feat: 增加 1pwaf 2.0 的相关配置

2024-12-20 12:04:01 +08:00 · 2024-12-20 12:04:01 +08:00 · 7ed83d5576
parent 0634a265d8
commit 7ed83d5576
77 changed files with 1022 additions and 481 deletions
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/global.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/global.json
@ -1,17 +1,9 @@
 {
  "waf": {
-    "state": "off",
+    "state": "on",
    "mode": "protection",
    "secret": ""
  },
-  "redis": {
-    "state": "off",
-    "host": "",
-    "port": 6379,
-    "password": "",
-    "ssl": false,
-    "poolSize": 10
-  },
  "ipWhite": {
    "state": "on",
    "type": "ipWhite",
@ -47,7 +39,7 @@
    "action": "deny"
  },
  "notFoundCount": {
-    "state": "on",
+    "state": "off",
    "type": "notFoundCount",
    "threshold": 30,
    "duration": 10,
@ -62,14 +54,6 @@
    "code": 444,
    "action": "deny"
  },
-  "bot": {
-    "state": "on",
-    "type": "bot",
-    "uri": "/1pwaf/bot/trap",
-    "action": "REDIRECT_JS",
-    "ipBlock": "on",
-    "ipBlockTime": 600
-  },
  "unknownWebsite": {
    "state": "on",
    "type": "unknownWebsite",
@ -104,7 +88,7 @@
    "action": "deny"
  },
  "cc": {
-    "state": "on",
+    "state": "off",
    "type": "cc",
    "rule": "cc",
    "tokenTimeOut": 1800,
@ -115,7 +99,7 @@
    "ipBlockTime": 600,
    "mode": "uri"
  },
-  "ccurl": {
+  "urlcc": {
    "state": "off",
    "type": "urlcc",
    "action": "deny",
@ -123,7 +107,7 @@
    "ipBlockTime": 600
  },
  "attackCount": {
-    "state": "on",
+    "state": "off",
    "type": "attackCount",
    "threshold": 10,
    "duration": 60,
@ -132,7 +116,7 @@
    "ipBlockTime": 3000
  },
  "fileExt": {
-    "state": "off",
+    "state": "on",
    "action": "deny",
    "code": 403,
    "type": "fileExtCheck"
@ -169,5 +153,22 @@
  },
  "cdn": {
    "state": "off"
+  },
+  "vuln": {
+    "state": "on",
+    "type": "vulnCheck",
+    "code": 403,
+    "action": "deny"
+  },
+  "log": {
+    "maxDay": 180,
+    "maxSize": 1,
+    "external": ["acl","ipWhite","ipBlack","geoRestrict","urlWhite","urlBlack","uaWhite","uaBlack"]
+  },
+  "strict": {
+    "state": "on",
+    "type": "strict",
+    "code": 403,
+    "action": "deny"
  }
 }
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/monitor.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/monitor.json
@ -25,6 +25,7 @@
    "ip": []
  },
  "log": {
-    "maxDay": 180
+    "maxDay": 180,
+    "maxSize": 5
  }
 }
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/siteConfig.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/siteConfig.json
@ -21,14 +21,6 @@
    "code": 403,
    "action": "deny"
  },
-  "bot": {
-    "type": "bot",
-    "state": "on",
-    "uri": "/1pwaf/bot/trap",
-    "action": "deny",
-    "ipBlock": "off",
-    "ipBlockTime": 600
-  },
  "geoRestrict": {
    "state": "off",
    "rules": [],
@ -61,13 +53,6 @@
    "ipBlockTime": 600,
    "mode": "uri"
  },
-  "ccurl": {
-    "state": "on",
-    "type": "ccurl",
-    "action": "deny",
-    "ipBlock": "off",
-    "ipBlockTime": 600
-  },
  "fileExt": {
    "state": "off",
    "action": "deny",
@ -94,5 +79,11 @@
  },
  "cdn": {
    "state": "off"
+  },
+  "strict": {
+    "state": "on",
+    "type": "strict",
+    "code": 403,
+    "action": "deny"
  }
 }
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/waf.conf
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/waf.conf
@ -1,10 +1,9 @@
 lua_shared_dict waf_req_count 10m;
-lua_shared_dict waf 50m;
-lua_shared_dict waf_block_ip 10m;
-lua_shared_dict waf_ip_arr 20m;
+lua_shared_dict waf 200m;
+lua_shared_dict waf_block_ip 20m;
 lua_shared_dict waf_limit 10m;
-lua_shared_dict waf_sql 200m;
-lua_shared_dict waf_locks 100k;
+lua_shared_dict waf_sql 300m;
+lua_shared_dict waf_locks 1m;

 lua_code_cache on;
 lua_package_path "/usr/local/openresty/1pwaf/?.lua;/usr/local/openresty/1pwaf/lib/?.lua;;";
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/waf.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/conf/waf.json
@ -1,4 +1,4 @@
 {
  "name": "1Panel WAF",
-  "version": "1.0.0"
+  "version": "2.0"
 }
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/db/global/default.db
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/db/global/default.db
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/default/app/Halo.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/default/app/Halo.json
@ -0,0 +1,21 @@
+{
+  "name":"Halo",
+  "state": "on",
+  "rules": [
+    {
+      "type": "whiteUrl",
+      "pattern": "contain",
+      "values": [
+        "/apis/api.console.halo.run/v1alpha1/posts",
+        "/api/v1alpha1/configmaps/system",
+        "/apis/api.console.halo.run/v1alpha1/singlepage",
+        "/apis/api.console.halo.run/v1alpha1/attachments/upload"
+      ],
+      "check": {
+        "type": "cookie",
+        "pattern": "eq",
+        "values": ["SESSION"]
+      }
+    }
+  ]
+} 
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/default/app/WordPress.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/default/app/WordPress.json
@ -0,0 +1,21 @@
+{
+  "name":"WordPress",
+  "state": "on",
+  "rules": [
+    {
+      "type": "whiteUrl",
+      "pattern": "eq",
+      "method": "POST",
