# Regression suite for the naxsi nginx WAF module, driven by Test::Nginx::Socket.
# Each block below sends one GET request whose query string is a sample payload
# named after a sqlmap tamper script, and pins the HTTP status that comes back.
#
# Reading the expectations:
#   412 - the request ended up at DeniedUrl ("/RequestDenied", which returns
#         412), i.e. a CheckRule threshold was reached and the request was
#         blocked.
#   200 - the request was served from the static root, i.e. no threshold was
#         reached and the payload passed through unblocked.
#
# Blocks that pin a pass-through (error_code: 200) and therefore document
# payload shapes this rule set does not stop on its own:
#   TEST 4  base64encode     TEST 5  between      TEST 27 apostrophemask
#   TEST 29 securesphere     TEST 30 sp_password
# NOTE(review): read these as known detection gaps, not as "safe" inputs; the
# application behind the WAF still has to use parameterized queries. If a rule
# update starts blocking one of them, the expectation must be flipped to 412.
#
# Coverage caveats visible in this file:
#   - Every payload is delivered in the query string of "GET /"; request
#     bodies, headers and cookies are not exercised here.
#   - All blocks use the same thresholds ($SQL/$RFI/$XSS >= 8, $TRAVERSAL >= 4),
#     so the results say nothing about stricter or looser CheckRule settings.
#   - TEST 17 is titled "INseRt" but its request sends "INseRt+UnIon+plz".
#   - The module and the core rules are loaded from fixed paths under
#     /tmp/naxsi_ut. NOTE(review): on a shared host /tmp is writable by other
#     users; confirm the harness creates that directory with restrictive
#     permissions before nginx loads a shared object from it.

use lib 'lib';
use Test::Nginx::Socket;

# NOTE(review): the plan line below calls repeat_each(1), which looks like it
# resets this value to 1 before run_tests(); confirm whether each block is
# really meant to run three times.
repeat_each(3);

# Each block carries a single check (its error_code), hence one test per block.
plan tests => repeat_each(1) * blocks();
# Every block defines its own "location /", so the harness is told not to
# generate a root location of its own.
no_root_location();
no_long_string();
# Exported so that $TEST_NGINX_SERVROOT inside the config sections resolves to
# the test server's root directory.
$ENV{TEST_NGINX_SERVROOT} = server_root();
run_tests();


