add:主机单独控制bot检测，xss，rce，scan，sqli

2025-12-06 06:58:54 +08:00 · 2024-05-06 15:04:58 +08:00
parent d8a80ae599
commit 2eb35161d7
10 changed files with 604 additions and 400 deletions
--- a/localwaf/src/pages/waf/analysis/index.vue
+++ b/localwaf/src/pages/waf/analysis/index.vue
@@ -18,7 +18,7 @@
      </div>
      <div class="bottom-right">
        <!-- 右边下半部分内容 -->
-        右边下半部分内容
+
      </div>
    </div>
  </div>
@@ -440,8 +440,8 @@
  .bottom-right {
    flex: 1;
    /* 下半部分高度占比，这里为 1，可以根据需要调整 */
-    background-color: #c0c0c0;
+    background-color: #f0f0f0;
    /* 下半部分背景色 */
    padding: 20px;
  }
-</style>
+</style>
--- a/localwaf/src/pages/waf/attack/index.vue
+++ b/localwaf/src/pages/waf/attack/index.vue
@@ -317,7 +317,7 @@
          },
          {
            title: '访问url',
-            width: 300,
+            width: 160,
            ellipsis: true,
            colKey: 'url',
          },
@@ -346,7 +346,7 @@
          },
          {
            align: 'left',
-            width: 200,
+            width: 120,
            colKey: 'op',
            title: '操作',
          },
--- a/localwaf/src/pages/waf/host/index.vue
+++ b/localwaf/src/pages/waf/host/index.vue
--- a/model/hosts.go
+++ b/model/hosts.go
@@ -18,4 +18,13 @@ type Hosts struct {
 	Keyfile       string `json:"keyfile"`       //密钥文件
 	REMARKS       string `json:"remarks"`       //备注
 	GLOBAL_HOST   int    `json:"global_host"`   //默认全局 1 全局 0非全局
+	DEFENSE_JSON  string `json:"defense_json"`  //自身防御 json
+}
+
+type HostsDefense struct {
+	DEFENSE_BOT  int `json:"bot"`  //防御-虚假BOT
+	DEFENSE_SQLI int `json:"sqli"` //防御-Sql注入
+	DEFENSE_XSS  int `json:"xss"`  //防御-xss攻击
+	DEFENSE_SCAN int `json:"scan"` //防御-scan工具扫描
+	DEFENSE_RCE  int `json:"rce"`  //防御-scan工具扫描
 }
--- a/model/request/waf_host_add_req.go
+++ b/model/request/waf_host_add_req.go
@@ -12,4 +12,5 @@ type WafHostAddReq struct {
 	REMARKS       string `json:"remarks"`       //备注
 	Certfile      string `json:"certfile"`      // 证书文件
 	Keyfile       string `json:"keyfile"`       // 密钥文件
+	DEFENSE_JSON  string `json:"defense_json"`  //自身防御 json
 }
--- a/model/request/waf_host_edit_req.go
+++ b/model/request/waf_host_edit_req.go
@@ -13,4 +13,5 @@ type WafHostEditReq struct {
 	REMARKS       string `json:"remarks"`       //备注
 	Certfile      string `json:"certfile"`      // 证书文件
 	Keyfile       string `json:"keyfile"`       // 密钥文件
+	DEFENSE_JSON  string `json:"defense_json"`  //自身防御 json
 }
--- a/service/waf_service/waf_host.go
+++ b/service/waf_service/waf_host.go
@@ -38,6 +38,7 @@ func (receiver *WafHostService) AddApi(wafHostAddReq request.WafHostAddReq) (str
 		Keyfile:       wafHostAddReq.Keyfile,
 		REMARKS:       wafHostAddReq.REMARKS,
 		GLOBAL_HOST:   0,
+		DEFENSE_JSON:  wafHostAddReq.DEFENSE_JSON,
 	}
 	global.GWAF_LOCAL_DB.Create(wafHost)
 	return wafHost.Code, nil
@@ -74,6 +75,7 @@ func (receiver *WafHostService) ModifyApi(wafHostEditReq request.WafHostEditReq)
 		"Certfile":      wafHostEditReq.Certfile,
 		"Keyfile":       wafHostEditReq.Keyfile,
 		"UPDATE_TIME":   customtype.JsonTime(time.Now()),
+		"DEFENSE_JSON":  wafHostEditReq.DEFENSE_JSON,
 	}
 	err := global.GWAF_LOCAL_DB.Debug().Model(model.Hosts{}).Where("CODE=?", wafHostEditReq.CODE).Updates(hostMap).Error

