diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf index d67d7d6ee..916575197 100644 --- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf +++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf @@ -96,7 +96,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf # ├── 932105 (2nd part of base rule, PL1) # ├── 932106 (stricter sibling of base rule, PL3 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[;\n\r`]|\$(?:\(?\(|{)|(?:\|)?\||\(\s*\)|[<>]\(|&?&|\{)\s*(?:(?:\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|(?:\s*\(|!)\s*|\{|\$))*\s*(?:['\"])*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/)?[\x5c'\"]*(?:l[\x5c'\"]*(?:w[\x5c'\"]*p[\x5c'\"]*-[\x5c'\"]*(?:d[\x5c'\"]*(?:o[\x5c'\"]*w[\x5c'\"]*n[\x5c'\"]*l[\x5c'\"]*o[\x5c'\"]*a[\x5c'\"]*d|u[\x5c'\"]*m[\x5c'\"]*p)|r[\x5c'\"]*e[\x5c'\"]*q[\x5c'\"]*u[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t|m[\x5c'\"]*i[\x5c'\"]*r[\x5c'\"]*r[\x5c'\"]*o[\x5c'\"]*r)|s(?:[\x5c'\"]*(?:b[\x5c'\"]*_[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*a[\x5c'\"]*s[\x5c'\"]*e|c[\x5c'\"]*p[\x5c'\"]*u|m[\x5c'\"]*o[\x5c'\"]*d|p[\x5c'\"]*c[\x5c'\"]*i|u[\x5c'\"]*s[\x5c'\"]*b|-[\x5c'\"]*F|h[\x5c'\"]*w|o[\x5c'\"]*f))?|z[\x5c'\"]*(?:(?:[ef][\x5c'\"]*)?g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|c[\x5c'\"]*(?:a[\x5c'\"]*t|m[\x5c'\"]*p)|m[\x5c'\"]*(?:o[\x5c'\"]*r[\x5c'\"]*e|a)|d[\x5c'\"]*i[\x5c'\"]*f[\x5c'\"]*f|l[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*s)|o[\x5c'\"]*(?:g[\x5c'\"]*(?:(?:n[\x5c'\"]*a[\x5c'\"]*m|s[\x5c'\"]*a[\x5c'\"]*v)[\x5c'\"]*e|i[\x5c'\"]*n[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*l)|c[\x5c'\"]*a[\x5c'\"]*(?:t[\x5c'\"]*e|l)[\x5c'\"]*(?:\s|<|>).*)|e[\x5c'\"]*s[\x5c'\"]*s[\x5c'\"]*(?:(?:f[\x5c'\"]*i[\x5c'\"]*l|p[\x5c'\"]*i[\x5c'\"]*p)[\x5c'\"]*e|e[\x5c'\"]*c[\x5c'\"]*h[\x5c'\"]*o|(?:\s|<|>).*)|a[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*(?:l[\x5c'\"]*o[\x5c'\"]*g(?:[\x5c'\"]*i[\x5c'\"]*n)?|c[\x5c'\"]*o[\x5c'\"]*m[\x5c'\"]*m|(?:\s|<|>).*)|d[\x5c'\"]*(?:c[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*g|d[\x5c'\"]*(?:\s|<|>).*)|(?:[np]|i[\x5c'\"]*n[\x5c'\"]*k[\x5c'\"]*s|y[\x5c'\"]*n[\x5c'\"]*x)[\x5c'\"]*(?:\s|<|>).*|u[\x5c'\"]*a[\x5c'\"]*(?:5[\x5c'\"]*\.[\x5c'\"]*[1234]|(?:\s|<|>).*)|f[\x5c'\"]*t[\x5c'\"]*p(?:[\x5c'\"]*g[\x5c'\"]*e[\x5c'\"]*t)?|t[\x5c'\"]*r[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*e)|c[\x5c'\"]*(?:o[\x5c'\"]*(?:m[\x5c'\"]*(?:p[\x5c'\"]*(?:r[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*s[\x5c'\"]*(?:\s|<|>).*|o[\x5c'\"]*s[\x5c'\"]*e[\x5c'\"]*r)|m[\x5c'\"]*a[\x5c'\"]*n[\x5c'\"]*d[\x5c'\"]*(?:\s|<|>).*)|p[\x5c'\"]*r[\x5c'\"]*o[\x5c'\"]*c)|h[\x5c'\"]*(?:d[\x5c'\"]*i[\x5c'\"]*r[\x5c'\"]*(?:\s|<|>).*|f[\x5c'\"]*l[\x5c'\"]*a[\x5c'\"]*g[\x5c'\"]*s|a[\x5c'\"]*t[\x5c'\"]*t[\x5c'\"]*r|m[\x5c'\"]*o[\x5c'\"]*d)|p[\x5c'\"]*(?:u[\x5c'\"]*l[\x5c'\"]*i[\x5c'\"]*m[\x5c'\"]*i[\x5c'\"]*t|(?:\s|<|>).*|a[\x5c'\"]*n|i[\x5c'\"]*o)|(?:a[\x5c'\"]*(?:p[\x5c'\"]*s[\x5c'\"]*h|t)|c)[\x5c'\"]*(?:\s|<|>).