waf-rules.json

[
    {
      "category_id": "c_02",
      "category": {
        "en": "SQL injection detection",
        "zh": "SQL 注入检测"
      },
      "description": {
        "en": "In the implementation of the website, the filtering of input parameters is not strict, resulting in the illegal acquisition of the contents of the SQL database.",
        "zh": "在网站实现上，对于输入参数过滤不严，导致 SQL 数据库的内容被非法获取。"
      },
      "rules": [
        {
          "id": 302001,
          "level": 1,
          "name": "SQLI-BASE-Having",
          "type": "SQLI",
          "description": "检测条件类SQL注入攻击",
          "expr": "((?:[\\s()]case\\s*?\\()|(?:\\)\\s*?like\\s*?\\()|(?:having\\s*?[^\\s]+\\s*?[^\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*?[=<>~]))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302002,
          "level": 1,
          "name": "SQLI-BASE-Sleeping",
          "type": "SQLI",
          "description": "检测时延类SQL注入攻击",
          "expr": "((sleep\\((\\s*?)(\\d*?)(\\s*?)\\)|benchmark\\((.*?)\\,(.*?)\\)))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302003,
          "level": 2,
          "name": "SQLI-BASE-PRIV",
          "type": "SQLI",
          "description": "检测通过SQL注入提权，文件读写等行为",
          "expr": "((?:\\s*?(?:exec|execute).*?(?:\\W)xp_cmdshell)|(?:[\\\"'`]\\s*?!\\s*?[\\\"'`\\w])|(?:from\\W+information_schema\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\s*?\\([^\\)]*?)|(?:[\\\"'`];?\\s*?(?:select|union|having)\\b\\s*?[^\\s])|(?:\\wiif\\s*?\\()|(?:(?:exec|execute)\\s+master\\.)|(?:union select @)|(?:union[\\w(\\s]*?select)|(?:select.*?\\w?user\\()|(?:into[\\s+]+(?:dump|out)file\\s*?[\\\"'`]))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302004,
          "level": 2,
          "name": "SQLI-BASE-RW",
          "type": "SQLI",
          "description": "常见敏感数据库读取类行为",
          "expr": "((?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)\\b|s(?:ys(?:\\.database_name|aux)\\b|chema(?:\\W*\\(|_name\\b)|qlite(_temp)?_master\\b)|d(?:atabas|b_nam)e\\W*\\(|information_schema\\b|pg_(catalog|toast)\\b|northwind\\b|tempdb\\b))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302005,
          "level": 1,
          "name": "SQLI-BASE-Union",
          "type": "SQLI",
          "description": "检测联合查询类SQL注入攻击",
          "expr": "((?:(union(.*?)select(.*?)from)))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302006,
          "level": 3,
          "name": "SQLI-BASE-MongoDB",
          "type": "SQLI",
          "description": "检测MongoDB SQL注入行为",
          "expr": "((?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302007,
          "level": 3,
          "name": "SQLI-BASE-Procedure",
          "type": "SQLI",
          "description": "检测Mysql与PostgreSQL基于存储过程的注入行为",
          "expr": "((?:procedure\\s+analyse\\s*?\\()|(?:;\\s*?(declare|open)\\s+[\\w-]+)|(?:create\\s+(procedure|function)\\s*?\\w+\\s*?\\(\\s*?\\)\\s*?-)|(?:declare[^\\w]+[@#]\\s*?\\w+)|(exec\\s*?\\(\\s*?@))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302008,
          "level": 1,
          "name": "SQLI-BASE-Concat",
          "type": "SQLI",
          "description": "检测基于concat及文件读取类SQL注入行为",
          "expr": "((?:[\\d\\W]\\s+as\\s*?[\\\"'`\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc)\\b)|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s+(?:(?:group_)concat|char|load_file)\\s?\\(?)|(?:end\\s*?\\);)|([\\\"'`]\\s+regexp\\W)|(?:[\\s(]load_file\\s*?\\())",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302009,
          "level": 1,
          "name": "SQLI-BASE-Try",
          "type": "SQLI",
          "description": "检测SQL注入尝试行为",
          "expr": "(^[\\\"'`;]+|[\\\"'`]+$)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302010,
          "level": 1,
          "name": "SQLI-BASE-Operater",
          "type": "SQLI",
          "description": "检测SQL常见操作符",
          "expr": "((\\!\\=|\\&\\&|\\|\\||\\bxor\\b|\\brlike\\b|\\bregexp\\b|\\bisnull\\b)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\\\"]+[^()]*\\))|(?:\\bxor\\b|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302011,
          "level": 3,
          "name": "SQLI-BASE-DBname",
          "type": "SQLI",
          "description": "常见数据库名检测",
          "expr": "((?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\.\\.sysdatabases|ysql\\.db)\\b|s(?:ys(?:\\.database_name|aux)\\b|chema(?:\\W*\\(|_name\\b)|qlite(_temp)?_master\\b)|d(?:atabas|b_nam)e\\W*\\(|information_schema\\b|pg_(catalog|toast)\\b|northwind\\b|tempdb\\b))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302012,
          "level": 2,
          "name": "SQLI-BASE-MSdos",
          "type": "SQLI",
          "description": "检测mysql字符转换及mssql dos攻击",
          "expr": "((?:alter\\s*?\\w+.*?(?:character|char)\\s+set\\s+\\w+)|([\\\"'`];*?\\s*?waitfor\\s+(?:time|delay)\\s+[\\\"'`])|(?:[\\\"'`];.*?:\\s*?goto))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302013,
          "level": 2,
          "name": "SQLI-BASE-Func",
          "type": "SQLI",
          "description": "检测特定命令执行函数",
          "expr": "((?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\\\"'`])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302014,
          "level": 1,
          "name": "SQLI-BASE-Character",
          "type": "SQLI",
          "description": "检测反引号、空格、注释等sql注入绕过行为",
          "expr": "((?:,.*?[)\\da-f\\\"'`][\\\"'`](?:[\\\"'`].*?[\\\"'`]|\\Z|[^\\\"'`]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302015,
          "level": 1,
          "name": "SQLI-BASE-Usual1",
          "type": "SQLI",
          "description": "检测mysql空格、条件及char注入行为",
          "expr": "((?:\\)\\s*?when\\s*?\\d+\\s*?then)|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*?\\(\\s*?\\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\\s+|\\|\\||\\&\\&)\\s*?\\w+\\())",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302016,
          "level": 2,
          "name": "SQLI-BASE-Hex",
          "type": "SQLI",
          "description": "检测到sql hex编码",
          "expr": "((?:\\A|[^\\d])0x[a-f\\d]{3,}[a-f\\d]*)+",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302017,
          "level": 1,
          "name": "SQLI-BASE-Usual2",
          "type": "SQLI",
          "description": "可能的注入尝试行为",
          "expr": "((\\'|\\\"){1,}.*(and|or).*(\\+|\\-|\\=))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 302018,
          "level": 1,
          "name": "SQLI-BASE-Probe",
          "type": "SQLI",
          "description": "普通SQL注入探测",
