##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! This assembly file generates a prefix match for unix shell RCE
##! evasions. Command words, in this case, must follow the prefix.
##! Separate rules target commands that do not follow this prefix,
##! as the chance of false positives is higher without a prefix match.

##! NOTE(review): this listing was rendered as one collapsed line; the line
##! breaks below are reconstructed. Compare with the file on disk before
##! regenerating any rule from it.

##! Group 1: what may come directly before a command. Every non-comment line
##! is one alternative. Each comment shows a sample input, and the line after
##! it is the pattern for the part that precedes `ifconfig` in that sample.

##! Wrapper commands that run another command. Per the linked documentation
##! the cmdline processor treats each line as a command word and makes it
##! tolerant of shell evasion; the exact expansion is not visible here.
##! <some command> ifconfig
##!> cmdline unix
busybox
command
env
eval
ltrace
nohup
strace
time
timeout
watch
##!<
##! ;ifconfig
;
##! =ifconfig
=
##! {ifconfig}
\{
##! |ifconfig
\|
##! ||ifconfig
\|\|
##! &ifconfig
&
##! & &ifconfig
&&
##! ;\nifconfig
\n
##! ;\rifconfig
\r
##! $(ifconfig)
\$\(
##! $((ifconfig))
\$\(\(
##! `ifconfig`
`
##! ${ifconfig}
\${
##! <( ifconfig )
<\(
##! >( ifconfig )
>\(
##! a() ( ifconfig; ); a
\(\s*\)
##! `cat<<<ifconfig` or `cat<<< ifconfig`
<<<

##! Output marker: closes the group above; what follows is appended to it
##! (see the linked documentation for the exact semantics).
##!=>

##! match possible white space between prefix expressions
\s*

##!=>

##! commands prefix
##!> assemble
##! { ifconfig }
\{
##! ( ifconfig )
\s*\(\s*
##! VARNAME=xyz ifconfig
##! NOTE(review): the alternative `\$.*` appears twice in the next pattern, so
##! one copy is redundant. Several alternatives also end in an unbounded `.*`
##! followed by `\s+`; check matching cost on long inputs for the regex
##! engine in use.
\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+
##! ! ifconfig
!\s*
##! $ifconfig
\$
##!<

##! The bare `*` between the two output markers presumably quantifies the
##! assembled group above (zero or more command prefixes) - confirm against
##! the generated expression.
##!=>
*
##!=>

##! match possible white space between prefix expressions
\s*

##!=>

##! quoting prefix
##!> assemble
##! 'ifconfig'
'
##! "ifconfig"
\"
##!<

##! As above: presumably zero or more quoting characters - confirm.
##!=>
*
##!=>

##! paths prefix (+ evasion prevention suffix [\x5c'\"]*)
##! The path group is optional (trailing `?`), so the prefix also matches a
##! command given without any path. `\x5c` is the backslash character; the
##! suffix class accepts any run of backslashes and quote characters before
##! the command word.
(?:[\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/)?[\x5c'\"]*

##!=>