+      "values": [
+        "/wp-admin/admin-ajax.php",
+        "/wp-admin/post.php",
+        "/wp-admin/admin.php"
+      ],
+      "check": {
+        "type": "cookie",
+        "pattern": "startWith",
+        "values": ["wordpress_logged_in_"]
+      }
+    }
+  ]
+} 
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/default/global.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/default/global.json
@ -4,14 +4,6 @@
    "mode": "protection",
    "secret": ""
  },
-  "redis": {
-    "state": "off",
-    "host": "",
-    "port": 6379,
-    "password": "",
-    "ssl": false,
-    "poolSize": 10
-  },
  "ipWhite": {
    "state": "on",
    "type": "ipWhite",
@ -113,14 +105,16 @@
    "action": "deny",
    "ipBlock": "on",
    "ipBlockTime": 600,
-    "mode": "uri"
+    "mode": "uri",
+    "code": 403
  },
-  "ccurl": {
+  "urlcc": {
    "state": "off",
    "type": "urlcc",
    "action": "deny",
    "ipBlock": "on",
-    "ipBlockTime": 600
+    "ipBlockTime": 600,
+    "code": 403
  },
  "attackCount": {
    "state": "on",
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/geo/BlackIP.mmdb
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/geo/BlackIP.mmdb
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/geo/GeoIP.mmdb
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/geo/GeoIP.mmdb
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/geo/SpiderIP.mmdb
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/geo/SpiderIP.mmdb
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/html/5s.html
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/html/5s.html
@ -2,12 +2,14 @@
 <html lang="en">
 <head>
 <title>5s</title>
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
 <style>
 #loadingContainer { position: absolute; top: 50%%; left: 50%%; transform: translate(-50%%, -50%%); display: flex; align-items: center; justify-content: center; flex-direction: column; background: #e8e8e8; width: 300px; height: 100px; border: 2px solid #e8e8e8; }
 #loadingText { font-size: 18px; margin-top: 10px; }
 #loadingSuccess { display: none; font-size: 24px; color: #7ac23c; margin-top: 10px; }
 .loadingSpinner { border: 4px solid rgba(0, 0, 0, 0.1); border-top: 4px solid #7ac23c; border-radius: 50%%; width: 20px; height: 20px; animation: spin 1s linear infinite; margin-top: 10px; }
@keyframes spin { 0%% { transform: rotate(0deg); } 100%% { transform: rotate(360deg); } }
+@media screen and (max-width: 768px) { #loadingContainer { width: 90%%; height: auto;padding: 20px;}  #loadingText {font-size: 16px;}  #loadingSuccess {font-size: 20px;}  .loadingSpinner {width: 30px;height: 30px;border-width: 5px;}  }
 </style>
 </head>
 <body>
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/html/slide.html
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/html/slide.html
@ -9,8 +9,7 @@
 #dragHandler {position:absolute;width:40px;height:100%%;cursor:pointer;box-sizing:border-box;overflow:hidden;}
 #dragHandler.dragHandlerBg {background-color:#c0c0c0;}
 #dragHandler.dragHandlerBg::before {content:'»';font-size:24px;position:absolute;top:50%%;left:50%%;transform:translate(-50%%, -50%%);color:#7ac23c;}
-.dragHandlerOkBg {position:absolute;border-radius:50%%;background-color:#7ac23c;display:flex;justify-content:center;align-items:center;}
-.dragHandlerOkBg::before {content:'\2713';font-size:16px;color:white;}
+@media screen and (max-width: 768px) {  #dragContainer {height: 40px;width: 90%%;}  #dragText {line-height: 40px;font-size: 18px;}  #dragHandler {width: 50px;}  #dragHandler.dragHandlerBg::before {font-size: 28px;}  }
 </style>
 </head>
 <body>
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/args.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/args.json
@ -2,156 +2,51 @@
  "rules": [
    {
      "state": "on",
-      "name": "sqlInject1",
-      "rule": "select.+(from|limit)",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject2",
-      "rule": "(?:(union(.*?)select))",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject3",
-      "rule": "having|rongjitest",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject4",
+      "name": "000001",
      "rule": "sleep\\((\\s*)(\\d*)(\\s*)\\)",
      "type": "sqlInject"
    },
    {
      "state": "on",
-      "name": "sqlInject5",
-      "rule": "benchmark\\((.*)\\,(.*)\\)",
+      "name": "000002",
+      "rule": "(exists\\(|select\\#|\\(select|select\\()",
      "type": "sqlInject"
    },
    {
      "state": "on",
-      "name": "sqlInject6",
-      "rule": "group\\s+by.+\\(",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject7",
-      "rule": "(?:from\\W+information_schema\\W)",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject8",
-      "rule": "(?:(?:current_)user|database|schema|connection_id)\\s*\\(",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject9",
-      "rule": "into(\\s+)+(?:dump|out)file\\s*",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject10",
-      "rule": "\\s+(or|xor|and)\\s+.*(=|<|>|'|\")",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "args1",
-      "rule": "xwork.MethodAccessor",
-      "type": "args",
-      "description": "Struts 恶意参数过滤"
-    },
-    {
-      "state": "on",