*|e[\x5c'\"]*r[\x5c'\"]*t[\x5c'\"]*b[\x5c'\"]*o[\x5c'\"]*t|r[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*t[\x5c'\"]*a[\x5c'\"]*b|u[\x5c'\"]*r[\x5c'\"]*l|[89][\x5c'\"]*9|s[\x5c'\"]*h)|b[\x5c'\"]*(?:z[\x5c'\"]*(?:(?:[ef][\x5c'\"]*)?g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|d[\x5c'\"]*i[\x5c'\"]*f[\x5c'\"]*f|l[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*s|m[\x5c'\"]*o[\x5c'\"]*r[\x5c'\"]*e|c[\x5c'\"]*a[\x5c'\"]*t|i[\x5c'\"]*p[\x5c'\"]*2)|u[\x5c'\"]*(?:s[\x5c'\"]*(?:y[\x5c'\"]*b[\x5c'\"]*o[\x5c'\"]*x|c[\x5c'\"]*t[\x5c'\"]*l)|n[\x5c'\"]*d[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*r[\x5c'\"]*(?:\s|<|>).*|i[\x5c'\"]*l[\x5c'\"]*t[\x5c'\"]*i[\x5c'\"]*n)|s[\x5c'\"]*d[\x5c'\"]*(?:c[\x5c'\"]*a[\x5c'\"]*t|i[\x5c'\"]*f[\x5c'\"]*f|t[\x5c'\"]*a[\x5c'\"]*r)|a[\x5c'\"]*(?:t[\x5c'\"]*c[\x5c'\"]*h[\x5c'\"]*(?:\s|<|>).*|s[\x5c'\"]*h)|r[\x5c'\"]*e[\x5c'\"]*a[\x5c'\"]*k[\x5c'\"]*s[\x5c'\"]*w)|e[\x5c'\"]*(?:x[\x5c'\"]*(?:p[\x5c'\"]*(?:e[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*(?:\s|<|>).*|a[\x5c'\"]*n[\x5c'\"]*d|o[\x5c'\"]*r[\x5c'\"]*t|r)|(?:e[\x5c'\"]*c[\x5c'\"]*)?(?:\s|<|>).*)|n[\x5c'\"]*(?:v(?:[\x5c'\"]*-[\x5c'\"]*u[\x5c'\"]*p[\x5c'\"]*d[\x5c'\"]*a[\x5c'\"]*t[\x5c'\"]*e)?|d[\x5c'\"]*(?:i[\x5c'\"]*f|s[\x5c'\"]*w))|(?:a[\x5c'\"]*s[\x5c'\"]*y[\x5c'\"]*_[\x5c'\"]*i[\x5c'\"]*n[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*a[\x5c'\"]*l|v[\x5c'\"]*a)[\x5c'\"]*l|(?:c[\x5c'\"]*h[\x5c'\"]*o|d)[\x5c'\"]*(?:\s|<|>).*|g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|m[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*s|s[\x5c'\"]*a[\x5c'\"]*c)|f[\x5c'\"]*(?:i(?:[\x5c'\"]*(?:l[\x5c'\"]*e[\x5c'\"]*(?:t[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t|(?:\s|<|>).*)|n[\x5c'\"]*d[\x5c'\"]*(?:\s|<|>).*|s[\x5c'\"]*h))?|t[\x5c'\"]*p[\x5c'\"]*(?:s[\x5c'\"]*t[\x5c'\"]*a[\x5c'\"]*t[\x5c'\"]*s|w[\x5c'\"]*h[\x5c'\"]*o|(?:\s|<|>).*)|(?:e[\x5c'\"]*t[\x5c'\"]*c[\x5c'\"]*h|l[\x5c'\"]*o[\x5c'\"]*c[\x5c'\"]*k|c)[\x5c'\"]*(?:\s|<|>).*|u[\x5c'\"]*n[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*i[\x5c'\"]*o[\x5c'\"]*n|o[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*h|g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p)|i[\x5c'\"]*(?:p[\x5c'\"]*(?:(?:6[\x5c'\"]*)?t[\x5c'\"]*a[\x5c'\"]*b[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*s|c[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*g)|r[\x5c'\"]*b(?:[\x5c'\"]*(?:2[\x5c'\"]*[01234567]|1(?:[\x5c'\"]*[89])?|3[\x5c'\"]*0))?|f[\x5c'\"]*c[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*g|o[\x5c'\"]*n[\x5c'\"]*i[\x5c'\"]*c[\x5c'\"]*e|d[\x5c'\"]*(?:\s|<|>).*)|h[\x5c'\"]*(?:t[\x5c'\"]*(?:d[\x5c'\"]*i[\x5c'\"]*g[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t|p[\x5c'\"]*a[\x5c'\"]*s[\x5c'\"]*s[\x5c'\"]*w[\x5c'\"]*d)|o[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*(?:n[\x5c'\"]*a[\x5c'\"]*m[\x5c'\"]*e|i[\x5c'\"]*d)|(?:e[\x5c'\"]*a[\x5c'\"]*d|u[\x5c'\"]*p)[\x5c'\"]*(?:\s|<|>).*|i[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*o[\x5c'\"]*r[\x5c'\"]*y)|a[\x5c'\"]*(?:l[\x5c'\"]*(?:i[\x5c'\"]*a[\x5c'\"]*s[\x5c'\"]*(?:\s|<|>).*|p[\x5c'\"]*i[\x5c'\"]*n[\x5c'\"]*e)|p[\x5c'\"]*t[\x5c'\"]*(?:-[\x5c'\"]*g[\x5c'\"]*e[\x5c'\"]*t|(?:\s|<|>).*)|d[\x5c'\"]*d[\x5c'\"]*u[\x5c'\"]*s[\x5c'\"]*e[\x5c'\"]*r|r[\x5c'\"]*(?:c[\x5c'\"]*h[\x5c'\"]*(?:\s|<|>).*|p)|(?:w[\x5c'\"]*[ks]|t)[\x5c'\"]*(?:\s|<|>).*)|g[\x5c'\"]*(?:(?:e[\x5c'\"]*(?:t[\x5c'\"]*f[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*l|m)|r[\x5c'\"]*e[\x5c'\"]*p|o)[\x5c'\"]*(?:\s|<|>).