          "expr": "(?:\\\"\\\\s*or\\\\s*\\\"?\\\\d)|(?:\\\\\\\\x(?:23|27|3d))|(?:^.?\\\"$)|(?:(?:^[\\\"\\\\\\\\]*(?:[\\\\d\\\"]+|[^\\\"]+\\\"))+\\\\s*(?:n?and|x?or|not|\\\\|\\\\||\\\\&\\\\&)\\\\s*[\\\\w\\\"[+&!@(),.-])|(?:[^\\\\w\\\\s]\\\\w+\\\\s*[|-]\\\\s*\\\"\\\\s*\\\\w)|(?:@\\\\w+\\\\s+(and|or)\\\\s*[\\\"\\\\d]+)|(?:@[\\\\w-]+\\\\s(and|or)\\\\s*[^\\\\w\\\\s])|(?:[^\\\\w\\\\s:]\\\\s*\\\\d\\\\W+[^\\\\w\\\\s]\\\\s*\\\".)|(?:\\\\Winformation_schema|table_name\\\\W)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_03",
      "category": {
        "en": "XSS detection",
        "zh": "XSS 检测"
      },
      "description": {
        "en": "XSS flaws occur when new web pages for an application contain untrusted, improperly validated or escaped data, or when existing web pages are updated using browser APIs that can create HTML or JavaScript. XSS allows an attacker to execute script in a victim's browser and hijack user sessions, deface websites, or redirect users to malicious sites.",
        "zh": "当应用程序的新网页中包含不受信任的、未经恰当验证或转义的数据，或者使用可以创建 HTML 或 JavaScript 的浏览器 API更新现有的网页时，会出现 XSS 缺陷。XSS 让攻击者能够在受害者的浏览器中执行脚本，并劫持用户会话、破坏网站或将用户重定向到恶意站点。"
      },
      "rules": [
        {
          "id": 303001,
          "level": 1,
          "name": "XSS-BASE-Script",
          "type": "XSS",
          "description": "script标签检测",
          "expr": "(?i)([<＜]script[^>＞]*[>＞][\\s\\S]*?)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303002,
          "level": 1,
          "name": "XSS-BASE-TagAction",
          "type": "XSS",
          "description": "标签内事件检测",
          "expr": "(?i)([\\s\\\"'`;\\/0-9\\=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on[a-zA-Z]+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303003,
          "level": 1,
          "name": "XSS-BASE-TagAttribute",
          "type": "XSS",
          "description": "标签属性向量检测",
          "expr": "(?i)[\\s\\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\\/html|pattern(?=.*?=)|formaction|\\@import|base64)\\b",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303004,
          "level": 1,
          "name": "XSS-BASE-JsURI",
          "type": "XSS",
          "description": "Javascript URI向量检测",
          "expr": "(?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\\b[^>]*?>[\\s\\S]*?|(?:=|U\\s*?R\\s*?L\\s*?\\()\\s*?[^>]*?\\s*?S\\s*?C\\s*?R\\s*?I\\s*?P\\s*?T\\s*?:)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303005,
          "level": 2,
          "name": "XSS-BASE-HtmlInjetion",
          "type": "XSS",
          "description": "非Script Html注入类检查",
          "expr": "(?i)<[^\\w<>]*(?:[^<>\\\"'\\s]*:)?[^\\w<>]*(?:\\W*?s\\W*?c\\W*?r\\W*?i\\W*?p\\W*?t|\\W*?f\\W*?o\\W*?r\\W*?m|\\W*?s\\W*?t\\W*?y\\W*?l\\W*?e|\\W*?s\\W*?v\\W*?g|\\W*?m\\W*?a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|(?:\\W*?l\\W*?i\\W*?n\\W*?k|\\W*?o\\W*?b\\W*?j\\W*?e\\W*?c\\W*?t|\\W*?e\\W*?m\\W*?b\\W*?e\\W*?d|\\W*?a\\W*?p\\W*?p\\W*?l\\W*?e\\W*?t|\\W*?p\\W*?a\\W*?r\\W*?a\\W*?m|\\W*?i?\\W*?f\\W*?r\\W*?a\\W*?m\\W*?e|\\W*?b\\W*?a\\W*?s\\W*?e|\\W*?b\\W*?o\\W*?d\\W*?y|\\W*?m\\W*?e\\W*?t\\W*?a|\\W*?i\\W*?m\\W*?a?\\W*?g\\W*?e?|\\W*?v\\W*?i\\W*?d\\W*?e\\W*?o|\\W*?a\\W*?u\\W*?d\\W*?i\\W*?o|\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g\\W*?s|\\W*?s\\W*?e\\W*?t|\\W*?a\\W*?n\\W*?i\\W*?m\\W*?a\\W*?t\\W*?e)[^>\\w])|(?:<\\w[\\s\\S]*[\\s\\/]|['\\\"](?:[\\s\\S]*[\\s\\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\\s\\x08]*?=",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303006,
          "level": 1,
          "name": "XSS-BASE-AttributionInjetct",
          "type": "XSS",
          "description": "非Script 属性类注入检查",
          "expr": "(?i)(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\\\\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\\\[ux]\\d))|data:(?:(?:[a-z]\\w+\\/\\w[\\w+-]+\\w)?[;,]|[\\s\\S]*?;[\\s\\S]*?\\b(?:base64|charset=)|[\\s\\S]*?,[\\s\\S]*?<[\\s\\S]*?\\w[\\s\\S]*?>))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:\\/\\*[\\s\\S]*?)?(?:[\\\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|\\W*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[\\s\\S]*?:[\\s\\S]*?\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303007,
          "level": 1,
          "name": "XSS-BASE-BadAttribution",
          "type": "XSS",
          "description": "禁止的Html属性",
          "expr": "(?i)\\b(?:s(?:tyle|rc)|href)\\b[\\s\\S]*?=",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303008,
          "level": 2,
          "name": "XSS-BASE-TAGCheck",
          "type": "XSS",
          "description": "HTML标签检查",
          "expr": "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303009,
          "level": 3,
          "name": "XSS-BASE-IE1",
          "type": "XSS",
          "description": "IE的XSS过滤器规则1",
          "expr": "(?:<style.*?>.*?((@[i\\\\\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303010,
          "level": 2,
          "name": "XSS-BASE-IE2",
          "type": "XSS",
          "description": "IE的XSS过滤器规则2",
          "expr": "(?:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303011,
          "level": 3,
          "name": "XSS-BASE-IE3",
          "type": "XSS",
          "description": "IE的XSS过滤器规则3",
          "expr": "(?:<EMBED[\\s/+].*?((src)|(type)).*?=)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303012,
          "level": 2,
          "name": "XSS-BASE-IE4",
          "type": "XSS",
          "description": "IE的XSS过滤器规则4",
          "expr": "<[?]?import[\\s\\/+\\S]*?implementation[\\s\\/+]*?=",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303013,
          "level": 3,
          "name": "XSS-BASE-IE5",
          "type": "XSS",
          "description": "IE的XSS过滤器规则5",
          "expr": "(?:<META[\\s/+].*?http-equiv[\\s/+]*=[\\s/+]*[\\\"\\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303014,
          "level": 2,
          "name": "XSS-BASE-IE6",
          "type": "XSS",
          "description": "IE的XSS过滤器规则6",
          "expr": "(?:<META[\\s/+].*?charset[\\s/+]*=)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303015,
          "level": 1,
          "name": "XSS-BASE-IE7",
          "type": "XSS",
          "description": "IE的XSS过滤器规则7",
          "expr": "(?:<LINK[\\s/+].*?href[\\s/+]*=)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303016,
          "level": 1,
          "name": "XSS-BASE-IE8",
          "type": "XSS",
          "description": "IE的XSS过滤器规则8",
          "expr": "(?:<BASE[\\s/+].*?href[\\s/+]*=)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303017,
          "level": 2,
