php WAF线下攻防用，模块化设计，功能可调，支持SQL AST分析

<?php /* * Aegis_lib * 本php为Aegis函数库，仅提供功能性函数 * 若需要实现灵活性地使用Aegis各项功能，请在引用之后合理地调用Aegis函数即可 * 若只引用此文件，但不调用Aegis函数，则WAF不会开启 * 若要傻瓜式加载本WAF,直接引用Aegis.php即可 * 作者：isd12345678 */ function GetAbsolutePath($dir){ if($dir==="")return FALSE; if(stripos(php_uname('s'),"windows")!==FALSE){ if(substr($dir,1,1)===":")return $dir; $islinux=FALSE; $dir=str_replace("\\","/",$dir); }else { if(substr($dir,0,1)==="/")return $dir; $islinux=TRUE; } $path=""; $arr=explode("/",dirname($_SERVER['SCRIPT_FILENAME'])."/".$dir); $_path=array(); for($i=0;$i<count($arr);$i++){ if($arr[$i]==="."){ }else if($arr[$i]===".."){ if($islinux)array_pop($_path); else { if(count($_path)>1)array_pop($_path); } }else array_push($_path,$arr[$i]); } for($i=0;$i<count($_path);$i++){ if($i===0){ if($islinux)$path=$path."/"; }else $path=$path."/"; $path=$path.$_path[$i]; } $path=str_replace("//","/",$path); return $path; } function DieWAF($WriteLog,$WriteDir,$reason){ if($WriteLog!==0)$content=writelog($WriteDir,"Warning",$reason); $DieType=3;//die出方式，0：普通信息，1：炸死浏览器，2：图片和音乐，3：debug信息，其他为空白 if($DieType===0){ $n="flag:"; $n.=md5(date("m-d H-i",round(time()/1800))*1800);//30分钟变一次23333 die($n); }else if($DieType===1){//最基础的炸死浏览器，去掉alert更邪恶，hahahaha~~~ $docu="<center><h1>========Forbidden By Aegis========<br /></h1></center>"; $d=""; for($i=0;$i<10;$i++)$d=$d.$docu; die($d."<script>alert(\"Forbidden By Aegis\");while(1){document.writeln(\"".$docu."\");}</script>"); }else if($DieType===2){//返回pic.jpg与music.mp3，能卡死很多批量攻击脚本233333 $n="<html><body style=\"margin:0\"><img src=\"data:image/jpg;base64,"; $n.=base64_encode(file_get_contents(dirname(__FILE__)."/pic.jpg")); $n.="\" style=\"margin:0;width:100%;height: 100%;\">"; $n.="<audio src=\"data:audio/x-wav;base64,"; $n.=base64_encode(file_get_contents(dirname(__FILE__)."/music.mp3")); $n.="\" autoplay />"; $n.="</body></html>"; die($n); }else if($DieType===3){//debug用，如果WAF影响了网站正常功能，可以用这个调试 $debug="<html><head><meta charset=\"utf-8\"></head><body>\n"; $debug.="Aegis die tracert:<br />\n".$GLOBALS['AegisErrorLine']."<br />\n"; $debug.="php script tracert:<br />\n".$GLOBALS['Aegistracert']; $debug.="<br />\nreason:<br />\n"; $debug.=$reason."<br />\n"; $debug.="details:<br />\n"; $content=str_replace("\r\n", "<br />\n", $content); $debug.=$content; $debug.="</body></html>"; die($debug); }else die(); } function writelog($WriteDir,$level,$reason){ $content="IP:".$_SERVER['REMOTE_ADDR']."\r\n"; $content=$content."URL:".$_SERVER['SCRIPT_FILENAME']."\r\nGET:"; $temp=stripos($_SERVER['REQUEST_URI'],"?"); if($temp!==FALSE)$content.=substr($_SERVER['REQUEST_URI'],$temp); $content=$content."\r\nPOST:".file_get_contents("php://input"); $first=TRUE; $content=$content."\r\nCOOKIE:"; foreach($GLOBALS['AegisWaf_cookie'] as $key =>$value){ if($first===FALSE)$content=$content."&"; $content=$content.$key."=".$value; $first=FALSE; } $contents=$content."\r\nWAF debug:\r\n"; $contents.=$reason."\r\n".$GLOBALS['AegisErrorLine']."\r\n".$GLOBALS['Aegistracert']; $contents.="\r\n\r\n"; //如果不想要log里写出debug信息，直接$contents=$content;就行了 if(!file_exists($WriteDir.$level))mkdir($WriteDir.$level); $filename=$WriteDir.$level."/".$level."