*|z[\x5c'\"]*(?:c[\x5c'\"]*a[\x5c'\"]*t|i[\x5c'\"]*p)|u[\x5c'\"]*n[\x5c'\"]*z[\x5c'\"]*i[\x5c'\"]*p|c[\x5c'\"]*c(?:[\x5c'\"]*(?:\s|<|>).*)?|i[\x5c'\"]*t(?:[\x5c'\"]*(?:\s|<|>).*)?|d[\x5c'\"]*b)|d[\x5c'\"]*(?:h[\x5c'\"]*c[\x5c'\"]*l[\x5c'\"]*i[\x5c'\"]*e[\x5c'\"]*n[\x5c'\"]*t|(?:i[\x5c'\"]*f[\x5c'\"]*f|u)[\x5c'\"]*(?:\s|<|>).*|(?:m[\x5c'\"]*e[\x5c'\"]*s|p[\x5c'\"]*k)[\x5c'\"]*g|o[\x5c'\"]*(?:a[\x5c'\"]*s|n[\x5c'\"]*e)|a[\x5c'\"]*s[\x5c'\"]*h)|j[\x5c'\"]*(?:o[\x5c'\"]*(?:u[\x5c'\"]*r[\x5c'\"]*n[\x5c'\"]*a[\x5c'\"]*l[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*l|b[\x5c'\"]*s[\x5c'\"]*(?:\s|<|>).*)|a[\x5c'\"]*v[\x5c'\"]*a[\x5c'\"]*(?:\s|<|>).*|e[\x5c'\"]*x[\x5c'\"]*e[\x5c'\"]*c)|k[\x5c'\"]*(?:i[\x5c'\"]*l[\x5c'\"]*l[\x5c'\"]*(?:a[\x5c'\"]*l[\x5c'\"]*l|(?:\s|<|>).*)|s[\x5c'\"]*h)|G[\x5c'\"]*E[\x5c'\"]*T[\x5c'\"]*(?:\s|<|>).*|7[\x5c'\"]*z(?:[\x5c'\"]*[ar])?)\b" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[;\n\r`]|\$(?:\(?\(|{)|(?:\|)?\||\(\s*\)|[<>]\(|&?&|\{)\s*(?:(?:\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|(?:\s*\(|!)\s*|\{|\$))*\s*(?:['\"])*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/)?[\x5c'\"]*(?:c[\x5c'\"]*(?:h[\x5c'\"]*(?:e[\x5c'\"]*c[\x5c'\"]*k[\x5c'\"]*_[\x5c'\"]*(?:s[\x5c'\"]*(?:t[\x5c'\"]*a[\x5c'\"]*t[\x5c'\"]*u[\x5c'\"]*s[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*l[\x5c'\"]*e|s[\x5c'\"]*l[\x5c'\"]*_[\x5c'\"]*c[\x5c'\"]*e[\x5c'\"]*r[\x5c'\"]*t)|b[\x5c'\"]*y[\x5c'\"]*_[\x5c'\"]*s[\x5c'\"]*s[\x5c'\"]*h|m[\x5c'\"]*e[\x5c'\"]*m[\x5c'\"]*o[\x5c'\"]*r[\x5c'\"]*y|c[\x5c'\"]*u[\x5c'\"]*p[\x5c'\"]*s|r[\x5c'\"]*a[\x5c'\"]*i[\x5c'\"]*d|l[\x5c'\"]*o[\x5c'\"]*g)|d[\x5c'\"]*i[\x5c'\"]*r[\x5c'\"]*(?:\s|<|>).*|f[\x5c'\"]*l[\x5c'\"]*a[\x5c'\"]*g[\x5c'\"]*s|o[\x5c'\"]*(?:o[\x5c'\"]*m|w[\x5c'\"]*n)|a[\x5c'\"]*t[\x5c'\"]*t[\x5c'\"]*r|r[\x5c'\"]*o[\x5c'\"]*o[\x5c'\"]*t|m[\x5c'\"]*o[\x5c'\"]*d)|o[\x5c'\"]*(?:m[\x5c'\"]*(?:p[\x5c'\"]*(?:r[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*s[\x5c'\"]*(?:\s|<|>).*|o[\x5c'\"]*s[\x5c'\"]*e[\x5c'\"]*r)|m(?:[\x5c'\"]*a[\x5c'\"]*n[\x5c'\"]*d[\x5c'\"]*(?:\s|<|>).*)?)|w[\x5c'\"]*(?:t[\x5c'\"]*h[\x5c'\"]*i[\x5c'\"]*n[\x5c'\"]*k|s[\x5c'\"]*a[\x5c'\"]*y)|l[\x5c'\"]*u[\x5c'\"]*m[\x5c'\"]*n[\x5c'\"]*(?:\s|<|>).*|(?:p[\x5c'\"]*r[\x5c'\"]*o|b)[\x5c'\"]*c)|u[\x5c'\"]*(?:p[\x5c'\"]*s[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*l[\x5c'\"]*t[\x5c'\"]*e[\x5c'\"]*r|t[\x5c'\"]*(?:\s|<|>).*|r[\x5c'\"]*l)|p[\x5c'\"]*(?:u[\x5c'\"]*l[\x5c'\"]*i[\x5c'\"]*m[\x5c'\"]*i[\x5c'\"]*t|(?:\s|<|>).*|a[\x5c'\"]*n|i[\x5c'\"]*o)|r[\x5c'\"]*(?:a[\x5c'\"]*s[\x5c'\"]*h[\x5c'\"]*(?:\s|<|>).*|o[\x5c'\"]*n[\x5c'\"]*t[\x5c'\"]*a[\x5c'\"]*b)|(?:a[\x5c'\"]*(?:n[\x5c'\"]*c[\x5c'\"]*e[\x5c'\"]*l|p[\x5c'\"]*s[\x5c'\"]*h|t)|c)[\x5c'\"]*(?:\s|<|>).*|s[\x5c'\"]*(?:v[\x5c'\"]*t[\x5c'\"]*o[\x5c'\"]*o[\x5c'\"]*l|p[\x5c'\"]*l[\x5c'\"]*i[\x5c'\"]*t|h)|e[\x5c'\"]*r[\x5c'\"]*t[\x5c'\"]*b[\x5c'\"]*o[\x5c'\"]*t|[89][\x5c'\"]*9|m[\x5c'\"]*p)|l[\x5c'\"]*(?:w[\x5c'\"]*p[\x5c'\"]*-[\x5c'\"]*(?:d[\x5c'\"]*(?:o[\x5c'\"]*w[\x5c'\"]*n[\x5c'\"]*l[\x5c'\"]*o[\x5c'\"]*a[\x5c'\"]*d|u[\x5c'\"]*m[\x5c'\"]*p)|r[\x5c'\"]*e[\x5c'\"]*q[\x5c'\"]*u[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t|m[\x5c'\"]*i[\x5c'\"]*r[\x5c'\"]*r[\x5c'\"]*o[\x5c'\"]*r)|s(?:[\x5c'\"]*(?:b[\x5c'\"]*_[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*a[\x5c'\"]*s[\x5c'\"]*e|c[\x5c'\"]*p[\x5c'\"]*u|m[\x5c'\"]*o[\x5c'\"]*d|p[\x5c'\"]*c[\x5c'\"]*i|u[\x5c'\"]*s[\x5c'\"]*b|-[\x5c'\"]*F|h[\x5c'\"]*w|o[\x5c'\"]*f))?