HEX
Server: Apache
System: Linux dinesh8189 5.15.98-grsec-sharedvalley-2.lc.el8.x86_64 #1 SMP Thu Mar 9 09:07:30 -03 2023 x86_64
User: cgmgerenciamento1 (814285)
PHP: 8.1.26
Disabled: apache_child_terminate,dl,escapeshellarg,escapeshellcmd,exec,link,mail,openlog,passthru,pcntl_alarm,pcntl_exec,pcntl_fork,pcntl_get_last_error,pcntl_getpriority,pcntl_setpriority,pcntl_signal,pcntl_signal_dispatch,pcntl_sigprocmask,pcntl_sigtimedwait,pcntl_sigwaitinfo,pcntl_strerror,pcntl_wait,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,php_check_syntax,php_strip_whitespace,popen,proc_close,proc_open,shell_exec,symlink,system
$ pwd: /usr/local/modsecurity-crs/regex-assembly/
Upload Files
File: //usr/local/modsecurity-crs/regex-assembly/932240.ra
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Rule 932240 (Generic RCE Unix command evasion detection)
##!
##! Conceptually, we want to match:
##! - at least one character
##! - at least one character from an evasion technique

##!+ i

##! The previous cmdline evasion detection was based on the one from modsecurity: `[\x5c'\"]*`
##! We extended the evasion detection from the cmdline processor with `(?:\$[a-z0-9_@?!#{*-]*)?(?:\x5c)?` to match:
##! - non-existing vars: cu$@rl, una$$me -a, uname$$u -a
##! - vars + spacing: v='u';cu$v\r\l google.com
##! - globbing pattern expansion: {n$u\c$u,-nlvp,777}
##! - globbing: garb=cur[l];$garb+google.com

##! kill '-'9
##!> assemble
  [a-z0-9_-]+
  ##!=>
  \s*['\"][^'\"\s]+['\"]
  ##!=>
  [a-z0-9_-]+
##!<

##!> assemble
  [a-z0-9_-]+
  ##!=>
  ##! py""thon
  ['\"]['\"]+
  [\x5c\[\]]+
  \$+[\x5ca-z0-9_@?!#{*-]+
  ##! process substitution
  ``
  \$\(\)
  <\(\)
  >\(\)
  ##!=>

  \s*[a-z0-9_-]+
  ##!=>
##!<
@ Telegram