          "name": "XSS-BASE-IE9",
          "type": "XSS",
          "description": "IE的XSS过滤器规则9",
          "expr": "(?:<OBJECT[\\s\\/ ].*?((type)|(codetype)|(classid)|(code)|(data))[\\s\\/ ]*=)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 303018,
          "level": 1,
          "name": "XSS-BASE-Probe",
          "type": "XSS",
          "description": "常规xss攻击探测",
          "expr": "(?:,\\\\s*(?:alert|showmodaldialog|eval)\\\\s*,)|(?::\\\\s*eval\\\\s*[^\\\\s])|([^:\\\\s\\\\w,.\\\\\\/?+-]\\\\s*)?(?<![a-z\\\\\\/_@])(\\\\s*return\\\\s*)?(?:(?:document\\\\s*\\\\.)?(?:.+\\\\\\/)?(?:alert|eval|msgbox|showmod(?:al|eless)dialog|showhelp|prompt|write(?:ln)?|confirm|dialog|open))\\\\s*(?:[^.a-z\\\\s\\\\-]|(?:\\\\s*[^\\\\s\\\\w,.@\\\\\\/+-])|(?:java[\\\\s\\\\\\/]*\\\\.[\\\\s\\\\\\/]*lang)|(?:\\\\w\\\\s*=\\\\s*new\\\\s+\\\\w+)|(?:&\\\\s*\\\\w+\\\\s*\\\\)[^,])|(?:\\\\+[\\\\W\\\\d]*new\\\\s+\\\\w+[\\\\W\\\\d]*\\\\+)|(?:document\\\\.\\\\w)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_01",
      "category": {
        "en": "Command Injection Detection",
        "zh": "命令注入检测"
      },
      "description": {
        "en": "A type of injection attack, including shell command injection, PHP code injection, Java code injection, etc. If the attacker successfully exploits it, it can cause the website to execute the code injected by the attacker.",
        "zh": "注入攻击的一种，包含 shell 命令注入，PHP 代码注入，Java 代码注入等，若被攻击者成功利用，可导致网站执行攻击者注入的代码。"
      },
      "rules": [
        {
          "id": 301001,
          "level": 1,
          "name": "RCE_OS-BASE-1",
          "type": "RCE_OS",
          "description": "Linux命令注入检测1",
          "expr": "(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|\\$\\(|\\$\\(\\(|`|\\${|<\\(|>\\(|\\(\\s*\\))\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|!\\s*|\\$)*\\s*(?:'|\\\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\\\\\\\]+/)?[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*(?:w[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d|u[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p)|r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*q[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r)|s(?:[\\\\\\\\'\\\"]*(?:b[\\\\\\\\'\\\"]*_[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*u|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*i|u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*b|-[\\\\\\\\'\\\"]*F|h[\\\\\\\\'\\\"]*w|o[\\\\\\\\'\\\"]*f))?|z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|m[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|a)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s)|e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*(?:(?:f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o|(?:\\s|<|>).*)|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*g(?:[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n)?|c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*m|(?:\\s|<|>).*)|o[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*e|l)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|g[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e)|d[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*g|d[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t)?|(?:[np]|y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*x)[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|b[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*2)|s[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r)|a[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*(?:\\s|<|>).*|s[\\\\\\\\'\\\"]*h)|r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*k[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*w|u[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n)|c[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*d)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c)|h[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:\\s|<|>).*|f[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*d)|r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*b|(?:[cp]|a[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*l|s[\\\\\\\\'\\\"]*h)|f[\\\\\\\\'\\\"]*(?:i(?:[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|(?:\\s|<|>).*)|n[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*(?:\\s|<|>).*))?|t[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*(?:s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*s|w[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o|(?:\\s|<|>).*)|u[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n|(?:e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h|c)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p)|e[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*(?:v(?:[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e)?|d[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*f|s[\\\\\\\\'\\\"]*w))|x[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*d|o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*t|r)|e[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*(?:\\s|<|>).*|i[\\\\\\\\'\\\"]*t)|c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*(?:\\s|<|>).*|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|s[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c|v[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l)|h[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|p[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*d)|o[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e|i[\\\\\\\\'\\\"]*d)|(?:e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d|u[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|i[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*y)|i[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:(?:6[\\\\\\\\'\\\"]*)?t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s|c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*g)|r[\\\\\\\\'\\\"]*b(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|f[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*g|d[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|g[\\\\\\\\'\\\"]*(?:(?:e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*l|r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*c|i[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|z[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*p)|u[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*z[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*b)|a[\\\\\\\\'\\\"]*(?:(?:l[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s|w[\\\\\\\\'\\\"]*k)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|d[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r|p[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|r[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*(?:\\s|<|>).