|z[\x5c'\"]*(?:(?:[ef][\x5c'\"]*)?g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|c[\x5c'\"]*(?:a[\x5c'\"]*t|m[\x5c'\"]*p)|m[\x5c'\"]*(?:o[\x5c'\"]*r[\x5c'\"]*e|a)|d[\x5c'\"]*i[\x5c'\"]*f[\x5c'\"]*f|l[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*s)|o[\x5c'\"]*(?:g[\x5c'\"]*(?:(?:n[\x5c'\"]*a[\x5c'\"]*m|s[\x5c'\"]*a[\x5c'\"]*v)[\x5c'\"]*e|i[\x5c'\"]*n[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*l)|(?:c[\x5c'\"]*a[\x5c'\"]*(?:t[\x5c'\"]*e|l)|o[\x5c'\"]*k)[\x5c'\"]*(?:\s|<|>).*)|a[\x5c'\"]*(?:s[\x5c'\"]*t[\x5c'\"]*(?:l[\x5c'\"]*o[\x5c'\"]*g(?:[\x5c'\"]*i[\x5c'\"]*n)?|c[\x5c'\"]*o[\x5c'\"]*m[\x5c'\"]*m|(?:\s|<|>).*)|t[\x5c'\"]*e[\x5c'\"]*x[\x5c'\"]*(?:\s|<|>).*)|e[\x5c'\"]*s[\x5c'\"]*s[\x5c'\"]*(?:(?:f[\x5c'\"]*i[\x5c'\"]*l|p[\x5c'\"]*i[\x5c'\"]*p)[\x5c'\"]*e|e[\x5c'\"]*c[\x5c'\"]*h[\x5c'\"]*o|(?:\s|<|>).*)|d[\x5c'\"]*(?:c[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*g|(?:d[\x5c'\"]*)?(?:\s|<|>).*)|(?:[np]|i[\x5c'\"]*n[\x5c'\"]*k[\x5c'\"]*s|y[\x5c'\"]*n[\x5c'\"]*x)[\x5c'\"]*(?:\s|<|>).*|u[\x5c'\"]*a[\x5c'\"]*(?:(?:l[\x5c'\"]*a[\x5c'\"]*)?t[\x5c'\"]*e[\x5c'\"]*x|(?:\s|<|>).*)|f[\x5c'\"]*t[\x5c'\"]*p(?:[\x5c'\"]*g[\x5c'\"]*e[\x5c'\"]*t)?|t[\x5c'\"]*r[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*e)|b[\x5c'\"]*(?:z[\x5c'\"]*(?:(?:[ef][\x5c'\"]*)?g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|d[\x5c'\"]*i[\x5c'\"]*f[\x5c'\"]*f|l[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*s|m[\x5c'\"]*o[\x5c'\"]*r[\x5c'\"]*e|c[\x5c'\"]*a[\x5c'\"]*t|i[\x5c'\"]*p[\x5c'\"]*2)|u[\x5c'\"]*(?:s[\x5c'\"]*(?:y[\x5c'\"]*b[\x5c'\"]*o[\x5c'\"]*x|c[\x5c'\"]*t[\x5c'\"]*l)|n[\x5c'\"]*d[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*r[\x5c'\"]*(?:\s|<|>).*|i[\x5c'\"]*l[\x5c'\"]*t[\x5c'\"]*i[\x5c'\"]*n)|a[\x5c'\"]*(?:s[\x5c'\"]*(?:e[\x5c'\"]*(?:3[\x5c'\"]*2|6[\x5c'\"]*4|n[\x5c'\"]*c)|h)|t[\x5c'\"]*c[\x5c'\"]*h[\x5c'\"]*(?:\s|<|>).*)|r[\x5c'\"]*(?:i[\x5c'\"]*d[\x5c'\"]*g[\x5c'\"]*e[\x5c'\"]*(?:\s|<|>).*|e[\x5c'\"]*a[\x5c'\"]*k[\x5c'\"]*s[\x5c'\"]*w)|s[\x5c'\"]*d[\x5c'\"]*(?:c[\x5c'\"]*a[\x5c'\"]*t|i[\x5c'\"]*f[\x5c'\"]*f|t[\x5c'\"]*a[\x5c'\"]*r)|p[\x5c'\"]*f[\x5c'\"]*t[\x5c'\"]*r[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*e|y[\x5c'\"]*e[\x5c'\"]*b[\x5c'\"]*u[\x5c'\"]*g)|a[\x5c'\"]*(?:s[\x5c'\"]*(?:c[\x5c'\"]*i[\x5c'\"]*i[\x5c'\"]*(?:-[\x5c'\"]*x[\x5c'\"]*f[\x5c'\"]*r|8[\x5c'\"]*5)|p[\x5c'\"]*e[\x5c'\"]*l[\x5c'\"]*l|(?:h[\x5c'\"]*)?(?:\s|<|>).*)|n[\x5c'\"]*s[\x5c'\"]*i[\x5c'\"]*b[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*-[\x5c'\"]*p[\x5c'\"]*l[\x5c'\"]*a[\x5c'\"]*y[\x5c'\"]*b[\x5c'\"]*o[\x5c'\"]*o[\x5c'\"]*k|(?:l[\x5c'\"]*(?:p[\x5c'\"]*i[\x5c'\"]*n[\x5c'\"]*e|i[\x5c'\"]*a[\x5c'\"]*s)|w[\x5c'\"]*[ks]|b)[\x5c'\"]*(?:\s|<|>).*|r[\x5c'\"]*(?:[jp]|(?:c[\x5c'\"]*h[\x5c'\"]*)?(?:\s|<|>).*|i[\x5c'\"]*a[\x5c'\"]*2[\x5c'\"]*c)|p[\x5c'\"]*t[\x5c'\"]*(?:-[\x5c'\"]*g[\x5c'\"]*e[\x5c'\"]*t|(?:\s|<|>).*)|d[\x5c'\"]*d[\x5c'\"]*u[\x5c'\"]*s[\x5c'\"]*e[\x5c'\"]*r|t[\x5c'\"]*(?:o[\x5c'\"]*b[\x5c'\"]*m|(?:\s|<|>).*)|g[\x5c'\"]*e[\x5c'\"]*t[\x5c'\"]*t[\x5c'\"]*y)|e[\x5c'\"]*(?:x[\x5c'\"]*(?:p[\x5c'\"]*(?:(?:(?:e[\x5c'\"]*c|o[\x5c'\"]*r)[\x5c'\"]*t|a[\x5c'\"]*n[\x5c'\"]*d)[\x5c'\"]*(?:\s|<|>).