHandlers = _setHTTPHandlers
|
||||
lib.controller.checks.setVerbosity = setVerbosity
|
||||
lib.controller.checks.setWafFunctions = _setWafFunctions
|
||||
lib.utils.sqlalchemy.getSafeExString = getSafeExString
|
||||
thirdparty.ansistrm.ansistrm.stdoutEncode = stdoutEncode
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ from lib.core.enums import OS
|
|||
from thirdparty.six import unichr as _unichr
|
||||
|
||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||
VERSION = "1.3.5.130"
|
||||
VERSION = "1.3.5.131"
|
||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||
|
|
|
@ -652,9 +652,6 @@ def cmdLineParser(argv=None):
|
|||
miscellaneous.add_option("--gpage", dest="googlePage", type="int",
|
||||
help="Use Google dork results from specified page number")
|
||||
|
||||
miscellaneous.add_option("--identify-waf", dest="identifyWaf", action="store_true",
|
||||
help="Make a thorough testing for a WAF/IPS protection")
|
||||
|
||||
miscellaneous.add_option("--list-tampers", dest="listTampers", action="store_true",
|
||||
help="Display list of available tamper scripts")
|
||||
|
||||
|
|
|
@ -788,10 +788,6 @@ disableColoring = False
|
|||
# Default: 1
|
||||
googlePage = 1
|
||||
|
||||
# Make a thorough testing for a WAF/IPS protection.
|
||||
# Valid: True or False
|
||||
identifyWaf = False
|
||||
|
||||
# Display list of available tamper scripts
|
||||
# Valid: True or False
|
||||
listTampers = False
|
||||
|
|
|
@ -270,7 +270,6 @@ paths:
|
|||
tmpPath: null
|
||||
titles: false
|
||||
getSchema: false
|
||||
identifyWaf: false
|
||||
paramDel: null
|
||||
safeReqFile: null
|
||||
regKey: null
|
||||
|
|
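--- a/thirdparty/identywaf/LICENSE
+++ b/thirdparty/identywaf/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Miroslav Stampar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.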
0
thirdparty/identywaf/__init__.py
vendored
Normal file
885
thirdparty/identywaf/data.json
vendored
Normal file
|
@ -0,0 +1,885 @@
|
|||
{
|
||||
"__copyright__": "Copyright (c) 2019 Miroslav Stampar (@stamparm), MIT. See the file 'LICENSE' for copying permission",
|
||||
"__notice__": "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software",
|
||||
|
||||
"payloads": [
|
||||
"HTML::<img>",
|
||||
"SQLi::1 AND 1",
|
||||
"SQLi::1/**/AND/**/1",
|
||||
"SQLi::1/*0AND*/1",
|
||||
"SQLi::1 AND 1=1",
|
||||
"SQLi::1 AND 1 LIKE 1",
|
||||
"SQLi::1 AND 1 BETWEEN 0 AND 1",
|
||||
"SQLi::1 AND 2>(SELECT 1)-- -",
|
||||
"SQLi::' OR SLEEP(5) OR '",
|
||||
"SQLi::admin'-- -",
|
||||
"SQLi::information_schema",
|
||||
"SQLi::;DROP TABLE mysql.users",
|
||||
"SQLi::';DROP DATABASE mysql#",
|
||||
"SQLi::1/**/UNION/**/SELECT/**/1/**/FROM/**/information_schema.*",
|
||||
"SQLi::SELECT id FROM users WHERE id>2",
|
||||
"SQLi::1 UNION SELECT information_schema.*",
|
||||
"SQLi::1;EXEC xp_cmdshell('type autoexec.bat');",
|
||||
"SQLi::1;INSERT INTO USERS values('admin', 'foobar')",
|
||||
"XSS::<img src=x onerror=alert('XSS')>",
|
||||
"XSS::<img onfoo=f()>",
|
||||
"XSS::<script>",
|
||||
"XSS::<script>alert('XSS')</script>",
|
||||
"XSS::\\\";alert('XSS');//",
|
||||
"XSS::1' onerror=alert(String.fromCharCode(88,83,83))>",
|
||||
"XSS::<![CDATA[<script>var n=0;while(true){n++;}</script>]]>",
|
||||
"XSS::<meta http-equiv=\"refresh\" content=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">",
|
||||
"XSS::javascript:alert(/XSS/)",
|
||||
"XSS::<marquee onstart=alert(1)>",
|
||||
"XPATHi::' and count(/*)=1 and '1'='1",
|
||||
"XPATHi::count(/child::node())",
|
||||
"XPATHi::' and count(/comment())=1 and '1'='1",
|
||||
"XPATHi::' or '1'='1",
|
||||
"XXE::<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>",
|
||||
"LDAPi::admin*)((|userpassword=*)",
|
||||
"LDAPi::user=*)(uid=*))(|(uid=*",
|
||||
"LDAPi::*(|(objectclass=*))",
|
||||
"NOSQLi::true, $where: '1 == 1'",
|
||||
"NOSQLi::{ $ne: 1 }",
|
||||
"NOSQLi::' } ], $comment:'success'",
|
||||
"PHPi::<?php include_once(\"/etc/passwd\"); ?>",
|
||||
"ACE::netstat -antup | grep :443; ping 127.0.0.1; curl http://www.google.com",
|
||||
"PT:://///.htaccess",
|
||||
"PT::/etc/passwd",
|
||||
"PT::../../boot.ini",
|
||||
"PT::C:/inetpub/wwwroot/global.asa"
|
||||
],
|
||||
"wafs": {
|
||||
"360": {
|
||||
"company": "360",
|
||||
"name": "360",
|
||||
"regex": "<title>493</title>|/wzws-waf-cgi/",
|
||||
"signatures": [
|
||||
"9778:RVZXum61OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"aesecure": {
|
||||
"company": "aeSecure",
|
||||
"name": "aeSecure",
|
||||
"regex": "aesecure_denied\\.png|aesecure-code: \\d+",
|
||||
"signatures": [
|
||||
"8a4b:RVdXu260OEhCWapBYKcPk4JzWOtohM4JiUcMrmRXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZnxtDtBeq+c36A4chW1XaTD"
|
||||
]
|
||||
},
|
||||
"airlock": {
|
||||
"company": "Phion/Ergon",
|
||||
"name": "Airlock",
|
||||
"regex": "The server detected a syntax error in your request",
|
||||
"signatures": [
|
||||
"3e2c:RVZXu261OEhCWapBYKcPk4JzWOtohM4IiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59n+i6c4RmkwI2FZjxtDtAeq6c36A5chW1XaTD"
|
||||
]
|
||||
},
|
||||
"alertlogic": {
|
||||
"company": "Alert Logic",
|
||||
"name": "Alert Logic",
|
||||
"regex": "(?s)timed_redirect\\(seconds, url\\).+?<p class=\"lid\">Reference ID:",
|
||||
"signatures": []
|
||||
},
|
||||
"aliyundun": {
|
||||
"company": "Alibaba Cloud Computing",
|
||||
"name": "AliYunDun",
|
||||
"regex": "Sorry, your request has been blocked as it may cause potential threats to the server's security|//errors\\.aliyun\\.com/",
|
||||
"signatures": [
|
||||
"e082:RVZXum61OElCWapAYKYPkoJzWOpohM4JiUYMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"anquanbao": {
|
||||
"company": "Anquanbao",
|
||||
"name": "Anquanbao",
|
||||
"regex": "/aqb_cc/error/",
|
||||
"signatures": [
|
||||
"c790:RVZXum61OElCWapAYKYPk4JzWOpohM4JiUYMr2RXg1uQJbX3uhdOn9hsOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"d3d3:RVZXum61OElCWapAYKYPk4JzWOpohM4JiUYMr2RXg1uQJbX3uhdOn9hsOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"approach": {
|
||||
"company": "Approach",
|
||||
"name": "Approach",
|
||||
"regex": "Approach.+?Web Application (Firewall|Filtering)",
|
||||
"signatures": [
|
||||
"fef0:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XKTD"
|
||||
]
|
||||
},
|
||||
"armor": {
|
||||
"company": "Armor Defense",
|
||||
"name": "Armor Protection",
|
||||
"regex": "This request has been blocked by website protection from Armor",
|
||||
"signatures": [
|
||||
"03ec:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c36A4chS1XaTC",
|
||||
"1160:RVZXum60OEhCWapBYKYPk4JyWOtohM4IiUcMr2RWg1qQJbX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
],
|
||||
"note": "Uses SecureSphere (Imperva) (Reference: https://www.imperva.com/resources/case_studies/CS_Armor.pdf)"
|
||||
},
|
||||
"asm": {
|
||||
"company": "F5 Networks",
|
||||
"name": "Application Security Manager",
|
||||
"regex": "The requested URL was rejected\\. Please consult with your administrator|security\\.f5aas\\.com",
|
||||
"signatures": [
|
||||
"2f81:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI3FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"4fd0:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq6c3qA4chS1XaTC",
|
||||
"5904:RVZXum60OEhCWapBYKcPk4JzWOpohc4IiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq+c3qA4chS1XaTC",
|
||||
"8bcf:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq6c36A5chS1XaTC",
|
||||
"540f:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq+c36A5chS1XaTC",
|
||||
"c7ba:RVZXum60OEhCWKpAYKYPkoJzWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtLaK99n+i7c4VmkwI3FZjxtDtAeq6c3qA4chS1XaTC",
|
||||
"fb21:RVZXum60OEhCWapBYKcPk4JzWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI3FZjxtDtAeq+c36A5chW1XaTC",
|
||||
"b6ff:RVZXum61OEhCWapBYKcPkoJzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"3b1e:RVZXum60OEhCWapBYKcPk4JyWOpohM4IiUcMr2RWg1qQJLX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99nui7c4RmkgI2FZjxtDtAeq6c3qA5chS1XKTC",
|
||||
"620c:RVZXum60OEhCWapBYKcPkoJzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC",
|
||||
"b9a0:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"ccb6:RVdXum61OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq+c36A5chW1XaTC",
|
||||
"9138:RVZXum60OEhCWapBYKcPk4JzWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq6c3qA4chS1XaTC",
|
||||
"54cc:RVZXum61OEhCWapBYKcPkoJzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq6c3qA4chS1XaTC",
|
||||
"4c83:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTC",
|
||||
"8453:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq+c36A4chS1XaTC"
|
||||
]
|
||||
},
|
||||
"astra": {
|
||||
"company": "Czar Securities",
|
||||
"name": "Astra",
|
||||
"regex": "(?s)unfortunately our website protection system.+?//www\\.getastra\\.com",
|
||||
"signatures": []
|
||||
},
|
||||
"aws": {
|
||||
"company": "Amazon",
|
||||
"name": "AWS WAF",
|
||||
"regex": "(?i)HTTP/1.+\\b403\\b.+\\s+Server: aws|(?s)Request blocked.+?Generated by cloudfront",
|
||||
"signatures": [
|
||||
"2998:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"fffa:RVZXum60OEhCWapAYKYPk4JyWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"9de0:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhZOnthtOj+hXrAA16BcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"34a8:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhdOn9htOj+hXrAB16BcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"1104:RVZXum61OEhCWapBYKcPk4JzWOpohM4IiUcMr2RXg1uQJbX3uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"ea40:RVZXu261OEhCWapBYKcPk4JzWOtohM4IiUcMr2RWg1uQJbX3uhdOn9htOj+hXrAB16BcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"barracuda": {
|
||||
"company": "Barracuda Networks",
|
||||
"name": "Barracuda",
|
||||
"regex": "\\bbarracuda_|barra_counter_session=|when this page occurred and the event ID found at the bottom of the page",
|
||||
"signatures": [
|
||||
"2676:RVdXum61OElCWapAYKYPk4JzWOtohM4JiUcMr2RWg1qQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4VmkwI3FZjxtDtAeq6c36A4chS1XaTC",
|
||||
"db27:RVdXum61OElCWapAYKYPk4JzWOtohM4JiUcMr2RWg1qQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC"
|
||||
]
|
||||
},
|
||||
"bekchy": {
|
||||
"company": "Faydata Information Technologies Inc.",
|
||||
"name": "Bekchy",
|
||||
"regex": "<title>Bekchy - Access Denided</title>|<a class=\"btn\" href=\"https://bekchy.com/report\">",
|
||||
"signatures": [
|
||||
"e1c5:RVZXum60OEhCWKpAYKYPk4JzWOtohc4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"bitninja": {
|
||||
"company": "BitNinja",
|
||||
"name": "BitNinja",
|
||||
"regex": "alt=\"BitNinja|Security check by BitNinja|your IP will be removed from BitNinja|<title>Visitor anti-robot validation</title>",
|
||||
"signatures": []
|
||||
},
|
||||
"bluedon": {
|
||||
"company": "Bluedon",
|
||||
"name": "Bluedon",
|
||||
"regex": "Bluedon Web Application Firewall|Server: BDWAF",
|
||||
"signatures": []
|
||||
},
|
||||
"bulletproof": {
|
||||
"company": "AITpro Website Security",
|
||||
"name": "BulletProof Security Pro",
|
||||
"regex": "(?s)bpsMessage.+?403 Forbidden Error Page.+?If you arrived here due to a search or clicking on a link",
|
||||
"signatures": []
|
||||
},
|
||||
"cdnns": {
|
||||
"company": "CdnNs/WdidcNet",
|
||||
"name": "CdnNsWAF",
|
||||
"regex": "by CdnNsWAF Application Gateway",
|
||||
"signatures": [
|
||||
"5c5d:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXo2tLaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"cerber": {
|
||||
"company": "Cerber Tech",
|
||||
"name": "WP Cerber Security",
|
||||
"regex": "We're sorry, you are not allowed to proceed|Your request looks suspicious or similar to automated requests from spam posting software",
|
||||
"signatures": [
|
||||
"d8c2:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"checkpoint": {
|
||||
"company": "Check Point",
|
||||
"name": "Next Generation Firewall",
|
||||
"regex": "",
|
||||
"signatures": [
|
||||
"b771:RVZXum61OEhCWapAYKYPkoJzWOpohc4JiUYMr2RWg1uQJbX2uhdOnthsOj+hX7AB16BcPhJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"3b40:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMrmRWg1qQJLX2uhdOnthsOj+hX7AB16BcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XKTC",
|
||||
"a332:RVZXum61OEhCWapAYKYPkoJzWOpohc4JiUYMr2RWg1uQJbX2uhdOnthsOj+hX7AB16BcPhJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"a89b:RVZXum61OEhCWapAYKYPkoJzWOpohc4JiUYMr2RWg1uQJbX2uhdOnthsOj+hX7AB16BcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"chuangyu": {
|
||||
"company": "Yunaq",
|
||||
"name": "Chuang Yu Shield",
|
||||
"regex": " \\d+\\.\\d+\\.\\d+\\.\\d+/[0-9a-f]{7} \\[\\d+\\] ",
|
||||
"signatures": [
|
||||
"eda6:RVZXum61OElCWapAYKcPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTC",
|
||||
"5bae:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"cloudbric": {
|
||||
"company": "Cloudbric",
|
||||
"name": "Cloudbric",
|
||||
"regex": "Your request was blocked by Cloudbric",
|
||||
"signatures": [
|
||||
"514d:RVZXum60OEhCWapBYKcPk4JzWOtohM4JiUcMrmRXg1qQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"cloudflare": {
|
||||
"company": "CloudFlare",
|
||||
"name": "CloudFlare",
|
||||
"regex": "Attention Required! \\| Cloudflare|CLOUDFLARE_ERROR_",
|
||||
"signatures": [
|
||||
"956d:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"6b42:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"2295:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"0d86:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"4849:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"535c:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUYMr2RWg1uQJbX2uhdOnthtOj+hXrAB16FcPxJOdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"675a:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"4a45:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC",
|
||||
"1f29:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhZOnthtOj+hXrAA16FcPhJOdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"6002:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"78df:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTD",
|
||||
"cf65:RVZXum60OEhCWapBYKcPkoJzWOtohM4IiUcMrmRWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4VmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"85c6:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC",
|
||||
"9a2d:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"0576:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRXg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"f3bb:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUYMr2RXg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"471d:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhZOnthtOj+hXrAA16FcPhJOdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"8936:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC",
|
||||
"0ade:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"22d1:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hXrAA16FcPxJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"e9bd:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthsOj+hXrAB16FcPxJPdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"comodo": {
|
||||
"company": "Comodo",
|
||||
"name": "Comodo",
|
||||
"regex": "Server: Protected by COMODO WAF",
|
||||
"signatures": [
|
||||
"ade8:RVZXum60OEhCWapAYKYPkoJzWOpohc4IiUYMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD",
|
||||
"f063:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD",
|
||||
"985c:RVZXum60OEhCWapAYKYPkoJzWOpohc4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c3qA5chW1XaTD",
|
||||
"f063:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD",
|
||||
"1971:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD"
|
||||
]
|
||||
},
|
||||
"crawlprotect": {
|
||||
"company": "Jean-Denis Brun",
|
||||
"name": "CrawlProtect",
|
||||
"regex": "<title>CrawlProtect|This site is protected by CrawlProtectc|Set-Cookie: crawlprotecttag",
|
||||
"signatures": [
|
||||
"1eca:RVZXum60OEhCWKpBYKYPkoJzWOpohM4IiUYMrmRXg1uQJLX2uhZOnthtOj+hXrAA16FcPhJPdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XKTC"
|
||||
]
|
||||
},
|
||||
"distil": {
|
||||
"company": "Distil Networks",
|
||||
"name": "Distil",
|
||||
"regex": "distilCaptchaForm|distilCallbackGuard|cdn\\.distilnetworks\\.com/images/anomaly-detected\\.png",
|
||||
"signatures": []
|
||||
},
|
||||
"dotdefender": {
|
||||
"company": "Applicure Technologies",
|
||||
"name": "dotDefender",
|
||||
"regex": "dotDefender Blocked Your Request|Applicure is the leading provider of web application security|Please contact the site administrator, and provide the following Reference ID",
|
||||
"signatures": [
|
||||
"7cce:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"dddb:RVdXum61OElCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"0718:RVZXum61OElCWapAYKYPk4JzWOtohM4IiUYMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"9bf2:RVdXum61OElCWapAYKYPk4JzWOtohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"expressionengine": {
|
||||
"company": "EllisLab",
|
||||
"name": "ExpressionEngine",
|
||||
"regex": "(?s)\\bexp_last_.+?(Invalid GET Data|Invalid URI)",
|
||||
"signatures": [
|
||||
"88ec:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUcMrmRWg1qQJbX3uhZOnthsOj6hX7AA16FcPxJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"fortiweb": {
|
||||
"company": "Fortinet",
|
||||
"name": "FortiWeb",
|
||||
"regex": "Server Unavailable!",
|
||||
"signatures": [
|
||||
"9d05:RVZXu261OElCWapBYKcPk4JzWOtohM4IiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD"
|
||||
]
|
||||
},
|
||||
"godaddy": {
|
||||
"company": "GoDaddy",
|
||||
"name": "GoDaddy Website Security",
|
||||
"regex": "GoDaddy Security - Access Denied|Access Denied - GoDaddy Website Firewall",
|
||||
"signatures": [
|
||||
"6cff:RVdXum60OEhCWapAYKYPk4JzWOtohM4IiUYMr2RWg1uQJbX3uhdOn9htOj+hXrAA16FcPxJOdLoXomtKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"greywizard": {
|
||||
"company": "Grey Wizard",
|
||||
"name": "Greywizard",
|
||||
"regex": "(?i)server: greywizard|detected attempted attack or non standard traffic from your IP address|<title>Grey Wizard</title>",
|
||||
"signatures": [
|
||||
"c669:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOnthsOj+hX7AB16FcPhJPdLsXomtKaK59nui7c4RmkwI2FZjxtDtAeq+c3qA5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"imunify360": {
|
||||
"company": "CloudLinux",
|
||||
"name": "Imunify360",
|
||||
"regex": "Server: imunify360-webshield|protected by Imunify360|Powered by Imunify360|imunify360 preloader",
|
||||
"signatures": []
|
||||
},
|
||||
"incapsula": {
|
||||
"company": "Incapsula/Imperva",
|
||||
"name": "Incapsula",
|
||||
"regex": "Incapsula incident ID",
|
||||
"signatures": [
|
||||
"2770:RVZXum60OEhCWKpAYKYPkoJzWOpohc4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC",
|
||||
"3193:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZnxtDtAeq6c3qA4chS1XKTC",
|
||||
"cdd1:RVZXum60OEhCWapAYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtLaK99n+i7c4RmkgI2FZnxtTtBeq+c36A5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"isaserver": {
|
||||
"company": "Microsoft",
|
||||
"name": "ISA Server",
|
||||
"regex": "The (ISA Server|server) denied the specified Uniform Resource Locator \\(URL\\)",
|
||||
"signatures": []
|
||||
},
|
||||
"janusec": {
|
||||
"company": "Janusec",
|
||||
"name": "Janusec Application Gateway",
|
||||
"regex": "Reason:.+by Janusec Application Gateway",
|
||||
"signatures": [
|
||||
"5c5d:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXo2tLaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"jiasule": {
|
||||
"company": "Jiasule",
|
||||
"name": "Jiasule",
|
||||
"regex": "Server: jiasule-WAF|notice-jiasule|static\\.jiasule\\.com/static/js/http_error\\.js",
|
||||
"signatures": [
|
||||
"7520:RVZXum61OElCWapAYKYPk4JzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtBeq+c36A5chW1XaTD",
|
||||
"001e:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI3FZjxtTtAeq+c36A5chW1XaTC",
|
||||
"665d:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chS1XaTC",
|
||||
"4fed:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"knownsec": {
|
||||
"company": "Knownsec",
|
||||
"name": "KS-WAF",
|
||||
"regex": "url\\('/ks-waf-error\\.png'\\)",
|
||||
"signatures": []
|
||||
},
|
||||
"kona": {
|
||||
"company": "Akamai Technologies",
|
||||
"name": "Kona Site Defender",
|
||||
"regex": "(?s)Server: AkamaiGHost.+?You don't have permission to access|\\b18\\.[0-9a-f]{8}.1[0-9]{9}\\.[0-9a-f]{7}\\b",
|
||||
"signatures": [
|
||||
"b996:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"1893:RVZXum60OEhCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkwI2FZjxtDtAeq+c3qA4chS1XKTC",
|
||||
"165b:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"12b3:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"3426:RVZXum60OEhCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"e197:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"eb57:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c36A4chS1XaTC",
|
||||
"94ed:RVZXum60OEhCWapAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"5ca8:RVZXum60OEhCWKpAYKYPkoJzWOtohM4IiUYMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"cc5b:RVZXum60OEhCWKpAYKYPkoJzWOtohM4IiUYMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"e7d9:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"bd78:RVZXum60OEhCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"6cbc:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD",
|
||||
"a40d:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"1f03:RVZXum60OEhCWapBYKYPk4JzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD",
|
||||
"e120:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"7ae5:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"6bf2:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"1db3:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"fcbb:RVZXum60OEhCWapAYKYPkoJzWOtohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"d1b6:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"8b30:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD",
|
||||
"8db8:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"8900:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"677e:RVZXum60OEhCWapAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"a13a:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"579e:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"82b4:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD",
|
||||
"22e4:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"bd0e:RVZXum60OEhCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"8976:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"e34c:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1qQJLX2uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"malcare": {
|
||||
"company": "Inactiv",
|
||||
"name": "MalCare",
|
||||
"regex": "Blocked because of Malicious Activities|Firewall(<[^>]+>)*powered by(<[^>]+>)*MalCare",
|
||||
"signatures": [
|
||||
"def2:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"modsecurity": {
|
||||
"company": "Trustwave",
|
||||
"name": "ModSecurity",
|
||||
"regex": "(?i)Server:.+mod_security|This error was generated by Mod_Security|/modsecurity\\-errorpage/|One or more things in your request were suspicious|rules of the mod_security module|mod_security rules triggered|Protected by Mod Security|HTTP Error 40\\d\\.0 - ModSecurity Action|40\\d ModSecurity Action|ModSecurity IIS \\(\\d+bits\\)</td>",
|
||||
"signatures": [
|
||||
"46d5:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"1ece:RVZXum61OEhCWapBYKcPk4JzWOpohc4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"69c6:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthsOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"28eb:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthtOj+hXrAB16FcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC",
|
||||
"3918:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK99n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"511d:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"f694:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"51ca:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJOdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"e18b:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hX7AB16FcPhJOdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"6e99:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"dd72:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"f53e:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"e15c:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"ded8:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hXrAB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"6e99:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"7986:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJOdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"02b2:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"4602:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"b1a2:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"5e9a:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hXrAB16FcPhJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"35c4:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chS1XKTC",
|
||||
"c697:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhZOnthtOj+hX7AB16FcPhJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"85e3:RVZXum60OElCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"7d7f:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD",
|
||||
"064b:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hXrAB16FcPhJOdLsXomtKaK99n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"5659:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUYMr2RXg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"94b1:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"7951:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD",
|
||||
"b83a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUYMrmRWg1qQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTD",
|
||||
"4191:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUYMr2RXg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD"
|
||||
]
|
||||
},
|
||||
"naxsi": {
|
||||
"company": "NBS System",
|
||||
"name": "NAXSI",
|
||||
"regex": "(?i)Blocked By NAXSI|Naxsi Blocked Information|naxsi/waf",
|
||||
"signatures": [
|
||||
"19ee:RVdXum61OElCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZnxtDtBeq+c36A4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"netscaler": {
|
||||
"company": "Citrix",
|
||||
"name": "NetScaler AppFirewall",
|
||||
"regex": "<title>Application Firewall Block Page</title>|Violation Category: APPFW_|AppFW Session ID|Access has been blocked - if you feel this is in error, please contact the site administrators quoting the following",
|
||||
"signatures": [
|
||||
"9c6c:RVdXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMrmRWg1qQJbX3uhdOn9hsOj6hXrAA16BcPhJOdLsXo2tKaK99n+i6c4RmkgI2FZnxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"newdefend": {
|
||||
"company": "Newdefend",
|
||||
"name": "Newdefend",
|
||||
"regex": "Server: NewDefend|/nd_block/",
|
||||
"signatures": [
|
||||
"1ba1:RVZXu261OElCWapBYKYPk4JzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthsOj+hX7AB16FcPxJPdLoXo2tKaK99n+i7c4RmkwI3FZjxtDtAeq+c36A4chW1XaTD"
|
||||
]
|
||||
},
|
||||
"nexusguard": {
|
||||
"company": "Nexusguard Limited",
|
||||
"name": "Nexusguard",
|
||||
"regex": "speresources\\.nexusguard\\.com/wafpage/[^>]*#\\d{3};|<p>Powered by Nexusguard</p>",
|
||||
"signatures": [
|
||||
"869d:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"ninjafirewall": {
|
||||
"company": "NinTechNet",
|
||||
"name": "NinjaFirewall",
|
||||
"regex": "<title>NinjaFirewall: 403 Forbidden|For security reasons?, it was blocked and logged",
|
||||
"signatures": [
|
||||
"2c12:RVZXum60OEhCWapBYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9hsOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtBeq+c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"onmessageshield": {
|
||||
"company": "Blackbaud",
|
||||
"name": "onMessage Shield",
|
||||
"regex": "This site is protected by an enhanced security system to ensure a safe browsing experience|onMessage SHIELD",
|
||||
"signatures": [
|
||||
"125a:RVdXum61OElCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZnxtDtBeq+c36A5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"paloalto": {
|
||||
"company": "Palo Alto Networks",
|
||||
"name": "Palo Alto",
|
||||
"regex": "has been blocked in accordance with company policy|Palo Alto Next Generation Security Platform",
|
||||
"signatures": [
|
||||
"862a:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj+hXrAA16BcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC",
|
||||
"5fe6:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMrmRWg1uQJLX2uhZOnthsOj+hXrAA16BcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC",
|
||||
"cffd:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj+hXrAA16BcPhJPdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC",
|
||||
"1427:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthtOj+hXrAA16FcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"fa37:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"9135:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj+hXrAA16BcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC",
|
||||
"953a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj+hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC"
|
||||
]
|
||||
},
|
||||
"perimeterx": {
|
||||
"company": "PerimeterX",
|
||||
"name": "PerimeterX",
|
||||
"regex": "https://www.perimeterx.com/whywasiblocked",
|
||||
"signatures": []
|
||||
},
|
||||
"profense": {
|
||||
"company": "ArmorLogic",
|
||||
"name": "Profense",
|
||||
"regex": "Server: Profense",
|
||||
"signatures": [
|
||||
"eaee:RVZXum60OEhCWapAYKYPkoJyWOtohM4JiUcMr2RWg1uQJbX3uhdOnthsOj+hXrAB16FcPxJOdLsXo2tLaK99n+i6c4VmkwI3FZjxtDtAeq6c3qA4chS1XaTC"
|
||||
]
|
||||
},
|
||||
"radware": {
|
||||
"company": "Radware",
|
||||
"name": "AppWall",
|
||||
"regex": "Unauthorized Request Blocked|You are seeing this page because we have detected unauthorized activity|mailto:CloudWebSec@radware\\.com",
|
||||
"signatures": [
|
||||
"e68e:RVdXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZnxtDtAeq+c36A5chW1XaTD",
|
||||
"48fa:RVdXu260OEhCWapBYKcPkoJzWOpohM4JiUYMrmRXg1uQJbX3uhdOn9hsOj+hX7AA16BcPxJOdLsXomtKaK59n+i6c4RmkgI2FZnxtDtAeq6c3qA5chW1XaTD",
|
||||
"8fc4:RVdXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI3FZnxtDtAeq+c36A5chW1XaTD"
|
||||
]
|
||||
},
|
||||
"reblaze": {
|
||||
"company": "Reblaze",
|
||||
"name": "Reblaze",
|
||||
"regex": "For further information, do not hesitate to contact us",
|
||||
"signatures": [
|
||||
"86fb:RVZXum61OElCWKpAYKcPkoJzWOtohM4JiUcMr2RXg1uQJbX3uhdOnthsOj6hXrAB16BcPhJPdLoXo2tLaK99n+i7c4RmkgI2FZjxtDtBeq+c36A5chW1XaTD"
|
||||
]
|
||||
},
|
||||
"requestvalidationmode": {
|
||||
"company": "Microsoft",
|
||||
"name": "ASP.NET RequestValidationMode",
|
||||
"regex": "HttpRequestValidationException|Request Validation has detected a potentially dangerous client input value|ASP\\.NET has detected data in the request that is potentially dangerous",
|
||||
"signatures": [
|
||||
"7ecd:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC",
|
||||
"919b:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTD",
|
||||
"14fa:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XaTC",
|
||||
"a10d:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"7564:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPhJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"rsfirewall": {
|
||||
"company": "RSJoomla!",
|
||||
"name": "RSFirewall",
|
||||
"regex": "COM_RSFIREWALL_",
|
||||
"signatures": [
|
||||
"d829:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC"
|
||||
]
|
||||
},
|
||||
"safe3": {
|
||||
"company": "Safe3",
|
||||
"name": "Safe3",
|
||||
"regex": "Server: Safe3 Web Firewall|Safe3waf/",
|
||||
"signatures": [
|
||||
"1b84:RVZXum60OEhCWKpAYKYPk4JyWOpohM4IiUYMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"safedog": {
|
||||
"company": "Safedog",
|
||||
"name": "Safedog",
|
||||
"regex": "Server: Safedog|safedogsite/broswer_logo\\.jpg|404\\.safedog\\.cn/sitedog_stat\\.html|404\\.safedog\\.cn/images/safedogsite/head\\.png",
|
||||
"signatures": [
|
||||
"0ee1:RVdXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD",
|
||||
"28a0:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RXg1uQJbX3uhdOnthsOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC",
|
||||
"90fa:RVZXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD"
|
||||
]
|
||||
},
|
||||
"safeline": {
|
||||
"company": "Chaitin Tech",
|
||||
"name": "SafeLine Next Gen WAF",
|
||||
"regex": "<!\\-\\- event_id: [0-9a-f]{32} \\-\\->",
|
||||
"signatures": []
|
||||
},
|
||||
"secureentry": {
|
||||
"company": "United Security Providers",
|
||||
"name": "Secure Entry Server",
|
||||
"regex": "Server: Secure Entry Server",
|
||||
"signatures": [
|
||||
"6249:RVZXum60OEhCWKpAYKYPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"secureiis": {
|
||||
"company": "BeyondTrust",
|
||||
"name": "SecureIIS Web Server Security",
|
||||
"regex": "//www\\.eeye\\.com/SecureIIS/|\\?subject=[^>]*SecureIIS Error|SecureIIS[^<]+Web Server Protection",
|
||||
"signatures": [
|
||||
"b43e:RVZXum60OEhCWKpAYKYPkoJzWOtohM4IiUcMrmRWg1qQJbX3uhdOnthsOj+hX7AB16BcPhJOdLoXo2tKaK99n+i6c4VmkwI3FZnxtDtBeq6c36A4chS1XaTC",
|
||||
"71c7:RVZXum61OElCWKpAYKYPk4JyWOpohc4IiUYMr2RWg1uQJbX2uhdOnthtOj+hXrAB16FcPhJOdLoXo2tLaK99nui7c4RmkwI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"f2ed:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4VmkwI3FZjxtDtAeq6c36A4chS1XaTC"
|
||||
]
|
||||
},
|
||||
"secupress": {
|
||||
"company": "SecuPress",
|
||||
"name": "SecuPress",
|
||||
"regex": "<h1>SecuPress</h1><h2>\\d{3}",
|
||||
"signatures": [
|
||||
"bcb4:RVZXum60OEhCWKpAYKYPkoJyWOpohc4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"shieldsecurity": {
|
||||
"company": "One Dollar Plugin",
|
||||
"name": "Shield Security",
|
||||
"regex": "Something in the URL, Form or Cookie data wasn't appropriate",
|
||||
"signatures": [
|
||||
"e41d:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD",
|
||||
"389c:RVZXum61OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD",
|
||||
"a79a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTD"
|
||||
]
|
||||
},
|
||||
"securesphere": {
|
||||
"company": "Imperva",
|
||||
"name": "SecureSphere",
|
||||
"regex": "<H2>Error</H2>.+?#FEEE7A.+?<STRONG>Error</STRONG>|Contact support for additional information.<br/>The incident ID is: (\\d{19}|N/A)",
|
||||
"signatures": [
|
||||
"c055:RVZXum60OEhCWapAYKYPkoJzWOpohM4JiUcMr2RWg1uQJbX2uhZOnthsOj+hX7AB16FcPxJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"f460:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"9113:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"dc2c:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"599d:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"a86e:RVZXum60OEhCWapBYKYPk4JyWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC",
|
||||
"81ca:RVZXum60OEhCWapBYKYPk4JzWOtohM4IiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"siteground": {
|
||||
"company": "SiteGround",
|
||||
"name": "SiteGround",
|
||||
"regex": "The page you are trying to access is restricted due to a security rule|Our system thinks you might be a robot!|/.well-known/captcha/",
|
||||
"signatures": [
|
||||
"da25:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XKTC"
|
||||
]
|
||||
},
|
||||
"siteguard": {
|
||||
"company": "JP-Secure",
|
||||
"name": "SiteGuard",
|
||||
"regex": "Powered by SiteGuard|The server refuse to browse the page",
|
||||
"signatures": [
|
||||
"6e49:RVZXum61OElCWapBYKcPk4JzWOtohM4JiUYMr2RWg1qQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"9839:RVZXum61OElCWapBYKcPk4JzWOtohM4JiUYMr2RWg1qQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c36A4chS1XaTC",
|
||||
"bc2d:RVZXum61OElCWapBYKcPk4JzWOtohM4JiUYMr2RWg1qQJLX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"sitelock": {
|
||||
"company": "SiteLock",
|
||||
"name": "TrueShield",
|
||||
"regex": "SiteLock Incident ID|SiteLock will remember you and will not show this page again|<span class=\\\"value INCIDENT_ID\\\">",
|
||||
"signatures": [],
|
||||
"note": "Uses Incapsula (Reference: https://www.whitefirdesign.com/blog/2016/11/08/more-evidence-that-sitelocks-trueshield-web-application-firewall-is-really-incapsulas-waf/)"
|
||||
},
|
||||
"sonicwall": {
|
||||
"company": "Dell",
|
||||
"name": "SonicWALL",
|
||||
"regex": "Server: SonicWALL|(?s)<title>Web Site Blocked</title>.+?nsa_banner",
|
||||
"signatures": [
|
||||
"f85c:RVZXum61OElCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1qQJLX2uhZOnthsOj+hX7AA16FcPxJPdLoXo2tLaK99nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD"
|
||||
]
|
||||
},
|
||||
"sophos": {
|
||||
"company": "Sophos",
|
||||
"name": "UTM Web Protection",
|
||||
"regex": "Powered by UTM Web Protection",
|
||||
"signatures": []
|
||||
},
|
||||
"squarespace": {
|
||||
"company": "Squarespace",
|
||||
"name": "Squarespace",
|
||||
"regex": "(?s) @ .+?BRICK-50",
|
||||
"signatures": [
|
||||
"b012:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC",
|
||||
"4381:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOn9hsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"stackpath": {
|
||||
"company": "StackPath",
|
||||
"name": "StackPath",
|
||||
"regex": "You performed an action that triggered the service and blocked your request",
|
||||
"signatures": [
|
||||
"5ab0:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUYMr2RWg1uQJbX2uhdOn9hsOj+hXrAA16FcPhJOdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD",
|
||||
"7e0a:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUYMr2RWg1uQJbX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD"
|
||||
]
|
||||
},
|
||||
"sucuri": {
|
||||
"company": "Sucuri",
|
||||
"name": "Sucuri",
|
||||
"regex": "Access Denied - Sucuri Website Firewall|Sucuri WebSite Firewall - CloudProxy - Access Denied|Questions\\?.+cloudproxy@sucuri\\.net",
|
||||
"signatures": [
|
||||
"60a9:RVZXum61OElCWapAYKYPk4JzWOpohM4JiUYMr2RXg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI2FZjxtDtAeq+c36A5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"tencent": {
|
||||
"company": "Tencent Cloud Computing",
|
||||
"name": "Tencent Cloud",
|
||||
"regex": "waf\\.tencent-cloud\\.com",
|
||||
"signatures": [
|
||||
"3f82:RVZXum60OEhCWapBYKcPk4JzWOpohM4IiUYMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD"
|
||||
]
|
||||
},
|
||||
"tmg": {
|
||||
"company": "Microsoft",
|
||||
"name": "Forefront Threat Management Gateway",
|
||||
"regex": "",
|
||||
"signatures": [
|
||||
"4d00:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUYMr2RWg1qQJLX3uhdOnthsOj+hX7AB16BcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XaTC"
|
||||
]
|
||||
},
|
||||
"urlmaster": {
|
||||
"company": "iFinity/DotNetNuke",
|
||||
"name": "Url Master SecurityCheck",
|
||||
"regex": "UrlRewriteModule\\.SecurityCheck|X-UrlMaster-(Debug|Ex):",
|
||||
"signatures": [
|
||||
"ddd8:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC"
|
||||
]
|
||||
},
|
||||
"urlscan": {
|
||||
"company": "Microsoft",
|
||||
"name": "UrlScan",
|
||||
"regex": "Rejected-By-UrlScan",
|
||||
"signatures": [
|
||||
"0294:RVdXum60OEhCWKpAYKYPk4JyWOpohM4IiUYMrmRXg1qQJLX2uhdOn9htOj+hXrAB16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"vfw": {
|
||||
"company": "OWASP",
|
||||
"name": "Varnish Firewall",
|
||||
"regex": "Request rejected by xVarnish-WAF",
|
||||
"signatures": []
|
||||
},
|
||||
"virusdie": {
|
||||
"company": "Virusdie LLC",
|
||||
"name": "Virusdie",
|
||||
"regex": "Virusdie</title>|http://cdn\\.virusdie\\.ru/splash/firewallstop\\.png|<meta name=\\\"FW_BLOCK\\\"",
|
||||
"signatures": []
|
||||
},
|
||||
"vsf": {
|
||||
"company": "Varnish Cache Project",
|
||||
"name": "Varnish Security Firewall",
|
||||
"regex": "<title>403 Naughty, not nice!</title>",
|
||||
"signatures": [
|
||||
"26fa:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUcMr2RXg1qQJLX3uhZOnthsOj+hXrAA16FcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD"
|
||||
]
|
||||
},
|
||||
"wallarm": {
|
||||
"company": "Wallarm",
|
||||
"name": "Wallarm",
|
||||
"regex": "Server: nginx-wallarm",
|
||||
"signatures": [
|
||||
"c02b:RVZXu261OElCWapBYKcPk4JzWOpohM4JiUcMr2RWg1uQJbX3uhdOnthsOj+hXrAB16FcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"watchguard": {
|
||||
"company": "WatchGuard Technologies",
|
||||
"name": "WatchGuard",
|
||||
"regex": "Server: WatchGuard|Request denied by WatchGuard Firewall",
|
||||
"signatures": [
|
||||
"4f4f:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj+hXrAA16FcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"2a3c:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX2uhZOnthsOj+hX7AA16FcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"aa64:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX2uhZOnthsOj+hX7AA16FcPhJOdLoXomtKaK59nui7c4RmkgI3FZjxtDtAeq+c3qA4chW1XaTC"
|
||||
]
|
||||
},
|
||||
"webarx": {
|
||||
"company": "WebARX",
|
||||
"name": "WebARX",
|
||||
"regex": "/wp-content/plugins/webarx/includes/|This request has been blocked by.+?>WebARX<",
|
||||
"signatures": []
|
||||
},
|
||||
"webknight": {
|
||||
"company": "AQTRONIX",
|
||||
"name": "WebKnight",
|
||||
"regex": "WebKnight Application Firewall Alert|AQTRONIX WebKnight|HTTP Error 999\\.0 - AW Special Error",
|
||||
"signatures": [
|
||||
"80f9:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhdOnthtOj+hXrAB16FcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"73e5:RVZXum60OEhCWKpAYKYPk4JyWOtohM4JiUcMrmRXg1uQJbX3uhZOnthsOj6hX7AA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC",
|
||||
"d0f0:RVdXum60OEhCWKpAYKYPk4JyWOtohM4JiUcMrmRXg1uQJbX3uhdOn9htOj+hX7AA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC",
|
||||
"f0c3:RVZXum61OElCWKpAYKYPk4JyWOtohM4JiUcMr2RXg1uQJbX3uhZOnthsOj6hX7AA16BcPhJOdLoXo2tKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"6763:RVZXum61OElCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"7701:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"902b:RVdXum60OEhCWKpAYKYPk4JyWOpohM4IiUYMrmRXg1qQJbX2uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC",
|
||||
"4d4d:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC",
|
||||
"17a8:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUcMrmRXg1qQJbX3uhdOnthtOj+hXrAB16FcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"webseal": {
|
||||
"company": "IBM",
|
||||
"name": "WebSEAL",
|
||||
"regex": "(?i)Server: WebSEAL|This is a WebSEAL error message template file|The Access Manager WebSEAL server received an invalid HTTP request",
|
||||
"signatures": [
|
||||
"0338:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthtOj+hXrAA16FcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC"
|
||||
]
|
||||
},
|
||||
"webtotem": {
|
||||
"company": "WebTotem",
|
||||
"name": "WebTotem",
|
||||
"regex": "The current request was blocked by.+?>WebTotem<",
|
||||
"signatures": []
|
||||
},
|
||||
"wordfence": {
|
||||
"company": "Feedjit",
|
||||
"name": "Wordfence",
|
||||
"regex": "Generated by Wordfence|This response was generated by Wordfence|broke one of the Wordfence (advanced )?blocking rules|: wfWAF|/plugins/wordfence",
|
||||
"signatures": [
|
||||
"d04a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"26b1:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAA16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"09cf:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtBeq6c3qA4chW1XaTC",
|
||||
"1834:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTC",
|
||||
"d38c:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkwI3FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"d5bb:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1uQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"3f1c:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD",
|
||||
"dbfe:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA5chW1XaTC",
|
||||
"5b85:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTD",
|
||||
"f806:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"0f0d:RVZXum61OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkwI3FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"b13e:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"40eb:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16BcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC",
|
||||
"93cd:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC",
|
||||
"ba7d:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC"
|
||||
]
|
||||
},
|
||||
"wts": {
|
||||
"company": "WTS",
|
||||
"name": "WTS",
|
||||
"regex": "Server: wts/|>WTS\\-WAF",
|
||||
"signatures": [
|
||||
"e94f:RVZXum61OElCWapAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XKTC",
|
||||
"12ce:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RWg1uQJLX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XKTC"
|
||||
]
|
||||
},
|
||||
"yundun": {
|
||||
"company": "Yundun",
|
||||
"name": "Yundun",
|
||||
"regex": "Blocked by YUNDUN Cloud WAF|yundun\\.com/yd_http_error/",
|
||||
"signatures": [
|
||||
"4853:RVZXum61OEhCWapBYKcPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC"
|
||||
]
|
||||
},
|
||||
"yunsuo": {
|
||||
"company": "Yunsuo",
|
||||
"name": "Yunsuo",
|
||||
"regex": "yunsuo_session|<img class=\\\"yunsuologo\\\"",
|
||||
"signatures": [
|
||||
"441b:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJbX3uhdOnthsOj+hX7AA16FcPxJOdLoXomtKaK59nui7c4VmkgI2FZjxtDtAeq+c3qA4chW1XKTC",
|
||||
"e795:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthsOj+hX7AB16FcPhJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC",
|
||||
"7b8e:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthsOj+hX7AA16FcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XKTC"
|
||||
]
|
||||
},
|
||||
"zenedge": {
|
||||
"company": "Zenedge",
|
||||
"name": "Zenedge",
|
||||
"regex": "(?s)Server: ZENEDGE.+?<div class=\\\"number\\\">403</div>",
|
||||
"signatures": [
|
||||
"a8fb:RVdXu260OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI2FZnxtDtBeq+c36A4chW1XaTD",
|
||||
"ba3d:RVdXu260OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI2FZjxtDtAeq+c36A4chW1XaTD"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
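--- a/thirdparty/identywaf/identYwaf.py
+++ b/thirdparty/identywaf/identYwaf.py
@@ -0,0 +1,585 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2019 Miroslav Stampar (@stamparm), MIT
+See the file 'LICENSE' for copying permission
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+"""
+
+from __future__ import print_function
+
+import base64
+import codecs
+import difflib
+import json
+import locale
+import optparse
+import os
+import random
+import re
+import ssl
+import socket
+import string
+import struct
+import subprocess
+import sys
+import time
+import zlib
+
+if sys.version_info >= (3, 0):
+import http.cookiejar
+import http.client as httplib
+import urllib.request
+
+IS_WIN = subprocess._mswindows
+
+build_opener = urllib.request.build_opener
+install_opener = urllib.request.install_opener
+quote = urllib.parse.quote
+urlopen = urllib.request.urlopen
+CookieJar = http.cookiejar.CookieJar
+ProxyHandler = urllib.request.ProxyHandler
+Request = urllib.request.Request
+HTTPCookieProcessor = urllib.request.HTTPCookieProcessor
+
+xrange = range
+else:
+import cookielib
+import httplib
+import urllib
+import urllib2
+
+IS_WIN = subprocess.mswindows
+
+build_opener = urllib2.build_opener
+install_opener = urllib2.install_opener
+quote = urllib.quote
+urlopen = urllib2.urlopen
+CookieJar = cookielib.CookieJar
+ProxyHandler = urllib2.ProxyHandler
+Request = urllib2.Request
+HTTPCookieProcessor = urllib2.HTTPCookieProcessor
+
+# Reference: http://blog.mathieu-leplatre.info/python-utf-8-print-fails-when-redirecting-stdout.html
+sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.stdout)
+
+NAME = "identYwaf"
+VERSION = "1.0.108"
+BANNER = """
+` __ __ `
+____ ___ ___ ____ ______ `| T T` __ __ ____ _____
+l j| \ / _]| \ | T`| | |`| T__T T / T| __|
+| T | \ / [_ | _ Yl_j l_j`| ~ |`| | | |Y o || l_
+| | | D YY _]| | | | | `|___ |`| | | || || _|
+j l | || [_ | | | | | `| !` \ / | | || ]
+|____jl_____jl_____jl__j__j l__j `l____/ ` \_/\_/ l__j__jl__j (%s)%s""".strip("\n") % (VERSION, "\n")
+
+RAW, TEXT, HTTPCODE, SERVER, TITLE, HTML, URL = xrange(7)
+COOKIE, UA, REFERER = "Cookie", "User-Agent", "Referer"
+GET, POST = "GET", "POST"
+GENERIC_PROTECTION_KEYWORDS = ("rejected", "forbidden", "suspicious", "malicious", "captcha", "invalid", "your ip", "please contact", "terminated", "protected", "unauthorized", "blocked", "protection", "incident", "denied", "detected", "dangerous", "firewall", "fw_block", "unusual activity", "bad request", "request id", "injection", "permission", "not acceptable", "security policy", "security reasons")
+GENERIC_PROTECTION_REGEX = r"(?i)\b(%s)\b"
+GENERIC_ERROR_MESSAGE_REGEX = r"\b[A-Z][\w, '-]*(protected by|security|unauthorized|detected|attack|error|rejected|allowed|suspicious|automated|blocked|invalid|denied|permission)[\w, '!-]*"
+WAF_RECOGNITION_REGEX = None
+HEURISTIC_PAYLOAD = "1 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert(\"XSS\")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#" # Reference: https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/settings.py
+PAYLOADS = []
+SIGNATURES = {}
+DATA_JSON = {}
+DATA_JSON_FILE = os.path.join(os.path.dirname(__file__), "data.json")
+MAX_HELP_OPTION_LENGTH = 18
+IS_TTY = sys.stdout.isatty()
+COLORIZE = not IS_WIN and IS_TTY
+LEVEL_COLORS = {"o": "\033[00;94m", "x": "\033[00;91m", "!": "\033[00;93m", "i": "\033[00;95m", "=": "\033[00;93m", "+": "\033[00;92m", "-": "\033[00;91m"}
+VERIFY_OK_INTERVAL = 5
+VERIFY_RETRY_TIMES = 3
+MIN_MATCH_PARTIAL = 5
+DEFAULTS = {"timeout": 10}
+MAX_MATCHES = 5
+QUICK_RATIO_THRESHOLD = 0.2
+MAX_JS_CHALLENGE_SNAPLEN = 120
+ENCODING_TRANSLATIONS = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "iso-8859-0": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"} # Reference: https://github.com/sqlmapproject/sqlmap/blob/master/lib/request/basic.py
+PROXY_TESTING_PAGE = "https://myexternalip.com/raw"
+
+if COLORIZE:
+for _ in re.findall(r"`.+?`", BANNER):
+BANNER = BANNER.replace(_, "\033[01;92m%s\033[00;49m" % _.strip('`'))
+for _ in re.findall(r" [Do] ", BANNER):
+BANNER = BANNER.replace(_, "\033[01;93m%s\033[00;49m" % _.strip('`'))
+BANNER = re.sub(VERSION, r"\033[01;91m%s\033[00;49m" % VERSION, BANNER)
+else:
+BANNER = BANNER.replace('`', "")
+
+_ = random.randint(20, 64)
+DEFAULT_USER_AGENT = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; %s; rv:%d.0) Gecko/20100101 Firefox/%d.0" % (NAME, _, _)
+HEADERS = {"User-Agent": DEFAULT_USER_AGENT, "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "identity", "Cache-Control": "max-age=0"}
+
+original = None
+options = None
+intrusive = None
+heuristic = None
+chained = False
+locked_code = None
+locked_regex = None
+non_blind = set()
+seen = set()
+blocked = []
+servers = set()
+codes = set()
+proxies = list()
+proxies_index = 0
+
+_exit = exit
+
+def exit(message=None):
+if message:
+print("%s%s" % (message, ' ' * 20))
+_exit(1)
+
+def retrieve(url, data=None):
+global proxies_index
+
+retval = {}
+
+if proxies:
+while True:
+try:
+opener = build_opener(ProxyHandler({"http": proxies[proxies_index], "https": proxies[proxies_index]}))
+install_opener(opener)
+proxies_index = (proxies_index + 1) % len(proxies)
+urlopen(PROXY_TESTING_PAGE).read()
+except KeyboardInterrupt:
+raise
+except:
+pass
+else:
+break
+
+try:
+req = Request("".join(url[_].replace(' ', "%20") if _ > url.find('?') else url[_] for _ in xrange(len(url))), data, HEADERS)
+resp = urlopen(req, timeout=options.timeout)
+retval[URL] = resp.url
+retval[HTML] = resp.read()
+retval[HTTPCODE] = resp.code
+retval[RAW] = "%s %d %s\n%s\n%s" % (httplib.HTTPConnection._http_vsn_str, retval[HTTPCODE], resp.msg, str(resp.headers), retval[HTML])
+except Exception as ex:
+retval[URL] = getattr(ex, "url", url)
+retval[HTTPCODE] = getattr(ex, "code", None)
+try:
+retval[HTML] = ex.read() if hasattr(ex, "read") else getattr(ex, "msg", str(ex))
+except:
+retval[HTML] = ""
+retval[RAW] = "%s %s %s\n%s\n%s" % (httplib.HTTPConnection._http_vsn_str, retval[HTTPCODE] or "", getattr(ex, "msg", ""), str(ex.headers) if hasattr(ex, "headers") else "", retval[HTML])
+
+for encoding in re.findall(r"charset=[\s\"']?([\w-]+)", retval[RAW])[::-1] + ["utf8"]:
+encoding = ENCODING_TRANSLATIONS.get(encoding, encoding)
+try:
+retval[HTML] = retval[HTML].decode(encoding, errors="replace")
+break
+except:
+pass
+
+match = re.search(r"<title>\s*(?P<result>[^<]+?)\s*</title>", retval[HTML], re.I)
+retval[TITLE] = match.group("result") if match and "result" in match.groupdict() else None
+retval[TEXT] = re.sub(r"(?si)<script.+?</script>|<!--.+?-->|<style.+?</style>|<[^>]+>|\s+", " ", retval[HTML])
+match = re.search(r"(?im)^Server: (.+)", retval[RAW])
+retval[SERVER] = match.group(1).strip() if match else ""
+return retval
+
+def calc_hash(value, binary=True):
+value = value.encode("utf8") if not isinstance(value, bytes) else value
+result = zlib.crc32(value) & 0xffff
+if binary:
+result = struct.pack(">H", result)
+return result
+
+def single_print(message):
+if message not in seen:
+print(message)
+seen.add(message)
+
+def check_payload(payload, protection_regex=GENERIC_PROTECTION_REGEX % '|'.join(GENERIC_PROTECTION_KEYWORDS)):
+global chained
+global heuristic
+global intrusive
+global locked_code
+global locked_regex
+
+time.sleep(options.delay or 0)
+if options.post:
+_ = "%s=%s" % ("".join(random.sample(string.ascii_letters, 3)), quote(payload))
+intrusive = retrieve(options.url, _)
+else:
+_ = "%s%s%s=%s" % (options.url, '?' if '?' not in options.url else '&', "".join(random.sample(string.ascii_letters, 3)), quote(payload))
+intrusive = retrieve(_)
+
+if options.lock and not payload.isdigit():
+if payload == HEURISTIC_PAYLOAD:
+match = re.search(re.sub(r"Server:|Protected by", "".join(random.sample(string.ascii_letters, 6)), WAF_RECOGNITION_REGEX, flags=re.I), intrusive[RAW] or "")
+if match:
+result = True
+
+for _ in match.groupdict():
+if match.group(_):
+waf = re.sub(r"\Awaf_", "", _)
+locked_regex = DATA_JSON["wafs"][waf]["regex"]
+locked_code = intrusive[HTTPCODE]
+break
+else:
+result = False
+
+if not result:
+exit(colorize("[x] can't lock results to a non-blind match"))
+else:
+result = re.search(locked_regex, intrusive[RAW]) is not None and locked_code == intrusive[HTTPCODE]
+elif options.string:
+result = options.string in (intrusive[RAW] or "")
+elif options.code:
+result = options.code == intrusive[HTTPCODE]
+else:
+result = intrusive[HTTPCODE] != original[HTTPCODE] or (intrusive[HTTPCODE] != 200 and intrusive[TITLE] != original[TITLE]) or (re.search(protection_regex, intrusive[HTML]) is not None and re.search(protection_regex, original[HTML]) is None) or (difflib.SequenceMatcher(a=original[HTML] or "", b=intrusive[HTML] or "").quick_ratio() < QUICK_RATIO_THRESHOLD)
+
+if not payload.isdigit():
+if result:
+if options.debug:
+print("\r---%s" % (40 * ' '))
+print(payload)
+print(intrusive[HTTPCODE], intrusive[RAW])
+print("---")
+
+if intrusive[SERVER]:
+servers.add(re.sub(r"\s*\(.+\)\Z", "", intrusive[SERVER]))
+if len(servers) > 1:
+chained = True
+single_print(colorize("[!] multiple (reactive) rejection HTTP 'Server' headers detected (%s)" % ', '.join("'%s'" % _ for _ in sorted(servers))))
+
+if intrusive[HTTPCODE]:
+codes.add(intrusive[HTTPCODE])
+if len(codes) > 1:
+chained = True
+single_print(colorize("[!] multiple (reactive) rejection HTTP codes detected (%s)" % ', '.join("%s" % _ for _ in sorted(codes))))
+
+if heuristic and heuristic[HTML] and intrusive[HTML] and difflib.SequenceMatcher(a=heuristic[HTML] or "", b=intrusive[HTML] or "").quick_ratio() < QUICK_RATIO_THRESHOLD:
+chained = True
+single_print(colorize("[!] multiple (reactive) rejection HTML responses detected"))
+
+if payload == HEURISTIC_PAYLOAD:
+heuristic = intrusive
+
+return result
+
+def colorize(message):
+if COLORIZE:
+message = re.sub(r"\[(.)\]", lambda match: "[%s%s\033[00;49m]" % (LEVEL_COLORS[match.group(1)], match.group(1)), message)
+
+if any(_ in message for _ in ("rejected summary", "challenge detected")):
+for match in re.finditer(r"[^\w]'([^)]+)'" if "rejected summary" in message else r"\('(.+)'\)", message):
+message = message.replace("'%s'" % match.group(1), "'\033[37m%s\033[00;49m'" % match.group(1), 1)
+else:
+for match in re.finditer(r"[^\w]'([^']+)'", message):
+message = message.replace("'%s'" % match.group(1), "'\033[37m%s\033[00;49m'" % match.group(1), 1)
+
+if "blind match" in message:
+for match in re.finditer(r"\(((\d+)%)\)", message):
+message = message.replace(match.group(1), "\033[%dm%s\033[00;49m" % (92 if int(match.group(2)) >= 95 else (93 if int(match.group(2)) > 80 else 90), match.group(1)))
+
+if "hardness" in message:
+for match in re.finditer(r"\(((\d+)%)\)", message):
+message = message.replace(match.group(1), "\033[%dm%s\033[00;49m" % (95 if " insane " in message else (91 if " hard " in message else (93 if " moderate " in message else 92)), match.group(1)))
+
+return message
+
+def parse_args():
+global options
+
+parser = optparse.OptionParser(version=VERSION)
+parser.add_option("--delay", dest="delay", type=int, help="Delay (sec) between tests (default: 0)")
+parser.add_option("--timeout", dest="timeout", type=int, help="Response timeout (sec) (default: 10)")
+parser.add_option("--proxy", dest="proxy", help="HTTP proxy address (e.g. \"http://127.0.0.1:8080\")")
+parser.add_option("--proxy-file", dest="proxy_file", help="Load (rotating) HTTP(s) proxy list from a file")
+parser.add_option("--random-agent", dest="random_agent", action="store_true", help="Use random HTTP User-Agent header value")
+parser.add_option("--code", dest="code", type=int, help="Expected HTTP code in rejected responses")
+parser.add_option("--string", dest="string", help="Expected string in rejected responses")
+parser.add_option("--post", dest="post", action="store_true", help="Use POST body for sending payloads")
+parser.add_option("--debug", dest="debug", action="store_true", help=optparse.SUPPRESS_HELP)
+parser.add_option("--fast", dest="fast", action="store_true", help=optparse.SUPPRESS_HELP)
+parser.add_option("--lock", dest="lock", action="store_true", help=optparse.SUPPRESS_HELP)
+
+# Dirty hack(s) for help message
+def _(self, *args):
+retval = parser.formatter._format_option_strings(*args)
+if len(retval) > MAX_HELP_OPTION_LENGTH:
+retval = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - parser.formatter.indent_increment)) % retval
+return retval
+
+parser.usage = "python %s <host|url>" % parser.usage
+parser.formatter._format_option_strings = parser.formatter.format_option_strings
+parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser)
+
+for _ in ("-h", "--version"):
+option = parser.get_option(_)
+option.help = option.help.capitalize()
+
+try:
+options, _ = parser.parse_args()
+except SystemExit:
+raise
+
+if len(sys.argv) > 1:
+url = sys.argv[-1]
+if not url.startswith("http"):
+url = "http://%s" % url
+options.url = url
+else:
+parser.print_help()
+raise SystemExit
+
+for key in DEFAULTS:
+if getattr(options, key, None) is None:
+setattr(options, key, DEFAULTS[key])
+
+def load_data():
+global WAF_RECOGNITION_REGEX
+
+if os.path.isfile(DATA_JSON_FILE):
+with codecs.open(DATA_JSON_FILE, "rb", encoding="utf8") as f:
+DATA_JSON.update(json.load(f))
+
+WAF_RECOGNITION_REGEX = ""
+for waf in DATA_JSON["wafs"]:
+if DATA_JSON["wafs"][waf]["regex"]:
+WAF_RECOGNITION_REGEX += "%s|" % ("(?P<waf_%s>%s)" % (waf, DATA_JSON["wafs"][waf]["regex"]))
+for signature in DATA_JSON["wafs"][waf]["signatures"]:
+SIGNATURES[signature] = waf
+WAF_RECOGNITION_REGEX = WAF_RECOGNITION_REGEX.strip('|')
+
+flags = "".join(set(_ for _ in "".join(re.findall(r"\(\?(\w+)\)", WAF_RECOGNITION_REGEX))))
+WAF_RECOGNITION_REGEX = "(?%s)%s" % (flags, re.sub(r"\(\?\w+\)", "", WAF_RECOGNITION_REGEX)) # patch for "DeprecationWarning: Flags not at the start of the expression" in Python3.7
+else:
+exit(colorize("[x] file '%s' is missing" % DATA_JSON_FILE))
+
+def init():
+os.chdir(os.path.abspath(os.path.dirname(__file__)))
+
+print(colorize("[o] initializing handlers..."))
+
+# Reference: https://stackoverflow.com/a/28052583
+if hasattr(ssl, "_create_unverified_context"):
+ssl._create_default_https_context = ssl._create_unverified_context
+
+if options.proxy_file:
+if os.path.isfile(options.proxy_file):
+print(colorize("[o] loading proxy list..."))
+
+with codecs.open(options.proxy_file, "rb", encoding="utf8") as f:
+proxies.extend(re.sub(r"\s.*", "", _.strip()) for _ in f.read().strip().split('\n') if _.startswith("http"))
+random.shuffle(proxies)
+else:
+exit(colorize("[x] file '%s' does not exist" % options.proxy_file))
+
+
+cookie_jar = CookieJar()
+opener = build_opener(HTTPCookieProcessor(cookie_jar))
+install_opener(opener)
+
+if options.proxy:
+opener = build_opener(ProxyHandler({"http": options.proxy, "https": options.proxy}))
+install_opener(opener)
+
+if options.random_agent:
+revision = random.randint(20, 64)
+platform = random.sample(("X11; %s %s" % (random.sample(("Linux", "Ubuntu; Linux", "U; Linux", "U; OpenBSD", "U; FreeBSD"), 1)[0], random.sample(("amd64", "i586", "i686", "amd64"), 1)[0]), "Windows NT %s%s" % (random.sample(("5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"), 1)[0], random.sample(("", "; Win64", "; WOW64"), 1)[0]), "Macintosh; Intel Mac OS X 10.%s" % random.randint(1, 11)), 1)[0]
+user_agent = "Mozilla/5.0 (%s; rv:%d.0) Gecko/20100101 Firefox/%d.0" % (platform, revision, revision)
+HEADERS["User-Agent"] = user_agent
+
+def format_name(waf):
+return "%s%s" % (DATA_JSON["wafs"][waf]["name"], (" (%s)" % DATA_JSON["wafs"][waf]["company"]) if DATA_JSON["wafs"][waf]["name"] != DATA_JSON["wafs"][waf]["company"] else "")
+
+def non_blind_check(raw):
+retval = False
+match = re.search(WAF_RECOGNITION_REGEX, raw or "")
+if match:
+retval = True
+for _ in match.groupdict():
+if match.group(_):
+waf = re.sub(r"\Awaf_", "", _)
+non_blind.add(waf)
+single_print(colorize("[+] non-blind match: '%s'%s" % (format_name(waf), 20 * ' ')))
+return retval
+
+def run():
+global original
+
+hostname = options.url.split("//")[-1].split('/')[0].split(':')[0]
+
+if not hostname.replace('.', "").isdigit():
+print(colorize("[i] checking hostname '%s'..." % hostname))
+try:
+socket.getaddrinfo(hostname, None)
+except socket.gaierror:
+exit(colorize("[x] host '%s' does not exist" % hostname))
+
+results = ""
+signature = b""
+counter = 0
+original = retrieve(options.url)
+
+if 300 <= (original[HTTPCODE] or 0) < 400 and original[URL]:
+original = retrieve(original[URL])
+
+options.url = original[URL]
+
+if original[HTTPCODE] is None:
+exit(colorize("[x] missing valid response"))
+
+if not any((options.string, options.code)) and original[HTTPCODE] >= 400:
+non_blind_check(original[RAW])
+if options.debug:
+print("\r---%s" % (40 * ' '))
+print(original[HTTPCODE], original[RAW])
+print("---")
+exit(colorize("[x] access to host '%s' seems to be restricted%s" % (hostname, (" (%d: '<title>%s</title>')" % (original[HTTPCODE], original[TITLE].strip())) if original[TITLE] else "")))
+
+challenge = None
+if all(_ in original[HTML].lower() for _ in ("eval", "<script")):
+match = re.search(r"(?is)<body[^>]*>(.*)</body>", re.sub(r"(?is)<script.+?</script>", "", original[HTML]))
+if re.search(r"(?i)<(body|div)", original[HTML]) is None or (match and len(match.group(1)) == 0):
+challenge = re.search(r"(?is)<script.+</script>", original[HTML]).group(0).replace("\n", "\\n")
+print(colorize("[x] anti-robot JS challenge detected ('%s%s')" % (challenge[:MAX_JS_CHALLENGE_SNAPLEN], "..." if len(challenge) > MAX_JS_CHALLENGE_SNAPLEN else "")))
+
+protection_keywords = GENERIC_PROTECTION_KEYWORDS
+protection_regex = GENERIC_PROTECTION_REGEX % '|'.join(keyword for keyword in protection_keywords if keyword not in original[HTML].lower())
+
+print(colorize("[i] running basic heuristic test..."))
+if not check_payload(HEURISTIC_PAYLOAD):
+check = False
+if options.url.startswith("https://"):
+options.url = options.url.replace("https://", "http://")
+check = check_payload(HEURISTIC_PAYLOAD)
+if not check:
+if non_blind_check(intrusive[RAW]):
+exit(colorize("[x] unable to continue due to static responses%s" % (" (captcha)" if re.search(r"(?i)captcha", intrusive[RAW]) is not None else "")))
+elif challenge is None:
+exit(colorize("[x] host '%s' does not seem to be protected" % hostname))
+else:
+exit(colorize("[x] response not changing without JS challenge solved"))
+
+if options.fast and not non_blind:
+exit(colorize("[x] fast exit because of missing non-blind match"))
+
+if not intrusive[HTTPCODE]:
+print(colorize("[i] rejected summary: RST|DROP"))
+else:
+_ = "...".join(match.group(0) for match in re.finditer(GENERIC_ERROR_MESSAGE_REGEX, intrusive[HTML])).strip().replace(" ", " ")
+print(colorize(("[i] rejected summary: %d ('%s%s')" % (intrusive[HTTPCODE], ("<title>%s</title>" % intrusive[TITLE]) if intrusive[TITLE] else "", "" if not _ or intrusive[HTTPCODE] < 400 else ("...%s" % _))).replace(" ('')", "")))
+
+found = non_blind_check(intrusive[RAW] if intrusive[HTTPCODE] is not None else original[RAW])
+
+if not found:
+print(colorize("[-] non-blind match: -"))
+
+for item in DATA_JSON["payloads"]:
+info, payload = item.split("::", 1)
+counter += 1
+
+if IS_TTY:
+sys.stdout.write(colorize("\r[i] running payload tests... (%d/%d)\r" % (counter, len(DATA_JSON["payloads"]))))
+sys.stdout.flush()
+
+if counter % VERIFY_OK_INTERVAL == 0:
+for i in xrange(VERIFY_RETRY_TIMES):
+if not check_payload(str(random.randint(1, 9)), protection_regex):
+break
+elif i == VERIFY_RETRY_TIMES - 1:
+exit(colorize("[x] host '%s' seems to be misconfigured or rejecting benign requests%s" % (hostname, (" (%d: '<title>%s</title>')" % (intrusive[HTTPCODE], intrusive[TITLE].strip())) if intrusive[TITLE] else "")))
+else:
+time.sleep(5)
+
+last = check_payload(payload, protection_regex)
+non_blind_check(intrusive[RAW])
+signature += struct.pack(">H", ((calc_hash(payload, binary=False) << 1) | last) & 0xffff)
+results += 'x' if last else '.'
+
+if last and info not in blocked:
+blocked.append(info)
+
+_ = calc_hash(signature)
+signature = "%s:%s" % (_.encode("hex") if not hasattr(_, "hex") else _.hex(), base64.b64encode(signature).decode("ascii"))
+
+print(colorize("%s[=] results: '%s'" % ("\n" if IS_TTY else "", results)))
+
+hardness = 100 * results.count('x') / len(results)
+print(colorize("[=] hardness: %s (%d%%)" % ("insane" if hardness >= 80 else ("hard" if hardness >= 50 else ("moderate" if hardness >= 30 else "easy")), hardness)))
+
+if blocked:
+print(colorize("[=] blocked categories: %s" % ", ".join(blocked)))
+
+if not results.strip('.') or not results.strip('x'):
+print(colorize("[-] blind match: -"))
+
+if re.search(r"(?i)captcha", original[HTML]) is not None:
+exit(colorize("[x] there seems to be an activated captcha"))
+else:
+print(colorize("[=] signature: '%s'" % signature))
+
+if signature in SIGNATURES:
+waf = SIGNATURES[signature]
+print(colorize("[+] blind match: '%s' (100%%)" % format_name(waf)))
+elif results.count('x') < MIN_MATCH_PARTIAL:
+print(colorize("[-] blind match: -"))
+else:
+matches = {}
+markers = set()
+decoded = base64.b64decode(signature.split(':')[-1])
+for i in xrange(0, len(decoded), 2):
+part = struct.unpack(">H", decoded[i: i + 2])[0]
+markers.add(part)
+
+for candidate in SIGNATURES:
+counter_y, counter_n = 0, 0
+decoded = base64.b64decode(candidate.split(':')[-1])
+for i in xrange(0, len(decoded), 2):
+part = struct.unpack(">H", decoded[i: i + 2])[0]
+if part in markers:
+counter_y += 1
+elif any(_ in markers for _ in (part & ~1, part | 1)):
+counter_n += 1
+result = int(round(100 * counter_y / (counter_y + counter_n)))
+if SIGNATURES[candidate] in matches:
+if result > matches[SIGNATURES[candidate]]:
+matches[SIGNATURES[candidate]] = result
+else:
+matches[SIGNATURES[candidate]] = result
+
+if chained:
+for _ in list(matches.keys()):
+if matches[_] < 90:
+del matches[_]
+
+if not matches:
+print(colorize("[-] blind match: - "))
+print(colorize("[!] probably chained web protection systems"))
+else:
+matches = [(_[1], _[0]) for _ in matches.items()]
+matches.sort(reverse=True)
+
+print(colorize("[+] blind match: %s" % ", ".join("'%s' (%d%%)" % (format_name(matches[i][1]), matches[i][0]) for i in xrange(min(len(matches), MAX_MATCHES) if matches[0][0] != 100 else 1))))
+
+print()
+
+def main():
+if "--version" not in sys.argv:
+print(BANNER)
+
+parse_args()
+init()
+run()
+
+load_data()
+
+if __name__ == "__main__":
+try:
+main()
+except KeyboardInterrupt:
+exit(colorize("\r[x] Ctrl-C pressed"))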
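--- a/waf/360.py
+++ b/waf/360.py
@@ -1,23 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "360 Web Application Firewall (360)"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, headers, code = get_page(get=vector)
-retval |= headers.get("X-Powered-By-360wzb") is not None
-retval |= code == 493 and "/wzws-waf-cgi/" in (page or "")
-retval |= all(_ in (page or "") for _ in ("eventID", "If you are the Webmaster", "<title>493</title>"))
-if retval:
-break
-
-return retval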
|
@ -1,8 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
pass
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "aeSecure (aeSecure)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= headers.get("aeSecure-code") is not None
|
||||
retval |= all(_ in (page or "") for _ in ("aeSecure", "aesecure_denied.png"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Airlock (Phion/Ergon)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"\AAL[_-]?(SESS|LB)", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= all(_ in (page or "") for _ in ("The server detected a syntax error in your request", "Check your request and all parameters", "Bad Request", "Your request ID was"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Anquanbao Web Application Firewall (Anquanbao)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= code == 405 and any(_ in (page or "") for _ in ("/aqb_cc/error/", "hidden_intercept_time"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,27 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Approach Web Application Firewall (Approach)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= re.search(r"Approach Web Application Firewall", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= re.search(r"Approach(</b>)? Web Application Firewall", page or "", re.I) is not None
|
||||
retval |= " Your IP address has been logged and this information could be used by authorities to track you." in (page or "")
|
||||
retval |= all(_ in (page or "") for _ in ("Sorry for the inconvenience!", "If this was an legitimate request please contact us with details!"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
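--- a/waf/armor.py
+++ b/waf/armor.py
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Armor Protection (Armor Defense)"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, _, _ = get_page(get=vector)
-retval |= "This request has been blocked by website protection from Armor" in (page or "")
-if retval:
-break
-
-return retval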
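--- a/waf/asm.py
+++ b/waf/asm.py
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Application Security Manager (F5 Networks)"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, headers, code = get_page(get=vector)
-retval |= "The requested URL was rejected. Please consult with your administrator." in (page or "")
-retval |= all(_ in (page or "") for _ in ("security.f5aas.com", "Please enable JavaScript to view the page content"))
-if retval:
-break
-
-return retval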
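--- a/waf/astra.py
+++ b/waf/astra.py
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Astra (Czar Securities)"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, headers, code = get_page(get=vector)
-retval |= all(_ in (page or "") for _ in ("unfortunately our website protection system", "//www.getastra.com"))
-if retval:
-break
-
-return retval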
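--- a/waf/aws.py
+++ b/waf/aws.py
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Amazon Web Services Web Application Firewall (Amazon)"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, headers, code = get_page(get=vector)
-retval |= code == 403 and re.search(r"\bAWS", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
-if retval:
-break
-
-return retval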
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Barracuda Web Application Firewall (Barracuda Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"\Abarra_counter_session=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= re.search(r"(\A|\b)barracuda_", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= "when this page occurred and the event ID found at the bottom of the page" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Bekchy (Faydata Information Technologies Inc.)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("<title>Bekchy - Access Denided</title>", "<a class=\"btn\" href=\"https://bekchy.com/report\">"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "BitNinja (BitNinja)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("alt=\"BitNinja|Security check by BitNinja", "your IP will be removed from BitNinja", "<title>Visitor anti-robot validation</title>"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Bluedon Web Application Firewall (Bluedon Information Security Technology)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= re.search(r"BDWAF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= re.search(r"Bluedon Web Application Firewall", page or "", re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "WP Cerber Security (Cerber Tech)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("We're sorry, you are not allowed to proceed", "Your request looks suspicious or similar to automated requests from spam posting software"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "ChinaCache (ChinaCache Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and headers.get("Powered-By-ChinaCache") is not None
|
||||
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Cisco ACE XML Gateway (Cisco Systems)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
_, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"ACE XML Gateway", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Cloudbric Web Application Firewall (Cloudbric)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and all(_ in (page or "") for _ in ("Cloudbric", "Malicious Code Detected"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,33 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "CloudFlare Web Application Firewall (CloudFlare)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
|
||||
if (code or 0) >= 400:
|
||||
retval |= re.search(r"cloudflare", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= re.search(r"\A__cfduid=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= headers.get("cf-ray") is not None
|
||||
retval |= re.search(r"CloudFlare Ray ID:|var CloudFlare=", page or "") is not None
|
||||
retval |= all(_ in (page or "") for _ in ("Attention Required! | Cloudflare", "Please complete the security check to access"))
|
||||
retval |= all(_ in (page or "") for _ in ("Attention Required! | Cloudflare", "Sorry, you have been blocked"))
|
||||
retval |= any(_ in (page or "") for _ in ("CLOUDFLARE_ERROR_500S_BOX", "::CAPTCHA_BOX::"))
|
||||
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "CloudFront (Amazon)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= all(_ in (page or "") for _ in ("Generated by cloudfront", "Request blocked"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Comodo Web Application Firewall (Comodo)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
_, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"Protected by COMODO WAF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "CrawlProtect (Jean-Denis Brun)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and "This site is protected by CrawlProtect" in (page or "")
|
||||
retval |= "<title>CrawlProtect" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Distil Web Application Firewall Security (Distil Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= headers.get("x-distil-cs") is not None
|
||||
retval |= any(_ in (page or "") for _ in ("distilCaptchaForm", "distilCallbackGuard", "cdn.distilnetworks.com/images/anomaly-detected.png"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "dotDefender (Applicure Technologies)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= headers.get("X-dotDefender-denied", "") == "1"
|
||||
retval |= any(_ in (page or "") for _ in ("dotDefender Blocked Your Request", '<meta name="description" content="Applicure is the leading provider of web application security', "Please contact the site administrator, and provide the following Reference ID:"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "EdgeCast Web Application Firewall (Verizon)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
_, headers, code = get_page(get=vector)
|
||||
retval |= code == 400 and re.search(r"\AECDF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "ExpressionEngine (EllisLab)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= any((page or "").strip() == _ for _ in ("Invalid GET Data", "Invalid URI")) and re.search(r"\bexp_last_", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "FortiWeb Web Application Firewall (Fortinet)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"\AFORTIWAFSID=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= all(_ in (page or "") for _ in (".fgd_icon", ".blocked", ".authenticate"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,35 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.convert import getUnicode
|
||||
from lib.core.data import kb
|
||||
from lib.core.settings import GENERIC_PROTECTION_REGEX
|
||||
from lib.core.settings import IPS_WAF_CHECK_PAYLOAD
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Generic (Unknown)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
original, _, code = get_page()
|
||||
if original is None or (code or 0) >= 400:
|
||||
return False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
|
||||
if (code or 0) >= 400 or (IPS_WAF_CHECK_PAYLOAD in vector and (code is None or re.search(GENERIC_PROTECTION_REGEX, page or "") and not re.search(GENERIC_PROTECTION_REGEX, original or ""))):
|
||||
if code is not None:
|
||||
kb.wafSpecificResponse = "HTTP/1.1 %s\n%s\n%s" % (code, "".join(getUnicode(_) for _ in (headers.headers if headers else {}) or [] if not _.startswith("URI")), getUnicode(page or ""))
|
||||
|
||||
retval = True
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "GoDaddy Website Firewall (GoDaddy Inc.)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("Access Denied - GoDaddy Website Firewall", "<title>GoDaddy Security - Access Denied</title>"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Greywizard (Grey Wizard)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"\Agreywizard", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= any(_ in (page or "") for _ in ("We've detected attempted attack or non standard traffic from your IP address", "<title>Grey Wizard</title>"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Imunify360 (CloudLinux Inc.)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"\Aimunify360", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= any(_ in (page or "") for _ in ("protected by Imunify360", "Powered by Imunify360", "imunify360 preloader"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,29 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Incapsula Web Application Firewall (Incapsula/Imperva)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"incap_ses|visid_incap", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= re.search(r"Incapsula", headers.get("X-CDN", ""), re.I) is not None
|
||||
retval |= "Incapsula incident ID" in (page or "")
|
||||
retval |= all(_ in (page or "") for _ in ("Error code 15", "This request was blocked by the security rules"))
|
||||
retval |= re.search(r"(?i)incident.{1,100}?\b\d{19}\-\d{17}\b", page or "") is not None
|
||||
retval |= headers.get("X-Iinfo") is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,16 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.common import randomInt
|
||||
|
||||
__product__ = "ISA Server (Microsoft)"
|
||||
|
||||
def detect(get_page):
|
||||
page, _, _ = get_page(host=randomInt(6))
|
||||
retval = "The server denied the specified Uniform Resource Locator (URL). Contact the server administrator." in (page or "")
|
||||
retval |= "The ISA Server denied the specified Uniform Resource Locator (URL)" in (page or "")
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Janusec Application Gateway (Janusec)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= all(_ in (page or "") for _ in ("Reason:", "by Janusec Application Gateway"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,28 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Jiasule Web Application Firewall (Jiasule)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= re.search(r"jiasule-WAF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= re.search(r"__jsluid=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= re.search(r"jsl_tracking", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= re.search(r"static\.jiasule\.com/static/js/http_error\.js", page or "", re.I) is not None
|
||||
retval |= code == 403 and "notice-jiasule" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,23 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "KS-WAF (Knownsec)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= re.search(r"url\('/ks-waf-error\.png'\)", page or "", re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
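--- a/waf/kona.py
+++ b/waf/kona.py
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "KONA Security Solutions (Akamai Technologies)"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, headers, code = get_page(get=vector)
-retval |= (code or 0) >= 400 and re.search(r"AkamaiGHost", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
-if retval:
-break
-
-return retval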
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "MalCare (Inactiv.com Media Solutions Pvt Ltd.)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "Blocked because of Malicious Activities" in (page or "")
|
||||
retval |= re.search(r"Firewall(<[^>]+>)*powered by(<[^>]+>)*MalCare", page or "") is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= any(_ in (page or "") for _ in ("This error was generated by Mod_Security", "One or more things in your request were suspicious", "rules of the mod_security module", "Protected by Mod Security"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
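--- a/waf/naxsi.py
+++ b/waf/naxsi.py
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "NAXSI (NBS System)"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-_, headers, _ = get_page(get=vector)
-retval |= re.search(r"naxsi/waf", headers.get(HTTP_HEADER.X_DATA_ORIGIN, ""), re.I) is not None
-if retval:
-break
-
-return retval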
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "NetScaler AppFirewall (Citrix)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("<title>Application Firewall Block Page</title>", "Violation Category: APPFW_", "AppFW Session ID", "Access has been blocked - if you feel this is in error, please contact the site administrators quoting the following"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Newdefend Web Application Firewall (Newdefend)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"NewDefend", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= any(_ in (page or "") for _ in ("/nd_block/", "http://www.newdefend.com/feedback/misinformation/"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Nexusguard (Nexusguard Limited)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "<p>Powered by Nexusguard</p>" in (page or "")
|
||||
retval |= re.search(r"speresources\.nexusguard\.com/wafpage/[^>]*#\d{3};", page or "") is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "NinjaFirewall (NinTechNet)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "<title>NinjaFirewall: 403 Forbidden" in (page or "")
|
||||
retval |= all(_ in (page or "") for _ in ("For security reasons, it was blocked and logged", "NinjaFirewall"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "onMessage Shield (Blackbaud)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"onMessage Shield", headers.get("X-Engine", ""), re.I) is not None
|
||||
retval |= "This site is protected by an enhanced security system to ensure a safe browsing experience" in (page or "")
|
||||
retval |= "onMessage SHIELD" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Palo Alto Firewall (Palo Alto Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= re.search(r"has been blocked in accordance with company policy", page or "", re.I) is not None
|
||||
retval |= all(_ in (page or "") for _ in ("Palo Alto Next Generation Security Platform", "Download Blocked"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "PerimeterX (PerimeterX, Inc.)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "https://www.perimeterx.com/whywasiblocked" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Profense Web Application Firewall (Armorlogic)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
_, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"\APLBSID=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= re.search(r"Profense", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,15 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
__product__ = "Proventia Web Application Security (IBM)"
|
||||
|
||||
def detect(get_page):
|
||||
page, _, _ = get_page()
|
||||
if page is None:
|
||||
return False
|
||||
page, _, _ = get_page(url="/Admin_Files/")
|
||||
return page is None
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "AppWall (Radware)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"Unauthorized Activity Has Been Detected.+Case Number:", page or "", re.I | re.S) is not None
|
||||
retval |= headers.get("X-SL-CompState") is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Reblaze Web Application Firewall (Reblaze)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"\Arbzid=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= re.search(r"Reblaze Secure Web Gateway", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= all(_ in (page or "") for _ in ("Current session has been terminated", "For further information, do not hesitate to contact us", "Access denied (403)"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,23 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "ASP.NET RequestValidationMode (Microsoft)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, code = get_page(get=vector)
|
||||
retval |= "ASP.NET has detected data in the request that is potentially dangerous" in (page or "")
|
||||
retval |= "Request Validation has detected a potentially dangerous client input value" in (page or "")
|
||||
retval |= code == 500 and "HttpRequestValidationException" in page
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "RSFirewall (RSJoomla!)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("COM_RSFIREWALL_403_FORBIDDEN", "COM_RSFIREWALL_EVENT"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
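--- a/waf/safe3.py
+++ b/waf/safe3.py
@@ -1,26 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Safe3 Web Application Firewall"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, headers, _ = get_page(get=vector)
-retval |= re.search(r"Safe3WAF", headers.get(HTTP_HEADER.X_POWERED_BY, ""), re.I) is not None
-retval |= re.search(r"Safe3 Web Firewall", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
-retval |= all(_ in (page or "") for _ in ("403 Forbidden", "Safe3waf/"))
-if retval:
-break
-
-return retval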
|
|
@ -1,27 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Safedog Web Application Firewall (Safedog)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"WAF/2\.0", headers.get(HTTP_HEADER.X_POWERED_BY, ""), re.I) is not None
|
||||
retval |= re.search(r"Safedog", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= re.search(r"safedog", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
retval |= any(_ in (page or "") for _ in ("safedogsite/broswer_logo.jpg", "404.safedog.cn/sitedog_stat.html"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "SafeLine Next Gen WAF (Chaitin Tech)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= all(_ in (page or "") for _ in ("SafeLine", "<!-- event_id:"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Secure Entry Server (United Security Providers)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and re.search(r"Secure Entry Server", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "SecureIIS Web Server Security (BeyondTrust)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= re.search(r"SecureIIS[^<]+Web Server Protection", page or "") is not None
|
||||
retval |= "http://www.eeye.com/SecureIIS/" in (page or "")
|
||||
retval |= re.search(r"\?subject=[^>]*SecureIIS Error", page or "") is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,23 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "SecureSphere Web Application Firewall (Imperva)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= re.search(r"<H2>Error</H2>.+?#FEEE7A.+?<STRONG>Error</STRONG>|Contact support for additional information.<br/>The incident ID is: (\\d{19}|N/A)", page or "", re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "SEnginx (Neusoft Corporation)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "SENGINX-ROBOT-MITIGATION" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Shield Security (One Dollar Plugin)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "Something in the URL, Form or Cookie data wasn't appropriate" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "SiteGround Web Application Firewall (SiteGround)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "The page you are trying to access is restricted due to a security rule" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "SiteGuard (JP-Secure)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("Powered by SiteGuard", "The server refuse to browse the page"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "TrueShield Web Application Firewall (SiteLock)"
|
||||
|
||||
# Note: https://www.whitefirdesign.com/blog/2016/11/08/more-evidence-that-sitelocks-trueshield-web-application-firewall-is-really-incapsulas-waf/
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("SiteLock Incident ID", '<span class="value INCIDENT_ID">'))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,27 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "SonicWALL (Dell)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= "This request is blocked by the SonicWALL" in (page or "")
|
||||
retval |= all(_ in (page or "") for _ in ("#shd", "#nsa_banner"))
|
||||
retval |= re.search(r"Web Site Blocked.+\bnsa_banner", page or "", re.I) is not None
|
||||
retval |= re.search(r"SonicWALL", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "UTM Web Protection (Sophos)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= "Powered by UTM Web Protection" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Squarespace Web Application Firewall (Squarespace)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= all(_ in (page or "") for _ in ("BRICK-50", " @ ", "404 Not Found"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "StackPath Web Application Firewall (StackPath LLC)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= all(_ in (page or "") for _ in ("You performed an action that triggered the service and blocked your request",))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,29 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "CloudProxy WebSite Firewall (Sucuri)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= code == 403 and re.search(r"Sucuri/Cloudproxy", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= "Access Denied - Sucuri Website Firewall" in (page or "")
|
||||
retval |= "Sucuri WebSite Firewall - CloudProxy - Access Denied" in (page or "")
|
||||
retval |= re.search(r"Questions\?.+cloudproxy@sucuri\.net", (page or "")) is not None
|
||||
retval |= headers.get("X-Sucuri-ID") is not None
|
||||
retval |= headers.get("X-Sucuri-Cache") is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Tencent Cloud Web Application Firewall (Tencent Cloud Computing)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, code = get_page(get=vector)
|
||||
retval |= code == 405 and "waf.tencent-cloud.com" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "TrafficShield (F5 Networks)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
_, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"F5-TrafficShield", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= re.search(r"\AASINFO=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Url Master SecurityCheck (iFinity/DotNetNuke)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and all(_ in (page or "") for _ in ("UrlMaster", "UrlRewriteModule", "SecurityCheck"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "UrlScan (Microsoft)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= re.search(r"Rejected-By-UrlScan", headers.get(HTTP_HEADER.LOCATION, ""), re.I) is not None
|
||||
retval |= code != 200 and re.search(r"/Rejected-By-UrlScan", page or "", re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Varnish FireWall (OWASP)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and "Request rejected by xVarnish-WAF" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Virusdie (Virusdie LLC)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("| Virusdie</title>", "http://cdn.virusdie.ru/splash/firewallstop.png", "© Virusdie.ru</p>", '<meta name="FW_BLOCK"'))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Wallarm Web Application Firewall (Wallarm)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
_, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"nginx-wallarm", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "WatchGuard (WatchGuard Technologies)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and re.search(r"\AWatchGuard", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= "Request denied by WatchGuard Firewall" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "WebKnight Application Firewall (AQTRONIX)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= code == 999
|
||||
retval |= re.search(r"WebKnight", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= any(_ in (page or "") for _ in ("WebKnight Application Firewall Alert", "AQTRONIX WebKnight"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "WebSEAL (IBM)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"WebSEAL", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= any(_ in (page or "") for _ in ("This is a WebSEAL error message template file", "The Access Manager WebSEAL server received an invalid HTTP request"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Wordfence (Feedjit)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, _, _ = get_page(get=vector)
|
||||
retval |= any(_ in (page or "") for _ in ("A potentially unsafe operation has been detected in your request to this site", "Generated by Wordfence", "Your access to this site has been limited", "This response was generated by Wordfence"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
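--- a/waf/wts.py
+++ b/waf/wts.py
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "WTS Web Application Firewall"
-
-def detect(get_page):
-retval = False
-
-for vector in WAF_ATTACK_VECTORS:
-page, headers, _ = get_page(get=vector)
-retval |= ">WTS-WAF" in (page or "")
-retval |= re.search(r"\Awts/", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
-if retval:
-break
-
-return retval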
|
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Yundun Web Application Firewall (Yundun)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"YUNDUN", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= re.search(r"YUNDUN", headers.get("X-Cache", ""), re.I) is not None
|
||||
retval |= "Blocked by YUNDUN Cloud WAF" in (page or "")
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Yunsuo Web Application Firewall (Yunsuo)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, _ = get_page(get=vector)
|
||||
retval |= re.search(r"<img class=\"yunsuologo\"", page, re.I) is not None
|
||||
retval |= re.search(r"yunsuo_session", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|
|
@ -1,25 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.enums import HTTP_HEADER
|
||||
from lib.core.settings import WAF_ATTACK_VECTORS
|
||||
|
||||
__product__ = "Zenedge Web Application Firewall (Zenedge)"
|
||||
|
||||
def detect(get_page):
|
||||
retval = False
|
||||
|
||||
for vector in WAF_ATTACK_VECTORS:
|
||||
page, headers, code = get_page(get=vector)
|
||||
retval |= (code or 0) >= 400 and re.search(r"\AZENEDGE", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
|
||||
retval |= all(_ in (page or "") for _ in ("Your request has been blocked", "Incident ID", "/__zenedge/assets/"))
|
||||
if retval:
|
||||
break
|
||||
|
||||
return retval
|