__DATA__
=== TEST 1 : sqlmap-master/tamper/randomcomments.py -- I/**/N/**/SERT
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?I/**/N/**/SERT
--- error_code: 412
=== TEST 2 : sqlmap-master/tamper/space2plus.py -- SELECT+id+FROM+users
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?SELECT+id+FROM+users
--- error_code: 412
=== TEST 3 : sqlmap-master/tamper/multiplespaces.py -- 1++++UNION+++++SELECT+++foobar
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1++++UNION+++++SELECT+++foobar
--- error_code: 412
=== TEST 4 : sqlmap-master/tamper/base64encode.py -- MScgQU5EIFNMRUVQKDUpIw==
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?MScgQU5EIFNMRUVQKDUpIw==
--- error_code: 200
=== TEST 5 : sqlmap-master/tamper/between.py -- 1+AND+A+NOT+BETWEEN+0+AND+B--
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+AND+A+NOT+BETWEEN+0+AND+B--
--- error_code: 200
=== TEST 6 : sqlmap-master/tamper/unmagicquotes.py -- 1%bf%27+AND+1=1--+
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1%bf%27+AND+1=1--+
--- error_code: 412
=== TEST 7 : sqlmap-master/tamper/appendnullbyte.py -- 1+AND+1=1%00
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+AND+1=1%00
--- error_code: 412
=== TEST 8 : sqlmap-master/tamper/unionalltounion.py -- -1+UNION+SELECT
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?-1+UNION+SELECT
--- error_code: 412
=== TEST 9 : sqlmap-master/tamper/greatest.py -- 1+AND+GREATEST(A,B+1)=A
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+AND+GREATEST(A,B+1)=A
--- error_code: 412
=== TEST 10 : sqlmap-master/tamper/chardoubleencode.py -- %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545
--- error_code: 412
=== TEST 11 : sqlmap-master/tamper/space2comment.py -- SELECT/**/id/**/FROM/**/users
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?SELECT/**/id/**/FROM/**/users
--- error_code: 412
=== TEST 12 : sqlmap-master/tamper/apostrophenullencode.py -- 1+AND+%00%271%00%27=%00%271
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+AND+%00%271%00%27=%00%271
--- error_code: 412
=== TEST 13 : sqlmap-master/tamper/bluecoat.py -- SELECT%09id+FROM+users+where+id+LIKE+1
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?SELECT%09id+FROM+users+where+id+LIKE+1
--- error_code: 412
=== TEST 14 : sqlmap-master/tamper/halfversionedmorekeywords.py -- /*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND+QDWa=
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND+QDWa=
--- error_code: 412
=== TEST 15 : sqlmap-master/tamper/space2dash.py -- 1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227
--- error_code: 412
=== TEST 16 : sqlmap-master/tamper/space2randomblank.py -- SELECT%0Did%0DFROM%0Ausers
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?SELECT%0Did%0DFROM%0Ausers
--- error_code: 412
=== TEST 17 : sqlmap-master/tamper/randomcase.py -- INseRt
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?INseRt+UnIon+plz
--- error_code: 412
=== TEST 18 : sqlmap-master/tamper/versionedmorekeywords.py -- 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
--- error_code: 412
=== TEST 19 : sqlmap-master/tamper/percentage.py -- %S%E%L%E%C%T+%F%I%E%L%D+%F%R%O%M+%T%A%B%L%E
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?%S%E%L%E%C%T+%F%I%E%L%D+%F%R%O%M+%T%A%B%L%E
--- error_code: 412
=== TEST 20 : sqlmap-master/tamper/ifnull2ifisnull.py -- IF(ISNULL(1),2,1)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?IF(ISNULL(1),2,1)
--- error_code: 412
=== TEST 21 : sqlmap-master/tamper/equaltolike.py -- SELECT+*+FROM+users+WHERE+id+LIKE+1
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?SELECT+*+FROM+users+WHERE+id+LIKE+1
--- error_code: 412
=== TEST 22 : sqlmap-master/tamper/space2mysqlblank.py -- SELECT%0Bid%0DFROM%0Cusers
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?SELECT%0Bid%0DFROM%0Cusers
--- error_code: 412
=== TEST 23 : sqlmap-master/tamper/space2mssqlblank.py -- SELECT%0Eid%0DFROM%07users
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?SELECT%0Eid%0DFROM%07users
--- error_code: 412
=== TEST 24 : sqlmap-master/tamper/space2hash.py -- 1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227
--- error_code: 412
=== TEST 25 : sqlmap-master/tamper/modsecurityversioned.py -- 1+/*!30874AND+2>1*/--
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+/*!30874AND+2>1*/--
--- error_code: 412
=== TEST 26 : sqlmap-master/tamper/versionedkeywords.py -- 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,+CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,+CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
--- error_code: 412
=== TEST 27 : sqlmap-master/tamper/apostrophemask.py -- 1+AND+%EF%BC%871%EF%BC%87=%EF%BC%871
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+AND+%EF%BC%871%EF%BC%87=%EF%BC%871
--- error_code: 200
=== TEST 28 : sqlmap-master/tamper/space2morehash.py -- 1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227
--- error_code: 412
=== TEST 29 : sqlmap-master/tamper/securesphere.py -- 0having=0having
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?0having=0having
--- error_code: 200
=== TEST 30 : sqlmap-master/tamper/sp_password.py -- 1+AND+9227=9227--+sp_password
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+AND+9227=9227--+sp_password
--- error_code: 200
=== TEST 31 : sqlmap-master/tamper/nonrecursivereplacement.py -- 1+UNIOUNIONN+SELESELECTCT+2--
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+UNIOUNIONN+SELESELECTCT+2--
--- error_code: 412
=== TEST 32 : sqlmap-master/tamper/charencode.py -- %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45
--- error_code: 412
=== TEST 33 : sqlmap-master/tamper/modsecurityzeroversioned.py -- 1+/*!00000AND+2>1*/--
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1+/*!00000AND+2>1*/--
--- error_code: 412
=== TEST 34 : sqlmap-master/tamper/charunicodeencode.py -- %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045
--- error_code: 412
=== TEST 35 : sqlmap-master/tamper/space2mysqldash.py -- 1--%0AAND--%0A9227=9227
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1--%0AAND--%0A9227=9227
--- error_code: 412
=== TEST 36 : sqlmap-master/tamper/space2mssqlhash.py -- 1%23%0AAND%23%0A9227=9227
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?1%23%0AAND%23%0A9227=9227
--- error_code: 412