*|p))|d[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t|(?:i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|u)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|(?:m[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s|p[\\\\\\\\'\\\"]*k)[\\\\\\\\'\\\"]*g|o[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*s|n[\\\\\\\\'\\\"]*e)|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h)|m[\\\\\\\\'\\\"]*(?:(?:k[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r|o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*(?:x[\\\\\\\\'\\\"]*(?:\\s|<|>).*|q)|l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e)|j[\\\\\\\\'\\\"]*(?:(?:a[\\\\\\\\'\\\"]*v[\\\\\\\\'\\\"]*a|o[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|e[\\\\\\\\'\\\"]*x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c)|k[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l|(?:\\s|<|>).*)|(?:G[\\\\\\\\'\\\"]*E[\\\\\\\\'\\\"]*T[\\\\\\\\'\\\"]*(?:\\s|<|>)|\\.\\s).*|7[\\\\\\\\'\\\"]*z(?:[\\\\\\\\'\\\"]*[ar])?)\\b",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 301002,
          "level": 1,
          "name": "RCE_OS-BASE-2",
          "type": "RCE_OS",
          "description": "Linux命令注入检测2",
          "expr": "(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|\\$\\(|\\$\\(\\(|`|\\${|<\\(|>\\(|\\(\\s*\\))\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|!\\s*|\\$)*\\s*(?:'|\\\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\\\\\\\]+/)?[\\\\\\\\'\\\"]*(?:s[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*(?:(?:f[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*)?(?:\\s|<|>).*|e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|s[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*d)|n[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|d[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|h[\\\\\\\\'\\\"]*(?:\\.[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*b|u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*n|(?:\\s|<|>).*)|o[\\\\\\\\'\\\"]*(?:(?:u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|c[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|(?:l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*e|f[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*p|y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*l|u[\\\\\\\\'\\\"]*(?:(?:\\s|<|>).*|d[\\\\\\\\'\\\"]*o)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|s[\\\\\\\\'\\\"]*h|v[\\\\\\\\'\\\"]*n)|p[\\\\\\\\'\\\"]*(?:k[\\\\\\\\'\\\"]*(?:g(?:(?:[\\\\\\\\'\\\"]*_)?[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*o)?|e[\\\\\\\\'\\\"]*x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c|i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l)|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r(?:[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p))?|a[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*(?:\\s|<|>).*|s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*d)|r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|f[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|y[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n(?:[\\\\\\\\'\\\"]*(?:3(?:[\\\\\\\\'\\\"]*m)?|2))?|e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:l(?:[\\\\\\\\'\\\"]*(?:s[\\\\\\\\'\\\"]*h|5))?|m[\\\\\\\\'\\\"]*s)|(?:g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|f[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*p|(?:u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h|o[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*d|h[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*[57])?|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g|s[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|n[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*(?:\\.[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l|o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*d)|(?:\\s|<|>).*|a[\\\\\\\\'\\\"]*t)|e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:k[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p|(?:s[\\\\\\\\'\\\"]*t|c)[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|(?:\\s|<|>).*)|s[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*k[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*p|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|(?:a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*o|i[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|(?:o[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*u|m[\\\\\\\\'\\\"]*a)[\\\\\\\\'\\\"]*p|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|r[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:(?:p[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|a[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h)|m[\\\\\\\\'\\\"]*(?:(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*)?(?:\\s|<|>).*|u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r)|u[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*y(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|(?:a[\\\\\\\\'\\\"]*r|c[\\\\\\\\'\\\"]*p|p[\\\\\\\\'\\\"]*m)[\\\\\\\\'\\\"]*(?:\\s|<|>).*|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*o|o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|s[\\\\\\\\'\\\"]*y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*c)|t[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|s[\\\\\\\\'\\\"]*h)|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e(?:[\\\\\\\\'\\\"]*6)?|e[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|e[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|i[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t|(?:\\s|<|>).*)|a[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*f)?|r[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|o[\\\\\\\\'\\\"]*(?:u[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*(?:\\s|<|>).*|p))|u[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*k[\\\\\\\\'\\\"]*(?:\\s|<|>).*|z[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a)|c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|z[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p|x[\\\\\\\\'\\\"]*z)|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:(?:a[\\\\\\\\'\\\"]*d|m[\\\\\\\\'\\\"]*o)[\\\\\\\\'\\\"]*d|d[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l)|l[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|m[\\\\\\\\'\\\"]*(?:y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*q[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w)?