-      "name": "args2",
-      "rule": "xwork\\.MethodAccessor",
-      "type": "args",
-      "description": "Struts 恶意参数过滤"
-    },
-    {
-      "state": "on",
-      "name": "oneWordTrojan1",
+      "name": "000003",
      "rule": "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(",
      "type": "oneWordTrojan"
    },
    {
      "state": "on",
-      "name": "oneWordTrojan2",
-      "rule": "\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[",
-      "type": "oneWordTrojan"
-    },
-    {
-      "state": "on",
-      "name": "protocolFilter1",
-      "rule": "(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/",
-      "type": "protocolFilter",
-      "description": "协议过滤"
-    },
-    {
-      "state": "on",
-      "name": "dirFilter1",
+      "name": "000004",
      "rule": "(?:etc\\/\\W*passwd)",
      "type": "dirFilter"
    },
    {
      "state": "on",
-      "name": "dirFilter2",
+      "name": "000004",
      "rule": "java\\.lang",
      "type": "dirFilter"
    },
    {
      "state": "on",
-      "name": "dirFilter3",
-      "rule": "(?:etc\\/\\W*shadow)",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "dirFilter4",
-      "rule": "(?:bin\\/\\W*sh)",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "xss1",
-      "rule": "\\<(iframe|script|body|img|layer|div|meta|style|base|object|input)",
+      "name": "000005",
+      "rule": "(window\\['|globalThis\\[|self\\[|top\\[|this\\[|parent\\[)",
      "type": "xss"
    },
    {
      "state": "on",
-      "name": "xss2",
-      "rule": "(onmouseover|onerror|onload)\\=",
-      "type": "xss"
+      "name": "000006",
+      "rule": "(invokefunction|call_user_func_array|\\\\think\\\\)",
+      "type": "args"
    },
    {
      "state": "on",
-      "name": "xss3",
-      "rule": "base64_decode\\(",
-      "type": "xss"
-    },
-    {
-      "state": "on",
-      "name": "webshell1",
-      "rule": "/shell?cd+/tmp;\\s*rm+-rf\\+\\*;\\s*wget",
-      "type": "webshell"
-    },
-    {
-      "state": "on",
-      "name": "phpExec1",
-      "rule": "/systembc/password.php",
-      "type": "phpExec"
-    },
-    {
-      "state": "on",
-      "name": "scannerFilter1",
-      "rule": "(Acunetix-Aspect|Acunetix-Aspect-Password|Acunetix-Aspect-Queries|X-WIPP|X-RequestManager-Memo|X-Request-Memo|X-Scan-Memo)",
-      "type": "scannerFilter"
+      "name": "000007",
+      "rule": "\\${jndi:",
+      "type": "args"
    }
  ]
 }
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/cookie.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/cookie.json
@ -1,138 +1,10 @@
 {
  "rules": [
-    {
-      "state": "on",
-      "name": "dirFilter1",
-      "rule": "\\.\\./",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "dirFilter2",
-      "rule": "\\:\\$",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "dirFilter3",
-      "rule": "\\$\\{",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "dirFilter4",
-      "rule": "(?:etc\\/\\W*passwd)",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "dirFilter5",
-      "rule": "java\\.lang",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject1",
-      "rule": "select.+(from|limit)",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject2",
-      "rule": "(?:(union(.*?)select))",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject3",
-      "rule": "having|rongjitest",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject4",
-      "rule": "sleep\\((\\s*)(\\d*)(\\s*)\\)",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject5",
-      "rule": "benchmark\\((.*)\\,(.*)\\)",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject6",
-      "rule": "group\\s+by.+\\(",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject7",
-      "rule": "(?:from\\W+information_schema\\W)",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject8",
-      "rule": "(?:(?:current_)user|database|schema|connection_id)\\s*\\(",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject9",
-      "rule": "into(\\s+)+(?:dump|out)file\\s*",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "sqlInject10",
-      "rule": "\\s+(or|xor|and)\\s+.*(=|<|>|'|\")",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "name": "args1",
-      "rule": "xwork.MethodAccessor",
-      "type": "args",
-      "description": "Struts 恶意参数过滤"
-    },
-    {
-      "state": "on",
-      "name": "args2",
-      "rule": "xwork\\.MethodAccessor",
-      "type": "args",
-      "description": "Struts 恶意参数过滤"
-    },
-    {
-      "state": "on",
-      "name": "oneWordTrojan1",
-      "rule": "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(",
-      "type": "oneWordTrojan"
-    },
-    {
-      "state": "on",
-      "name": "oneWordTrojan2",
-      "rule": "\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[",
-      "type": "oneWordTrojan"
-    },
-    {
-      "state": "on",
-      "name": "protocolFilter1",
-      "rule": "(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/",
-      "type": "protocolFilter"
-    },
    {
      "state":"on",
      "name":"scannerFilter1",
      "rule":"(CustomCookie|acunetixCookie)",
      "type": "scannerFilter"
-    },
-    {
-      "state": "on",