*|r)|i[\x5c'\"]*f[\x5c'\"]*t[\x5c'\"]*o[\x5c'\"]*o[\x5c'\"]*l|(?:e[\x5c'\"]*c[\x5c'\"]*)?(?:\s|<|>).*)|n[\x5c'\"]*(?:v[\x5c'\"]*(?:-[\x5c'\"]*u[\x5c'\"]*p[\x5c'\"]*d[\x5c'\"]*a[\x5c'\"]*t[\x5c'\"]*e|(?:\s|<|>).*)|d[\x5c'\"]*(?:i[\x5c'\"]*f|s[\x5c'\"]*w))|(?:a[\x5c'\"]*s[\x5c'\"]*y[\x5c'\"]*_[\x5c'\"]*i[\x5c'\"]*n[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*a[\x5c'\"]*l|v[\x5c'\"]*a)[\x5c'\"]*l|(?:[bd]|c[\x5c'\"]*h[\x5c'\"]*o)[\x5c'\"]*(?:\s|<|>).*|g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|m[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*s|f[\x5c'\"]*a[\x5c'\"]*x|s[\x5c'\"]*a[\x5c'\"]*c|q[\x5c'\"]*n)|g[\x5c'\"]*(?:e[\x5c'\"]*(?:n[\x5c'\"]*i[\x5c'\"]*(?:s[\x5c'\"]*o[\x5c'\"]*i[\x5c'\"]*m[\x5c'\"]*a[\x5c'\"]*g[\x5c'\"]*e|e[\x5c'\"]*(?:\s|<|>).*)|(?:t[\x5c'\"]*f[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*l|m)[\x5c'\"]*(?:\s|<|>).*)|c[\x5c'\"]*(?:c[\x5c'\"]*(?:(?:<|>)|(?:[\w\d._-][\x5c'\"]*)+(?:\s|<|>)).*|o[\x5c'\"]*r[\x5c'\"]*e)|i[\x5c'\"]*(?:(?:m[\x5c'\"]*p|t)[\x5c'\"]*(?:\s|<|>).*|n[\x5c'\"]*s[\x5c'\"]*h)|t[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*e[\x5c'\"]*r|r[\x5c'\"]*(?:e[\x5c'\"]*p[\x5c'\"]*(?:\s|<|>).*|c)|z[\x5c'\"]*(?:c[\x5c'\"]*a[\x5c'\"]*t|i[\x5c'\"]*p)|u[\x5c'\"]*n[\x5c'\"]*z[\x5c'\"]*i[\x5c'\"]*p|h[\x5c'\"]*c(?:[\x5c'\"]*i)?|a[\x5c'\"]*w[\x5c'\"]*k|o[\x5c'\"]*(?:\s|<|>).*|d[\x5c'\"]*b)|f[\x5c'\"]*(?:i(?:[\x5c'\"]*(?:(?:n[\x5c'\"]*(?:g[\x5c'\"]*e[\x5c'\"]*r|d)|s[\x5c'\"]*h)[\x5c'\"]*(?:\s|<|>).*|l[\x5c'\"]*e[\x5c'\"]*(?:t[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t|(?:\s|<|>).*)))?|t[\x5c'\"]*p[\x5c'\"]*(?:s[\x5c'\"]*t[\x5c'\"]*a[\x5c'\"]*t[\x5c'\"]*s|w[\x5c'\"]*h[\x5c'\"]*o|(?:\s|<|>).*)|(?:e[\x5c'\"]*t[\x5c'\"]*c[\x5c'\"]*h|l[\x5c'\"]*o[\x5c'\"]*c[\x5c'\"]*k|c)[\x5c'\"]*(?:\s|<|>).*|o[\x5c'\"]*(?:r[\x5c'\"]*e[\x5c'\"]*a[\x5c'\"]*c[\x5c'\"]*h|l[\x5c'\"]*d[\x5c'\"]*(?:\s|<|>).*)|u[\x5c'\"]*n[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*i[\x5c'\"]*o[\x5c'\"]*n|a[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*e[\x5c'\"]*r|g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|p[\x5c'\"]*i[\x5c'\"]*n[\x5c'\"]*g|m[\x5c'\"]*t)|d[\x5c'\"]*(?:m[\x5c'\"]*(?:i[\x5c'\"]*d[\x5c'\"]*e[\x5c'\"]*c[\x5c'\"]*o[\x5c'\"]*d[\x5c'\"]*e|s[\x5c'\"]*e[\x5c'\"]*t[\x5c'\"]*u[\x5c'\"]*p|e[\x5c'\"]*s[\x5c'\"]*g)|o[\x5c'\"]*(?:(?:c[\x5c'\"]*k[\x5c'\"]*e[\x5c'\"]*r|n[\x5c'\"]*e)[\x5c'\"]*(?:\s|<|>).*|s[\x5c'\"]*b[\x5c'\"]*o[\x5c'\"]*x|a[\x5c'\"]*s)|i[\x5c'\"]*(?:(?:a[\x5c'\"]*l[\x5c'\"]*o[\x5c'\"]*g|f[\x5c'\"]*f)[\x5c'\"]*(?:\s|<|>).*|g)|(?:[du]|a[\x5c'\"]*(?:s[\x5c'\"]*h|t[\x5c'\"]*e))[\x5c'\"]*(?:\s|<|>).*|h[\x5c'\"]*c[\x5c'\"]*l[\x5c'\"]*i[\x5c'\"]*e[\x5c'\"]*n[\x5c'\"]*t|v[\x5c'\"]*i[\x5c'\"]*p[\x5c'\"]*s|p[\x5c'\"]*k[\x5c'\"]*g|n[\x5c'\"]*f)|i[\x5c'\"]*(?:(?:(?:n[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*a[\x5c'\"]*l[\x5c'\"]*l|d)[\x5c'\"]*(?:\s|<|>)|r[\x5c'\"]*b[\x5c'\"]*(?:(?:<|>)|(?:[\w\d._-][\x5c'\"]*)+(?:\s|<|>))).*|p[\x5c'\"]*(?:(?:6[\x5c'\"]*)?t[\x5c'\"]*a[\x5c'\"]*b[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*s|c[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*g|(?:\s|<|>).