How to configure a WAF rule to block an exploit

What is the name of the domain?

example

What is the issue you’re encountering?

The WAF rule doesn’t work

What steps have you taken to resolve the issue?

Hi,
I want to block these requests that appear in my nginx server. How must I set up WAF rules?

/index.php?lang=…/…/…/…/…/…/…/…/tmp/index1 HTTP Response 200
/index.php?lang=…/…/…/…/…/…/…/…/usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP Response 200

May I ask if you could share a screenshot of the WAF Custom Rule which you’ve created and tried with?

Example to block by some terms being used in the URI path:

(http.request.uri.path contains "tmp") or (http.request.uri.path contains "config") or (http.request.uri.path contains "echo") or (http.request.uri.path contains "md5") or (http.request.uri.path contains "pearcmd")

Make sure to set up the WAF rules and that the DNS records for your domain are :orange: proxied, so the WAF rule would apply and work as expected.

You can even combine it with adding ?%00, eval, %3Cscript, (0x, shell or DROP; you can also block HTTP/1.0 requests, user agents such as python, etc.

Combine them as URI Path “contains” conditions, using OR as the operator between them to catch them, and do not forget to select the action “Block” at the end, save, and make sure the rule is active and enabled.

Some useful resources and examples:

These are the rules I have configured, but those messages still appear in my nginx log:

(http.request.uri.path contains "…/") or (http.request.uri.path contains "/etc/") or (http.request.uri.path contains "/usr/") or (http.request.uri.path contains "/tmp/")

Is it the general nginx error log, or rather the vhost log for some domain? :thinking:

Are the DNS records proxied :orange:?

It’s not the error log. It’s the access.log of a vhost.

The DNS records are proxied.

May I ask if you’ve tested the WAF Custom Rules yourself with your domain and the URL example? :thinking:

Yes, I have tested it, and it works for me. For example, if I write www.example.com/md5/, a Cloudflare notice appears saying that I have been blocked. But then, every day, I see those messages in the nginx log, which seems to mean that someone is bypassing the rule.
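Added example, not posted by anyone in the thread and not Cloudflare code. The logged requests above carry their traversal payload in the query string (`/index.php?lang=...`), while the rules shown only inspect `http.request.uri.path`, which for such a request is just `/index.php`. This Python script splits request targets from constructed nginx access.log lines into the fields the Cloudflare rules language exposes as `http.request.uri.path`, `http.request.uri.query` and `http.request.uri`, then evaluates simple `contains` terms against each, so you can check which field a rule must reference before deploying it. The log lines, IP addresses and the `../` spelling of the forum-mangled `…/` are assumptions made for the example.

```python
"""Emulate how a Cloudflare custom-rule expression sees a logged request.

Added example, not code from the thread or from Cloudflare. It pulls the
request target out of constructed access.log lines, splits it into the
URI fields a rule expression can reference, and reports which of them a
set of `contains` terms would actually fire on.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed access.log lines in the shape shown in the thread (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:12:00:00 +0000] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(%22hi%22));?>+/tmp/index1.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:12:00:02 +0000] "GET /md5/ HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "GET /index.php?lang=%2e%2e/%2e%2e/%2e%2e/tmp/index1 HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Matches the quoted request line of the combined log format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (?P<target>\S+) HTTP/[\d.]+"')

# The poster's path-only terms; the forum-rendered "…/" is assumed to be "../".
PATH_RULE_TERMS = ["../", "/etc/", "/usr/", "/tmp/"]


def parse_targets(log_text: str) -> list[str]:
    """Return the request target (path plus query) of every parsable log line."""
    matches = (REQUEST_RE.search(line) for line in log_text.splitlines())
    return [m.group("target") for m in matches if m]


def request_fields(target: str) -> dict[str, str]:
    """Return the three URI fields a rule expression can reference.

    http.request.uri.path carries only the path; a payload in `?lang=...`
    lives in http.request.uri.query; http.request.uri holds both.
    """
    parts = urlsplit(target)
    return {
        "http.request.uri.path": parts.path,
        "http.request.uri.query": parts.query,
        "http.request.uri": target,
    }


def rule_matches(target: str, field: str, terms: list[str], decode: bool = False) -> bool:
    """Emulate `(field contains t1) or (field contains t2) or ...`.

    decode=True emulates wrapping the field in url_decode(), so percent-encoded
    variants such as %2e%2e/ still hit a plain "../" term.
    """
    value = request_fields(target)[field]
    if decode:
        value = unquote(value)
    return any(term in value for term in terms)


def evaluate(log_text: str, terms: list[str]) -> list[tuple[str, bool, bool]]:
    """For each logged request: (target, path-only rule fires?, decoded full-URI rule fires?)."""
    return [
        (
            target,
            rule_matches(target, "http.request.uri.path", terms),
            rule_matches(target, "http.request.uri", terms, decode=True),
        )
        for target in parse_targets(log_text)
    ]


if __name__ == "__main__":
    for target, on_path, on_uri in evaluate(SAMPLE_LOG, PATH_RULE_TERMS):
        print(f"path-rule={on_path!s:5} uri-rule={on_uri!s:5} {target[:70]}")
```

Running it shows the path-only rule never fires on the `/index.php?lang=...` requests, while the same terms evaluated against the full URI (decoded) fire on all of them; `/md5/` is the one case where the path alone matches, which is why the poster's manual test succeeded. In the Cloudflare expression editor the equivalent change is to reference `http.request.uri` (path and query) or `url_decode(http.request.uri.query)` instead of `http.request.uri.path` for terms that live in the query string.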
