use Test::Nginx::Socket;
# Declare the test count up front: each data block below is run
# repeat_each(2) times, and this plan assumes one check per block per
# repetition (adjust the multiplier if a block gains extra assertions).
plan tests => repeat_each(2) * blocks();
# Export the test server root so the nginx config blocks can refer to it as
# $TEST_NGINX_SERVROOT (used by the "root" directives in the blocks below).
$ENV{TEST_NGINX_SERVROOT} = server_root();
=== TODO: naxsi does not support UTF-8, a potential bypass; still too marginal to be worth checking
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=AND+%EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=AND+%00%271%00%27=%00%271%00%27 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=AND+1=1%00 Union select 1 HTTP/1.0
=== NOT TODO: base64, not worth checking
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=MScgQU5EIFNMRUVQKDUpIw== HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a='A+NOT+BETWEEN+0+AND+B' HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=%2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045' HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=SELECT+*+FROM+users+WHERE+id+LIKE+1 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),+NULL,+NULL#/*!0AND+'QDWa'='QDWa HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=IF(ISNULL(1),+2,+1) HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1+/*!30000AND+2>1*/-- HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1+/*!00000AND+2>1*/-- HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=+UNION+++SELECT++ HTTP/1.0
=== NOT TODO: I don't know of any server/interpreter that decodes this
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=%S%E%L%E%C%T+%F%I%E%L%D+%F%R%O%M+%T%A%B%L%E HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1 UnioN SeLEct 1 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=AND+1=1+and+'0having'='0having' HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=SELECT/**/id/**/FROM/**/users HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=SELECT%08id%02FROM%0Fusers HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1%23%0A9227=922%237 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=SELECT%0Bid%0BFROM%A0users HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1--%0AAND--%0A9227=9227 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=SELECT+id+FROM+users HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1%bf%27+AND+1=1--%20 HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,+CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))# HTTP/1.0
working_directory /tmp/;
worker_rlimit_core 25M;
include /etc/nginx/naxsi_core.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
location /RequestDenied {
"GET /?a=1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))# HTTP/1.0