*)|f[\x5c'\"]*(?:c[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*f[\x5c'\"]*i[\x5c'\"]*g|t[\x5c'\"]*o[\x5c'\"]*p)|o[\x5c'\"]*n[\x5c'\"]*i[\x5c'\"]*c[\x5c'\"]*e|s[\x5c'\"]*p[\x5c'\"]*e[\x5c'\"]*l[\x5c'\"]*l|c[\x5c'\"]*o[\x5c'\"]*n[\x5c'\"]*v)|h[\x5c'\"]*(?:(?:i[\x5c'\"]*(?:g[\x5c'\"]*h[\x5c'\"]*l[\x5c'\"]*i[\x5c'\"]*g[\x5c'\"]*h[\x5c'\"]*t|s[\x5c'\"]*t[\x5c'\"]*o[\x5c'\"]*r[\x5c'\"]*y)|u[\x5c'\"]*p|d)[\x5c'\"]*(?:\s|<|>).*|t[\x5c'\"]*(?:d[\x5c'\"]*i[\x5c'\"]*g[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t|p[\x5c'\"]*a[\x5c'\"]*s[\x5c'\"]*s[\x5c'\"]*w[\x5c'\"]*d)|e[\x5c'\"]*(?:x[\x5c'\"]*d[\x5c'\"]*u[\x5c'\"]*m[\x5c'\"]*p|a[\x5c'\"]*d[\x5c'\"]*(?:\s|<|>).*)|o[\x5c'\"]*s[\x5c'\"]*t[\x5c'\"]*(?:n[\x5c'\"]*a[\x5c'\"]*m[\x5c'\"]*e|i[\x5c'\"]*d)|p[\x5c'\"]*i[\x5c'\"]*n[\x5c'\"]*g[\x5c'\"]*3)|j[\x5c'\"]*(?:o[\x5c'\"]*(?:u[\x5c'\"]*r[\x5c'\"]*n[\x5c'\"]*a[\x5c'\"]*l[\x5c'\"]*c[\x5c'\"]*t[\x5c'\"]*l|(?:b[\x5c'\"]*s|i[\x5c'\"]*n)[\x5c'\"]*(?:\s|<|>).*)|r[\x5c'\"]*u[\x5c'\"]*n[\x5c'\"]*s[\x5c'\"]*c[\x5c'\"]*r[\x5c'\"]*i[\x5c'\"]*p[\x5c'\"]*t|a[\x5c'\"]*v[\x5c'\"]*a[\x5c'\"]*(?:\s|<|>).*|e[\x5c'\"]*x[\x5c'\"]*e[\x5c'\"]*c|j[\x5c'\"]*s|q)|k[\x5c'\"]*(?:i[\x5c'\"]*l[\x5c'\"]*l[\x5c'\"]*(?:a[\x5c'\"]*l[\x5c'\"]*l|(?:\s|<|>).*)|s[\x5c'\"]*(?:s[\x5c'\"]*h[\x5c'\"]*e[\x5c'\"]*l[\x5c'\"]*l|h)|n[\x5c'\"]*i[\x5c'\"]*f[\x5c'\"]*e[\x5c'\"]*(?:\s|<|>).*)|G[\x5c'\"]*E[\x5c'\"]*T[\x5c'\"]*(?:\s|<|>).*|7[\x5c'\"]*z(?:[\x5c'\"]*[ar])?)\b" \ "id:932100,\ phase:2,\ block,\ diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932100.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932100.yaml index f73ae9772..6754f9d70 100644 --- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932100.yaml +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932100.yaml @@ -45,8 +45,8 @@ tests: version: HTTP/1.0 output: log_contains: id "932100" - - test_title: True Positive Fix Test 1 - desc: ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities + - test_title: 932100-3 + desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities stages: - stage: input: @@ -65,8 +65,8 @@ tests: version: HTTP/1.0 output: no_log_contains: "id \"932100\"" - - test_title: True Positive Fix Test 2 - desc: Like True Positive Fix Test 1 but instead of space sign using new line sign + - test_title: 932100-4 + desc: Like 932100-3 but instead of space sign using new line sign stages: - stage: input: @@ -85,7 +85,7 @@ tests: version: HTTP/1.0 output: no_log_contains: "id \"932100\"" - - test_title: True Positive Fix Test 3 + - test_title: 932100-5 desc: Another html entity - decimal 9977 (person with ball) with space sign after entity and dot stages: - stage: @@ -105,7 +105,7 @@ tests: version: HTTP/1.0 output: no_log_contains: "id \"932100\"" - - test_title: True Positive Fix Test 4 + - test_title: 932100-6 desc: Another html entity - decimal 128 (euro) with new line sign after entity and dot stages: - stage: @@ -125,7 +125,7 @@ tests: version: HTTP/1.0 output: no_log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 1 + - test_title: 932100-7 desc: arg value of ";ifconfig Something „The Title”. After space or new line more characters" is blocked stages: - stage: @@ -145,7 +145,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 2 + - test_title: 932100-8 desc: arg value of "Something „The Title”. After ;ifconfig