-      "name": "xss1",
-      "rule": "base64_decode\\(",
-      "type": "xss"
    }
  ]
 }
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/defaultUaBlack.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/defaultUaBlack.json
@ -3,7 +3,7 @@
    {
      "state": "on",
      "name": "uaBlock1",
-      "rule": "HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/",
+      "rule": "Fuzz|Nuclei|OpenVAS-VT|HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/",
      "type": "scannerFilter"
    }
  ]
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/defaultUrlBlack.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/defaultUrlBlack.json
@ -2,194 +2,38 @@
  "rules": [
    {
      "state": "on",
-      "rule": "\\.(htaccess|mysql_history|bash_history|DS_Store|git|idea|user\\.ini)",
-      "name": "dirFilter1",
+      "rule": "\\.(htaccess|mysql_history|bash_history|DS_Store|git|env|idea|user\\.ini)",
+      "name": "000001",
      "type": "dirFilter"
    },
    {
      "state": "on",
-      "rule": "\\.(bak|inc|old|mdb|sql|backup|java|class)$",
-      "name": "dirFilter2",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "rule": "^/(vhost|bbs|host|wwwroot|www|site|root|backup|data|ftp|db|admin|website|web).*\\.(rar|sql|zip|tar\\.gz|tar)$",
-      "name": "dirFilter3",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "rule": "java\\.lang",
-      "name": "dirFilter4",
-      "type": "dirFilter"
-    },
-    {
-      "state": "on",
-      "name": "dirFilter5",
+      "name": "000002",
      "rule": "(?:etc\\/\\W*passwd)",
      "type": "dirFilter"
    },
    {
      "state": "on",
-      "name": "dirFilter6",
-      "rule": "(?:bin\\/\\W*sh)",
+      "name": "000004",
+      "rule": "\\.{2,}[\\/\\\\]|%2e%2e[%2f%5c]",
      "type": "dirFilter"
    },
    {
      "state": "on",
-      "rule": "/(hack|shell|spy|phpspy)\\.php$",
-      "name": "phpExec1",
-      "type": "phpExec"
-    },
-    {
-      "state": "on",
-      "rule": "/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\\\w+).(php|jsp)",
-      "name": "phpExec2",
-      "type": "phpExec"
-    },
-    {
-      "state": "on",
-      "rule": "(?:phpMyAdmin2|phpMyAdmin|phpmyadmin|dbadmin|pma|myadmin|admin|mysql)/scripts/setup%.php",
-      "name": "phpExec3",
-      "type": "phpExec"
-    },
-    {
-      "state": "on",
-      "rule": "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(",
-      "name": "oneWordTrojan1",
-      "type": "oneWordTrojan"
-    },
-    {
-      "state": "on",
-      "rule": "(?:(union(.*?)select))",
-      "name": "sqlInject1",
-      "type": "sqlInject"
-    },
-    {
-      "state": "on",
-      "rule": "(phpmyadmin|jmx-console|jmxinvokerservlet)",
-      "name": "appFilter1",
+      "name": "000005",
+      "rule": "WEB-INF/web.xml",
      "type": "appFilter"
    },
    {
      "state": "on",
+      "name": "000006",
+      "rule": "boaform/admin/formLogin",
+      "type": "appFilter"
+    },
+    {
+      "state": "on",
+      "name": "000007",
      "rule": "wp-includes/wlwmanifest.xml",
-      "name": "appFilter2",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "<php>die(@md5(HelloThinkCMF))</php>",
-      "name": "appFilter3",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/boaform/admin/formLogin",
-      "name": "appFilter4",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/password_change.cgi",
-      "name": "appFilter5",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/service/extdirect",
-      "name": "appFilter6",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/api/jsonws/invoke",
-      "name": "appFilter7",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/jars/upload",
-      "name": "appFilter8",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/example/tree/a/search",
-      "name": "appFilter9",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/actuator/gateway/routes/hacktest",
-      "name": "appFilter10",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/api/v1/method.callAnon/getPasswordPolicy",
-      "name": "appFilter11",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/functionRouter",
-      "name": "appFilter12",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/uploadfiles/apache.php.jpeg",
-      "name": "appFilter14",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/xxx/..;/admin/",
-      "name": "appFilter15",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/dvwa/js/dvwaPage.js",
-      "name": "appFilter16",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/api/index.php/v1/config/application",
-      "name": "appFilter17",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/WEB-INF/web.xml",
-      "name": "appFilter18",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/rest/tinymce/1/macro/preview",
-      "name": "appFilter19",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/pages/doenterpagevariables.action",
-      "name": "appFilter20",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/service/rest/beta/repositories/go/group",
-      "name": "appFilter21",
-      "type": "appFilter"
-    },
-    {
-      "state": "on",
-      "rule": "/dvwa/js/add_event_listeners.js",
