HEX
Server: Apache
System: Linux dinesh8189 5.15.98-grsec-sharedvalley-2.lc.el8.x86_64 #1 SMP Thu Mar 9 09:07:30 -03 2023 x86_64
User: cgmgerenciamento1 (814285)
PHP: 8.1.26
Disabled: apache_child_terminate,dl,escapeshellarg,escapeshellcmd,exec,link,mail,openlog,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,php_check_syntax,php_strip_whitespace,popen,proc_close,proc_open,shell_exec,symlink,system
$ pwd: /usr/local/modsecurity-crs/regex-assembly/
Upload Files
File: //usr/local/modsecurity-crs/regex-assembly/930100.ra
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Source: https://github.com/wireghoul/dotdotpwn/blob/master/DotDotPwn/TraversalEngine.pm
##! Attack description: https://doc.lagout.org/security/McGraw.Hill.HackNotes.Web.Security.Portable.Reference.eBook-DDU.pdf
##! Excerpt:
##! In short, IIS turns %c0%af into
##! the ASCII / character, but parses it at a point where security checks for
##! ‘../’ traversals have already occurred!
##! What has really happened? The attack uses an overlong Unicode
##! representation for a forward or backward slash (/ or \).
##! Unicode permits multibyte encoding of the same character.
##! The fundamental representation can be referred to as a one (character) to one (byte field)
##! representation. The overlong representation is a one (character) to many
##! (bytes) version.
##! Two more valid strings that represent the backward slash are %c1%1c
##! and %c1%9c. The difference between these two hex values is 128. More
##! valid slash representations boil down to a matter of math. For example,
##! %c0%9v works even though %9v isn’t a hexadecimal value. Try adding
##! the value for “9” (57) to “v” (118); if the result is greater than 127, then
##! subtract 128—hint, the final result should be 47.

##!+ i

##! slash patterns
##!> assemble
  \x5c
  ##! URI encoded
  %2f
  %5c
  ##! Hex encoded
  0x2f
  0x5c
  ##! Double URI encoded
  %252f
  %255c
  ##! Overlong Unicode sequences (target IIS)
  %c0%2f
  %c0%af
  %c0%5c
  %c1%9c
  %c1%pc
  %c0%9v
  %c0%qf
  %c1%8s
  %c1%1c
  %c1%af
  %bg%qf
  ##! Unicode 16 "alternative" glyphs
  %u2215
  %u2216
  ##! Unknown
  %uEFC8
  %uF025
  ##! More double encoding and variations on the above
  %%32%%66
  %%35%%63
  %e0%80%af
  %25c1%259c
  %25c0%25af
  %f0%80%80%af
  %f8%80%80%80%af
  %2%46
  %%32%46
  %%32F
  %u002f
  %1u
  /
  ##!=< slashes
  ##!=> slashes

  ##! dot patterns
  ##! These use the same techniques as for slashes to evade the detection of '.'
  \.
  \.%00
  \.%01
  \.\?
  \?\.
  \?
  %2e
  0x2e
  %c0\.
  %252e
  %c0%2e
  %c0%ae
  %c0%5e
  %c0%ee
  %c0%fe
  %uff0e
  %%32%%65
  %e0%80%ae
  %25c0%25ae
  %f0%80%80%ae
  %f8%80%80%80%ae
  %fc%80%80%80%80%ae
  %2%45
  %u002e
  %uff0e
  %u2024
  %%32%45
  %%32E
  %c0%6e
  ##!=>

  ##! Append {2,3} to the result, as we're looking for two or three dots (e.g. /../, /.../)
  {2,3}
  ##!=>

  ##!=> slashes
##!<
@ Telegram