something" is blocked stages: - stage: @@ -165,8 +165,8 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 3 - desc: RCE passed in one of the args + - test_title: 932100-9 + desc: True Negative Rule Integrity 3 - RCE passed in one of the args stages: - stage: input: @@ -185,7 +185,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 4 + - test_title: 932100-10 desc: RCE from test 932100.yaml combined with html entities in the middle stages: - stage: @@ -205,7 +205,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 5 + - test_title: 932100-11 desc: RCE from test 932100.yaml combined with html entities at the beginning stages: - stage: @@ -225,7 +225,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 6 + - test_title: 932100-12 desc: RCE from test 932100.yaml combined with html entities at the end stages: - stage: @@ -245,7 +245,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 7 + - test_title: 932100-13 desc: RCE from https://github.com/payloadbox/command-injection-payload-list and html entities stages: - stage: @@ -265,7 +265,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 8 + - test_title: 932100-14 desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities stages: - stage: @@ -285,7 +285,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 10 + - test_title: 932100-15 desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities stages: - stage: @@ -305,7 +305,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 11 + - test_title: 932100-16 desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities stages: - stage: @@ -325,7 +325,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 12 + - test_title: 932100-17 desc: RCE ;ifconfig with html entities two digit decimal of 59 (;) stages: - stage: @@ -345,7 +345,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 13 + - test_title: 932100-18 desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the end stages: - stage: @@ -365,7 +365,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 14 + - test_title: 932100-19 desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the beginning stages: - stage: @@ -385,7 +385,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 15 + - test_title: 932100-20 desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the end stages: - stage: @@ -405,7 +405,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 16 + - test_title: 932100-21 desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the beginning stages: - stage: @@ -425,7 +425,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 17 + - test_title: 932100-22 desc: Like rule True Negative Rule Integrity 11 but the html entity is concatenation with RCE at the end stages: - stage: @@ -445,7 +445,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 18 + - test_title: 932100-23 desc: Like rule True Negative Rule Integrity 11 but the html entity is concatenation with RCE at the beginning stages: - stage: @@ -465,7 +465,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 19 + - test_title: 932100-24 desc: RCE in arg and html entity is sent in cookie stages: - stage: @@ -486,7 +486,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: True Negative Rule Integrity 20 + - test_title: 932100-25 desc: RCE in arg and html entity is sent in cookie