-      "name": "appFilter22",
      "type": "appFilter"
    }
  ]
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/header.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/header.json
@ -12,12 +12,6 @@
      "rule": "j\\S*ndi\\S*:\\S*(?:dap|dns)\\S+",
      "type": "appFilter"
    },
-    {
-      "state": "on",
-      "name": "appFilter3",
-      "rule": "(?:etc\\/\\W*passwd)",
-      "type": "appFilter"
-    },
    {
      "state": "on",
      "name": "scannerFilter1",
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/urlcc.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/urlcc.json
@ -0,0 +1,4 @@
+{
+  "rules": [
+  ]
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10000.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10000.json
@ -0,0 +1,14 @@
+{
+  "id":"10000",
+  "state": "on",
+  "name": "Webmin",
+  "cve": "CVE-2019-15107",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/password_change.cgi",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10001.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10001.json
@ -0,0 +1,17 @@
+{
+  "id":"10001",
+  "state": "on",
+  "name": "Drupal",
+  "cve": "CVE-2018-7600",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/user/register",
+    "pattern": "contain",
+    "args": {
+      "element_parents": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10002.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10002.json
@ -0,0 +1,14 @@
+{
+  "id":"10002",
+  "state": "on",
+  "name": "Struts2",
+  "cve": "CVE-2013-2251",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/index\\.action\\?redirect",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10003.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10003.json
@ -0,0 +1,17 @@
+{
+  "id":"10003",
+  "state": "on",
+  "name": "AJ-Report",
+  "cve": "CNVD-2024-15077",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/dataSetParam/verification;swagger-ui",
+    "pattern": "contain",
+    "params": {
+      "validationRules": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10004.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10004.json
@ -0,0 +1,14 @@
+{
+  "id":"10004",
+  "state": "on",
+  "name": "Jira",
+  "cve": "CVE-2019-8451",
+  "type": "ssrf",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/plugins/servlet/gadgets/makeRequest\\?url",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10005.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10005.json
@ -0,0 +1,17 @@
+{
+  "id":"10005",
+  "state": "on",
+  "name": "SaltStack",
+  "cve": "CVE-2020-16846",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/run",
+    "pattern": "eq",
+    "params": {
+      "ssh_priv": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10006.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10006.json
@ -0,0 +1,14 @@
+{
+  "id":"10006",
+  "state": "on",
+  "name": "Apache Spark",
+  "cve": "CVE-2022-33891",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/\\?doAs",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10007.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10007.json
@ -0,0 +1,17 @@
+{
+  "id":"10007",
+  "state": "on",
+  "name": "Apache Ofbiz XML-RPC ",
+  "cve": "CVE-2023-49070",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/webtools/control/xmlrpc;/",
+    "pattern": "contain",
+    "args": {
+      "requirePasswordChange": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10008.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10008.json
@ -0,0 +1,14 @@
+{
+  "id":"10008",
+  "state": "on",
+  "name": "Apache OFBiz",
+  "cve": "CVE-2021-26295",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/webtools/control/SOAPServic",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10009.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10009.json
@ -0,0 +1,14 @@
+{
+  "id":"10009",
+  "state": "on",
+  "name": "elFinder",
+  "cve": "CVE-2022-26960",
+  "type": "afr",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/connector.minimal.php",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10010.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10010.json
@ -0,0 +1,14 @@
+{
+  "id":"10010",
+  "state": "on",
+  "name": "Joomla",
+  "cve": "CVE-2023-23752",
+  "type": "ua",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/api/index.php/v1/config/application\\?public=true",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10011.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10011.json
@ -0,0 +1,17 @@
+{
+  "id":"10011",
+  "state": "on",
+  "name": "Nexus Repository Manager",
+  "cve": "CVE-2018-16621",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/service/extdirect",
+    "pattern": "eq",
+    "params": {
+      "roles": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10012.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10012.json
@ -0,0 +1,14 @@
+{
+  "id":"10012",
+  "state": "on",
+  "name": "Jetty",
+  "cve": "CVE-2021-28169",
+  "type": "id",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/static?/%2557EB-INF/web.xml",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10013.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10013.json
@ -0,0 +1,14 @@
+{
+  "id":"10013",