|h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*y|a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w))?|(?:(?:o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*n|u[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*t|v)[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|x[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|e[\\\\\\\\'\\\"]*c)|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|(?:\\s|<|>).*)|a[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*m|x[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*(?:\\s|<|>).*)|z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|i[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*(?:\\s|<|>).*|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h)|o[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*l|n[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r)|w[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i|(?:\\s|<|>).*)|g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|3[\\\\\\\\'\\\"]*m)|v[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*(?:\\s|<|>).*|g[\\\\\\\\'\\\"]*r|p[\\\\\\\\'\\\"]*w)|y[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*m)\\b",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 301003,
          "level": 1,
          "name": "RCE_OS-BASE-3",
          "type": "RCE_OS",
          "description": "Linux命令注入检测3",
          "expr": "(?:^|=)\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\\\".*\\\")\\s+|!\\s*|\\$)*\\s*(?:'|\\\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\\\"\\./\\\\\\\\]+/)?[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*(?:s(?:[\\\\\\\\'\\\"]*(?:b[\\\\\\\\'\\\"]*_[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*u|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*i|u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*b|-[\\\\\\\\'\\\"]*F|o[\\\\\\\\'\\\"]*f))?|z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|m[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|a)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s)|e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*(?:(?:f[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p)[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o)|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*g(?:[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n)?|c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*m)|w[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d)?|f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t)?|y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*x)|s[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|s[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*d)|n[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l|d)|h(?:[\\\\\\\\'\\\"]*\\.[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*b)?|o[\\\\\\\\'\\\"]*(?:u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s|y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*l|c[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*d|p)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p|u[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*o|s[\\\\\\\\'\\\"]*h|v[\\\\\\\\'\\\"]*n)|p[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r(?:[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p))?|y[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n(?:[\\\\\\\\'\\\"]*(?:3(?:[\\\\\\\\'\\\"]*m)?|2))?|k[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c|i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*l)|r[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*v|(?:g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|f[\\\\\\\\'\\\"]*t)[\\\\\\\\'\\\"]*p|e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*5)?|h[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*[57])?|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|n[\\\\\\\\'\\\"]*(?:c(?:[\\\\\\\\'\\\"]*(?:\\.[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l|o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*d)|a[\\\\\\\\'\\\"]*t))?|e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*(?:k[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*p|(?:s[\\\\\\\\'\\\"]*t|c)[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|o[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*p|p[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g|s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|t[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*g)|s[\\\\\\\\'\\\"]*h)|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e(?:[\\\\\\\\'\\\"]*6)?|i[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e(?:[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*t)?|a[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*l(?:[\\\\\\\\'\\\"]*f)?|r)|e[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t)|r[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*(?:p[\\\\\\\\'\\\"]*(?:l[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*e|e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|a[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*h|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e)|u[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*y(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|m[\\\\\\\\'\\\"]*(?:u[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*e|d[\\\\\\\\'\\\"]*i)[\\\\\\\\'\\\"]*r|n[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*o|s[\\\\\\\\'\\\"]*y[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*c|c[\\\\\\\\'\\\"]*p)|b[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t)|s[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r)|u[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h)|m[\\\\\\\\'\\\"]*(?:y[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*q[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*(?:d[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p(?:[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w)?