_".date("m-d H-i",time()).".txt"; file_put_contents($filename, $contents,FILE_APPEND); return $content; } function CheckVarName(){ $black=GetBlackWords(); $re=$_GET+$_POST+$_COOKIE; foreach($re as $key =>$value){ for($i=0;$i<count($black);$i++){ if($key===$black[$i]){ $GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE; break; } } } return FALSE; } function checkname_length($key,$value){ //这里是特定参数名所允许的长度 if(strtolower($key)==="username" && strlen($value)>18){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} if(strtolower($key)==="user" && strlen($value)>18){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} if(strtolower($key)==="name" && strlen($value)>18){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} if(strtolower($key)==="password" && strlen($value)>18){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} if(strtolower($key)==="passwd" && strlen($value)>18){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} if(strtolower($key)==="file" && strlen($value)>32){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} if(strtolower($key)==="page" && strlen($value)>32){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} return false; } function SmartLength(){ foreach($_GET as $key => $value)if(checkname_length($key,$value)===TRUE){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} foreach($_POST as $key => $value)if(checkname_length($key,$value)===TRUE){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} foreach($_COOKIE as $key => $value)if(checkname_length($key,$value)===TRUE){$GLOBALS['AegisErrorLine'].="->".__LINE__;return TRUE;} return false; } function filterwords($key,$value){ if($key==="source")return FALSE;//白名单变量名 $j=1;while($j!==0)$value=str_ireplace("%25", "%", $value,$j); $value=urldecode($value); $defence=FALSE; $resulta=SqlAstAnalysis("select * from tables where id='".$value."';"); $resultb=SqlAstAnalysis("select * from tables where id=".$value.";"); $resultc=SqlAstAnalysis("select * from tables where id=\"".$value."\";"); $num=-1;$p=-1; if($resulta!==FALSE){if($resulta['num']>$num){$num=$resulta['num'];$p=0;}} if($resultb!==FALSE){if($resultb['num']>$num){$num=$resultb['num'];$p=1;}} if($resultc!==FALSE){if($resultc['num']>$num){$num=$resultc['num'];$p=2;}} if($p<0)return FALSE; else if($p===0)$result=$resulta; else if($p===1)$result=$resultb; else if($p===2)$result=$resultc; if($result['num']===1){ if(substr($value,0,1)==="'"){ $defence=TRUE; $GLOBALS['AegisErrorLine'].="->".__LINE__."(".$value.")"; $value="′".substr($value,0,1-strlen($value)); } if(substr($value,0,1)==="\""){ $defence=TRUE; $GLOBALS['AegisErrorLine'].="->".__LINE__."(".$value.")"; $value="″".substr($value,0,1-strlen($value)); } if($result['tips']===TRUE){ $defence=TRUE; $value=str_ireplace("#", "＃", $value); $value=str_ireplace("--", "——", $value); $value=str_ireplace("/*", "/x", $value); $GLOBALS['AegisErrorLine'].="->".__LINE__; } } else{ $sqlwords=array("select","insert","update","delete","drop","truncate", "'","(","into outfile","into dumpfi1e"," or ","load_file"); $switchwords=array("se1ect","insart","updata","de1ete","jrop","truncata", "′","〔","into outfi1e","into dumpfi1e"," 0r ","load_fi1e"); for($i=0;$i<count($sqlwords);$i++){ $value=str_ireplace($sqlwords[$i], $switchwords[$i], $value,$j); if($j!==0){ $defence=TRUE; $GLOBALS['AegisErrorLine'].="->".__LINE__."(".$sqlwords[$i].")";break; } } } $sqlwords=array("insert","update","delete","drop","truncate","into outfile","into dumpfi1e","load_file"); $switchwords=array("insart","updata","de1ete","jrop","truncata","into outfi1e","into dumpfi1e","load_fi1e"); for($i=0;$i<count($sqlwords);$i++){ $value=str_ireplace($sqlwords[$i], $switchwords[$i], $value,$j); if($j!==0){ $defence=TRUE; $GLOBALS['AegisErrorLine'].="->".__LINE__."(".$sqlwords[$i].")";break; } } $arr=array($value,$defence); return $arr; } function CheckSqlWord($SqlCheckDown,$WriteLog,$WriteDir){ $defence=FALSE; if(isse