+  "state": "on",
+  "name": "Gitlist",
+  "cve": "CVE-2018-1000533",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "^/[^/]+/tree/[^/]+/search$",
+    "pattern": "regex"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10014.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10014.json
@ -0,0 +1,14 @@
+{
+  "id":"10014",
+  "state": "on",
+  "name": "Shiro",
+  "cve": "CVE-2020-1957",
+  "type": "aa",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/..;/admin/",
+    "pattern": "regex"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10015.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10015.json
@ -0,0 +1,17 @@
+{
+  "id":"10015",
+  "state": "on",
+  "name": "Spring Cloud Gateway",
+  "cve": "CVE-2022-22947",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/actuator/gateway/routes/hacktest",
+    "pattern": "eq",
+    "params": {
+      "name": "AddResponseHeader"
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10016.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10016.json
@ -0,0 +1,14 @@
+{
+  "id":"10016",
+  "state": "on",
+  "name": "Apache Flink",
+  "cve": "CVE-2020-17519",
+  "type": "dr",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/jobmanager/logs/",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10017.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10017.json
@ -0,0 +1,18 @@
+{
+  "id":"10017",
+  "state": "on",
+  "name": "Nette",
+  "cve": "CVE-2020-15227",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/nette.micro",
+    "pattern": "contain",
+    "args": {
+      "callback": "shell_exec",
+      "cmd": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10018.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10018.json
@ -0,0 +1,14 @@
+{
+  "id":"10018",
+  "state": "on",
+  "name": "泛微E-cology",
+  "cve": "QVD-2023-16177",
+  "type": "xxe",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/rest/ofs/deleteUserRequestInfoByXml",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10019.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10019.json
@ -0,0 +1,14 @@
+{
+  "id":"10019",
+  "state": "on",
+  "name": "极通EWEBS",
+  "cve": "",
+  "type": "afr",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/casmain.xgi",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10020.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10020.json
@ -0,0 +1,17 @@
+{
+  "id":"10020",
+  "state": "on",
+  "name": "Apache apisix",
+  "cve": "CVE-2020-13945",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/apisix/admin/routes",
+    "pattern": "eq",
+    "params": {
+      "script": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10021.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10021.json
@ -0,0 +1,17 @@
+{
+  "id":"10021",
+  "state": "on",
+  "name": "Apache apisix",
+  "cve": "CVE-2020-13945",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/apisix/admin/routes",
+    "pattern": "eq",
+    "params": {
+      "script": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10022.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10022.json
@ -0,0 +1,17 @@
+{
+  "id":"10022",
+  "state": "on",
+  "name": "Metabase",
+  "cve": "CVE-2021-41277",
+  "type": "afr",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/api/geojson",
+    "pattern": "eq",
+    "args": {
+      "url": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10023.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10023.json
@ -0,0 +1,14 @@
+{
+  "id":"10023",
+  "state": "on",
+  "name": "Ofbiz",
+  "cve": "CVE-2020-9496",
+  "type": "suid",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/webtools/control/xmlrpc",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10024.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10024.json
@ -0,0 +1,18 @@
+{
+  "id":"10024",
+  "state": "on",
+  "name": "Kibana",
+  "cve": "CVE-2018-17246",
+  "type": "afr",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/api/console/api_server",
+    "pattern": "eq",
+    "args": {
+      "sense_version": "",
+      "apis": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10025.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10025.json
@ -0,0 +1,18 @@
+{
+  "id":"10025",
+  "state": "on",
+  "name": "Jenkins",
+  "cve": "CVE-2018-1000861",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript",
+    "pattern": "eq",
+    "args": {
+      "sandbox": "true",
+      "value": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10026.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10026.json
@ -0,0 +1,14 @@
+{
+  "id":"10026",
+  "state": "on",
+  "name": "WebLogic",
+  "cve": "CVE-2017-3506",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/wls-wsat/CoordinatorPortType",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10027.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10027.json
@ -0,0 +1,17 @@
+{
+  "id":"10027",
+  "state": "on",
+  "name": "Apache druid",
+  "cve": "CVE-2021-36749",
+  "type": "afr",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/druid/indexer/v1/sampler",
+    "pattern": "eq",
+    "args": {
+      "for": "connect"
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10028.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10028.json