|h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*y|a[\\\\\\\\'\\\"]*d[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*w)|l[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e|a[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*q)|u[\\\\\\\\'\\\"]*(?:n[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|l[\\\\\\\\'\\\"]*z[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a|a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*r|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|z[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*p|x[\\\\\\\\'\\\"]*z)|s[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*(?:(?:a[\\\\\\\\'\\\"]*d|m[\\\\\\\\'\\\"]*o)[\\\\\\\\'\\\"]*d|d[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*l))|x[\\\\\\\\'\\\"]*(?:z(?:[\\\\\\\\'\\\"]*(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|d[\\\\\\\\'\\\"]*(?:i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|e[\\\\\\\\'\\\"]*c)|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e))?|a[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*g[\\\\\\\\'\\\"]*s)|z[\\\\\\\\'\\\"]*(?:(?:(?:[ef][\\\\\\\\'\\\"]*)?g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|i)[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*(?:a[\\\\\\\\'\\\"]*t|m[\\\\\\\\'\\\"]*p)|d[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*s|m[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e|r[\\\\\\\\'\\\"]*u[\\\\\\\\'\\\"]*n|s[\\\\\\\\'\\\"]*h)|f[\\\\\\\\'\\\"]*(?:t[\\\\\\\\'\\\"]*p[\\\\\\\\'\\\"]*(?:s[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*s|w[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o)|i[\\\\\\\\'\\\"]*l[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*t|e[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*c[\\\\\\\\'\\\"]*h|g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p)|c[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*d|p[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*c)|u[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*l|s[\\\\\\\\'\\\"]*h|c)|e[\\\\\\\\'\\\"]*(?:g[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*h[\\\\\\\\'\\\"]*o|v[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*l|x[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*c|n[\\\\\\\\'\\\"]*v)|d[\\\\\\\\'\\\"]*(?:m[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*g|a[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*h|i[\\\\\\\\'\\\"]*f[\\\\\\\\'\\\"]*f|o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*s)|g[\\\\\\\\'\\\"]*(?:z[\\\\\\\\'\\\"]*(?:c[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*t|i[\\\\\\\\'\\\"]*p)|r[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*p|c[\\\\\\\\'\\\"]*c)|w[\\\\\\\\'\\\"]*(?:h[\\\\\\\\'\\\"]*o[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*m[\\\\\\\\'\\\"]*i|g[\\\\\\\\'\\\"]*e[\\\\\\\\'\\\"]*t|3[\\\\\\\\'\\\"]*m)|j[\\\\\\\\'\\\"]*(?:o[\\\\\\\\'\\\"]*b[\\\\\\\\'\\\"]*s[\\\\\\\\'\\\"]*\\s[\\\\\\\\'\\\"]*-[\\\\\\\\'\\\"]*x|a[\\\\\\\\'\\\"]*v[\\\\\\\\'\\\"]*a)|i[\\\\\\\\'\\\"]*r[\\\\\\\\'\\\"]*b(?:[\\\\\\\\'\\\"]*(?:1(?:[\\\\\\\\'\\\"]*[89])?|2[\\\\\\\\'\\\"]*[012]))?|o[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*n[\\\\\\\\'\\\"]*t[\\\\\\\\'\\\"]*r|h[\\\\\\\\'\\\"]*(?:e[\\\\\\\\'\\\"]*a[\\\\\\\\'\\\"]*d|u[\\\\\\\\'\\\"]*p)|v[\\\\\\\\'\\\"]*i[\\\\\\\\'\\\"]*(?:g[\\\\\\\\'\\\"]*r|p[\\\\\\\\'\\\"]*w)|G[\\\\\\\\'\\\"]*E[\\\\\\\\'\\\"]*T)[\\\\\\\\'\\\"]*(?:\\s|;|\\||&|<|>)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_05",
      "category": {
        "en": "path crossing detection",
        "zh": "路径穿越检测"
      },
      "description": {
        "en": "An attacker could exploit this vulnerability to gain access to unauthorized files or directories, possibly resulting in the disclosure of sensitive information or the execution of arbitrary code.",
        "zh": "攻击者可以利用此漏洞访问未授权的文件或目录，可能导致敏感信息泄露或执行任意代码。"
      },
      "rules": [
        {
          "id": 305001,
          "level": 1,
          "name": "DT-BASE-UsualDT",
          "type": "DT",
          "description": "常规路径穿越检测",
          "expr": "(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\\.))|\\.(?:%0[01]|\\?)?|\\?\\.?|0x2e){2}(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/))",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 305002,
          "level": 1,
          "name": "DT-BASE-SpecialPath",
          "type": "DT",
          "description": "特殊路径包含检测",
          "expr": "(?:%c0%ae\\/)|(?:(?:\\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\\/|\\\\))|(?:(?:\\/|\\\\)inetpub|localstart\\.asp|boot\\.ini)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 305003,
          "level": 3,
          "name": "DT-BASE-1",
          "type": "DT",
          "description": "常规本地文件包含",
          "expr": "(?:^|[\\\\/])\\.\\.(?:[\\\\/]|$)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_08",
      "category": {
        "en": "PHP Code Injection Detection",
        "zh": "PHP 代码注入检测"
      },
      "description": {
        "en": "Allow attackers to execute malicious PHP system commands, endangering server security.",
        "zh": "允许攻击者执行恶意的PHP系统命令，危及服务器安全。"
      },
      "rules": [
        {
          "id": 308001,
          "level": 1,
          "name": "RCE_PHP-BASE-PHPTag",
          "type": "RCE_PHP",
          "description": "发现PHP标签",
          "expr": "(?:<\\?php|\\[(?:/|\\\\\\\\)?php\\]|<script.*language=('|\\\"){0,1}php)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 308002,
          "level": 2,
          "name": "RCE_PHP-BASE-PHPProtocol",
          "type": "RCE_PHP",
          "description": "PHP协议文件读写流",
          "expr": "(?i)php://(std(in|out|err)|(in|out)put|fd|memory|temp|filter)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 308003,
          "level": 2,
          "name": "RCE_PHP-BASE-RiskFunc",
          "type": "RCE_PHP",
          "description": "发现PHP危险函数",
          "expr": "(?i)\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 308004,
          "level": 3,
          "name": "RCE_PHP-BASE-Serialized",
          "type": "RCE_PHP",
          "description": "PHP序列化注入",
          "expr": "\\:\\d+:{\\w:\\d+.*}$",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 308005,
          "level": 3,
          "name": "RCE_PHP-BASE-VariableFunc",
          "type": "RCE_PHP",
          "description": "PHP变量函数调用",
          "expr": "\\$+(?:[a-zA-Z_\\x7f-\\xff][a-zA-Z0-9_\\x7f-\\xff]*|\\s*{.+})|(?:\\s|\\[.+\\]|{.+}|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 308006,
          "level": 3,
          "name": "RCE_PHP-BASE-LowRiskFunc",
          "type": "RCE_PHP",
          "description": "低风险PHP函数发现",
          "expr": "(?i)\\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\(.*\\)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_09",
      "category": {
        "en": "JAVA code injection detection",
        "zh": "JAVA 代码注入检测"
      },
      "description": {
        "en": "Allow attackers to execute malicious JAVA system commands, endangering server security.",