--- a/utils/desensitization.go
+++ b/utils/desensitization.go
@@ -2,13 +2,15 @@ package utils

 import (
 	"SamWaf/global"
+	"fmt"
 )

 func DeSenText(inStr string) string {
-	if outStr, _, err := global.GWAF_DLP.Deidentify(inStr); err == nil {
-		///fmt.Printf("\t1. Deidentify( inStr: %s )\n", inStr)
-		//fmt.Printf("\toutStr: %s\n", outStr)
-		//eng.ShowResults(results)
+
+	if outStr, results, err := global.GWAF_DLP.Deidentify(inStr); err == nil {
+		fmt.Printf("\t1. Deidentify( inStr: %s )\n", inStr)
+		fmt.Printf("\toutStr: %s\n", outStr)
+		global.GWAF_DLP.ShowResults(results)
 		//fmt.Println()
 		return outStr
 	}
--- a/wafdefenserce/defense_rce_tool.go
+++ b/wafdefenserce/defense_rce_tool.go
@@ -0,0 +1,30 @@
+package wafdefenserce
+
+import "strings"
+
+func DetermineRCE(args ...string) (bool, string) {
+	isRce, RceName := phpRCE(args...)
+	if isRce == true {
+		return isRce, RceName
+	}
+	return false, "未知"
+}
+
+/*
+*
+php rce检测
+*/
+func phpRCE(args ...string) (bool, string) {
+	for _, arg := range args {
+		if strings.Contains(arg, "phpinfo()") {
+			return true, "存在PHP rce攻击"
+		}
+		if strings.Contains(arg, "call_user_func_array") {
+			return true, "存在PHP rce攻击"
+		}
+		if strings.Contains(arg, "invokefunction") {
+			return true, "存在PHP rce攻击"
+		}
+	}
+	return false, "未知"
+}
--- a/wafenginecore/wafengine.go
+++ b/wafenginecore/wafengine.go
@@ -13,6 +13,7 @@ import (
 	"SamWaf/utils"
 	"SamWaf/utils/zlog"
 	"SamWaf/wafbot"
+	"SamWaf/wafdefenserce"
 	"SamWaf/wafproxy"
 	"bufio"
 	"bytes"
@@ -253,71 +254,97 @@ func (waf *WafEngine) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 			if jumpGuardFlag == false {

+				hostDefense := model.HostsDefense{
+					DEFENSE_BOT:  1,
+					DEFENSE_SQLI: 1,
+					DEFENSE_XSS:  1,
+					DEFENSE_SCAN: 1,
+					DEFENSE_RCE:  1,
+				}
+				err := json.Unmarshal([]byte(waf.HostTarget[host].Host.DEFENSE_JSON), &hostDefense)
+				if err != nil {
+					zlog.Error("解析defense json失败")
+				}
 				//检测爬虫bot
-				isBot, isNormalBot, BotName := wafbot.DetermineNormalSearch(weblogbean.USER_AGENT, weblogbean.SRC_IP)
-				if isBot == true {
-					if isNormalBot {
-						weblogbean.GUEST_IDENTIFICATION = BotName
-					} else {
-						weblogbean.GUEST_IDENTIFICATION = BotName
-						weblogbean.RISK_LEVEL = 1
-						EchoErrorInfo(w, r, weblogbean, BotName, "请正确访问")
+				if hostDefense.DEFENSE_BOT == 1 {
+					isBot, isNormalBot, BotName := wafbot.DetermineNormalSearch(weblogbean.USER_AGENT, weblogbean.SRC_IP)
+					if isBot == true {
+						if isNormalBot {
+							weblogbean.GUEST_IDENTIFICATION = BotName
+						} else {
+							weblogbean.GUEST_IDENTIFICATION = BotName
+							weblogbean.RISK_LEVEL = 1
+							EchoErrorInfo(w, r, weblogbean, BotName, "请正确访问")
+							return
+						}
+					}
+				}
+				if hostDefense.DEFENSE_SQLI == 1 {
+					var sqlFlag = false
+					//检测sql注入
+					if libinjection.IsSQLiNotReturnPrint(weblogbean.URL) ||
+						libinjection.IsSQLiNotReturnPrint(weblogbean.BODY) ||
+						libinjection.IsSQLiNotReturnPrint(weblogbean.POST_FORM) {
+						sqlFlag = true
+					}
+					if sqlFlag == false {
+						for _, value := range formValues {
+							for _, v := range value {
+								if libinjection.IsSQLiNotReturnPrint(v) {
+									sqlFlag = true
+								}
+							}
+						}
+					}
+					if sqlFlag == true {
+						weblogbean.RISK_LEVEL = 2
+						EchoErrorInfo(w, r, weblogbean, "SQL注入", "请正确访问")
 						return
 					}
 				}