@ -0,0 +1,14 @@
+{
+  "id":"10028",
+  "state": "on",
+  "name": "Apache HTTPD",
+  "cve": "",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "^/uploadfiles/.*\\.php\\.(?:jpg|jpeg)$",
+    "pattern": "regex"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10029.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10029.json
@ -0,0 +1,17 @@
+{
+  "id":"10029",
+  "state": "on",
+  "name": "Rocket.Chat",
+  "cve": "CVE-2021-22911",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/api/v1/method.callAnon/getPasswordPolicy",
+    "pattern": "eq",
+    "params": {
+      "message": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10030.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10030.json
@ -0,0 +1,14 @@
+{
+  "id":"10030",
+  "state": "on",
+  "name": "Spring Security",
+  "cve": "CVE-2022-22978",
+  "type": "aa",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "/admin/%0d",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10031.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10031.json
@ -0,0 +1,14 @@
+{
+  "id":"10031",
+  "state": "on",
+  "name": "Spring Cloud",
+  "cve": "CVE-2022-22963",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/functionRouter",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10032.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10032.json
@ -0,0 +1,14 @@
+{
+  "id":"10032",
+  "state": "on",
+  "name": "mongo-express",
+  "cve": "CVE-2019-10758",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/checkValid",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10033.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10033.json
@ -0,0 +1,17 @@
+{
+  "id":"10033",
+  "state": "on",
+  "name": "Nexus Repository Manager3",
+  "cve": "CVE-2020-10199",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/service/rest/beta/repositories/go/group",
+    "pattern": "eq",
+    "params": {
+      "memberNames": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10034.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10034.json
@ -0,0 +1,14 @@
+{
+  "id":"10034",
+  "state": "on",
+  "name": "Ruby On Rails",
+  "cve": "CVE-2018-3760",
+  "type": "dr",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/assets/file:",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10035.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10035.json
@ -0,0 +1,17 @@
+{
+  "id":"10035",
+  "state": "on",
+  "name": "Cacti",
+  "cve": "CVE-2022-46169",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/remote_agent.php",
+    "pattern": "eq",
+    "args": {
+      "poller_id": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10036.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10036.json
@ -0,0 +1,14 @@
+{
+  "id":"10036",
+  "state": "on",
+  "name": "Drupal",
+  "cve": "CVE-2014-9016",
+  "type": "dos",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/?q=node&destination=node",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10037.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10037.json
@ -0,0 +1,17 @@
+{
+  "id":"10037",
+  "state": "on",
+  "name": "Atlassian Confluence",
+  "cve": "CVE-2021-26084",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/pages/doenterpagevariables.action",
+    "pattern": "eq",
+    "params": {
+      "queryString": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10038.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10038.json
@ -0,0 +1,17 @@
+{
+  "id":"10038",
+  "state": "on",
+  "name": "Atlassian Confluence",
+  "cve": "CVE-2015-7808",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/ajax/api/hook/decodeArguments",
+    "pattern": "eq",
+    "args": {
+      "arguments": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10039.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10039.json
@ -0,0 +1,17 @@
+{
+  "id":"10039",
+  "state": "on",
+  "name": "DedeCMS",
+  "cve": "CVE-2018-7700",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/tag_test_action.php",
+    "pattern": "eq",
+    "args": {
+      "partcode": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10040.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10040.json
@ -0,0 +1,14 @@
+{
+  "id":"10040",
+  "state": "on",
+  "name": "Log4j",
+  "cve": "CVE-2021-44228",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "request_uri",
+    "uri": "jndi:ldap:",
+    "pattern": "contain"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10041.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10041.json
@ -0,0 +1,17 @@
+{
+  "id":"10041",
+  "state": "on",
+  "name": "Confluence",
+  "cve": "CVE-2019-3396",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/rest/tinymce/1/macro/preview",
+    "pattern": "eq",
+    "params": {
+      "_template": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10042.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10042.json
@ -0,0 +1,17 @@
+{
+  "id":"10042",
+  "state": "on",
+  "name": "Solr",
+  "cve": "CVE-2019-0193",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "^/solr/[\\w-]+/dataimport(?:\\?.*)?$",
+    "pattern": "regex",
+    "params": {