        "zh": "允许攻击者执行恶意的JAVA系统命令，危及服务器安全。"
      },
      "rules": [
        {
          "id": 309001,
          "level": 1,
          "name": "RCE_JAVA-BASE-Struts2RCE",
          "type": "RCE_JAVA",
          "description": "常见的struts2命令注入攻击行为",
          "expr": "(%|#){0,}.*(\\[|\\{|\\().*(@ognl.OgnlContext|java.lang.Runtime@getRuntime|java.io.BufferedReader|java.lang.ProcessBuilder)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 309002,
          "level": 1,
          "name": "RCE_JAVA-BASE-JavaFunc",
          "type": "RCE_JAVA",
          "description": "敏感java函数调用",
          "expr": "java\\.lang\\.(?:runtime|processbuilder|invoke|getInputStream|boolean)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 309003,
          "level": 2,
          "name": "RCE_JAVA-BASE-CVE-2017-9805",
          "type": "RCE_JAVA",
          "description": "针对CVE-2017-9805的检测规则",
          "expr": "(?:runtime|processbuilder)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 309004,
          "level": 2,
          "name": "RCE_JAVA-BASE-Sensitive",
          "type": "RCE_JAVA",
          "description": "java敏感函数调用检测",
          "expr": "(?:runtime|processbuilder)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_14",
      "category": {
        "en": "File upload detection",
        "zh": "文件上传检测"
      },
      "description": {
        "en": "When the uploaded file is disguised as a malicious script with a normal suffix, the attacker can use the local file inclusion vulnerability to execute the file.",
        "zh": "当上传文件伪装成正常后缀的恶意脚本时，攻击者可借助本地文件包含漏洞执行该文件。"
      },
      "rules": [
        {
          "id": 314001,
          "level": 2,
          "name": "UFL-BASE-1",
          "type": "UFL",
          "description": "未授权文件上传1",
          "expr": "(.*\\.(php|php5|jsp|jspx|asp|aspx|asa))",
          "mode": "match(urlDecode(body_para['filename']))"
        },
        {
          "id": 314002,
          "level": 2,
          "name": "UFL-BASE-2",
          "type": "UFL",
          "description": "未授权文件上传2",
          "expr": "(Content-Type:.*application/.*)",
          "mode": "match(urlDecode(substr(body_buf,0,1024)))"
        },
        {
          "id": 314003,
          "level": 2,
          "name": "UFL-PHP-Webshell",
          "type": "UFL",
          "description": "疑似PHP webshell文件上传",
          "expr": "(<\\?php.*)",
          "mode": "match(urlDecode(substr(body_buf,0,2028)))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_11",
      "category": {
        "en": "Remote file inclusion detection",
        "zh": "远程文件包含检测"
      },
      "description": {
        "en": "Attackers read or execute unauthorized files, which may lead to disclosure of sensitive information or execute the file with the help of file inclusion vulnerabilities.",
        "zh": "攻击者读取或执行未授权的文件，可能导致敏感信息泄露或借助文件包含漏洞执行该文件。"
      },
      "rules": [
        {
          "id": 311001,
          "level": 1,
          "name": "RFI-BASE-IncludeIP",
          "type": "RFI",
          "description": "远程文件包含协议中发现ip",
          "expr": "(file|ftp?|ftps?|https?):\\/\\/(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})",
          "mode": "match(iterator(urlDecode(header_para|body_buf)))"
        },
        {
          "id": 311002,
          "level": 2,
          "name": "RFI-BASE-IncludePara",
          "type": "RFI",
          "description": "远程文件包含URL结尾中发现?",
          "expr": "(file|ftp?|ftps?|https?).*?\\?+",
          "mode": "match(iterator(urlDecode(header_para|body_buf)))"
        },
        {
          "id": 311003,
          "level": 3,
          "name": "RFI-BASE-Usual1",
          "type": "RFI",
          "description": "远程文件包含检测1",
          "expr": "(file|ftp?|ftps?|https?)://([^/]*).*",
          "mode": "match(iterator(urlDecode(header_para|body_buf)))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_06",
      "category": {
        "en": "Sensitive Information Leakage Detection",
        "zh": "敏感信息泄露检测"
      },
      "description": {
        "en": "Information such as source code and configuration files may be leaked to endanger system security.",
        "zh": "可能泄露源码、配置文件等信息危害系统安全。"
      },
      "rules": [
        {
          "id": 306001,
          "level": 1,
          "name": "DL-BASE-BadSuffixes",
          "type": "DL",
          "description": "危险后缀文件",
          "expr": "(\\\\|\\/).*(.sql|.db|.war|.conf|.bak|.mdb|.properties|.ds_store)$",
          "mode": "match(urlDecode(header_uri))"
        },
        {
          "id": 306002,
          "level": 1,
          "name": "DL-BASE-BadPath",
          "type": "DL",
          "description": "危险文件路径",
          "expr": "(/WEB-INF/.*\\.xml)|(/.svn/.*)|(/.git/.*)",
          "mode": "match(urlDecode(header_path))"
        },
        {
          "id": 306003,
          "level": 3,
          "name": "DL-BASE-RiskSuffixes",
          "type": "DL",
          "description": "敏感文件后缀",
          "expr": "(\\\\|\\/).*(.rar|.zip|.tar|.tar.gz|.mdb|.dtd|.chm)$",
          "mode": "match(urlDecode(header_uri))"
        },
        {
          "id": 306004,
          "level": 1,
          "name": "DL-BASE-RiskFile",
          "type": "DL",
          "description": "可能存在风险的文件",
          "expr": ".*(web.xml|www.rar|wwwroot.rar|log4net.xml|server.xml|applicationContext.xml|jdbc.properties|server.properties)$",
          "mode": "match(urlDecode(header_uri))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_16",
      "category": {
        "en": "malicious scan",
        "zh": "恶意扫描"
      },
      "description": {
        "en": "Detects whether a website has been scanned for malware.",
        "zh": "检测网站是否被恶意扫描。"
      },
      "rules": [
        {
          "id": 316001,
          "level": 3,
          "name": "SS-Protocol-Scan",
          "type": "SS",
          "description": "使用不常见协议对网站发起探测",
          "expr": "(TRACE|PUT|DELETE|OPTIONS).*",
          "mode": "match(header_method)"
        },
        {
          "id": 316002,
          "level": 3,
          "name": "SS-Masscan",
          "type": "SS",
          "description": "使用Masscan进行扫描",
          "expr": "([^\\x0A\\x0D]*masscan)",
          "mode": "match(header_User-Agent)"
        },
        {
          "id": 316003,
          "level": 3,
          "name": "SS-OpenVAS",
          "type": "SS",
          "description": "使用OpenVAS进行扫描",
          "expr": "[^\\x0A\\x0D]*OpenVAS",
          "mode": "match(header_User-Agent)"
        },
        {
          "id": 316004,
