From 0c79504ff1c2e0f80e3c36cc841de62fc4bd997a Mon Sep 17 00:00:00 2001 
From: Miroslav Stampar Date: Fri, 24 May 2019 13:09:28 +0200 Subject: [PATCH] Switching from WAF scripts to identYwaf (avoiding redundant work from my side) --- doc/THIRD-PARTY.md | 2 + lib/controller/checks.py | 147 ++--- lib/controller/controller.py | 4 - lib/core/option.py | 41 -- lib/core/optiondict.py | 1 - lib/core/patch.py | 2 - lib/core/settings.py | 2 +- lib/parse/cmdline.py | 3 - sqlmap.conf | 4 - swagger.yaml | 1 - thirdparty/identywaf/LICENSE | 21 + thirdparty/identywaf/__init__.py | 0 thirdparty/identywaf/data.json | 885 ++++++++++++++++++++++++++++++ thirdparty/identywaf/identYwaf.py | 585 ++++++++++++++++++++ waf/360.py | 23 - waf/__init__.py | 8 - waf/aesecure.py | 22 - waf/airlock.py | 25 - waf/anquanbao.py | 21 - waf/approach.py | 27 - waf/armor.py | 21 - waf/asm.py | 22 - waf/astra.py | 21 - waf/aws.py | 24 - waf/barracuda.py | 26 - waf/bekchy.py | 21 - waf/bitninja.py | 21 - waf/bluedon.py | 25 - waf/cerber.py | 21 - waf/chinacache.py | 22 - waf/ciscoacexml.py | 24 - waf/cloudbric.py | 21 - waf/cloudflare.py | 33 -- waf/cloudfront.py | 21 - waf/comodo.py | 24 - waf/crawlprotect.py | 22 - waf/distil.py | 22 - waf/dotdefender.py | 22 - waf/edgecast.py | 24 - waf/expressionengine.py | 24 - waf/fortiweb.py | 25 - waf/generic.py | 35 -- waf/godaddy.py | 21 - waf/greywizard.py | 25 - waf/imunify360.py | 25 - waf/incapsula.py | 29 - waf/isaserver.py | 16 - waf/janusec.py | 21 - waf/jiasule.py | 28 - waf/knownsec.py | 23 - waf/kona.py | 24 - waf/malcare.py | 24 - waf/modsecurity.py | 25 - waf/naxsi.py | 24 - waf/netscaler.py | 21 - waf/newdefend.py | 25 - waf/nexusguard.py | 24 - waf/ninjafirewall.py | 22 - waf/onmessageshield.py | 25 - waf/paloalto.py | 24 - waf/perimeterx.py | 21 - waf/profense.py | 25 - waf/proventia.py | 15 - waf/radware.py | 24 - waf/reblaze.py | 26 - waf/requestvalidationmode.py | 23 - waf/rsfirewall.py | 21 - waf/safe3.py | 26 - waf/safedog.py | 27 - waf/safeline.py | 21 - waf/secureentry.py | 24 - waf/secureiis.py | 25 - 
waf/securesphere.py | 23 - waf/senginx.py | 21 - waf/shieldsecurity.py | 21 - waf/siteground.py | 21 - waf/siteguard.py | 21 - waf/sitelock.py | 22 - waf/sonicwall.py | 27 - waf/sophos.py | 21 - waf/squarespace.py | 21 - waf/stackpath.py | 21 - waf/sucuri.py | 29 - waf/tencent.py | 21 - waf/trafficshield.py | 25 - waf/urlmaster.py | 21 - waf/urlscan.py | 25 - waf/varnish.py | 21 - waf/virusdie.py | 21 - waf/wallarm.py | 24 - waf/watchguard.py | 25 - waf/webknight.py | 26 - waf/webseal.py | 25 - waf/wordfence.py | 21 - waf/wts.py | 25 - waf/yundun.py | 26 - waf/yunsuo.py | 25 - waf/zenedge.py | 25 - 98 files changed, 1534 insertions(+), 2119 deletions(-) create mode 100644 thirdparty/identywaf/LICENSE create mode 100644 thirdparty/identywaf/__init__.py create mode 100644 thirdparty/identywaf/data.json create mode 100755 thirdparty/identywaf/identYwaf.py delete mode 100644 waf/360.py delete mode 100644 waf/__init__.py delete mode 100644 waf/aesecure.py delete mode 100644 waf/airlock.py delete mode 100644 waf/anquanbao.py delete mode 100644 waf/approach.py delete mode 100644 waf/armor.py delete mode 100644 waf/asm.py delete mode 100644 waf/astra.py delete mode 100644 waf/aws.py delete mode 100644 waf/barracuda.py delete mode 100644 waf/bekchy.py delete mode 100644 waf/bitninja.py delete mode 100644 waf/bluedon.py delete mode 100644 waf/cerber.py delete mode 100644 waf/chinacache.py delete mode 100644 waf/ciscoacexml.py delete mode 100644 waf/cloudbric.py delete mode 100644 waf/cloudflare.py delete mode 100644 waf/cloudfront.py delete mode 100644 waf/comodo.py delete mode 100644 waf/crawlprotect.py delete mode 100644 waf/distil.py delete mode 100644 waf/dotdefender.py delete mode 100644 waf/edgecast.py delete mode 100644 waf/expressionengine.py delete mode 100644 waf/fortiweb.py delete mode 100644 waf/generic.py delete mode 100644 waf/godaddy.py delete mode 100644 waf/greywizard.py delete mode 100644 waf/imunify360.py delete mode 100644 waf/incapsula.py delete mode 
100644 waf/isaserver.py delete mode 100644 waf/janusec.py delete mode 100644 waf/jiasule.py delete mode 100644 waf/knownsec.py delete mode 100644 waf/kona.py delete mode 100644 waf/malcare.py delete mode 100644 waf/modsecurity.py delete mode 100644 waf/naxsi.py delete mode 100644 waf/netscaler.py delete mode 100644 waf/newdefend.py delete mode 100644 waf/nexusguard.py delete mode 100644 waf/ninjafirewall.py delete mode 100644 waf/onmessageshield.py delete mode 100644 waf/paloalto.py delete mode 100644 waf/perimeterx.py delete mode 100644 waf/profense.py delete mode 100644 waf/proventia.py delete mode 100644 waf/radware.py delete mode 100644 waf/reblaze.py delete mode 100644 waf/requestvalidationmode.py delete mode 100644 waf/rsfirewall.py delete mode 100644 waf/safe3.py delete mode 100644 waf/safedog.py delete mode 100644 waf/safeline.py delete mode 100644 waf/secureentry.py delete mode 100644 waf/secureiis.py delete mode 100644 waf/securesphere.py delete mode 100644 waf/senginx.py delete mode 100644 waf/shieldsecurity.py delete mode 100644 waf/siteground.py delete mode 100644 waf/siteguard.py delete mode 100644 waf/sitelock.py delete mode 100644 waf/sonicwall.py delete mode 100644 waf/sophos.py delete mode 100644 waf/squarespace.py delete mode 100644 waf/stackpath.py delete mode 100644 waf/sucuri.py delete mode 100644 waf/tencent.py delete mode 100644 waf/trafficshield.py delete mode 100644 waf/urlmaster.py delete mode 100644 waf/urlscan.py delete mode 100644 waf/varnish.py delete mode 100644 waf/virusdie.py delete mode 100644 waf/wallarm.py delete mode 100644 waf/watchguard.py delete mode 100644 waf/webknight.py delete mode 100644 waf/webseal.py delete mode 100644 waf/wordfence.py delete mode 100644 waf/wts.py delete mode 100644 waf/yundun.py delete mode 100644 waf/yunsuo.py delete mode 100644 waf/zenedge.py diff --git a/doc/THIRD-PARTY.md b/doc/THIRD-PARTY.md index 468e14c77..eca318269 100644 --- a/doc/THIRD-PARTY.md +++ b/doc/THIRD-PARTY.md 
@@ -276,6 +276,8 @@ be bound by the terms and conditions of this License Agreement.
 * The `bottle` web framework library located under `thirdparty/bottle/`.
 Copyright (C) 2012, Marcel Hellkamp.
+* The `identYwaf` library located under `thirdparty/identywaf/`.
+ Copyright (C) 2019, Miroslav Stampar.
 * The `ordereddict` library located under `thirdparty/odict/`.
 Copyright (C) 2009, Raymond Hettinger.
 * The `six` Python 2 and 3 compatibility library located under `thirdparty/six/`.
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index acef09e32..3bb884199 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -108,6 +108,7 @@ from lib.request.templates import getPageTemplate
 from lib.techniques.union.test import unionTest
 from lib.techniques.union.use import configUnion
 from thirdparty import six
+from thirdparty.identywaf import identYwaf
 from thirdparty.six.moves import http_client as _http_client
 def checkSqlInjection(place, parameter, value):
@@ -1402,119 +1403,54 @@ def checkWaf():
 kb.resendPostOnRedirect = popValue()
 kb.redirectChoice = popValue()
+ # TODO: today
 if retVal:
- warnMsg = "heuristics detected that the target "
- warnMsg += "is protected by some kind of WAF/IPS"
- logger.critical(warnMsg)
+ pass
+ # identYwaf
+ #if conf.timeout == defaults.timeout:
+ #logger.warning("dropping timeout to %d seconds (i.e. '--timeout=%d')" % (IDS_WAF_CHECK_TIMEOUT, IDS_WAF_CHECK_TIMEOUT))
+ #conf.timeout = IDS_WAF_CHECK_TIMEOUT
- if not conf.identifyWaf:
- message = "do you want sqlmap to try to detect backend "
- message += "WAF/IPS? [y/N] "
+ # identYwaf
- if readInput(message, default='N', boolean=True):
- conf.identifyWaf = True
+ #def _(*args, **kwargs):
+ #page, headers, code = None, None, None
+ #try:
+ #pushValue(kb.redirectChoice)
+ #pushValue(kb.resendPostOnRedirect)
- if conf.timeout == defaults.timeout:
- logger.warning("dropping timeout to %d seconds (i.e. '--timeout=%d')" % (IDS_WAF_CHECK_TIMEOUT, IDS_WAF_CHECK_TIMEOUT))
- conf.timeout = IDS_WAF_CHECK_TIMEOUT
+ #kb.redirectChoice = REDIRECTION.YES
+ #kb.resendPostOnRedirect = True
+
+ #if kwargs.get("get"):
+ #kwargs["get"] = urlencode(kwargs["get"])
+ #kwargs["raise404"] = False
+ #kwargs["silent"] = True
+ #kwargs["finalCode"] = True
+
+ #page, headers, code = Request.getPage(*args, **kwargs)
+ #except Exception:
+ #pass
+ #finally:
+ #kb.resendPostOnRedirect = popValue()
+ #kb.redirectChoice = popValue()
+
+
+ #message = "are you sure that you want to "
+ #message += "continue with further target testing? [y/N] "
+ #choice = readInput(message, default='N', boolean=True)
+
+ #if not conf.tamper:
+ #warnMsg = "please consider usage of tamper scripts (option '--tamper')"
+ #singleTimeWarnMessage(warnMsg)
+
+ #if not choice:
+ #raise SqlmapUserQuitException
 hashDBWrite(HASHDB_KEYS.CHECK_WAF_RESULT, retVal, True)
 return retVal
-@stackedmethod
-def identifyWaf():
- if not conf.identifyWaf:
- return None
-
- if not kb.wafFunctions:
- setWafFunctions()
-
- kb.testMode = True
-
- infoMsg = "using WAF scripts to detect "
- infoMsg += "backend WAF/IPS protection"
- logger.info(infoMsg)
-
- @cachedmethod
- def _(*args, **kwargs):
- page, headers, code = None, None, None
- try:
- pushValue(kb.redirectChoice)
- pushValue(kb.resendPostOnRedirect)
-
- kb.redirectChoice = REDIRECTION.YES
- kb.resendPostOnRedirect = True
-
- if kwargs.get("get"):
- kwargs["get"] = urlencode(kwargs["get"])
- kwargs["raise404"] = False
- kwargs["silent"] = True
- kwargs["finalCode"] = True
-
- page, headers, code = Request.getPage(*args, **kwargs)
- except Exception:
- pass
- finally:
- kb.resendPostOnRedirect = popValue()
- kb.redirectChoice = popValue()
-
- return page or "", headers or {}, code
-
- retVal = []
-
- for function, product in kb.wafFunctions:
- if retVal and "unknown" in product.lower():
- continue
-
- try:
- logger.debug("checking for WAF/IPS product '%s'" % product)
- found = function(_)
- except Exception as ex:
- errMsg = "exception occurred while running "
- errMsg += "WAF script for '%s' ('%s')" % (product, getSafeExString(ex))
- logger.critical(errMsg)
-
- found = False
-
- if found:
- errMsg = "WAF/IPS identified as '%s'" % product
- logger.critical(errMsg)
-
- retVal.append(product)
-
- if retVal:
- if kb.wafSpecificResponse and "You don't have permission to access" not in kb.wafSpecificResponse and len(retVal) == 1 and "unknown" in retVal[0].lower():
- handle, filename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.SPECIFIC_RESPONSE)
- os.close(handle)
- with openFile(filename, "w+b") as f:
- f.write(kb.wafSpecificResponse)
-
- message = "WAF/IPS specific response can be found in '%s'. " % filename
- message += "If you know the details on used protection please "
- message += "report it along with specific response "
- message += "to '%s'" % DEV_EMAIL_ADDRESS
- logger.warn(message)
-
- message = "are you sure that you want to "
- message += "continue with further target testing? [y/N] "
- choice = readInput(message, default='N', boolean=True)
-
- if not conf.tamper:
- warnMsg = "please consider usage of tamper scripts (option '--tamper')"
- singleTimeWarnMessage(warnMsg)
-
- if not choice:
- raise SqlmapUserQuitException
- else:
- warnMsg = "WAF/IPS product hasn't been identified"
- logger.warn(warnMsg)
-
- kb.testType = None
- kb.testMode = False
-
- return retVal
-
 @stackedmethod
 def checkNullConnection():
 """
@@ -1666,6 +1602,3 @@ def checkInternet():
 def setVerbosity(): # Cross-referenced function
 raise NotImplementedError
-
-def setWafFunctions(): # Cross-referenced function
- raise NotImplementedError
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 655620942..0e260720e 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -20,7 +20,6 @@ from lib.controller.checks import checkInternet
 from lib.controller.checks import checkNullConnection
 from lib.controller.checks import checkWaf
 from lib.controller.checks import heuristicCheckSqlInjection
-from lib.controller.checks import identifyWaf
 from lib.core.agent import agent
 from lib.core.common import dataToStdout
 from lib.core.common import extractRegexResult
@@ -423,9 +422,6 @@ def start():
 checkWaf()
- if conf.identifyWaf:
- identifyWaf()
-
 if conf.nullConnection:
 checkNullConnection()
diff --git a/lib/core/option.py b/lib/core/option.py
index 78cd96e29..b8e893f53 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
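Review bot: In `checkWaf` (first lib/controller/checks.py hunk at `@@ -1402,119 +1403,54 @@`), the `if retVal:` branch is reduced to `pass`, so a positive heuristic WAF/IPS result is now stored with `hashDBWrite` and returned without any message to the operator; the continue-testing prompt and the `--tamper` hint exist only as commented-out lines. Until the identYwaf call is wired in, the notice should stay, e.g. `logger.critical("heuristics detected that the target is protected by some kind of WAF/IPS")` in place of `pass`. The commented-out block and the `# TODO: today` marker would be better tracked in an issue than committed, and the `from thirdparty.identywaf import identYwaf` line added in the import hunk is not used by any live line shown in this file's hunks, so it adds import-time work and whatever module-level behaviour that script has (not visible here). `checkWaf` begins above the hunk, so how `retVal` is computed is not shown.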
@@ -904,42 +904,6 @@ def _setPreprocessFunctions():
 errMsg += "(Note: find template script at '%s')" % filename
 raise SqlmapGenericException(errMsg)
-def _setWafFunctions():
- """
- Loads WAF/IPS detecting functions from script(s)
- """
-
- if conf.identifyWaf:
- for found in glob.glob(os.path.join(paths.SQLMAP_WAF_PATH, "*.py")):
- dirname, filename = os.path.split(found)
- dirname = os.path.abspath(dirname)
-
- if filename == "__init__.py":
- continue
-
- debugMsg = "loading WAF script '%s'" % filename[:-3]
- logger.debug(debugMsg)
-
- if dirname not in sys.path:
- sys.path.insert(0, dirname)
-
- try:
- if filename[:-3] in sys.modules:
- del sys.modules[filename[:-3]]
- module = __import__(safeFilepathEncode(filename[:-3]))
- except ImportError as ex:
- raise SqlmapSyntaxException("cannot import WAF script '%s' (%s)" % (getUnicode(filename[:-3]), getSafeExString(ex)))
-
- _ = dict(inspect.getmembers(module))
- if "detect" not in _:
- errMsg = "missing function 'detect(get_page)' "
- errMsg += "in WAF script '%s'" % found
- raise SqlmapGenericException(errMsg)
- else:
- kb.wafFunctions.append((_["detect"], _.get("__product__", filename[:-3])))
-
- kb.wafFunctions = sorted(kb.wafFunctions, key=lambda _: "generic" in _[1].lower())
-
 def _setThreads():
 if not isinstance(conf.threads, int) or conf.threads <= 0:
 conf.threads = 1
@@ -2394,10 +2358,6 @@ def _basicOptionValidation():
 errMsg = "option '-d' is incompatible with option '--dbms'"
 raise SqlmapSyntaxException(errMsg)
- if conf.identifyWaf and conf.skipWaf:
- errMsg = "switch '--identify-waf' is incompatible with switch '--skip-waf'"
- raise SqlmapSyntaxException(errMsg)
-
 if conf.titles and conf.nullConnection:
 errMsg = "switch '--titles' is incompatible with switch '--null-connection'"
 raise SqlmapSyntaxException(errMsg)
@@ -2630,7 +2590,6 @@ def init():
 _listTamperingFunctions()
 _setTamperingFunctions()
 _setPreprocessFunctions()
- _setWafFunctions()
 _setTrafficOutputFP()
 _setupHTTPCollector()
 _setHttpChunked()
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index cce6cc1cf..ccc5cfca1 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -229,7 +229,6 @@ optDict = {
 "dependencies": "boolean",
 "disableColoring": "boolean",
 "googlePage": "integer",
- "identifyWaf": "boolean",
 "listTampers": "boolean",
 "mobile": "boolean",
 "offline": "boolean",
diff --git a/lib/core/patch.py b/lib/core/patch.py
index ac7384332..085e54e1b 100644
--- a/lib/core/patch.py
+++ b/lib/core/patch.py
@@ -28,7 +28,6 @@ from lib.core.common import shellExec
 from lib.core.convert import stdoutEncode
 from lib.core.option import _setHTTPHandlers
 from lib.core.option import setVerbosity
-from lib.core.option import _setWafFunctions
 from lib.core.settings import IS_WIN
 from thirdparty.six.moves import http_client as _http_client
@@ -70,7 +69,6 @@ def resolveCrossReferences():
 lib.request.connect.setHTTPHandlers = _setHTTPHandlers
 lib.utils.search.setHTTPHandlers = _setHTTPHandlers
 lib.controller.checks.setVerbosity = setVerbosity
- lib.controller.checks.setWafFunctions = _setWafFunctions
 lib.utils.sqlalchemy.getSafeExString = getSafeExString
 thirdparty.ansistrm.ansistrm.stdoutEncode = stdoutEncode
diff --git a/lib/core/settings.py b/lib/core/settings.py
index e300c10a6..a0c908d54 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 # sqlmap version (...)
-VERSION = "1.3.5.130"
+VERSION = "1.3.5.131"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index 582715874..c1a270cdb 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -652,9 +652,6 @@ def cmdLineParser(argv=None):
 miscellaneous.add_option("--gpage", dest="googlePage", type="int",
 help="Use Google dork results from specified page number")
- miscellaneous.add_option("--identify-waf", dest="identifyWaf", action="store_true",
- help="Make a thorough testing for a WAF/IPS protection")
-
 miscellaneous.add_option("--list-tampers", dest="listTampers", action="store_true",
 help="Display list of available tamper scripts")
diff --git a/sqlmap.conf b/sqlmap.conf
index 772b94ad6..e83e09e80 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -788,10 +788,6 @@ disableColoring = False
 # Default: 1
 googlePage = 1
-# Make a thorough testing for a WAF/IPS protection.
-# Valid: True or False
-identifyWaf = False
-
 # Display list of available tamper scripts
 # Valid: True or False
 listTampers = False
diff --git a/swagger.yaml b/swagger.yaml
index 6269bba0b..8a79abb23 100644
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -270,7 +270,6 @@ paths:
 tmpPath: null
 titles: false
 getSchema: false
- identifyWaf: false
 paramDel: null
 safeReqFile: null
 regKey: null
diff --git a/thirdparty/identywaf/LICENSE b/thirdparty/identywaf/LICENSE
new file mode 100644
index 000000000..fbea8d26e
--- /dev/null
+++ b/thirdparty/identywaf/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Miroslav Stampar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/thirdparty/identywaf/__init__.py b/thirdparty/identywaf/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/thirdparty/identywaf/data.json b/thirdparty/identywaf/data.json
new file mode 100644
index 000000000..66eddc3fb
--- /dev/null
+++ b/thirdparty/identywaf/data.json
@@ -0,0 +1,885 @@ +{ + "__copyright__": "Copyright (c) 2019 Miroslav Stampar (@stamparm), MIT. See the file 'LICENSE' for copying permission", + "__notice__": "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software", + + "payloads": [ + "HTML::", + "SQLi::1 AND 1", + "SQLi::1/**/AND/**/1", + "SQLi::1/*0AND*/1", + "SQLi::1 AND 1=1", + "SQLi::1 AND 1 LIKE 1", + "SQLi::1 AND 1 BETWEEN 0 AND 1", + "SQLi::1 AND 2>(SELECT 1)-- -", + "SQLi::' OR SLEEP(5) OR '", + "SQLi::admin'-- -", + "SQLi::information_schema", + "SQLi::;DROP TABLE mysql.users", + "SQLi::';DROP DATABASE mysql#", + "SQLi::1/**/UNION/**/SELECT/**/1/**/FROM/**/information_schema.*", + "SQLi::SELECT id FROM users WHERE id>2", + "SQLi::1 UNION SELECT information_schema.*", + "SQLi::1;EXEC xp_cmdshell('type autoexec.bat');", + "SQLi::1;INSERT INTO USERS values('admin', 'foobar')", + "XSS::", + "XSS::", + "XSS::", + "XSS::\\\";alert('XSS');//", + "XSS::1' onerror=alert(String.fromCharCode(88,83,83))>", + "XSS::var n=0;while(true){n++;}]]>", + "XSS::", + "XSS::javascript:alert(/XSS/)", + "XSS::", + "XPATHi::' and count(/*)=1 and '1'='1", + "XPATHi::count(/child::node())", + "XPATHi::' and count(/comment())=1 and '1'='1", + "XPATHi::' or '1'='1", + "XXE::]>&xxe;", + "LDAPi::admin*)((|userpassword=*)", + "LDAPi::user=*)(uid=*))(|(uid=*", + "LDAPi::*(|(objectclass=*))", + "NOSQLi::true, $where: '1 == 1'", + "NOSQLi::{ $ne: 1 }", + "NOSQLi::' } ], $comment:'success'", + "PHPi::", + "ACE::netstat -antup | grep :443; ping 127.0.0.1; curl http://www.google.com", + "PT:://///.htaccess", + "PT::/etc/passwd", + "PT::../../boot.ini", + "PT::C:/inetpub/wwwroot/global.asa" + ], + "wafs": { + "360": { + "company": "360", + "name": "360", + "regex": "493|/wzws-waf-cgi/", + "signatures": [ + "9778:RVZXum61OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTC" + ] + }, + "aesecure": { + "company": 
"aeSecure", + "name": "aeSecure", + "regex": "aesecure_denied\\.png|aesecure-code: \\d+", + "signatures": [ + "8a4b:RVdXu260OEhCWapBYKcPk4JzWOtohM4JiUcMrmRXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZnxtDtBeq+c36A4chW1XaTD" + ] + }, + "airlock": { + "company": "Phion/Ergon", + "name": "Airlock", + "regex": "The server detected a syntax error in your request", + "signatures": [ + "3e2c:RVZXu261OEhCWapBYKcPk4JzWOtohM4IiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59n+i6c4RmkwI2FZjxtDtAeq6c36A5chW1XaTD" + ] + }, + "alertlogic": { + "company": "Alert Logic", + "name": "Alert Logic", + "regex": "(?s)timed_redirect\\(seconds, url\\).+?

Reference ID:", + "signatures": [] + }, + "aliyundun": { + "company": "Alibaba Cloud Computing", + "name": "AliYunDun", + "regex": "Sorry, your request has been blocked as it may cause potential threats to the server's security|//errors\\.aliyun\\.com/", + "signatures": [ + "e082:RVZXum61OElCWapAYKYPkoJzWOpohM4JiUYMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC" + ] + }, + "anquanbao": { + "company": "Anquanbao", + "name": "Anquanbao", + "regex": "/aqb_cc/error/", + "signatures": [ + "c790:RVZXum61OElCWapAYKYPk4JzWOpohM4JiUYMr2RXg1uQJbX3uhdOn9hsOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "d3d3:RVZXum61OElCWapAYKYPk4JzWOpohM4JiUYMr2RXg1uQJbX3uhdOn9hsOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC" + ] + }, + "approach": { + "company": "Approach", + "name": "Approach", + "regex": "Approach.+?Web Application (Firewall|Filtering)", + "signatures": [ + "fef0:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XKTD" + ] + }, + "armor": { + "company": "Armor Defense", + "name": "Armor Protection", + "regex": "This request has been blocked by website protection from Armor", + "signatures": [ + "03ec:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c36A4chS1XaTC", + "1160:RVZXum60OEhCWapBYKYPk4JyWOtohM4IiUcMr2RWg1qQJbX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ], + "note": "Uses SecureSphere (Imperva) (Reference: https://www.imperva.com/resources/case_studies/CS_Armor.pdf)" + }, + "asm": { + "company": "F5 Networks", + "name": "Application Security Manager", + "regex": "The requested URL was rejected\\. 
Please consult with your administrator|security\\.f5aas\\.com", + "signatures": [ + "2f81:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI3FZjxtDtAeq+c36A4chS1XaTC", + "4fd0:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq6c3qA4chS1XaTC", + "5904:RVZXum60OEhCWapBYKcPk4JzWOpohc4IiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq+c3qA4chS1XaTC", + "8bcf:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq6c36A5chS1XaTC", + "540f:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq+c36A5chS1XaTC", + "c7ba:RVZXum60OEhCWKpAYKYPkoJzWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtLaK99n+i7c4VmkwI3FZjxtDtAeq6c3qA4chS1XaTC", + "fb21:RVZXum60OEhCWapBYKcPk4JzWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI3FZjxtDtAeq+c36A5chW1XaTC", + "b6ff:RVZXum61OEhCWapBYKcPkoJzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq+c36A4chW1XaTC", + "3b1e:RVZXum60OEhCWapBYKcPk4JyWOpohM4IiUcMr2RWg1qQJLX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99nui7c4RmkgI2FZjxtDtAeq6c3qA5chS1XKTC", + "620c:RVZXum60OEhCWapBYKcPkoJzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC", + "b9a0:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq+c3qA4chW1XaTC", + "ccb6:RVdXum61OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtTtAeq+c36A5chW1XaTC", + "9138:RVZXum60OEhCWapBYKcPk4JzWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq6c3qA4chS1XaTC", + "54cc:RVZXum61OEhCWapBYKcPkoJzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq6c3qA4chS1XaTC", + 
"4c83:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTC", + "8453:RVZXum60OEhCWapBYKcPk4JzWOtohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI3FZjxtDtAeq+c36A4chS1XaTC" + ] + }, + "astra": { + "company": "Czar Securities", + "name": "Astra", + "regex": "(?s)unfortunately our website protection system.+?//www\\.getastra\\.com", + "signatures": [] + }, + "aws": { + "company": "Amazon", + "name": "AWS WAF", + "regex": "(?i)HTTP/1.+\\b403\\b.+\\s+Server: aws|(?s)Request blocked.+?Generated by cloudfront", + "signatures": [ + "2998:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "fffa:RVZXum60OEhCWapAYKYPk4JyWOpohc4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "9de0:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhZOnthtOj+hXrAA16BcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "34a8:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhdOn9htOj+hXrAB16BcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "1104:RVZXum61OEhCWapBYKcPk4JzWOpohM4IiUcMr2RXg1uQJbX3uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "ea40:RVZXu261OEhCWapBYKcPk4JzWOtohM4IiUcMr2RWg1uQJbX3uhdOn9htOj+hXrAB16BcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ] + }, + "barracuda": { + "company": "Barracuda Networks", + "name": "Barracuda", + "regex": "\\bbarracuda_|barra_counter_session=|when this page occurred and the event ID found at the bottom of the page", + "signatures": [ + "2676:RVdXum61OElCWapAYKYPk4JzWOtohM4JiUcMr2RWg1qQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4VmkwI3FZjxtDtAeq6c36A4chS1XaTC", + "db27:RVdXum61OElCWapAYKYPk4JzWOtohM4JiUcMr2RWg1qQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC" + ] + }, + "bekchy": { + "company": "Faydata Information Technologies Inc.", + "name": "Bekchy", + "regex": 
"Bekchy - Access Denided|", + "signatures": [ + "e1c5:RVZXum60OEhCWKpAYKYPk4JzWOtohc4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ] + }, + "bitninja": { + "company": "BitNinja", + "name": "BitNinja", + "regex": "alt=\"BitNinja|Security check by BitNinja|your IP will be removed from BitNinja|Visitor anti-robot validation", + "signatures": [] + }, + "bluedon": { + "company": "Bluedon", + "name": "Bluedon", + "regex": "Bluedon Web Application Firewall|Server: BDWAF", + "signatures": [] + }, + "bulletproof": { + "company": "AITpro Website Security", + "name": "BulletProof Security Pro", + "regex": "(?s)bpsMessage.+?403 Forbidden Error Page.+?If you arrived here due to a search or clicking on a link", + "signatures": [] + }, + "cdnns": { + "company": "CdnNs/WdidcNet", + "name": "CdnNsWAF", + "regex": "by CdnNsWAF Application Gateway", + "signatures": [ + "5c5d:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXo2tLaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC" + ] + }, + "cerber": { + "company": "Cerber Tech", + "name": "WP Cerber Security", + "regex": "We're sorry, you are not allowed to proceed|Your request looks suspicious or similar to automated requests from spam posting software", + "signatures": [ + "d8c2:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ] + }, + "checkpoint": { + "company": "Check Point", + "name": "Next Generation Firewall", + "regex": "", + "signatures": [ + "b771:RVZXum61OEhCWapAYKYPkoJzWOpohc4JiUYMr2RWg1uQJbX2uhdOnthsOj+hX7AB16BcPhJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "3b40:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMrmRWg1qQJLX2uhdOnthsOj+hX7AB16BcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XKTC", + "a332:RVZXum61OEhCWapAYKYPkoJzWOpohc4JiUYMr2RWg1uQJbX2uhdOnthsOj+hX7AB16BcPhJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + 
"a89b:RVZXum61OEhCWapAYKYPkoJzWOpohc4JiUYMr2RWg1uQJbX2uhdOnthsOj+hX7AB16BcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC" + ] + }, + "chuangyu": { + "company": "Yunaq", + "name": "Chuang Yu Shield", + "regex": " \\d+\\.\\d+\\.\\d+\\.\\d+/[0-9a-f]{7} \\[\\d+\\] ", + "signatures": [ + "eda6:RVZXum61OElCWapAYKcPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTC", + "5bae:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC" + ] + }, + "cloudbric": { + "company": "Cloudbric", + "name": "Cloudbric", + "regex": "Your request was blocked by Cloudbric", + "signatures": [ + "514d:RVZXum60OEhCWapBYKcPk4JzWOtohM4JiUcMrmRXg1qQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC" + ] + }, + "cloudflare": { + "company": "CloudFlare", + "name": "CloudFlare", + "regex": "Attention Required! \\| Cloudflare|CLOUDFLARE_ERROR_", + "signatures": [ + "956d:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "6b42:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "2295:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "0d86:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "4849:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "535c:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUYMr2RWg1uQJbX2uhdOnthtOj+hXrAB16FcPxJOdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + "675a:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + 
"4a45:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC", + "1f29:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhZOnthtOj+hXrAA16FcPhJOdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + "6002:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "78df:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTD", + "cf65:RVZXum60OEhCWapBYKcPkoJzWOtohM4IiUcMrmRWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4VmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "85c6:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC", + "9a2d:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "0576:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMrmRXg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "f3bb:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUYMr2RXg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + "471d:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhZOnthtOj+hXrAA16FcPhJOdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "8936:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUcMrmRWg1uQJLX2uhdOnthsOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC", + "0ade:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "22d1:RVZXum60OEhCWapBYKcPkoJzWOpohM4IiUcMr2RWg1uQJbX2uhdOnthtOj+hXrAA16FcPxJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "e9bd:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthsOj+hXrAB16FcPxJPdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ] + }, + "comodo": { + "company": "Comodo", + "name": "Comodo", + "regex": "Server: Protected by COMODO WAF", + "signatures": [ + 
"ade8:RVZXum60OEhCWapAYKYPkoJzWOpohc4IiUYMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD", + "f063:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD", + "985c:RVZXum60OEhCWapAYKYPkoJzWOpohc4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c3qA5chW1XaTD", + "f063:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD", + "1971:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD" + ] + }, + "crawlprotect": { + "company": "Jean-Denis Brun", + "name": "CrawlProtect", + "regex": "CrawlProtect|This site is protected by CrawlProtectc|Set-Cookie: crawlprotecttag", + "signatures": [ + "1eca:RVZXum60OEhCWKpBYKYPkoJzWOpohM4IiUYMrmRXg1uQJLX2uhZOnthtOj+hXrAA16FcPhJPdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XKTC" + ] + }, + "distil": { + "company": "Distil Networks", + "name": "Distil", + "regex": "distilCaptchaForm|distilCallbackGuard|cdn\\.distilnetworks\\.com/images/anomaly-detected\\.png", + "signatures": [] + }, + "dotdefender": { + "company": "Applicure Technologies", + "name": "dotDefender", + "regex": "dotDefender Blocked Your Request|Applicure is the leading provider of web application security|Please contact the site administrator, and provide the following Reference ID", + "signatures": [ + "7cce:RVZXum60OEhCWapAYKYPkoJzWOpohM4IiUYMrmRWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "dddb:RVdXum61OElCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + "0718:RVZXum61OElCWapAYKYPk4JzWOtohM4IiUYMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + 
"9bf2:RVdXum61OElCWapAYKYPk4JzWOtohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC" + ] + }, + "expressionengine": { + "company": "EllisLab", + "name": "ExpressionEngine", + "regex": "(?s)\\bexp_last_.+?(Invalid GET Data|Invalid URI)", + "signatures": [ + "88ec:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUcMrmRWg1qQJbX3uhZOnthsOj6hX7AA16FcPxJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chS1XKTC" + ] + }, + "fortiweb": { + "company": "Fortinet", + "name": "FortiWeb", + "regex": "Server Unavailable!", + "signatures": [ + "9d05:RVZXu261OElCWapBYKcPk4JzWOtohM4IiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZjxtDtAeq+c36A5chW1XaTD" + ] + }, + "godaddy": { + "company": "GoDaddy", + "name": "GoDaddy Website Security", + "regex": "GoDaddy Security - Access Denied|Access Denied - GoDaddy Website Firewall", + "signatures": [ + "6cff:RVdXum60OEhCWapAYKYPk4JzWOtohM4IiUYMr2RWg1uQJbX3uhdOn9htOj+hXrAA16FcPxJOdLoXomtKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ] + }, + "greywizard": { + "company": "Grey Wizard", + "name": "Greywizard", + "regex": "(?i)server: greywizard|detected attempted attack or non standard traffic from your IP address|<title>Grey Wizard", + "signatures": [ + "c669:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOnthsOj+hX7AB16FcPhJPdLsXomtKaK59nui7c4RmkwI2FZjxtDtAeq+c3qA5chW1XaTC" + ] + }, + "imunify360": { + "company": "CloudLinux", + "name": "Imunify360", + "regex": "Server: imunify360-webshield|protected by Imunify360|Powered by Imunify360|imunify360 preloader", + "signatures": [] + }, + "incapsula": { + "company": "Incapsula/Imperva", + "name": "Incapsula", + "regex": "Incapsula incident ID", + "signatures": [ + "2770:RVZXum60OEhCWKpAYKYPkoJzWOpohc4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC", + "3193:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZnxtDtAeq6c3qA4chS1XKTC", + 
"cdd1:RVZXum60OEhCWapAYKcPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtLaK99n+i7c4RmkgI2FZnxtTtBeq+c36A5chW1XaTC" + ] + }, + "isaserver": { + "company": "Microsoft", + "name": "ISA Server", + "regex": "The (ISA Server|server) denied the specified Uniform Resource Locator \\(URL\\)", + "signatures": [] + }, + "janusec": { + "company": "Janusec", + "name": "Janusec Application Gateway", + "regex": "Reason:.+by Janusec Application Gateway", + "signatures": [ + "5c5d:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXo2tLaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC" + ] + }, + "jiasule": { + "company": "Jiasule", + "name": "Jiasule", + "regex": "Server: jiasule-WAF|notice-jiasule|static\\.jiasule\\.com/static/js/http_error\\.js", + "signatures": [ + "7520:RVZXum61OElCWapAYKYPk4JzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtBeq+c36A5chW1XaTD", + "001e:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI3FZjxtTtAeq+c36A5chW1XaTC", + "665d:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chS1XaTC", + "4fed:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RXg1uQJbX2uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC" + ] + }, + "knownsec": { + "company": "Knownsec", + "name": "KS-WAF", + "regex": "url\\('/ks-waf-error\\.png'\\)", + "signatures": [] + }, + "kona": { + "company": "Akamai Technologies", + "name": "Kona Site Defender", + "regex": "(?s)Server: AkamaiGHost.+?You don't have permission to access|\\b18\\.[0-9a-f]{8}.1[0-9]{9}\\.[0-9a-f]{7}\\b", + "signatures": [ + "b996:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "1893:RVZXum60OEhCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkwI2FZjxtDtAeq+c3qA4chS1XKTC", + 
"165b:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "12b3:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "3426:RVZXum60OEhCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "e197:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "eb57:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c36A4chS1XaTC", + "94ed:RVZXum60OEhCWapAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "5ca8:RVZXum60OEhCWKpAYKYPkoJzWOtohM4IiUYMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "cc5b:RVZXum60OEhCWKpAYKYPkoJzWOtohM4IiUYMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "e7d9:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "bd78:RVZXum60OEhCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "6cbc:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD", + "a40d:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "1f03:RVZXum60OEhCWapBYKYPk4JzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD", + "e120:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "7ae5:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + 
"6bf2:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "1db3:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "fcbb:RVZXum60OEhCWapAYKYPkoJzWOtohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "d1b6:RVZXum60OEhCWKpAYKYPkoJzWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "8b30:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD", + "8db8:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "8900:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "677e:RVZXum60OEhCWapAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "a13a:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "579e:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "82b4:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD", + "22e4:RVZXum60OEhCWapAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "bd0e:RVZXum60OEhCWapAYKYPk4JzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "8976:RVZXum60OEhCWKpAYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "e34c:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1qQJLX2uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC" + ] + }, + "malcare": { + "company": 
"Inactiv", + "name": "MalCare", + "regex": "Blocked because of Malicious Activities|Firewall(<[^>]+>)*powered by(<[^>]+>)*MalCare", + "signatures": [ + "def2:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ] + }, + "modsecurity": { + "company": "Trustwave", + "name": "ModSecurity", + "regex": "(?i)Server:.+mod_security|This error was generated by Mod_Security|/modsecurity\\-errorpage/|One or more things in your request were suspicious|rules of the mod_security module|mod_security rules triggered|Protected by Mod Security|HTTP Error 40\\d\\.0 - ModSecurity Action|40\\d ModSecurity Action|ModSecurity IIS \\(\\d+bits\\)", + "signatures": [ + "46d5:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "1ece:RVZXum61OEhCWapBYKcPk4JzWOpohc4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "69c6:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthsOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "28eb:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthtOj+hXrAB16FcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC", + "3918:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK99n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "511d:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "f694:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "51ca:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJOdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "e18b:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hX7AB16FcPhJOdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + 
"6e99:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "dd72:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "f53e:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "e15c:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "ded8:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhZOnthtOj+hXrAB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "6e99:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "7986:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJOdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "02b2:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "4602:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "b1a2:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "5e9a:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hXrAB16FcPhJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "35c4:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chS1XKTC", + "c697:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhZOnthtOj+hX7AB16FcPhJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + "85e3:RVZXum60OElCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "7d7f:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD", + 
"064b:RVZXum60OEhCWapAYKYPk4JyWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hXrAB16FcPhJOdLsXomtKaK99n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "5659:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUYMr2RXg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "94b1:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "7951:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUcMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD", + "b83a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUYMrmRWg1qQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTD", + "4191:RVZXum60OEhCWapAYKYPkoJyWOpohM4JiUYMr2RXg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLoXomtKaK59n+i7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTD" + ] + }, + "naxsi": { + "company": "NBS System", + "name": "NAXSI", + "regex": "(?i)Blocked By NAXSI|Naxsi Blocked Information|naxsi/waf", + "signatures": [ + "19ee:RVdXum61OElCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZnxtDtBeq+c36A4chW1XaTC" + ] + }, + "netscaler": { + "company": "Citrix", + "name": "NetScaler AppFirewall", + "regex": "Application Firewall Block Page|Violation Category: APPFW_|AppFW Session ID|Access has been blocked - if you feel this is in error, please contact the site administrators quoting the following", + "signatures": [ + "9c6c:RVdXum60OEhCWKpAYKYPkoJzWOpohM4JiUcMrmRWg1qQJbX3uhdOn9hsOj6hXrAA16BcPhJOdLsXo2tKaK99n+i6c4RmkgI2FZnxtDtAeq6c3qA4chS1XKTC" + ] + }, + "newdefend": { + "company": "Newdefend", + "name": "Newdefend", + "regex": "Server: NewDefend|/nd_block/", + "signatures": [ + "1ba1:RVZXu261OElCWapBYKYPk4JzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthsOj+hX7AB16FcPxJPdLoXo2tKaK99n+i7c4RmkwI3FZjxtDtAeq+c36A4chW1XaTD" + ] + }, + "nexusguard": { + "company": "Nexusguard Limited", + "name": "Nexusguard", + "regex": "speresources\\.nexusguard\\.com/wafpage/[^>]*#\\d{3};|

Powered by Nexusguard

", + "signatures": [ + "869d:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hX7AB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC" + ] + }, + "ninjafirewall": { + "company": "NinTechNet", + "name": "NinjaFirewall", + "regex": "NinjaFirewall: 403 Forbidden|For security reasons?, it was blocked and logged", + "signatures": [ + "2c12:RVZXum60OEhCWapBYKYPkoJzWOtohM4JiUcMr2RXg1uQJLX3uhdOn9hsOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtBeq+c3qA4chW1XaTC" + ] + }, + "onmessageshield": { + "company": "Blackbaud", + "name": "onMessage Shield", + "regex": "This site is protected by an enhanced security system to ensure a safe browsing experience|onMessage SHIELD", + "signatures": [ + "125a:RVdXum61OElCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI3FZnxtDtBeq+c36A5chW1XaTC" + ] + }, + "paloalto": { + "company": "Palo Alto Networks", + "name": "Palo Alto", + "regex": "has been blocked in accordance with company policy|Palo Alto Next Generation Security Platform", + "signatures": [ + "862a:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj+hXrAA16BcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC", + "5fe6:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMrmRWg1uQJLX2uhZOnthsOj+hXrAA16BcPhJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC", + "cffd:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj+hXrAA16BcPhJPdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC", + "1427:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthtOj+hXrAA16FcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "fa37:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj6hXrAA16BcPhJOdLoXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "9135:RVZXum60OEhCWapAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX3uhZOnthsOj+hXrAA16BcPhJOdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC", + "953a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj+hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC" + ] + }, + "perimeterx": { + "company": 
"PerimeterX", + "name": "PerimeterX", + "regex": "https://www.perimeterx.com/whywasiblocked", + "signatures": [] + }, + "profense": { + "company": "ArmorLogic", + "name": "Profense", + "regex": "Server: Profense", + "signatures": [ + "eaee:RVZXum60OEhCWapAYKYPkoJyWOtohM4JiUcMr2RWg1uQJbX3uhdOnthsOj+hXrAB16FcPxJOdLsXo2tLaK99n+i6c4VmkwI3FZjxtDtAeq6c3qA4chS1XaTC" + ] + }, + "radware": { + "company": "Radware", + "name": "AppWall", + "regex": "Unauthorized Request Blocked|You are seeing this page because we have detected unauthorized activity|mailto:CloudWebSec@radware\\.com", + "signatures": [ + "e68e:RVdXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4VmkwI3FZnxtDtAeq+c36A5chW1XaTD", + "48fa:RVdXu260OEhCWapBYKcPkoJzWOpohM4JiUYMrmRXg1uQJbX3uhdOn9hsOj+hX7AA16BcPxJOdLsXomtKaK59n+i6c4RmkgI2FZnxtDtAeq6c3qA5chW1XaTD", + "8fc4:RVdXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI3FZnxtDtAeq+c36A5chW1XaTD" + ] + }, + "reblaze": { + "company": "Reblaze", + "name": "Reblaze", + "regex": "For further information, do not hesitate to contact us", + "signatures": [ + "86fb:RVZXum61OElCWKpAYKcPkoJzWOtohM4JiUcMr2RXg1uQJbX3uhdOnthsOj6hXrAB16BcPhJPdLoXo2tLaK99n+i7c4RmkgI2FZjxtDtBeq+c36A5chW1XaTD" + ] + }, + "requestvalidationmode": { + "company": "Microsoft", + "name": "ASP.NET RequestValidationMode", + "regex": "HttpRequestValidationException|Request Validation has detected a potentially dangerous client input value|ASP\\.NET has detected data in the request that is potentially dangerous", + "signatures": [ + "7ecd:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC", + "919b:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTD", + "14fa:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XaTC", + 
"a10d:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "7564:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhdOn9htOj+hXrAA16FcPhJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC" + ] + }, + "rsfirewall": { + "company": "RSJoomla!", + "name": "RSFirewall", + "regex": "COM_RSFIREWALL_", + "signatures": [ + "d829:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC" + ] + }, + "safe3": { + "company": "Safe3", + "name": "Safe3", + "regex": "Server: Safe3 Web Firewall|Safe3waf/", + "signatures": [ + "1b84:RVZXum60OEhCWKpAYKYPk4JyWOpohM4IiUYMr2RWg1uQJbX2uhdOnthtOj+hX7AB16FcPhJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC" + ] + }, + "safedog": { + "company": "Safedog", + "name": "Safedog", + "regex": "Server: Safedog|safedogsite/broswer_logo\\.jpg|404\\.safedog\\.cn/sitedog_stat\\.html|404\\.safedog\\.cn/images/safedogsite/head\\.png", + "signatures": [ + "0ee1:RVdXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD", + "28a0:RVZXu261OEhCWapBYKcPk4JzWOpohM4IiUcMr2RXg1uQJbX3uhdOnthsOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC", + "90fa:RVZXu261OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AA16FcPhJOdLoXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD" + ] + }, + "safeline": { + "company": "Chaitin Tech", + "name": "SafeLine Next Gen WAF", + "regex": "<!\\-\\- event_id: [0-9a-f]{32} \\-\\->", + "signatures": [] + }, + "secureentry": { + "company": "United Security Providers", + "name": "Secure Entry Server", + "regex": "Server: Secure Entry Server", + "signatures": [ + "6249:RVZXum60OEhCWKpAYKYPk4JzWOpohM4IiUcMr2RWg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC" + ] + }, + "secureiis": { + "company": "BeyondTrust", + "name": "SecureIIS Web Server Security", + "regex": 
"//www\\.eeye\\.com/SecureIIS/|\\?subject=[^>]*SecureIIS Error|SecureIIS[^<]+Web Server Protection", + "signatures": [ + "b43e:RVZXum60OEhCWKpAYKYPkoJzWOtohM4IiUcMrmRWg1qQJbX3uhdOnthsOj+hX7AB16BcPhJOdLoXo2tKaK99n+i6c4VmkwI3FZnxtDtBeq6c36A4chS1XaTC", + "71c7:RVZXum61OElCWKpAYKYPk4JyWOpohc4IiUYMr2RWg1uQJbX2uhdOnthtOj+hXrAB16FcPhJOdLoXo2tLaK99nui7c4RmkwI2FZjxtDtAeq+c36A4chW1XaTC", + "f2ed:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4VmkwI3FZjxtDtAeq6c36A4chS1XaTC" + ] + }, + "secupress": { + "company": "SecuPress", + "name": "SecuPress", + "regex": "<h1>SecuPress</h1><h2>\\d{3}", + "signatures": [ + "bcb4:RVZXum60OEhCWKpAYKYPkoJyWOpohc4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC" + ] + }, + "shieldsecurity": { + "company": "One Dollar Plugin", + "name": "Shield Security", + "regex": "Something in the URL, Form or Cookie data wasn't appropriate", + "signatures": [ + "e41d:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD", + "389c:RVZXum61OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD", + "a79a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTD" + ] + }, + "securesphere": { + "company": "Imperva", + "name": "SecureSphere", + "regex": "<H2>Error</H2>.+?#FEEE7A.+?<STRONG>Error</STRONG>|Contact support for additional information.<br/>The incident ID is: (\\d{19}|N/A)", + "signatures": [ + "c055:RVZXum60OEhCWapAYKYPkoJzWOpohM4JiUcMr2RWg1uQJbX2uhZOnthsOj+hX7AB16FcPxJPdLoXomtKaK59n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "f460:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "9113:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + 
"dc2c:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "599d:RVZXum60OEhCWapBYKYPk4JzWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + "a86e:RVZXum60OEhCWapBYKYPk4JyWOtohM4JiUcMr2RWg1uQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXo2tKaK99n+i6c4RmkgI2FZjxtDtAeq+c36A4chS1XaTC", + "81ca:RVZXum60OEhCWapBYKYPk4JzWOtohM4IiUcMr2RWg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC" + ] + }, + "siteground": { + "company": "SiteGround", + "name": "SiteGround", + "regex": "The page you are trying to access is restricted due to a security rule|Our system thinks you might be a robot!|/.well-known/captcha/", + "signatures": [ + "da25:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XKTC" + ] + }, + "siteguard": { + "company": "JP-Secure", + "name": "SiteGuard", + "regex": "Powered by SiteGuard|The server refuse to browse the page", + "signatures": [ + "6e49:RVZXum61OElCWapBYKcPk4JzWOtohM4JiUYMr2RWg1qQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "9839:RVZXum61OElCWapBYKcPk4JzWOtohM4JiUYMr2RWg1qQJbX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq6c36A4chS1XaTC", + "bc2d:RVZXum61OElCWapBYKcPk4JzWOtohM4JiUYMr2RWg1qQJLX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC" + ] + }, + "sitelock": { + "company": "SiteLock", + "name": "TrueShield", + "regex": "SiteLock Incident ID|SiteLock will remember you and will not show this page again|<span class=\\\"value INCIDENT_ID\\\">", + "signatures": [], + "note": "Uses Incapsula (Reference: https://www.whitefirdesign.com/blog/2016/11/08/more-evidence-that-sitelocks-trueshield-web-application-firewall-is-really-incapsulas-waf/)" + }, + "sonicwall": { + "company": "Dell", + "name": "SonicWALL", + "regex": "Server: SonicWALL|(?s)<title>Web Site Blocked.+?nsa_banner", + 
"signatures": [ + "f85c:RVZXum61OElCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1qQJLX2uhZOnthsOj+hX7AA16FcPxJPdLoXo2tLaK99nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD" + ] + }, + "sophos": { + "company": "Sophos", + "name": "UTM Web Protection", + "regex": "Powered by UTM Web Protection", + "signatures": [] + }, + "squarespace": { + "company": "Squarespace", + "name": "Squarespace", + "regex": "(?s) @ .+?BRICK-50", + "signatures": [ + "b012:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC", + "4381:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOn9hsOj6hXrAA16BcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTC" + ] + }, + "stackpath": { + "company": "StackPath", + "name": "StackPath", + "regex": "You performed an action that triggered the service and blocked your request", + "signatures": [ + "5ab0:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUYMr2RWg1uQJbX2uhdOn9hsOj+hXrAA16FcPhJOdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD", + "7e0a:RVZXum60OEhCWKpAYKYPkoJzWOpohM4JiUYMr2RWg1uQJbX2uhdOn9htOj+hXrAA16FcPxJOdLsXomtKaK59n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD" + ] + }, + "sucuri": { + "company": "Sucuri", + "name": "Sucuri", + "regex": "Access Denied - Sucuri Website Firewall|Sucuri WebSite Firewall - CloudProxy - Access Denied|Questions\\?.+cloudproxy@sucuri\\.net", + "signatures": [ + "60a9:RVZXum61OElCWapAYKYPk4JzWOpohM4JiUYMr2RXg1uQJbX3uhdOn9htOj+hXrAB16FcPxJPdLsXo2tLaK99n+i7c4RmkwI2FZjxtDtAeq+c36A5chW1XaTC" + ] + }, + "tencent": { + "company": "Tencent Cloud Computing", + "name": "Tencent Cloud", + "regex": "waf\\.tencent-cloud\\.com", + "signatures": [ + "3f82:RVZXum60OEhCWapBYKcPk4JzWOpohM4IiUYMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tKaK99nui7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTD" + ] + }, + "tmg": { + "company": "Microsoft", + "name": "Forefront Threat Management Gateway", + "regex": "", + "signatures": [ + 
"4d00:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUYMr2RWg1qQJLX3uhdOnthsOj+hX7AB16BcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XaTC" + ] + }, + "urlmaster": { + "company": "iFinity/DotNetNuke", + "name": "Url Master SecurityCheck", + "regex": "UrlRewriteModule\\.SecurityCheck|X-UrlMaster-(Debug|Ex):", + "signatures": [ + "ddd8:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthsOj6hXrAA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC" + ] + }, + "urlscan": { + "company": "Microsoft", + "name": "UrlScan", + "regex": "Rejected-By-UrlScan", + "signatures": [ + "0294:RVdXum60OEhCWKpAYKYPk4JyWOpohM4IiUYMrmRXg1qQJLX2uhdOn9htOj+hXrAB16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC" + ] + }, + "vfw": { + "company": "OWASP", + "name": "Varnish Firewall", + "regex": "Request rejected by xVarnish-WAF", + "signatures": [] + }, + "virusdie": { + "company": "Virusdie LLC", + "name": "Virusdie", + "regex": "Virusdie|http://cdn\\.virusdie\\.ru/splash/firewallstop\\.png|403 Naughty, not nice!", + "signatures": [ + "26fa:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUcMr2RXg1qQJLX3uhZOnthsOj+hXrAA16FcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTD" + ] + }, + "wallarm": { + "company": "Wallarm", + "name": "Wallarm", + "regex": "Server: nginx-wallarm", + "signatures": [ + "c02b:RVZXu261OElCWapBYKcPk4JzWOpohM4JiUcMr2RWg1uQJbX3uhdOnthsOj+hXrAB16FcPxJOdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC" + ] + }, + "watchguard": { + "company": "WatchGuard Technologies", + "name": "WatchGuard", + "regex": "Server: WatchGuard|Request denied by WatchGuard Firewall", + "signatures": [ + "4f4f:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RWg1uQJLX2uhZOnthsOj+hXrAA16FcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + "2a3c:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX2uhZOnthsOj+hX7AA16FcPhJOdLoXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTC", + "aa64:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX2uhZOnthsOj+hX7AA16FcPhJOdLoXomtKaK59nui7c4RmkgI3FZjxtDtAeq+c3qA4chW1XaTC" + ] + }, + 
"webarx": { + "company": "WebARX", + "name": "WebARX", + "regex": "/wp-content/plugins/webarx/includes/|This request has been blocked by.+?>WebARX<", + "signatures": [] + }, + "webknight": { + "company": "AQTRONIX", + "name": "WebKnight", + "regex": "WebKnight Application Firewall Alert|AQTRONIX WebKnight|HTTP Error 999\\.0 - AW Special Error", + "signatures": [ + "80f9:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhdOnthtOj+hXrAB16FcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "73e5:RVZXum60OEhCWKpAYKYPk4JyWOtohM4JiUcMrmRXg1uQJbX3uhZOnthsOj6hX7AA16BcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XaTC", + "d0f0:RVdXum60OEhCWKpAYKYPk4JyWOtohM4JiUcMrmRXg1uQJbX3uhdOn9htOj+hX7AA16FcPxJOdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC", + "f0c3:RVZXum61OElCWKpAYKYPk4JyWOtohM4JiUcMr2RXg1uQJbX3uhZOnthsOj6hX7AA16BcPhJOdLoXo2tKaK59n+i6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "6763:RVZXum61OElCWKpAYKYPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "7701:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "902b:RVdXum60OEhCWKpAYKYPk4JyWOpohM4IiUYMrmRXg1qQJbX2uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c36A4chW1XaTC", + "4d4d:RVdXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJbX2uhdOn9htOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC", + "17a8:RVZXum60OEhCWKpAYKYPkoJyWOpohM4JiUcMrmRXg1qQJbX3uhdOnthtOj+hXrAB16FcPhJPdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq+c3qA4chS1XKTC" + ] + }, + "webseal": { + "company": "IBM", + "name": "WebSEAL", + "regex": "(?i)Server: WebSEAL|This is a WebSEAL error message template file|The Access Manager WebSEAL server received an invalid HTTP request", + "signatures": [ + "0338:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRWg1qQJLX2uhZOnthtOj+hXrAA16FcPhJOdLoXomtKaK59nui6c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC" + ] + }, + "webtotem": { + "company": "WebTotem", + "name": "WebTotem", + "regex": "The current 
request was blocked by.+?>WebTotem<", + "signatures": [] + }, + "wordfence": { + "company": "Feedjit", + "name": "Wordfence", + "regex": "Generated by Wordfence|This response was generated by Wordfence|broke one of the Wordfence (advanced )?blocking rules|: wfWAF|/plugins/wordfence", + "signatures": [ + "d04a:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC", + "26b1:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAA16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC", + "09cf:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtBeq6c3qA4chW1XaTC", + "1834:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX3uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c36A4chW1XaTC", + "d38c:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkwI3FZjxtDtAeq6c3qA4chW1XaTC", + "d5bb:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1uQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC", + "3f1c:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA4chW1XaTD", + "dbfe:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA5chW1XaTC", + "5b85:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMr2RXg1uQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq+c3qA5chW1XaTD", + "f806:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hX7AB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC", + "0f0d:RVZXum61OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkwI3FZjxtDtAeq6c3qA4chW1XaTC", + "b13e:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJbX3uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC", + 
"40eb:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16BcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XaTC", + "93cd:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chS1XKTC", + "ba7d:RVZXum60OEhCWKpAYKYPkoJyWOpohM4IiUYMrmRXg1qQJLX2uhdOnthtOj+hXrAB16FcPxJPdLsXomtKaK59nui7c4RmkgI2FZjxtDtAeq6c3qA4chW1XKTC" + ] + }, + "wts": { + "company": "WTS", + "name": "WTS", + "regex": "Server: wts/|>WTS\\-WAF", + "signatures": [ + "e94f:RVZXum61OElCWapAYKYPkoJzWOpohM4JiUcMr2RXg1uQJLX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XKTC", + "12ce:RVZXum61OElCWapAYKYPkoJzWOpohM4IiUYMr2RWg1uQJLX3uhdOnthtOj+hX7AB16FcPhJPdLsXo2tKaK99n+i7c4RmkgI2FZjxtDtAeq+c3qA4chW1XKTC" + ] + }, + "yundun": { + "company": "Yundun", + "name": "Yundun", + "regex": "Blocked by YUNDUN Cloud WAF|yundun\\.com/yd_http_error/", + "signatures": [ + "4853:RVZXum61OEhCWapBYKcPk4JzWOtohM4JiUcMr2RXg1uQJbX3uhdOnthtOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4RmkgI2FZjxtDtAeq+c36A5chW1XaTC" + ] + }, + "yunsuo": { + "company": "Yunsuo", + "name": "Yunsuo", + "regex": "yunsuo_session|403", + "signatures": [ + "a8fb:RVdXu260OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI2FZnxtDtBeq+c36A4chW1XaTD", + "ba3d:RVdXu260OEhCWapBYKcPk4JzWOpohM4JiUcMr2RXg1uQJbX3uhdOn9htOj+hX7AB16FcPxJPdLsXo2tLaK99n+i7c4VmkwI2FZjxtDtAeq+c36A4chW1XaTD" + ] + } + } +} diff --git a/thirdparty/identywaf/identYwaf.py b/thirdparty/identywaf/identYwaf.py new file mode 100755 index 000000000..3a9148bc7 --- /dev/null +++ b/thirdparty/identywaf/identYwaf.py 
@@ -0,0 +1,585 @@ +#!/usr/bin/env python + +""" +Copyright (c) 2019 Miroslav Stampar (@stamparm), MIT +See the file 'LICENSE' for copying permission + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +""" + +from __future__ import print_function + +import base64 +import codecs +import difflib +import json +import locale +import optparse +import os +import random +import re +import ssl +import socket +import string +import struct +import subprocess +import sys +import time +import zlib + +if sys.version_info >= (3, 0): + import http.cookiejar + import http.client as httplib + import urllib.request + + IS_WIN = subprocess._mswindows + + build_opener = urllib.request.build_opener + install_opener = urllib.request.install_opener + quote = urllib.parse.quote + urlopen = urllib.request.urlopen + CookieJar = http.cookiejar.CookieJar + ProxyHandler = urllib.request.ProxyHandler + Request = urllib.request.Request + HTTPCookieProcessor = urllib.request.HTTPCookieProcessor + + xrange = range +else: + import cookielib + import httplib + import urllib + import urllib2 + + IS_WIN = subprocess.mswindows + + build_opener = urllib2.build_opener + install_opener = urllib2.install_opener + quote = urllib.quote + urlopen = urllib2.urlopen + CookieJar = cookielib.CookieJar + ProxyHandler = urllib2.ProxyHandler + Request = urllib2.Request + HTTPCookieProcessor = urllib2.HTTPCookieProcessor + + # Reference: http://blog.mathieu-leplatre.info/python-utf-8-print-fails-when-redirecting-stdout.html + sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.stdout) + +NAME = "identYwaf" +VERSION = "1.0.108" +BANNER = """ + ` __ __ ` + ____ ___ ___ ____ ______ `| T T` __ __ ____ _____ +l j| \ / _]| \ | T`| | |`| T__T T / T| __| + | T | \ / [_ | _ Yl_j l_j`| ~ |`| | | |Y o || l_ + | | | D YY _]| | | | | `|___ |`| | | || || _| + j l | || [_ | | | | | `| !` \ / | | || ] +|____jl_____jl_____jl__j__j l__j `l____/ 
` \_/\_/ l__j__jl__j (%s)%s""".strip("\n") % (VERSION, "\n") + +RAW, TEXT, HTTPCODE, SERVER, TITLE, HTML, URL = xrange(7) +COOKIE, UA, REFERER = "Cookie", "User-Agent", "Referer" +GET, POST = "GET", "POST" +GENERIC_PROTECTION_KEYWORDS = ("rejected", "forbidden", "suspicious", "malicious", "captcha", "invalid", "your ip", "please contact", "terminated", "protected", "unauthorized", "blocked", "protection", "incident", "denied", "detected", "dangerous", "firewall", "fw_block", "unusual activity", "bad request", "request id", "injection", "permission", "not acceptable", "security policy", "security reasons") +GENERIC_PROTECTION_REGEX = r"(?i)\b(%s)\b" +GENERIC_ERROR_MESSAGE_REGEX = r"\b[A-Z][\w, '-]*(protected by|security|unauthorized|detected|attack|error|rejected|allowed|suspicious|automated|blocked|invalid|denied|permission)[\w, '!-]*" +WAF_RECOGNITION_REGEX = None +HEURISTIC_PAYLOAD = "1 AND 1=1 UNION ALL SELECT 1,NULL,'',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#" # Reference: https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/settings.py +PAYLOADS = [] +SIGNATURES = {} +DATA_JSON = {} +DATA_JSON_FILE = os.path.join(os.path.dirname(__file__), "data.json") +MAX_HELP_OPTION_LENGTH = 18 +IS_TTY = sys.stdout.isatty() +COLORIZE = not IS_WIN and IS_TTY +LEVEL_COLORS = {"o": "\033[00;94m", "x": "\033[00;91m", "!": "\033[00;93m", "i": "\033[00;95m", "=": "\033[00;93m", "+": "\033[00;92m", "-": "\033[00;91m"} +VERIFY_OK_INTERVAL = 5 +VERIFY_RETRY_TIMES = 3 +MIN_MATCH_PARTIAL = 5 +DEFAULTS = {"timeout": 10} +MAX_MATCHES = 5 +QUICK_RATIO_THRESHOLD = 0.2 +MAX_JS_CHALLENGE_SNAPLEN = 120 +ENCODING_TRANSLATIONS = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "iso-8859-0": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": 
"cp932", "en": "us"} # Reference: https://github.com/sqlmapproject/sqlmap/blob/master/lib/request/basic.py +PROXY_TESTING_PAGE = "https://myexternalip.com/raw" + +if COLORIZE: + for _ in re.findall(r"`.+?`", BANNER): + BANNER = BANNER.replace(_, "\033[01;92m%s\033[00;49m" % _.strip('`')) + for _ in re.findall(r" [Do] ", BANNER): + BANNER = BANNER.replace(_, "\033[01;93m%s\033[00;49m" % _.strip('`')) + BANNER = re.sub(VERSION, r"\033[01;91m%s\033[00;49m" % VERSION, BANNER) +else: + BANNER = BANNER.replace('`', "") + +_ = random.randint(20, 64) +DEFAULT_USER_AGENT = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; %s; rv:%d.0) Gecko/20100101 Firefox/%d.0" % (NAME, _, _) +HEADERS = {"User-Agent": DEFAULT_USER_AGENT, "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "identity", "Cache-Control": "max-age=0"} + +original = None +options = None +intrusive = None +heuristic = None +chained = False +locked_code = None +locked_regex = None +non_blind = set() +seen = set() +blocked = [] +servers = set() +codes = set() +proxies = list() +proxies_index = 0 + +_exit = exit + +def exit(message=None): + if message: + print("%s%s" % (message, ' ' * 20)) + _exit(1) + +def retrieve(url, data=None): + global proxies_index + + retval = {} + + if proxies: + while True: + try: + opener = build_opener(ProxyHandler({"http": proxies[proxies_index], "https": proxies[proxies_index]})) + install_opener(opener) + proxies_index = (proxies_index + 1) % len(proxies) + urlopen(PROXY_TESTING_PAGE).read() + except KeyboardInterrupt: + raise + except: + pass + else: + break + + try: + req = Request("".join(url[_].replace(' ', "%20") if _ > url.find('?') else url[_] for _ in xrange(len(url))), data, HEADERS) + resp = urlopen(req, timeout=options.timeout) + retval[URL] = resp.url + retval[HTML] = resp.read() + retval[HTTPCODE] = resp.code + retval[RAW] = "%s %d %s\n%s\n%s" % (httplib.HTTPConnection._http_vsn_str, 
retval[HTTPCODE], resp.msg, str(resp.headers), retval[HTML]) + except Exception as ex: + retval[URL] = getattr(ex, "url", url) + retval[HTTPCODE] = getattr(ex, "code", None) + try: + retval[HTML] = ex.read() if hasattr(ex, "read") else getattr(ex, "msg", str(ex)) + except: + retval[HTML] = "" + retval[RAW] = "%s %s %s\n%s\n%s" % (httplib.HTTPConnection._http_vsn_str, retval[HTTPCODE] or "", getattr(ex, "msg", ""), str(ex.headers) if hasattr(ex, "headers") else "", retval[HTML]) + + for encoding in re.findall(r"charset=[\s\"']?([\w-]+)", retval[RAW])[::-1] + ["utf8"]: + encoding = ENCODING_TRANSLATIONS.get(encoding, encoding) + try: + retval[HTML] = retval[HTML].decode(encoding, errors="replace") + break + except: + pass + + match = re.search(r"\s*(?P<result>[^<]+?)\s*", retval[HTML], re.I) + retval[TITLE] = match.group("result") if match and "result" in match.groupdict() else None + retval[TEXT] = re.sub(r"(?si)|||<[^>]+>|\s+", " ", retval[HTML]) + match = re.search(r"(?im)^Server: (.+)", retval[RAW]) + retval[SERVER] = match.group(1).strip() if match else "" + return retval + +def calc_hash(value, binary=True): + value = value.encode("utf8") if not isinstance(value, bytes) else value + result = zlib.crc32(value) & 0xffff + if binary: + result = struct.pack(">H", result) + return result + +def single_print(message): + if message not in seen: + print(message) + seen.add(message) + +def check_payload(payload, protection_regex=GENERIC_PROTECTION_REGEX % '|'.join(GENERIC_PROTECTION_KEYWORDS)): + global chained + global heuristic + global intrusive + global locked_code + global locked_regex + + time.sleep(options.delay or 0) + if options.post: + _ = "%s=%s" % ("".join(random.sample(string.ascii_letters, 3)), quote(payload)) + intrusive = retrieve(options.url, _) + else: + _ = "%s%s%s=%s" % (options.url, '?' if '?' 
not in options.url else '&', "".join(random.sample(string.ascii_letters, 3)), quote(payload)) + intrusive = retrieve(_) + + if options.lock and not payload.isdigit(): + if payload == HEURISTIC_PAYLOAD: + match = re.search(re.sub(r"Server:|Protected by", "".join(random.sample(string.ascii_letters, 6)), WAF_RECOGNITION_REGEX, flags=re.I), intrusive[RAW] or "") + if match: + result = True + + for _ in match.groupdict(): + if match.group(_): + waf = re.sub(r"\Awaf_", "", _) + locked_regex = DATA_JSON["wafs"][waf]["regex"] + locked_code = intrusive[HTTPCODE] + break + else: + result = False + + if not result: + exit(colorize("[x] can't lock results to a non-blind match")) + else: + result = re.search(locked_regex, intrusive[RAW]) is not None and locked_code == intrusive[HTTPCODE] + elif options.string: + result = options.string in (intrusive[RAW] or "") + elif options.code: + result = options.code == intrusive[HTTPCODE] + else: + result = intrusive[HTTPCODE] != original[HTTPCODE] or (intrusive[HTTPCODE] != 200 and intrusive[TITLE] != original[TITLE]) or (re.search(protection_regex, intrusive[HTML]) is not None and re.search(protection_regex, original[HTML]) is None) or (difflib.SequenceMatcher(a=original[HTML] or "", b=intrusive[HTML] or "").quick_ratio() < QUICK_RATIO_THRESHOLD) + + if not payload.isdigit(): + if result: + if options.debug: + print("\r---%s" % (40 * ' ')) + print(payload) + print(intrusive[HTTPCODE], intrusive[RAW]) + print("---") + + if intrusive[SERVER]: + servers.add(re.sub(r"\s*\(.+\)\Z", "", intrusive[SERVER])) + if len(servers) > 1: + chained = True + single_print(colorize("[!] multiple (reactive) rejection HTTP 'Server' headers detected (%s)" % ', '.join("'%s'" % _ for _ in sorted(servers)))) + + if intrusive[HTTPCODE]: + codes.add(intrusive[HTTPCODE]) + if len(codes) > 1: + chained = True + single_print(colorize("[!] 
multiple (reactive) rejection HTTP codes detected (%s)" % ', '.join("%s" % _ for _ in sorted(codes)))) + + if heuristic and heuristic[HTML] and intrusive[HTML] and difflib.SequenceMatcher(a=heuristic[HTML] or "", b=intrusive[HTML] or "").quick_ratio() < QUICK_RATIO_THRESHOLD: + chained = True + single_print(colorize("[!] multiple (reactive) rejection HTML responses detected")) + + if payload == HEURISTIC_PAYLOAD: + heuristic = intrusive + + return result + +def colorize(message): + if COLORIZE: + message = re.sub(r"\[(.)\]", lambda match: "[%s%s\033[00;49m]" % (LEVEL_COLORS[match.group(1)], match.group(1)), message) + + if any(_ in message for _ in ("rejected summary", "challenge detected")): + for match in re.finditer(r"[^\w]'([^)]+)'" if "rejected summary" in message else r"\('(.+)'\)", message): + message = message.replace("'%s'" % match.group(1), "'\033[37m%s\033[00;49m'" % match.group(1), 1) + else: + for match in re.finditer(r"[^\w]'([^']+)'", message): + message = message.replace("'%s'" % match.group(1), "'\033[37m%s\033[00;49m'" % match.group(1), 1) + + if "blind match" in message: + for match in re.finditer(r"\(((\d+)%)\)", message): + message = message.replace(match.group(1), "\033[%dm%s\033[00;49m" % (92 if int(match.group(2)) >= 95 else (93 if int(match.group(2)) > 80 else 90), match.group(1))) + + if "hardness" in message: + for match in re.finditer(r"\(((\d+)%)\)", message): + message = message.replace(match.group(1), "\033[%dm%s\033[00;49m" % (95 if " insane " in message else (91 if " hard " in message else (93 if " moderate " in message else 92)), match.group(1))) + + return message + +def parse_args(): + global options + + parser = optparse.OptionParser(version=VERSION) + parser.add_option("--delay", dest="delay", type=int, help="Delay (sec) between tests (default: 0)") + parser.add_option("--timeout", dest="timeout", type=int, help="Response timeout (sec) (default: 10)") + parser.add_option("--proxy", dest="proxy", help="HTTP proxy address (e.g. 
\"http://127.0.0.1:8080\")") + parser.add_option("--proxy-file", dest="proxy_file", help="Load (rotating) HTTP(s) proxy list from a file") + parser.add_option("--random-agent", dest="random_agent", action="store_true", help="Use random HTTP User-Agent header value") + parser.add_option("--code", dest="code", type=int, help="Expected HTTP code in rejected responses") + parser.add_option("--string", dest="string", help="Expected string in rejected responses") + parser.add_option("--post", dest="post", action="store_true", help="Use POST body for sending payloads") + parser.add_option("--debug", dest="debug", action="store_true", help=optparse.SUPPRESS_HELP) + parser.add_option("--fast", dest="fast", action="store_true", help=optparse.SUPPRESS_HELP) + parser.add_option("--lock", dest="lock", action="store_true", help=optparse.SUPPRESS_HELP) + + # Dirty hack(s) for help message + def _(self, *args): + retval = parser.formatter._format_option_strings(*args) + if len(retval) > MAX_HELP_OPTION_LENGTH: + retval = ("%%.%ds.." 
% (MAX_HELP_OPTION_LENGTH - parser.formatter.indent_increment)) % retval + return retval + + parser.usage = "python %s " % parser.usage + parser.formatter._format_option_strings = parser.formatter.format_option_strings + parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser) + + for _ in ("-h", "--version"): + option = parser.get_option(_) + option.help = option.help.capitalize() + + try: + options, _ = parser.parse_args() + except SystemExit: + raise + + if len(sys.argv) > 1: + url = sys.argv[-1] + if not url.startswith("http"): + url = "http://%s" % url + options.url = url + else: + parser.print_help() + raise SystemExit + + for key in DEFAULTS: + if getattr(options, key, None) is None: + setattr(options, key, DEFAULTS[key]) + +def load_data(): + global WAF_RECOGNITION_REGEX + + if os.path.isfile(DATA_JSON_FILE): + with codecs.open(DATA_JSON_FILE, "rb", encoding="utf8") as f: + DATA_JSON.update(json.load(f)) + + WAF_RECOGNITION_REGEX = "" + for waf in DATA_JSON["wafs"]: + if DATA_JSON["wafs"][waf]["regex"]: + WAF_RECOGNITION_REGEX += "%s|" % ("(?P%s)" % (waf, DATA_JSON["wafs"][waf]["regex"])) + for signature in DATA_JSON["wafs"][waf]["signatures"]: + SIGNATURES[signature] = waf + WAF_RECOGNITION_REGEX = WAF_RECOGNITION_REGEX.strip('|') + + flags = "".join(set(_ for _ in "".join(re.findall(r"\(\?(\w+)\)", WAF_RECOGNITION_REGEX)))) + WAF_RECOGNITION_REGEX = "(?%s)%s" % (flags, re.sub(r"\(\?\w+\)", "", WAF_RECOGNITION_REGEX)) # patch for "DeprecationWarning: Flags not at the start of the expression" in Python3.7 + else: + exit(colorize("[x] file '%s' is missing" % DATA_JSON_FILE)) + +def init(): + os.chdir(os.path.abspath(os.path.dirname(__file__))) + + print(colorize("[o] initializing handlers...")) + + # Reference: https://stackoverflow.com/a/28052583 + if hasattr(ssl, "_create_unverified_context"): + ssl._create_default_https_context = ssl._create_unverified_context + + if options.proxy_file: + if 
os.path.isfile(options.proxy_file): + print(colorize("[o] loading proxy list...")) + + with codecs.open(options.proxy_file, "rb", encoding="utf8") as f: + proxies.extend(re.sub(r"\s.*", "", _.strip()) for _ in f.read().strip().split('\n') if _.startswith("http")) + random.shuffle(proxies) + else: + exit(colorize("[x] file '%s' does not exist" % options.proxy_file)) + + + cookie_jar = CookieJar() + opener = build_opener(HTTPCookieProcessor(cookie_jar)) + install_opener(opener) + + if options.proxy: + opener = build_opener(ProxyHandler({"http": options.proxy, "https": options.proxy})) + install_opener(opener) + + if options.random_agent: + revision = random.randint(20, 64) + platform = random.sample(("X11; %s %s" % (random.sample(("Linux", "Ubuntu; Linux", "U; Linux", "U; OpenBSD", "U; FreeBSD"), 1)[0], random.sample(("amd64", "i586", "i686", "amd64"), 1)[0]), "Windows NT %s%s" % (random.sample(("5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"), 1)[0], random.sample(("", "; Win64", "; WOW64"), 1)[0]), "Macintosh; Intel Mac OS X 10.%s" % random.randint(1, 11)), 1)[0] + user_agent = "Mozilla/5.0 (%s; rv:%d.0) Gecko/20100101 Firefox/%d.0" % (platform, revision, revision) + HEADERS["User-Agent"] = user_agent + +def format_name(waf): + return "%s%s" % (DATA_JSON["wafs"][waf]["name"], (" (%s)" % DATA_JSON["wafs"][waf]["company"]) if DATA_JSON["wafs"][waf]["name"] != DATA_JSON["wafs"][waf]["company"] else "") + +def non_blind_check(raw): + retval = False + match = re.search(WAF_RECOGNITION_REGEX, raw or "") + if match: + retval = True + for _ in match.groupdict(): + if match.group(_): + waf = re.sub(r"\Awaf_", "", _) + non_blind.add(waf) + single_print(colorize("[+] non-blind match: '%s'%s" % (format_name(waf), 20 * ' '))) + return retval + +def run(): + global original + + hostname = options.url.split("//")[-1].split('/')[0].split(':')[0] + + if not hostname.replace('.', "").isdigit(): + print(colorize("[i] checking hostname '%s'..." 
% hostname)) + try: + socket.getaddrinfo(hostname, None) + except socket.gaierror: + exit(colorize("[x] host '%s' does not exist" % hostname)) + + results = "" + signature = b"" + counter = 0 + original = retrieve(options.url) + + if 300 <= (original[HTTPCODE] or 0) < 400 and original[URL]: + original = retrieve(original[URL]) + + options.url = original[URL] + + if original[HTTPCODE] is None: + exit(colorize("[x] missing valid response")) + + if not any((options.string, options.code)) and original[HTTPCODE] >= 400: + non_blind_check(original[RAW]) + if options.debug: + print("\r---%s" % (40 * ' ')) + print(original[HTTPCODE], original[RAW]) + print("---") + exit(colorize("[x] access to host '%s' seems to be restricted%s" % (hostname, (" (%d: '%s')" % (original[HTTPCODE], original[TITLE].strip())) if original[TITLE] else ""))) + + challenge = None + if all(_ in original[HTML].lower() for _ in ("eval", "]*>(.*)", re.sub(r"(?is)", "", original[HTML])) + if re.search(r"(?i)<(body|div)", original[HTML]) is None or (match and len(match.group(1)) == 0): + challenge = re.search(r"(?is)", original[HTML]).group(0).replace("\n", "\\n") + print(colorize("[x] anti-robot JS challenge detected ('%s%s')" % (challenge[:MAX_JS_CHALLENGE_SNAPLEN], "..." 
if len(challenge) > MAX_JS_CHALLENGE_SNAPLEN else ""))) + + protection_keywords = GENERIC_PROTECTION_KEYWORDS + protection_regex = GENERIC_PROTECTION_REGEX % '|'.join(keyword for keyword in protection_keywords if keyword not in original[HTML].lower()) + + print(colorize("[i] running basic heuristic test...")) + if not check_payload(HEURISTIC_PAYLOAD): + check = False + if options.url.startswith("https://"): + options.url = options.url.replace("https://", "http://") + check = check_payload(HEURISTIC_PAYLOAD) + if not check: + if non_blind_check(intrusive[RAW]): + exit(colorize("[x] unable to continue due to static responses%s" % (" (captcha)" if re.search(r"(?i)captcha", intrusive[RAW]) is not None else ""))) + elif challenge is None: + exit(colorize("[x] host '%s' does not seem to be protected" % hostname)) + else: + exit(colorize("[x] response not changing without JS challenge solved")) + + if options.fast and not non_blind: + exit(colorize("[x] fast exit because of missing non-blind match")) + + if not intrusive[HTTPCODE]: + print(colorize("[i] rejected summary: RST|DROP")) + else: + _ = "...".join(match.group(0) for match in re.finditer(GENERIC_ERROR_MESSAGE_REGEX, intrusive[HTML])).strip().replace(" ", " ") + print(colorize(("[i] rejected summary: %d ('%s%s')" % (intrusive[HTTPCODE], ("%s" % intrusive[TITLE]) if intrusive[TITLE] else "", "" if not _ or intrusive[HTTPCODE] < 400 else ("...%s" % _))).replace(" ('')", ""))) + + found = non_blind_check(intrusive[RAW] if intrusive[HTTPCODE] is not None else original[RAW]) + + if not found: + print(colorize("[-] non-blind match: -")) + + for item in DATA_JSON["payloads"]: + info, payload = item.split("::", 1) + counter += 1 + + if IS_TTY: + sys.stdout.write(colorize("\r[i] running payload tests... 
(%d/%d)\r" % (counter, len(DATA_JSON["payloads"])))) + sys.stdout.flush() + + if counter % VERIFY_OK_INTERVAL == 0: + for i in xrange(VERIFY_RETRY_TIMES): + if not check_payload(str(random.randint(1, 9)), protection_regex): + break + elif i == VERIFY_RETRY_TIMES - 1: + exit(colorize("[x] host '%s' seems to be misconfigured or rejecting benign requests%s" % (hostname, (" (%d: '%s')" % (intrusive[HTTPCODE], intrusive[TITLE].strip())) if intrusive[TITLE] else ""))) + else: + time.sleep(5) + + last = check_payload(payload, protection_regex) + non_blind_check(intrusive[RAW]) + signature += struct.pack(">H", ((calc_hash(payload, binary=False) << 1) | last) & 0xffff) + results += 'x' if last else '.' + + if last and info not in blocked: + blocked.append(info) + + _ = calc_hash(signature) + signature = "%s:%s" % (_.encode("hex") if not hasattr(_, "hex") else _.hex(), base64.b64encode(signature).decode("ascii")) + + print(colorize("%s[=] results: '%s'" % ("\n" if IS_TTY else "", results))) + + hardness = 100 * results.count('x') / len(results) + print(colorize("[=] hardness: %s (%d%%)" % ("insane" if hardness >= 80 else ("hard" if hardness >= 50 else ("moderate" if hardness >= 30 else "easy")), hardness))) + + if blocked: + print(colorize("[=] blocked categories: %s" % ", ".join(blocked))) + + if not results.strip('.') or not results.strip('x'): + print(colorize("[-] blind match: -")) + + if re.search(r"(?i)captcha", original[HTML]) is not None: + exit(colorize("[x] there seems to be an activated captcha")) + else: + print(colorize("[=] signature: '%s'" % signature)) + + if signature in SIGNATURES: + waf = SIGNATURES[signature] + print(colorize("[+] blind match: '%s' (100%%)" % format_name(waf))) + elif results.count('x') < MIN_MATCH_PARTIAL: + print(colorize("[-] blind match: -")) + else: + matches = {} + markers = set() + decoded = base64.b64decode(signature.split(':')[-1]) + for i in xrange(0, len(decoded), 2): + part = struct.unpack(">H", decoded[i: i + 2])[0] + 
markers.add(part) + + for candidate in SIGNATURES: + counter_y, counter_n = 0, 0 + decoded = base64.b64decode(candidate.split(':')[-1]) + for i in xrange(0, len(decoded), 2): + part = struct.unpack(">H", decoded[i: i + 2])[0] + if part in markers: + counter_y += 1 + elif any(_ in markers for _ in (part & ~1, part | 1)): + counter_n += 1 + result = int(round(100 * counter_y / (counter_y + counter_n))) + if SIGNATURES[candidate] in matches: + if result > matches[SIGNATURES[candidate]]: + matches[SIGNATURES[candidate]] = result + else: + matches[SIGNATURES[candidate]] = result + + if chained: + for _ in list(matches.keys()): + if matches[_] < 90: + del matches[_] + + if not matches: + print(colorize("[-] blind match: - ")) + print(colorize("[!] probably chained web protection systems")) + else: + matches = [(_[1], _[0]) for _ in matches.items()] + matches.sort(reverse=True) + + print(colorize("[+] blind match: %s" % ", ".join("'%s' (%d%%)" % (format_name(matches[i][1]), matches[i][0]) for i in xrange(min(len(matches), MAX_MATCHES) if matches[0][0] != 100 else 1)))) + + print() + +def main(): + if "--version" not in sys.argv: + print(BANNER) + + parse_args() + init() + run() + +load_data() + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + exit(colorize("\r[x] Ctrl-C pressed")) diff --git a/waf/360.py b/waf/360.py deleted file mode 100644 index 9342d3321..000000000 --- a/waf/360.py +++ /dev/null 
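Review bot: In `init()`, `ssl._create_default_https_context = ssl._create_unverified_context` switches off certificate and hostname verification for every later `urlopen` call in the process, not just the probes sent to the target; the proxy liveness request to `PROXY_TESTING_PAGE` in `retrieve()` goes through the same unverified context. That is presumably intended, since a fingerprinting tool has to reach hosts with self-signed or expired certificates, but the only comment is a Stack Overflow link. I would add a comment above the assignment such as `# NOTE: disables TLS certificate verification process-wide so hosts with invalid certificates can still be probed`. If the host project imports this module instead of running it as a script (not visible in this hunk), it is worth confirming `init()` is never reached on that path, because this override and the `os.chdir()` at the top of `init()` would otherwise persist in the caller.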
@@ -1,23 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "360 Web Application Firewall (360)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= headers.get("X-Powered-By-360wzb") is not None
- retval |= code == 493 and "/wzws-waf-cgi/" in (page or "")
- retval |= all(_ in (page or "") for _ in ("eventID", "If you are the Webmaster", "493"))
- if retval:
- break
-
- return retval
diff --git a/waf/__init__.py b/waf/__init__.py
deleted file mode 100644
index c654cbef7..000000000
--- a/waf/__init__.py
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-pass
diff --git a/waf/aesecure.py b/waf/aesecure.py
deleted file mode 100644
index 46bf75fb6..000000000
--- a/waf/aesecure.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "aeSecure (aeSecure)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= headers.get("aeSecure-code") is not None
- retval |= all(_ in (page or "") for _ in ("aeSecure", "aesecure_denied.png"))
- if retval:
- break
-
- return retval
diff --git a/waf/airlock.py b/waf/airlock.py
deleted file mode 100644
index 3ef082d82..000000000
--- a/waf/airlock.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Airlock (Phion/Ergon)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"\AAL[_-]?(SESS|LB)", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= all(_ in (page or "") for _ in ("The server detected a syntax error in your request", "Check your request and all parameters", "Bad Request", "Your request ID was"))
- if retval:
- break
-
- return retval
diff --git a/waf/anquanbao.py b/waf/anquanbao.py
deleted file mode 100644
index d2d86bd0c..000000000
--- a/waf/anquanbao.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Anquanbao Web Application Firewall (Anquanbao)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= code == 405 and any(_ in (page or "") for _ in ("/aqb_cc/error/", "hidden_intercept_time"))
- if retval:
- break
-
- return retval
diff --git a/waf/approach.py b/waf/approach.py
deleted file mode 100644
index b44eddbdc..000000000
--- a/waf/approach.py
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Approach Web Application Firewall (Approach)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= re.search(r"Approach Web Application Firewall", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= re.search(r"Approach()? Web Application Firewall", page or "", re.I) is not None
- retval |= " Your IP address has been logged and this information could be used by authorities to track you." in (page or "")
- retval |= all(_ in (page or "") for _ in ("Sorry for the inconvenience!", "If this was an legitimate request please contact us with details!"))
- if retval:
- break
-
- return retval
diff --git a/waf/armor.py b/waf/armor.py
deleted file mode 100644
index 63c240135..000000000
--- a/waf/armor.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Armor Protection (Armor Defense)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "This request has been blocked by website protection from Armor" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/asm.py b/waf/asm.py
deleted file mode 100644
index 4e0837914..000000000
--- a/waf/asm.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Application Security Manager (F5 Networks)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= "The requested URL was rejected. Please consult with your administrator." in (page or "")
- retval |= all(_ in (page or "") for _ in ("security.f5aas.com", "Please enable JavaScript to view the page content"))
- if retval:
- break
-
- return retval
diff --git a/waf/astra.py b/waf/astra.py
deleted file mode 100644
index 3160b5706..000000000
--- a/waf/astra.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Astra (Czar Securities)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= all(_ in (page or "") for _ in ("unfortunately our website protection system", "//www.getastra.com"))
- if retval:
- break
-
- return retval
diff --git a/waf/aws.py b/waf/aws.py
deleted file mode 100644
index 624db991a..000000000
--- a/waf/aws.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Amazon Web Services Web Application Firewall (Amazon)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= code == 403 and re.search(r"\bAWS", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/barracuda.py b/waf/barracuda.py
deleted file mode 100644
index d19ec04f9..000000000
--- a/waf/barracuda.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Barracuda Web Application Firewall (Barracuda Networks)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"\Abarra_counter_session=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= re.search(r"(\A|\b)barracuda_", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= "when this page occurred and the event ID found at the bottom of the page" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/bekchy.py b/waf/bekchy.py
deleted file mode 100644
index ca4932ed0..000000000
--- a/waf/bekchy.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Bekchy (Faydata Information Technologies Inc.)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("Bekchy - Access Denided", ""))
- if retval:
- break
-
- return retval
diff --git a/waf/bitninja.py b/waf/bitninja.py
deleted file mode 100644
index ee405b6ed..000000000
--- a/waf/bitninja.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "BitNinja (BitNinja)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("alt=\"BitNinja|Security check by BitNinja", "your IP will be removed from BitNinja", "Visitor anti-robot validation"))
- if retval:
- break
-
- return retval
diff --git a/waf/bluedon.py b/waf/bluedon.py
deleted file mode 100644
index f4dbf7814..000000000
--- a/waf/bluedon.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Bluedon Web Application Firewall (Bluedon Information Security Technology)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= re.search(r"BDWAF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= re.search(r"Bluedon Web Application Firewall", page or "", re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/cerber.py b/waf/cerber.py
deleted file mode 100644
index 1fda49d82..000000000
--- a/waf/cerber.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "WP Cerber Security (Cerber Tech)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("We're sorry, you are not allowed to proceed", "Your request looks suspicious or similar to automated requests from spam posting software"))
- if retval:
- break
-
- return retval
diff --git a/waf/chinacache.py b/waf/chinacache.py
deleted file mode 100644
index eaf4ccc10..000000000
--- a/waf/chinacache.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'doc/COPYING' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "ChinaCache (ChinaCache Networks)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= (code or 0) >= 400 and headers.get("Powered-By-ChinaCache") is not None
-
- if retval:
- break
-
- return retval
diff --git a/waf/ciscoacexml.py b/waf/ciscoacexml.py
deleted file mode 100644
index 156cadb28..000000000
--- a/waf/ciscoacexml.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Cisco ACE XML Gateway (Cisco Systems)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- _, headers, _ = get_page(get=vector)
- retval |= re.search(r"ACE XML Gateway", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/cloudbric.py b/waf/cloudbric.py
deleted file mode 100644
index 649c1e54b..000000000
--- a/waf/cloudbric.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Cloudbric Web Application Firewall (Cloudbric)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= (code or 0) >= 400 and all(_ in (page or "") for _ in ("Cloudbric", "Malicious Code Detected"))
- if retval:
- break
-
- return retval
diff --git a/waf/cloudflare.py b/waf/cloudflare.py
deleted file mode 100644
index 1322882ea..000000000
--- a/waf/cloudflare.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "CloudFlare Web Application Firewall (CloudFlare)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
-
- if (code or 0) >= 400:
- retval |= re.search(r"cloudflare", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= re.search(r"\A__cfduid=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= headers.get("cf-ray") is not None
- retval |= re.search(r"CloudFlare Ray ID:|var CloudFlare=", page or "") is not None
- retval |= all(_ in (page or "") for _ in ("Attention Required! | Cloudflare", "Please complete the security check to access"))
- retval |= all(_ in (page or "") for _ in ("Attention Required! | Cloudflare", "Sorry, you have been blocked"))
- retval |= any(_ in (page or "") for _ in ("CLOUDFLARE_ERROR_500S_BOX", "::CAPTCHA_BOX::"))
-
- if retval:
- break
-
- return retval
diff --git a/waf/cloudfront.py b/waf/cloudfront.py
deleted file mode 100644
index b18cade57..000000000
--- a/waf/cloudfront.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "CloudFront (Amazon)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= all(_ in (page or "") for _ in ("Generated by cloudfront", "Request blocked"))
- if retval:
- break
-
- return retval
diff --git a/waf/comodo.py b/waf/comodo.py
deleted file mode 100644
index c3cb35083..000000000
--- a/waf/comodo.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Comodo Web Application Firewall (Comodo)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- _, headers, _ = get_page(get=vector)
- retval |= re.search(r"Protected by COMODO WAF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/crawlprotect.py b/waf/crawlprotect.py
deleted file mode 100644
index c88e62527..000000000
--- a/waf/crawlprotect.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "CrawlProtect (Jean-Denis Brun)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, code = get_page(get=vector)
- retval |= (code or 0) >= 400 and "This site is protected by CrawlProtect" in (page or "")
- retval |= "CrawlProtect" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/distil.py b/waf/distil.py
deleted file mode 100644
index 77a213eed..000000000
--- a/waf/distil.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Distil Web Application Firewall Security (Distil Networks)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= headers.get("x-distil-cs") is not None
- retval |= any(_ in (page or "") for _ in ("distilCaptchaForm", "distilCallbackGuard", "cdn.distilnetworks.com/images/anomaly-detected.png"))
- if retval:
- break
-
- return retval
diff --git a/waf/dotdefender.py b/waf/dotdefender.py
deleted file mode 100644
index 57e9402d9..000000000
--- a/waf/dotdefender.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "dotDefender (Applicure Technologies)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= headers.get("X-dotDefender-denied", "") == "1"
- retval |= any(_ in (page or "") for _ in ("dotDefender Blocked Your Request", '<meta name="description" content="Applicure is the leading provider of web application security', "Please contact the site administrator, and provide the following Reference ID:"))
- if retval:
- break
-
- return retval
diff --git a/waf/edgecast.py b/waf/edgecast.py
deleted file mode 100644
index 4a7ed503e..000000000
--- a/waf/edgecast.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "EdgeCast Web Application Firewall (Verizon)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- _, headers, code = get_page(get=vector)
- retval |= code == 400 and re.search(r"\AECDF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/expressionengine.py b/waf/expressionengine.py
deleted file mode 100644
index 9879d34a8..000000000
--- a/waf/expressionengine.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "ExpressionEngine (EllisLab)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= any((page or "").strip() == _ for _ in ("Invalid GET Data", "Invalid URI")) and re.search(r"\bexp_last_", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/fortiweb.py b/waf/fortiweb.py
deleted file mode 100644
index b5d2c1b75..000000000
--- a/waf/fortiweb.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "FortiWeb Web Application Firewall (Fortinet)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"\AFORTIWAFSID=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= all(_ in (page or "") for _ in (".fgd_icon", ".blocked", ".authenticate"))
- if retval:
- break
-
- return retval
diff --git a/waf/generic.py b/waf/generic.py
deleted file mode 100644
index a1d9e9e2d..000000000
--- a/waf/generic.py
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.convert import getUnicode
-from lib.core.data import kb
-from lib.core.settings import GENERIC_PROTECTION_REGEX
-from lib.core.settings import IPS_WAF_CHECK_PAYLOAD
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Generic (Unknown)"
-
-def detect(get_page):
- retval = False
-
- original, _, code = get_page()
- if original is None or (code or 0) >= 400:
- return False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
-
- if (code or 0) >= 400 or (IPS_WAF_CHECK_PAYLOAD in vector and (code is None or re.search(GENERIC_PROTECTION_REGEX, page or "") and not re.search(GENERIC_PROTECTION_REGEX, original or ""))):
- if code is not None:
- kb.wafSpecificResponse = "HTTP/1.1 %s\n%s\n%s" % (code, "".join(getUnicode(_) for _ in (headers.headers if headers else {}) or [] if not _.startswith("URI")), getUnicode(page or ""))
-
- retval = True
- break
-
- return retval
diff --git a/waf/godaddy.py b/waf/godaddy.py
deleted file mode 100644
index 8989a77c4..000000000
--- a/waf/godaddy.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "GoDaddy Website Firewall (GoDaddy Inc.)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("Access Denied - GoDaddy Website Firewall", "<title>GoDaddy Security - Access Denied"))
- if retval:
- break
-
- return retval
diff --git a/waf/greywizard.py b/waf/greywizard.py
deleted file mode 100644
index 73b60134d..000000000
--- a/waf/greywizard.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Greywizard (Grey Wizard)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"\Agreywizard", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= any(_ in (page or "") for _ in ("We've detected attempted attack or non standard traffic from your IP address", "Grey Wizard"))
- if retval:
- break
-
- return retval
diff --git a/waf/imunify360.py b/waf/imunify360.py
deleted file mode 100644
index 1fdcd175c..000000000
--- a/waf/imunify360.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Imunify360 (CloudLinux Inc.)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"\Aimunify360", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= any(_ in (page or "") for _ in ("protected by Imunify360", "Powered by Imunify360", "imunify360 preloader"))
- if retval:
- break
-
- return retval
diff --git a/waf/incapsula.py b/waf/incapsula.py
deleted file mode 100644
index eff9954e3..000000000
--- a/waf/incapsula.py
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Incapsula Web Application Firewall (Incapsula/Imperva)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"incap_ses|visid_incap", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= re.search(r"Incapsula", headers.get("X-CDN", ""), re.I) is not None
- retval |= "Incapsula incident ID" in (page or "")
- retval |= all(_ in (page or "") for _ in ("Error code 15", "This request was blocked by the security rules"))
- retval |= re.search(r"(?i)incident.{1,100}?\b\d{19}\-\d{17}\b", page or "") is not None
- retval |= headers.get("X-Iinfo") is not None
- if retval:
- break
-
- return retval
diff --git a/waf/isaserver.py b/waf/isaserver.py
deleted file mode 100644
index 2f4f11137..000000000
--- a/waf/isaserver.py
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.common import randomInt
-
-__product__ = "ISA Server (Microsoft)"
-
-def detect(get_page):
- page, _, _ = get_page(host=randomInt(6))
- retval = "The server denied the specified Uniform Resource Locator (URL). Contact the server administrator." in (page or "")
- retval |= "The ISA Server denied the specified Uniform Resource Locator (URL)" in (page or "")
- return retval
diff --git a/waf/janusec.py b/waf/janusec.py
deleted file mode 100644
index ac6850a26..000000000
--- a/waf/janusec.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Janusec Application Gateway (Janusec)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= all(_ in (page or "") for _ in ("Reason:", "by Janusec Application Gateway"))
- if retval:
- break
-
- return retval
diff --git a/waf/jiasule.py b/waf/jiasule.py
deleted file mode 100644
index 9f3de7b59..000000000
--- a/waf/jiasule.py
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Jiasule Web Application Firewall (Jiasule)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= re.search(r"jiasule-WAF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= re.search(r"__jsluid=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= re.search(r"jsl_tracking", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= re.search(r"static\.jiasule\.com/static/js/http_error\.js", page or "", re.I) is not None
- retval |= code == 403 and "notice-jiasule" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/knownsec.py b/waf/knownsec.py
deleted file mode 100644
index 13232c7b6..000000000
--- a/waf/knownsec.py
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "KS-WAF (Knownsec)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= re.search(r"url\('/ks-waf-error\.png'\)", page or "", re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/kona.py b/waf/kona.py
deleted file mode 100644
index c34f2d973..000000000
--- a/waf/kona.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "KONA Security Solutions (Akamai Technologies)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= (code or 0) >= 400 and re.search(r"AkamaiGHost", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/malcare.py b/waf/malcare.py
deleted file mode 100644
index 85902f2fd..000000000
--- a/waf/malcare.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "MalCare (Inactiv.com Media Solutions Pvt Ltd.)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "Blocked because of Malicious Activities" in (page or "")
- retval |= re.search(r"Firewall(<[^>]+>)*powered by(<[^>]+>)*MalCare", page or "") is not None
- if retval:
- break
-
- return retval
diff --git a/waf/modsecurity.py b/waf/modsecurity.py
deleted file mode 100644
index 74f651498..000000000
--- a/waf/modsecurity.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= any(_ in (page or "") for _ in ("This error was generated by Mod_Security", "One or more things in your request were suspicious", "rules of the mod_security module", "Protected by Mod Security"))
- if retval:
- break
-
- return retval
diff --git a/waf/naxsi.py b/waf/naxsi.py
deleted file mode 100644
index 67638bc27..000000000
--- a/waf/naxsi.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "NAXSI (NBS System)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- _, headers, _ = get_page(get=vector)
- retval |= re.search(r"naxsi/waf", headers.get(HTTP_HEADER.X_DATA_ORIGIN, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/netscaler.py b/waf/netscaler.py
deleted file mode 100644
index c3a5472fd..000000000
--- a/waf/netscaler.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "NetScaler AppFirewall (Citrix)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("Application Firewall Block Page", "Violation Category: APPFW_", "AppFW Session ID", "Access has been blocked - if you feel this is in error, please contact the site administrators quoting the following"))
- if retval:
- break
-
- return retval
diff --git a/waf/newdefend.py b/waf/newdefend.py
deleted file mode 100644
index c52d61b0d..000000000
--- a/waf/newdefend.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Newdefend Web Application Firewall (Newdefend)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"NewDefend", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= any(_ in (page or "") for _ in ("/nd_block/", "http://www.newdefend.com/feedback/misinformation/"))
- if retval:
- break
-
- return retval
diff --git a/waf/nexusguard.py b/waf/nexusguard.py
deleted file mode 100644
index 29b385a09..000000000
--- a/waf/nexusguard.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Nexusguard (Nexusguard Limited)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "

Powered by Nexusguard

" in (page or "")
- retval |= re.search(r"speresources\.nexusguard\.com/wafpage/[^>]*#\d{3};", page or "") is not None
- if retval:
- break
-
- return retval
diff --git a/waf/ninjafirewall.py b/waf/ninjafirewall.py
deleted file mode 100644
index c6bddca41..000000000
--- a/waf/ninjafirewall.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "NinjaFirewall (NinTechNet)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "NinjaFirewall: 403 Forbidden" in (page or "")
- retval |= all(_ in (page or "") for _ in ("For security reasons, it was blocked and logged", "NinjaFirewall"))
- if retval:
- break
-
- return retval
diff --git a/waf/onmessageshield.py b/waf/onmessageshield.py
deleted file mode 100644
index 5f5325b25..000000000
--- a/waf/onmessageshield.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "onMessage Shield (Blackbaud)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"onMessage Shield", headers.get("X-Engine", ""), re.I) is not None
- retval |= "This site is protected by an enhanced security system to ensure a safe browsing experience" in (page or "")
- retval |= "onMessage SHIELD" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/paloalto.py b/waf/paloalto.py
deleted file mode 100644
index 0faaeb2de..000000000
--- a/waf/paloalto.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Palo Alto Firewall (Palo Alto Networks)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= re.search(r"has been blocked in accordance with company policy", page or "", re.I) is not None
- retval |= all(_ in (page or "") for _ in ("Palo Alto Next Generation Security Platform", "Download Blocked"))
- if retval:
- break
-
- return retval
diff --git a/waf/perimeterx.py b/waf/perimeterx.py
deleted file mode 100644
index 298ebdb07..000000000
--- a/waf/perimeterx.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "PerimeterX (PerimeterX, Inc.)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "https://www.perimeterx.com/whywasiblocked" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/profense.py b/waf/profense.py
deleted file mode 100644
index b210dab91..000000000
--- a/waf/profense.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Profense Web Application Firewall (Armorlogic)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- _, headers, _ = get_page(get=vector)
- retval |= re.search(r"\APLBSID=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= re.search(r"Profense", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/proventia.py b/waf/proventia.py
deleted file mode 100644
index 3aca6a3d6..000000000
--- a/waf/proventia.py
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-__product__ = "Proventia Web Application Security (IBM)"
-
-def detect(get_page):
- page, _, _ = get_page()
- if page is None:
- return False
- page, _, _ = get_page(url="/Admin_Files/")
- return page is None
diff --git a/waf/radware.py b/waf/radware.py
deleted file mode 100644
index cf12b495b..000000000
--- a/waf/radware.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "AppWall (Radware)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"Unauthorized Activity Has Been Detected.+Case Number:", page or "", re.I | re.S) is not None
- retval |= headers.get("X-SL-CompState") is not None
- if retval:
- break
-
- return retval
diff --git a/waf/reblaze.py b/waf/reblaze.py
deleted file mode 100644
index e86372df3..000000000
--- a/waf/reblaze.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Reblaze Web Application Firewall (Reblaze)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"\Arbzid=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= re.search(r"Reblaze Secure Web Gateway", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= all(_ in (page or "") for _ in ("Current session has been terminated", "For further information, do not hesitate to contact us", "Access denied (403)"))
- if retval:
- break
-
- return retval
diff --git a/waf/requestvalidationmode.py b/waf/requestvalidationmode.py
deleted file mode 100644
index e60890537..000000000
--- a/waf/requestvalidationmode.py
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "ASP.NET RequestValidationMode (Microsoft)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, code = get_page(get=vector)
- retval |= "ASP.NET has detected data in the request that is potentially dangerous" in (page or "")
- retval |= "Request Validation has detected a potentially dangerous client input value" in (page or "")
- retval |= code == 500 and "HttpRequestValidationException" in page
- if retval:
- break
-
- return retval
diff --git a/waf/rsfirewall.py b/waf/rsfirewall.py
deleted file mode 100644
index 740434fa4..000000000
--- a/waf/rsfirewall.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "RSFirewall (RSJoomla!)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("COM_RSFIREWALL_403_FORBIDDEN", "COM_RSFIREWALL_EVENT"))
- if retval:
- break
-
- return retval
diff --git a/waf/safe3.py b/waf/safe3.py
deleted file mode 100644
index 2c2a50049..000000000
--- a/waf/safe3.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Safe3 Web Application Firewall"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"Safe3WAF", headers.get(HTTP_HEADER.X_POWERED_BY, ""), re.I) is not None
- retval |= re.search(r"Safe3 Web Firewall", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= all(_ in (page or "") for _ in ("403 Forbidden", "Safe3waf/"))
- if retval:
- break
-
- return retval
diff --git a/waf/safedog.py b/waf/safedog.py
deleted file mode 100644
index 7f32eecb4..000000000
--- a/waf/safedog.py
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Safedog Web Application Firewall (Safedog)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"WAF/2\.0", headers.get(HTTP_HEADER.X_POWERED_BY, ""), re.I) is not None
- retval |= re.search(r"Safedog", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= re.search(r"safedog", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- retval |= any(_ in (page or "") for _ in ("safedogsite/broswer_logo.jpg", "404.safedog.cn/sitedog_stat.html"))
- if retval:
- break
-
- return retval
diff --git a/waf/safeline.py b/waf/safeline.py
deleted file mode 100644
index 7d63ea9a0..000000000
--- a/waf/safeline.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "SafeLine Next Gen WAF (Chaitin Tech)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= all(_ in (page or "") for _ in ("SafeLine", "<!-- event_id:"))
- if retval:
- break
-
- return retval
diff --git a/waf/secureentry.py b/waf/secureentry.py
deleted file mode 100644
index a75efd622..000000000
--- a/waf/secureentry.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Secure Entry Server (United Security Providers)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= (code or 0) >= 400 and re.search(r"Secure Entry Server", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/secureiis.py b/waf/secureiis.py
deleted file mode 100644
index 32221667a..000000000
--- a/waf/secureiis.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "SecureIIS Web Server Security (BeyondTrust)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= re.search(r"SecureIIS[^<]+Web Server Protection", page or "") is not None
- retval |= "http://www.eeye.com/SecureIIS/" in (page or "")
- retval |= re.search(r"\?subject=[^>]*SecureIIS Error", page or "") is not None
- if retval:
- break
-
- return retval
diff --git a/waf/securesphere.py b/waf/securesphere.py
deleted file mode 100644
index ec633fbe3..000000000
--- a/waf/securesphere.py
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "SecureSphere Web Application Firewall (Imperva)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= re.search(r"<H2>Error</H2>.+?#FEEE7A.+?<STRONG>Error</STRONG>|Contact support for additional information.<br/>The incident ID is: (\\d{19}|N/A)", page or "", re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/senginx.py b/waf/senginx.py
deleted file mode 100644
index d1bdfff8f..000000000
--- a/waf/senginx.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "SEnginx (Neusoft Corporation)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "SENGINX-ROBOT-MITIGATION" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/shieldsecurity.py b/waf/shieldsecurity.py
deleted file mode 100644
index 4f78f06bb..000000000
--- a/waf/shieldsecurity.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Shield Security (One Dollar Plugin)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "Something in the URL, Form or Cookie data wasn't appropriate" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/siteground.py b/waf/siteground.py
deleted file mode 100644
index c412a1406..000000000
--- a/waf/siteground.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "SiteGround Web Application Firewall (SiteGround)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "The page you are trying to access is restricted due to a security rule" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/siteguard.py b/waf/siteguard.py
deleted file mode 100644
index 27843f172..000000000
--- a/waf/siteguard.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "SiteGuard (JP-Secure)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("Powered by SiteGuard", "The server refuse to browse the page"))
- if retval:
- break
-
- return retval
diff --git a/waf/sitelock.py b/waf/sitelock.py
deleted file mode 100644
index 42cb0e768..000000000
--- a/waf/sitelock.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "TrueShield Web Application Firewall (SiteLock)"
-
-# Note: https://www.whitefirdesign.com/blog/2016/11/08/more-evidence-that-sitelocks-trueshield-web-application-firewall-is-really-incapsulas-waf/
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("SiteLock Incident ID", '<span class="value INCIDENT_ID">'))
- if retval:
- break
-
- return retval
diff --git a/waf/sonicwall.py b/waf/sonicwall.py
deleted file mode 100644
index 9cbec14b8..000000000
--- a/waf/sonicwall.py
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "SonicWALL (Dell)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= "This request is blocked by the SonicWALL" in (page or "")
- retval |= all(_ in (page or "") for _ in ("#shd", "#nsa_banner"))
- retval |= re.search(r"Web Site Blocked.+\bnsa_banner", page or "", re.I) is not None
- retval |= re.search(r"SonicWALL", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/sophos.py b/waf/sophos.py
deleted file mode 100644
index 189a4201c..000000000
--- a/waf/sophos.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "UTM Web Protection (Sophos)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= "Powered by UTM Web Protection" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/squarespace.py b/waf/squarespace.py
deleted file mode 100644
index 790c278a6..000000000
--- a/waf/squarespace.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Squarespace Web Application Firewall (Squarespace)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= all(_ in (page or "") for _ in ("BRICK-50", " @ ", "404 Not Found"))
- if retval:
- break
-
- return retval
diff --git a/waf/stackpath.py b/waf/stackpath.py
deleted file mode 100644
index 1ffc1b0fd..000000000
--- a/waf/stackpath.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "StackPath Web Application Firewall (StackPath LLC)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= all(_ in (page or "") for _ in ("You performed an action that triggered the service and blocked your request",))
- if retval:
- break
-
- return retval
diff --git a/waf/sucuri.py b/waf/sucuri.py
deleted file mode 100644
index c4c2de813..000000000
--- a/waf/sucuri.py
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "CloudProxy WebSite Firewall (Sucuri)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= code == 403 and re.search(r"Sucuri/Cloudproxy", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= "Access Denied - Sucuri Website Firewall" in (page or "")
- retval |= "Sucuri WebSite Firewall - CloudProxy - Access Denied" in (page or "")
- retval |= re.search(r"Questions\?.+cloudproxy@sucuri\.net", (page or "")) is not None
- retval |= headers.get("X-Sucuri-ID") is not None
- retval |= headers.get("X-Sucuri-Cache") is not None
- if retval:
- break
-
- return retval
diff --git a/waf/tencent.py b/waf/tencent.py
deleted file mode 100644
index 75609ae50..000000000
--- a/waf/tencent.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Tencent Cloud Web Application Firewall (Tencent Cloud Computing)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, code = get_page(get=vector)
- retval |= code == 405 and "waf.tencent-cloud.com" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/trafficshield.py b/waf/trafficshield.py
deleted file mode 100644
index c5e694b82..000000000
--- a/waf/trafficshield.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "TrafficShield (F5 Networks)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- _, headers, _ = get_page(get=vector)
- retval |= re.search(r"F5-TrafficShield", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= re.search(r"\AASINFO=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/urlmaster.py b/waf/urlmaster.py
deleted file mode 100644
index 1f6f56082..000000000
--- a/waf/urlmaster.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Url Master SecurityCheck (iFinity/DotNetNuke)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, code = get_page(get=vector)
- retval |= (code or 0) >= 400 and all(_ in (page or "") for _ in ("UrlMaster", "UrlRewriteModule", "SecurityCheck"))
- if retval:
- break
-
- return retval
diff --git a/waf/urlscan.py b/waf/urlscan.py
deleted file mode 100644
index 6fea0d2c4..000000000
--- a/waf/urlscan.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "UrlScan (Microsoft)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= re.search(r"Rejected-By-UrlScan", headers.get(HTTP_HEADER.LOCATION, ""), re.I) is not None
- retval |= code != 200 and re.search(r"/Rejected-By-UrlScan", page or "", re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/varnish.py b/waf/varnish.py
deleted file mode 100644
index e2c23a921..000000000
--- a/waf/varnish.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Varnish FireWall (OWASP)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, code = get_page(get=vector)
- retval |= (code or 0) >= 400 and "Request rejected by xVarnish-WAF" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/virusdie.py b/waf/virusdie.py deleted file mode 100644 index 8f395e909..000000000 --- a/waf/virusdie.py +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/env python - -""" -Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/) -See the file 'LICENSE' for copying permission -""" - -from lib.core.settings import WAF_ATTACK_VECTORS - -__product__ = "Virusdie (Virusdie LLC)" - -def detect(get_page): - retval = False - - for vector in WAF_ATTACK_VECTORS: - page, _, _ = get_page(get=vector) - retval |= any(_ in (page or "") for _ in ("| Virusdie", "http://cdn.virusdie.ru/splash/firewallstop.png", "© Virusdie.ru

", '= 400 and re.search(r"\AWatchGuard", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None - retval |= "Request denied by WatchGuard Firewall" in (page or "") - if retval: - break - - return retval
diff --git a/waf/webknight.py b/waf/webknight.py
deleted file mode 100644
index 5bbb7c394..000000000
--- a/waf/webknight.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "WebKnight Application Firewall (AQTRONIX)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, code = get_page(get=vector)
- retval |= code == 999
- retval |= re.search(r"WebKnight", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= any(_ in (page or "") for _ in ("WebKnight Application Firewall Alert", "AQTRONIX WebKnight"))
- if retval:
- break
-
- return retval
diff --git a/waf/webseal.py b/waf/webseal.py
deleted file mode 100644
index 105f35668..000000000
--- a/waf/webseal.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "WebSEAL (IBM)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"WebSEAL", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= any(_ in (page or "") for _ in ("This is a WebSEAL error message template file", "The Access Manager WebSEAL server received an invalid HTTP request"))
- if retval:
- break
-
- return retval
diff --git a/waf/wordfence.py b/waf/wordfence.py
deleted file mode 100644
index fd98eb4d5..000000000
--- a/waf/wordfence.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Wordfence (Feedjit)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, _, _ = get_page(get=vector)
- retval |= any(_ in (page or "") for _ in ("A potentially unsafe operation has been detected in your request to this site", "Generated by Wordfence", "Your access to this site has been limited", "This response was generated by Wordfence"))
- if retval:
- break
-
- return retval
diff --git a/waf/wts.py b/waf/wts.py
deleted file mode 100644
index 38d4a0b1e..000000000
--- a/waf/wts.py
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "WTS Web Application Firewall"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= ">WTS-WAF" in (page or "")
- retval |= re.search(r"\Awts/", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- if retval:
- break
-
- return retval
diff --git a/waf/yundun.py b/waf/yundun.py
deleted file mode 100644
index 96dee5a79..000000000
--- a/waf/yundun.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python
-
-"""
-Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
-See the file 'LICENSE' for copying permission
-"""
-
-import re
-
-from lib.core.enums import HTTP_HEADER
-from lib.core.settings import WAF_ATTACK_VECTORS
-
-__product__ = "Yundun Web Application Firewall (Yundun)"
-
-def detect(get_page):
- retval = False
-
- for vector in WAF_ATTACK_VECTORS:
- page, headers, _ = get_page(get=vector)
- retval |= re.search(r"YUNDUN", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
- retval |= re.search(r"YUNDUN", headers.get("X-Cache", ""), re.I) is not None
- retval |= "Blocked by YUNDUN Cloud WAF" in (page or "")
- if retval:
- break
-
- return retval
diff --git a/waf/yunsuo.py b/waf/yunsuo.py deleted file mode 100644 index e9052141c..000000000 --- a/waf/yunsuo.py +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env python - -""" -Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/) -See the file 'LICENSE' for copying permission -""" - -import re - -from lib.core.enums import HTTP_HEADER -from lib.core.settings import WAF_ATTACK_VECTORS - -__product__ = "Yunsuo Web Application Firewall (Yunsuo)" - -def detect(get_page): - retval = False - - for vector in WAF_ATTACK_VECTORS: - page, headers, _ = get_page(get=vector) - retval |= re.search(r"= 400 and re.search(r"\AZENEDGE", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None - retval |= all(_ in (page or "") for _ in ("Your request has been blocked", "Incident ID", "/__zenedge/assets/")) - if retval: - break - - return retval