stages: - stage: @@ -507,7 +507,7 @@ tests: version: HTTP/1.0 output: log_contains: "id \"932100\"" - - test_title: 932100-21 + - test_title: 932100-26 desc: "Unix command injection" stages: - stage: @@ -524,7 +524,7 @@ tests: version: HTTP/1.0 output: log_contains: id "932100" - - test_title: 932100-22 + - test_title: 932100-27 desc: "Unix command injection" stages: - stage: @@ -541,3 +541,43 @@ tests: version: HTTP/1.0 output: log_contains: id "932100" + - test_title: 932100-28 + desc: Test RCE with new semantic versions - ;gcc10.1 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: OWASP ModSecurity Core Rule Set + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip, deflate, br + Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: "/post" + data: "arg=;gcc10.1<<( ifconfig ) >\( -##! a() ( ifconfig; ); a +##! a() ( ifconfig; ); a \(\s*\) ##!=> ##! match possible white space between prefix expressions \s* -##!=> +##!=> ##! commands prefix (?: @@ -96,20 +101,36 @@ 7z 7za 7zr -GET@ +ab@ adduser +agetty alias@ -alpine +alpine@ +ansible-playbook apt-get apt@ +ar@ arch@ +aria2c +arj arp +as@ +ascii-xfr +ascii85 +ash@ +aspell at@ +atobm awk@ aws@ +base32 +base64 +basenc bash batch@ +bpftrace breaksw +bridge@ bsdcat bsdiff bsdtar @@ -117,6 +138,7 @@ builtin bundler@ busctl busybox +byebug bzcat bzdiff bzegrep @@ -127,50 +149,87 @@ bzless bzmore c89 c99 +cancel@ capsh@ cat@ cc@ certbot chattr chdir@ +check_by_ssh +check_cups +check_log +check_memory +check_raid +check_ssl_cert +check_statusfile chflags chmod +choom +chown +chroot +cmp +cobc +column@ +comm command@ composer compress@ coproc +cowsay +cowthink cp@ cpan cpio cpulimit +crash@ crontab csh +csplit +csvtool +cupsfilter curl -dash +cut@ +dash@ +date@ +dd@ dhclient +dialog@ diff@ +dig dmesg +dmidecode +dmsetup +dnf doas -done +docker@ +done@ +dosbox dpkg du@ +dvips easy_install +eb@ echo@ ed@ +efax egrep emacs endif endsw -env +env@ env-update +eqn esac eval ex@ exec@ -expand +exiftool +expand@ expect@ -export +export@ expr +facter fc@ fetch@ fgrep @@ -178,65 +237,82 @@ fi file@ filetest find@ -fish +finger@ +fish@ flock@ +fmt +fold@ foreach +fping ftp@ ftpstats ftpwho function -gcc -gcc@ +gawk +gcc~ +gcore gdb gem@ +genie@ +genisoimage +GET@ getfacl@ -git +ghc +ghci +gimp@ +ginsh git@ -##! golang compiler/command go@ +grc grep@ +gtester gunzip gzcat gzip +hd@ head@ -history +hexdump +highlight@ +history@ hostid hostname +hping3 htdigest htpasswd hup@ +iconv ##! 'id' causes way too much FP, so we require whitespace; this will allow ##! injecting ';id' unfortunately. id@ ifconfig +iftop +install@ ionice +ip@ ip6tables ipconfig iptables -irb -irb1 -irb18 -irb19 -irb20 -irb21 -irb22 -irb23 -irb24 -irb25 -irb26 -irb27 -irb30 +irb~ +ispell java@ jexec +jjs jobs@ +join@ journalctl +jq +jrunscript kill@ killall +knife@ ksh +ksshell last@ lastcomm lastlog lastlogin +latex@ +ld@ ldconfig ldd@ less@ @@ -252,6 +328,7 @@ locate@ loginctl logname logsave +look@ lp@ ls ls-F @@ -263,11 +340,9 @@ lsof lspci lsusb ltrace -lua5.1 -lua5.2 -lua5.3 -lua5.4 lua@ +lualatex +luatex lwp-download lwp-dump lwp-mirror @@ -282,5 +357,8 @@ lzgrep lzless lzma lzmore -##! words starting with m continue in 932105.data + ##!< + ##!< + +##! words starting with m continue in 932105.data