          "level": 4,
          "name": "SS-Webfuck",
          "type": "SS",
          "description": "使用Webfuck进行扫描",
          "expr": "[^\\x0A\\x0D]*WebFuck|[^\\x0A\\x0D]*T0PHackTeam",
          "mode": "match(header_User-Agent)"
        },
        {
          "id": 316005,
          "level": 3,
          "name": "SS-Nikto",
          "type": "SS",
          "description": "使用Nikto进行扫描",
          "expr": ".{0,50}Nikto",
          "mode": "match(header_User-Agent)"
        },
        {
          "id": 316006,
          "level": 2,
          "name": "SS-Sqlmap",
          "type": "SS",
          "description": "使用sqlmap进行注入",
          "expr": "(sqlmap\\/[0-9]{1}.*-dev-)",
          "mode": "match(header_User-Agent)"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_15",
      "category": {
        "en": "XXE attack detection",
        "zh": "XXE 攻击检测"
      },
      "description": {
        "en": "Due to the XML processor there is an external entity reference in the XML file. An attacker could use an external entity to steal internal and shared files using URI file handlers, listen on internal scan ports, execute remote code, and perform denial-of-service attacks.",
        "zh": "由于 XML 处理器在XML 文件中存在外部实体引用。攻击者可利用外部实体窃取使用 URI 文件处理器的内部文件和共享文件、监听内部扫描端口、执行远程代码和实施拒绝服务攻击。"
      },
      "rules": [
        {
          "id": 315001,
          "level": 2,
          "name": "GR-BASE-XMLInjection",
          "type": "GR",
          "description": "一般xml注入",
          "expr": "(<!entity.*(system|internal) \\\"(file|php://|phar|ftp|http).*\\\">)",
          "mode": "match(urlDecode(body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_19",
      "category": {
        "en": "SSTI template injection detection",
        "zh": "SSTI 模板注入检测"
      },
      "description": {
        "en": "Inject malicious code into the template engine, causing the server to perform unexpected operations or leak sensitive information.",
        "zh": "注入恶意代码到模板引擎中，导致服务器执行非预期操作或泄露敏感信息。"
      },
      "rules": [
        {
          "id": 319003,
          "level": 3,
          "name": "Other_SSTI",
          "type": "Other",
          "description": "SSTI模板注入漏洞",
          "expr": "({\\w{1,}(\\*|\\+|\\-|\\/)\\w{1,}})",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_18",
      "category": {
        "en": "Nday attack detection",
        "zh": "Nday 攻击检测"
      },
      "description": {
        "en": "Detect possible Nday attacks and prevent attacks and intrusions on the system by exploiting undisclosed vulnerabilities.",
        "zh": "检测可能的 Nday 攻击，防止利用尚未公开的漏洞对系统进行攻击和入侵。"
      },
      "rules": [
        {
          "id": 318001,
          "level": 1,
          "name": "FAPPV-JAVA-Log4j2",
          "type": "FAPPV",
          "description": "针对CVE-2021-44228的探测",
          "expr": "(\\${jndi:(ldap|rmi):.*})",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 318002,
          "level": 3,
          "name": "FAPPV-Grafana-Plugin",
          "type": "FAPPV",
          "description": "针对CVE-2021-43798 Grafana插件任意文件读取漏洞",
          "expr": "(/public/plugins/.*/(../){1,})",
          "mode": "match(urlDecode(header_uri))"
        },
        {
          "id": 318003,
          "level": 2,
          "name": "FAPPV-RCE-Apache-httpd",
          "type": "FAPPV",
          "description": "针对CVE-2021-41773 apache httpd server任意文件读取漏洞",
          "expr": "((.%2e/){1,4}(%2e%2e/){0,4})",
          "mode": "match(urlDecode(header_uri))"
        },
        {
          "id": 318004,
          "level": 3,
          "name": "FAPPV-BT-pma",
          "type": "FAPPV",
          "description": "宝塔phpmyadmin未授权访问漏洞",
          "expr": "(:888/pma$)",
          "mode": "match(urlDecode(header_path))"
        },
        {
          "id": 318005,
          "level": 1,
          "name": "FAPPV-ThinkPHP5-1",
          "type": "FAPPV",
          "description": "thinkphp5.0远程命令执行漏洞",
          "expr": "((s=index\\/\\\\think\\\\app\\/invokefunction).*(system|call_user_func_array|passthru|exec|shell_exec))",
          "mode": "match(urlDecode(header_uri))"
        },
        {
          "id": 318006,
          "level": 1,
          "name": "FAPPV-ThinkPHP5-2",
          "type": "FAPPV",
          "description": "thinkphp5.1远程命令执行漏洞",
          "expr": "((index\\/\\\\think\\\\).*(request|template|view|Container).*(system|call_user_func_array|passthru|exec|shell_exec))",
          "mode": "match(urlDecode(header_uri))"
        },
        {
          "id": 318007,
          "level": 2,
          "name": "FAPPV-Wordpress-1",
          "type": "FAPPV",
          "description": "wordpress xmlrpc远程代码执行漏洞",
          "expr": "(<methodName>(system|pingback|wp).*<\\/methodName>)",
          "mode": "match(urlDecode(substr(body_buf,0,1024)))"
        },
        {
          "id": 318008,
          "level": 1,
          "name": "FAPPV_Conflunce-1",
          "type": "FAPPV",
          "description": "针对CVE-2022-26134 conflunce远程代码执行漏洞",
          "expr": "\\$\\{.*\\(.*com.opensymphony.webwork.ServletActionContext.*getmethod\\(\"",
          "mode": "match(urlDecode(header_uri|body_buf))"
        }
      ],
      "status": 0
    },
    {
      "category_id": "c_20",
      "category": {
        "en": "Other attack detection",
        "zh": "其它攻击检测"
      },
      "description": {
        "en": "Attacks caused by the security of the web server itself and other software configuration security or vulnerabilities.",
        "zh": "由于Web服务器本身安全和其他软件配置安全或漏洞引起的攻击。"
      },
      "rules": [
        {
          "id": 319001,
          "level": 1,
          "name": "Other_JAVA-Spring-core",
          "type": "Other",
          "description": "spring core spring bean rce漏洞",
          "expr": "(class\\.\\w+|Class\\.\\w+|\\w+\\.class\\.\\w+|\\w+\\.Class\\.\\w+)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 319002,
          "level": 2,
          "name": "Other_JAVA-Spring-BASE-1",
          "type": "Other",
          "description": "针对CVE-2022-22965 spring远程命令执行漏洞",
          "expr": "suffix=.jsp\\S{1,100}(directory=webapps/ROOT)",
          "mode": "match(urlDecode(header_uri|body_buf))"
        },
        {
          "id": 319004,
          "level": 3,
          "name": "Other_JAVA-SpringCloud",
          "type": "Other_JAVA",
          "description": "CVE-2022-22963 SpringCloud Function远程命令执行漏洞",
          "expr": "(spring.cloud.function.routing-expression:.*T\\()",
          "mode": "match(urlDecode(substr(body_buf,0,1024)))"
        }
      ],
      "status": 0
    }
  ]