-				var sqlFlag = false
-				//检测sql注入
-				if libinjection.IsSQLiNotReturnPrint(weblogbean.URL) ||
-					libinjection.IsSQLiNotReturnPrint(weblogbean.BODY) ||
-					libinjection.IsSQLiNotReturnPrint(weblogbean.POST_FORM) {
-					sqlFlag = true
-				}
-				if sqlFlag == false {
-					for _, value := range formValues {
-						for _, v := range value {
-							if libinjection.IsSQLiNotReturnPrint(v) {
-								sqlFlag = true
-							}
-						}
-					}
-				}
-				if sqlFlag == true {
-					weblogbean.RISK_LEVEL = 2
-					EchoErrorInfo(w, r, weblogbean, "SQL注入", "请正确访问")
-					return
-				}
 				//检测xss注入
-				var xssFlag = false
-				if libinjection.IsXSS(weblogbean.URL) ||
-					libinjection.IsXSS(weblogbean.POST_FORM) {
-					xssFlag = true
-				}
-				if xssFlag == false {
-					for _, value := range formValues {
-						for _, v := range value {
-							if libinjection.IsXSS(v) {
-								//xssFlag = true
+				if hostDefense.DEFENSE_XSS == 1 {
+					var xssFlag = false
+					if libinjection.IsXSS(weblogbean.URL) ||
+						libinjection.IsXSS(weblogbean.POST_FORM) {
+						xssFlag = true
+					}
+					if xssFlag == false {
+						for _, value := range formValues {
+							for _, v := range value {
+								if libinjection.IsXSS(v) {
+									//xssFlag = true
+								}
 							}
 						}
 					}
+					if xssFlag == true {
+						weblogbean.RISK_LEVEL = 2
+						EchoErrorInfo(w, r, weblogbean, "XSS跨站注入", "请正确访问")
+						return
+					}
 				}
-				if xssFlag == true {
-					weblogbean.RISK_LEVEL = 2
-					EchoErrorInfo(w, r, weblogbean, "XSS跨站注入", "请正确访问")
-					return
-				}
-				//检测xss
-
 				//检测扫描工具
-				var scanFlag = false
-				if libinjection.IsScan(weblogbean) {
-					scanFlag = true
+				if hostDefense.DEFENSE_SCAN == 1 {
+					var scanFlag = false
+					if libinjection.IsScan(weblogbean) {
+						scanFlag = true
+					}
+					if scanFlag == true {
+						weblogbean.RISK_LEVEL = 1
+						EchoErrorInfo(w, r, weblogbean, "扫描工具", "请正确访问")
+						return
+					}
 				}
-				if scanFlag == true {
-					weblogbean.RISK_LEVEL = 1
-					EchoErrorInfo(w, r, weblogbean, "扫描工具", "请正确访问")
-					return
+				//检测RCE
+				if hostDefense.DEFENSE_RCE == 1 {
+					isRce, RceName := wafdefenserce.DetermineRCE(weblogbean.URL, weblogbean.COOKIES, weblogbean.POST_FORM)
+					if isRce == true {
+						weblogbean.RISK_LEVEL = 3
+						EchoErrorInfo(w, r, weblogbean, "RCE:"+RceName, "请正确访问")
+						return
+					}
 				}
 				// cc 防护 (局部检测 )
 				if waf.HostTarget[host].PluginIpRateLimiter != nil {
@@ -383,7 +410,10 @@ func (waf *WafEngine) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			}

 		}
-
+		//日志保存时候也是脱敏保存防止，数据库密码被破解，遭到敏感信息遭到泄露
+		if weblogbean.BODY != "" {
+			weblogbean.BODY = utils.DeSenText(weblogbean.BODY)
+		}
 		//global.GQEQUE_LOG_DB.PushBack(weblogbean)
 		remoteUrl, err := url.Parse(target.TargetHost)
 		if err != nil {