+      "command": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10043.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10043.json
@ -0,0 +1,17 @@
+{
+  "id":"10043",
+  "state": "on",
+  "name": "若依管理系统",
+  "cve": "CNVD-2021-01931",
+  "type": "afd",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/common/download/resource",
+    "pattern": "eq",
+    "args": {
+      "resource": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10044.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10044.json
@ -0,0 +1,17 @@
+{
+  "id":"10044",
+  "state": "on",
+  "name": "Coremail",
+  "cve": "",
+  "type": "il",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/mailsms/s",
+    "pattern": "eq",
+    "args": {
+      "func": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10045.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10045.json
@ -0,0 +1,17 @@
+{
+  "id":"10045",
+  "state": "on",
+  "name": "F5 BIG-IP",
+  "cve": "CVE-2020-5902",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp",
+    "pattern": "eq",
+    "args": {
+      "fileName": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10046.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10046.json
@ -0,0 +1,17 @@
+{
+  "id":"10046",
+  "state": "on",
+  "name": "齐治堡垒机",
+  "cve": "",
+  "type": "aa",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/audit/gui_detail_view.php",
+    "pattern": "eq",
+    "args": {
+      "token": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10047.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10047.json
@ -0,0 +1,17 @@
+{
+  "id":"10047",
+  "state": "on",
+  "name": "Craft",
+  "cve": "CVE-2020-9757",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/actions/seomatic/meta-container/meta-link-container/",
+    "pattern": "eq",
+    "args": {
+      "uri": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10048.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10048.json
@ -0,0 +1,17 @@
+{
+  "id":"10048",
+  "state": "on",
+  "name": "Laravel",
+  "cve": "CVE-2021-3129",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/_ignition/execute-solution",
+    "pattern": "eq",
+    "params": {
+      "solution": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10049.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10049.json
@ -0,0 +1,17 @@
+{
+  "id":"10049",
+  "state": "on",
+  "name": "Liferay Portal",
+  "cve": "CVE-2020-7961",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/api/jsonws/invoke",
+    "pattern": "eq",
+    "params": {
+      "cmd": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10050.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10050.json
@ -0,0 +1,17 @@
+{
+  "id":"10050",
+  "state": "on",
+  "name": "GeoServer",
+  "cve": "CVE-2023-25157",
+  "type": "sqlInjection",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/geoserver/ows",
+    "pattern": "eq",
+    "args": {
+      "service": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10051.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10051.json
@ -0,0 +1,14 @@
+{
+  "id":"10051",
+  "state": "on",
+  "name": "Flink",
+  "cve": "CVE-2020-17518",
+  "type": "afw",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/jars/upload",
+    "pattern": "eq"
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10052.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10052.json
@ -0,0 +1,17 @@
+{
+  "id":"10052",
+  "state": "on",
+  "name": "Nexus Repository Manager",
+  "cve": "CVE-2019-7238",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "request_uri",
+    "uri": "/service/extdirect",
+    "pattern": "eq",
+    "params": {
+      "action": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10053.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10053.json
@ -0,0 +1,17 @@
+{
+  "id":"10053",
+  "state": "on",
+  "name": "Apache druid",
+  "cve": "CVE-2021-25646",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/druid/indexer/v1/sampler",
+    "pattern": "eq",
+    "params": {
+      "function": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10054.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10054.json
@ -0,0 +1,17 @@
+{
+  "id":"10054",
+  "state": "on",
+  "name": "Apache Unomi",
+  "cve": "CVE-2020-13942",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/context.json",
+    "pattern": "eq",
+    "params": {
+      "filters": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10055.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10055.json
@ -0,0 +1,17 @@
+{
+  "id":"10055",
+  "state": "on",
+  "name": "F5 BIG-IP",
+  "cve": "CVE-2023-46747",
+  "type": "rce",
+  "remark": "",
+  "rule": {
+    "method":"POST",
+    "type": "uri",
+    "uri": "/mgmt/tm/util/bash",
+    "pattern": "eq",
+    "params": {
+      "command": ""
+    }
+  }
+}
--- a/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10056.json
+++ b/openresty/1.25.3.2-0-1-focal/1pwaf/data/rules/vuln/10056.json
@ -0,0 +1,17 @@
+{
+  "id":"10056",
+  "state": "on",
+  "name": "MetInfo",
+  "cve": "",
+  "type": "afr",
+  "remark": "",
+  "rule": {
+    "method":"GET",
+    "type": "uri",
+    "uri": "/include/thumb.php",
+    "pattern": "eq",
+    "args": {
+      "dir": ""
+    }
+  }
+}