HEX
Server: Apache
System: Linux dinesh8189 5.15.98-grsec-sharedvalley-2.lc.el8.x86_64 #1 SMP Thu Mar 9 09:07:30 -03 2023 x86_64
User: cgmgerenciamento1 (814285)
PHP: 8.1.26
Disabled: apache_child_terminate,dl,escapeshellarg,escapeshellcmd,exec,link,mail,openlog,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,php_check_syntax,php_strip_whitespace,popen,proc_close,proc_open,shell_exec,symlink,system
$ pwd: /proc/thread-self/root/proc/self/root/usr/local/modsecurity-crs/regex-assembly/
Upload Files
File: //proc/thread-self/root/proc/self/root/usr/local/modsecurity-crs/regex-assembly/941220.ra
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! This rule tries to match all the possible ways to write 'vbscript' using
##! html entities, and javascript escape sequences.
##! See https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references for examples.
##! And https://www.w3schools.com/charsets/ref_html_ascii.asp for the list of
##! all the possible html entities.

##!+ i

##! Matched order is sequential: we first match 'v', then 'b', then 's', etc.

##!> define html_entity_hex_prefix &#x0*
##!> define html_entity_dec_prefix &#0*
##!> define whitespaces [\t\n\r]

##! html_encoded_whitespace is a list of all the possible ways to write an encoded whitespace
##!> assemble
  ##! canonical form
  {{whitespaces}}
  ##! alternative forms
  ##!> assemble
    ##! 09 horizontal tab
    ##! 10 line feed
    ##! 13 carriage return
    ##! 0A line feed (hex)
    ##! 0D carriage return (hex)
    {{html_entity_dec_prefix}}9;?
    {{html_entity_dec_prefix}}10;?
    {{html_entity_dec_prefix}}13;?
    {{html_entity_hex_prefix}}A;?
    {{html_entity_hex_prefix}}D;?
    &tab;
    &newline;
    ##!=>
  ##!<
  ##!=>
  *
  ##!=< html_encoded_whitespace
##!<

##! all the possible ways to end the word 'vbscript', plus whitespaces
##!> assemble
  ##! canonical form
  :
  ##! alternative forms
  ##!> assemble
    ##! 58 : colon
    ##! 3A : colon (hex)
    {{html_entity_dec_prefix}}58;?
    {{html_entity_hex_prefix}}3A;?
    &colon;
  ##!<
  ##!=>
  .
  ##!=< end_vbscript
##!<

##!=>
##! all the possible ways to write 'v', plus whitespaces
##! canonical form
v
##! alternative forms
##!> assemble
  ##! v 118 lowercase v
  ##! v 76 lowercase v (hex)
  ##! V 86 uppercase V
  ##! V 56 uppercase V (hex)
  {{html_entity_dec_prefix}}118;
  {{html_entity_hex_prefix}}76;
  {{html_entity_dec_prefix}}86;
  {{html_entity_hex_prefix}}56;
##!<
##!=>
##!=> html_encoded_whitespace

##!=>

##! all the possible ways to write 'b', plus whitespaces
##! canonical form
b
##! alternative forms
##!> assemble
  ##! b 98 lowercase b
  ##! b 62 lowercase b (hex)
  ##! B 66 uppercase B
  ##! B 42 uppercase B (hex)
  {{html_entity_dec_prefix}}98;
  {{html_entity_hex_prefix}}62;
  {{html_entity_dec_prefix}}66;
  {{html_entity_hex_prefix}}42;
##!<
##!=>
##!=> html_encoded_whitespace

##!=>

##! all the possible ways to write 's', plus whitespaces
##! canonical form
s
##! alternative forms
##!> assemble
  ##! s 115 lowercase s
  ##! s 73 lowercase s (hex)
  ##! S 83 uppercase S
  ##! S 53 uppercase S (hex)
  {{html_entity_dec_prefix}}115;
  {{html_entity_hex_prefix}}73;
  {{html_entity_dec_prefix}}83;
  {{html_entity_hex_prefix}}53;
##!<
##!=>
##!=> html_encoded_whitespace

##!=>

##! all the possible ways to write 'c', plus whitespaces
##! canonical form
c
##! alternative forms
##!> assemble
  ##! c 63 lowercase C (hex)
  ##! c 99 lowercase c
  ##! C 43 uppercase c (hex)
  ##! C 67 uppercase C
  {{html_entity_hex_prefix}}63;
  {{html_entity_dec_prefix}}99;
  {{html_entity_hex_prefix}}43;
  {{html_entity_dec_prefix}}67;
##!<
##!=>
##!=> html_encoded_whitespace

##!=>

##! all the possible ways to write 'r', plus whitespaces
##! canonical form
r
##! alternative forms
##!> assemble
  ##! r 72 lowercase R (hex)
  ##! r 114 lowercase r
  ##! r 52 uppercase r (hex)
  ##! R 82 uppercase R
  {{html_entity_hex_prefix}}72;
  {{html_entity_dec_prefix}}114;
  {{html_entity_hex_prefix}}52;
  {{html_entity_dec_prefix}}82;
##!<
##!=>
##!=> html_encoded_whitespace

##!=>

##! all the possible ways to write 'i', plus whitespaces
##! canonical form
i
##! alternative forms
##!> assemble
  ##! i 69 lowercase i (hex)
  ##! i 105 lowercase i
  ##! I 49 uppercase i (hex)
  ##! I 73 uppercase I
  {{html_entity_hex_prefix}}69;
  {{html_entity_dec_prefix}}105;
  {{html_entity_hex_prefix}}49;
  {{html_entity_dec_prefix}}73;
##!<
##!=>
##!=> html_encoded_whitespace

##!=>

##! all the possible ways to write 'p', plus whitespaces
##! canonical form
p
##! alternative forms
##!> assemble
  ##! p 70 lowercase p (hex)
  ##! p 112 lowercase p
  ##! P 50 uppercase p (hex)
  ##! P 80 uppercase P
  {{html_entity_hex_prefix}}70;
  {{html_entity_dec_prefix}}112;
  {{html_entity_hex_prefix}}50;
  {{html_entity_dec_prefix}}80;
##!<
##!=>
##!=> html_encoded_whitespace

##!=>

##! all the possible ways to write 't', plus whitespaces
##! canonical form
t
##! alternative forms
##!> assemble
  ##! t 74 lowercase t (hex)
  ##! t 116 lowercase t
  ##! T 54 uppercase t (hex)
  ##! T 84 uppercase T
  {{html_entity_hex_prefix}}74;
  {{html_entity_dec_prefix}}116;
  {{html_entity_hex_prefix}}54;
  {{html_entity_dec_prefix}}84;
##!<
##!=>
##!=> html_encoded_whitespace
##!=>

##!=> end_vbscript
@ Telegram