From 7d5e68a6915d416a158537aec627d795732847de Mon Sep 17 00:00:00 2001
From: "andre.bolinhas"
Date: Sun, 8 Mar 2026 11:58:31 +0000
Subject: [PATCH] Update OWASP CRS rules to v4.24.0 Automated update via update-feed.sh CRS version: v4.24.0 Rules extracted: 310
---
 rulesets.json | 468 +++++++++++++++++++++++++++++-----------------------------
 1 file changed, 234 insertions(+), 234 deletions(-)
diff --git a/rulesets.json b/rulesets.json
index 6c5c5f4..b5f5c30 100644
--- a/rulesets.json
+++ b/rulesets.json
@@ -116,7 +116,7 @@
 {
 "id": "920100",
 "name": "Invalid HTTP Request Line",
- "pattern": "(?i)^(?:get /[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sx0b]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?)[sx0b]+[.-9A-Z_a-z]+)$",
+ "pattern": "(?i)^(?:get /[^#\\?]*(?:\\?[^\\s\\x0b#]*)?(?:#[^\\s\\x0b]*)?|(?:connect (?:(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\.?(?::[0-9]+)?|[\\--9A-Z_a-z]+:[0-9]+)|options \\*|[a-z]{3,10}[\\s\\x0b]+(?:[0-9A-Z_a-z]{3,7}?://[\\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\\?]*(?:\\?[^\\s\\x0b#]*)?(?:#[^\\s\\x0b]*)?)[\\s\\x0b]+[\\.-9A-Z_a-z]+)$",
 "targets": [
 "uri"
 ],
@@ -136,7 +136,7 @@
 {
 "id": "920120",
 "name": "Attempted multipart/form-data bypass",
- "pattern": "(?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^",
+ "pattern": "(?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=\\x5c])*$",
 "targets": [
 "all"
 ],
@@ -156,7 +156,7 @@
 {
 "id": "920160",
 "name": "Content-Length HTTP header is not numeric",
- "pattern": "^d+$",
+ "pattern": "^\\d+$",
 "targets": [
 "headers"
 ],
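Review bot: Rule 920160 ("Content-Length HTTP header is not numeric") now carries `^\\d+$`, which matches every well-formed Content-Length, so a consumer that treats a pattern hit as a violation will flag normal traffic; the old `^d+$` hid this by almost never matching. Upstream CRS applies this expression negated (`!@rx`), and no operator or negation field is visible here, though the rest of each entry lies outside the hunk context and may carry one. The same question applies to 920100 and 920120 above and to 920470, 920420, 920440, 920521, 920275 and 921220 in later hunks, some of which upstream uses only to capture a value for a chained check. If the feed format has no such field, I would add one, for example `"negate": true` (key name illustrative), or have the extraction script skip rules whose logic is not a single positive match.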
@@ -216,7 +216,7 @@
 {
 "id": "920190",
 "name": "Range: Invalid Last Byte Value",
- "pattern": "(d+)-(d+)",
+ "pattern": "(\\d+)-(\\d+)",
 "targets": [
 "headers"
 ],
@@ -236,7 +236,7 @@
 {
 "id": "920210",
 "name": "Multiple/Conflicting Connection Header Data Found",
- "pattern": "b(?:keep-alive|close),s?(?:keep-alive|close)b",
+ "pattern": "\\b(?:keep-alive|close),\\s?(?:keep-alive|close)\\b",
 "targets": [
 "headers"
 ],
@@ -377,7 +377,7 @@
 {
 "id": "920350",
 "name": "Host header is a numeric IP address",
- "pattern": "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)",
+ "pattern": "(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)",
 "targets": [
 "headers"
 ],
@@ -397,7 +397,7 @@
 {
 "id": "920470",
 "name": "Illegal Content-Type header",
- "pattern": "^[w/.+*-]+(?:s?;s*(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['",
+ "pattern": "^[\\w/.+*-]+(?:\\s?;\\s*(?:action|boundary|charset|component|start(?:-info)?|type|version)\\s?=\\s?['\"\\w.()+,/:=?<>@#*-]+)*$",
 "targets": [
 "headers"
 ],
@@ -417,7 +417,7 @@
 {
 "id": "920420",
 "name": "Request content type is not allowed by policy",
- "pattern": "^[^;s]+",
+ "pattern": "^[^;\\s]+",
 "targets": [
 "headers"
 ],
@@ -437,7 +437,7 @@
 {
 "id": "920480",
 "name": "Request content type charset is not allowed by policy",
- "pattern": "charsets*=s*[",
+ "pattern": "charset\\s*=\\s*[\"']?([^;\"'\\s]+)",
 "targets": [
 "headers"
 ],
@@ -477,7 +477,7 @@
 {
 "id": "920440",
 "name": "URL file extension is restricted by policy",
- "pattern": ".([^.]+)$",
+ "pattern": "\\.([^.]+)$",
 "targets": [
 "uri"
 ],
@@ -497,7 +497,7 @@
 {
 "id": "920500",
 "name": "Attempt to access a backup or working file",
- "pattern": ".[^.~]+~(?:/.*|)$",
+ "pattern": "\\.[^.~]+~(?:/.*|)$",
 "targets": [
 "uri"
 ],
@@ -537,7 +537,7 @@ { "id": "920600", "name": "Illegal Accept header: charset parameter", - "pattern": "^(?:(?:*|[^!", + "pattern": "^(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\x0b]*,[\\s\\x0b]*(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*$", "targets": [ "headers" ], @@ -556,7 +556,7 @@ { "id": "920200", "name": "Range: Too many fields (6 or more)", - "pattern": "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}", + "pattern": "^bytes=(?:(?:\\d+)?-(?:\\d+)?\\s*,?\\s*){6}", "targets": [ "headers" ], @@ -596,7 +596,7 @@ { "id": "920121", "name": "Attempted multipart/form-data bypass", - "pattern": "['", + "pattern": "['\";=\\x5c]", "targets": [ "all" ], 
@@ -656,7 +656,7 @@
 {
 "id": "920521",
 "name": "Illegal Accept-Encoding header",
- "pattern": "br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)",
+ "pattern": "br|compress|deflate|(?:pack200-)?gzip|identity|\\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)",
 "targets": [
 "headers"
 ],
@@ -676,7 +676,7 @@
 {
 "id": "920275",
 "name": "Invalid character in request headers (outside of very strict set)",
- "pattern": "^(?:?[01])?$",
+ "pattern": "^(?:\\?[01])?$",
 "targets": [
 "headers"
 ],
@@ -696,7 +696,7 @@
 {
 "id": "920460",
 "name": "Abnormal character escapes in request",
- "pattern": "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]",
+ "pattern": "(?:^|[^\\x5c])\\x5c[cdeghijklmpqwxyz123456789]",
 "targets": [
 "all"
 ],
@@ -728,7 +728,7 @@
 {
 "id": "921110",
 "name": "HTTP Request Smuggling Attack",
- "pattern": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d",
+ "pattern": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d",
 "targets": [
 "body",
 "query"
@@ -749,7 +749,7 @@
 {
 "id": "921120",
 "name": "HTTP Response Splitting Attack",
- "pattern": "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w",
+ "pattern": "[\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w",
 "targets": [
 "all"
 ],
@@ -769,7 +769,7 @@
 {
 "id": "921130",
 "name": "HTTP Response Splitting Attack",
- "pattern": "(?:bhttp/d|<(?:html|meta)b)",
+ "pattern": "(?:\\bhttp/\\d|<(?:html|meta)\\b)",
 "targets": [
 "all"
 ],
@@ -789,7 +789,7 @@
 {
 "id": "921140",
 "name": "HTTP Header Injection Attack via headers",
- "pattern": "[nr]",
+ "pattern": "[\\n\\r]",
 "targets": [
 "headers"
 ],
@@ -809,7 +809,7 @@
 {
 "id": "921150",
 "name": "HTTP Header Injection Attack via payload (CR/LF detected)",
- "pattern": "[nr]",
+ "pattern": "[\\n\\r]",
 "targets": [
 "query"
 ],
@@ -829,7 +829,7 @@
 {
 "id": "921160",
 "name": "HTTP Header Injection Attack via payload (CR/LF and header-name detected)",
- "pattern": "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:",
+ "pattern": "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:",
 "targets": [
 "query"
 ],
@@ -849,7 +849,7 @@
 {
 "id": "921190",
 "name": "HTTP Splitting (CR/LF in request filename detected)",
- "pattern": "[nr]",
+ "pattern": "[\\n\\r]",
 "targets": [
 "uri"
 ],
@@ -869,7 +869,7 @@
 {
 "id": "921200",
 "name": "LDAP Injection Attack",
- "pattern": "^[^!&():<>|~]*)[sx0b]*(?:((?:[^!&(),<->|~]+[<>~]?=|[sx0b]*[!&|][sx0b]*[()]?[sx0b]*)|)[sx0b]*([sx0b]*[!&|][sx0b]*|[!&|][sx0b]*([^!&(),<->|~]+[<>~]?=[^!&():<>|~]*)",
+ "pattern": "^[^!&\\(\\):<>\\|~]*\\)[\\s\\x0b]*(?:\\((?:[^!&\\(\\),<->\\|~]+[<>~]?=|[\\s\\x0b]*[!&\\|][\\s\\x0b]*[\\(\\)]?[\\s\\x0b]*)|\\)[\\s\\x0b]*\\([\\s\\x0b]*[!&\\|][\\s\\x0b]*|[!&\\|][\\s\\x0b]*\\([^!&\\(\\),<->\\|~]+[<>~]?=[^!&\\(\\):<>\\|~]*)",
 "targets": [
 "all"
 ],
@@ -888,7 +888,7 @@
 {
 "id": "921421",
 "name": "Content-Type header: Dangerous content type outside the mime type declaration",
- "pattern": "^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)",
+ "pattern": "^[^\\s\\x0b,;]+[\\s\\x0b,;].*?(?:application/(?:.+\\+)?json|(?:application/(?:soap\\+)?|text/)xml)",
 "targets": [
 "headers"
 ],
@@ -908,7 +908,7 @@
 {
 "id": "921240",
 "name": "mod_proxy attack attempt detected",
- "pattern": "unix:[^|]*|",
+ "pattern": "unix:[^|]*\\|",
 "targets": [
 "uri"
 ],
@@ -928,7 +928,7 @@
 {
 "id": "921151",
 "name": "HTTP Header Injection Attack via payload (CR/LF detected)",
- "pattern": "[nr]",
+ "pattern": "[\\n\\r]",
 "targets": [
 "query"
 ],
@@ -948,7 +948,7 @@
 {
 "id": "921422",
 "name": "Content-Type header: Dangerous content type outside the mime type declaration",
- "pattern": "^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b",
+ "pattern": "^[^\\s\\x0b,;]+[\\s\\x0b,;].*?\\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\\+/]))\\b",
 "targets": [
 "headers"
 ],
@@ -968,7 +968,7 @@
 {
 "id": "921210",
 "name": "HTTP Parameter Pollution after detecting bogus char after parameter array",
- "pattern": "(][^]]+$|][^]]+[)",
+ "pattern": "(][^\\]]+$|][^\\]]+\\[)",
 "targets": [
 "query"
 ],
@@ -988,7 +988,7 @@
 {
 "id": "921220",
 "name": "HTTP Parameter Pollution possible via array notation",
- "pattern": "[",
+ "pattern": "\\[",
 "targets": [
 "query"
 ],
@@ -1020,7 +1020,7 @@ { "id": "922110", "name": "Illegal MIME Multipart Header content-type: charset parameter", - "pattern": "^(?:(?:*|[^!", + "pattern": "^(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\x0b]*,[\\s\\x0b]*(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*$", "targets": [ "all" ], @@ -1062,7 +1062,7 @@ { "id": "922130", "name": "Multipart header contains characters outside of valid range", - "pattern": "[^x21-x7E][x21-x39x3B-x7E]*:", + "pattern": "[^\\x21-\\x7E][\\x21-\\x39\\x3B-\\x7E]*:", "targets": [ "all" ], 
@@ -1094,7 +1094,7 @@ { "id": "930100", "name": "Path Traversal Attack (/../) or (/.../)", - "pattern": "(?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[01]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))", + "pattern": "(?i)(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\.(?:%0[01]|\\?)?|\\?\\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\\.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))", "targets": [ "all" ], @@ -1114,7 +1114,7 @@ { "id": "930110", "name": "Path Traversal Attack (/../) or (/.../)", - "pattern": "(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}[x5c/;])", + "pattern": "(?:(?:^|[\\x5c/;])\\.{2,3}[\\x5c/;]|[\\x5c/;]\\.{2,3}[\\x5c/;])", "targets": [ "all" ], @@ -1146,7 +1146,7 @@ { "id": "931100", "name": "Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address", - "pattern": "(?i)^(file|ftps?|https?|ssh)://(?:[?[a-f0-9]+:[a-f0-9:]+]?|d{1,3}.d{1,3}.d{1,3}.d{1,3})", + "pattern": "(?i)^(file|ftps?|https?|ssh)://(?:\\[?[a-f0-9]+:[a-f0-9:]+\\]?|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})", "targets": [ "body", "query" 
@@ -1167,7 +1167,7 @@
 {
 "id": "931110",
 "name": "Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload",
- "pattern": "(?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://",
+ "pattern": "(?i)(?:\\binclude\\s*\\([^)]*|mosConfig_absolute_path|_CONF\\[path\\]|_SERVER\\[DOCUMENT_ROOT\\]|GALLERY_BASEDIR|path\\[docroot\\]|appserv_root|config\\[root_dir\\])=(?:file|ftps?|https?)://",
 "targets": [
 "body",
 "query"
@@ -1188,7 +1188,7 @@
 {
 "id": "931120",
 "name": "Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)",
- "pattern": "^(?i:file|ftps?|https?).*??+$",
+ "pattern": "^(?i:file|ftps?|https?).*?\\?$",
 "targets": [
 "query"
 ],
@@ -1208,7 +1208,7 @@ { "id": "931130", "name": "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link", - "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://?(?:[^@]+@)?([^/]*)", + "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://?(?:[^@]+@)?([^/]*)", "targets": [ "query" ], 
@@ -1228,7 +1228,7 @@ { "id": "931131", "name": "Possible Remote File Inclusion (RFI) Attack", - "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)", + "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)", "targets": [ "uri" ], 
@@ -1260,7 +1260,7 @@ { "id": "932230", "name": "Remote Command Execution: Unix Command Injection (2-3 chars)", - "pattern": "(?i)(?:b[", + "pattern": "(?i)(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-
0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[arx][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\
\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[89][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?9|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?f|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|q[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|f[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:g|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|q)|[kz][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&
&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|(?:k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?g|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z)|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?h|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:3[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|c)|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||
&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|z)|y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:4[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?))[\\s\\x0b&\\),<>\\|].*|a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?-[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*)|g[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|[hr][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\|
|&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?g)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*))\\b", "targets": [ "all" ], 
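Review bot: In the 932230 pattern the prefix alternative reads `\\$(?:\\(\\(?:[\\[\\{])`, i.e. a dollar sign, `(`, an optional `(`, then a literal `:` followed by `[` or `{`, which looks like an alternation bar that became a colon rather than an intended token. If the upstream expression has `\\(\\(?|[\\[\\{]` at this position, the shipped rule no longer covers the substitution prefixes that alternative exists for while still compiling cleanly, so a compile-only check in the update script would not catch it. It is worth comparing this entry byte-for-byte with the v4.24.0 source and, if they differ, fixing the extraction step rather than hand-editing the JSON. The 932235 hunk that follows is cut off before the corresponding position, so it could not be checked here.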
@@ -1280,7 +1280,7 @@ { "id": "932235", "name": "Remote Command Execution: Unix Command Injection (command without evasion)", - "pattern": "(?i)(?:b[", + "pattern": "(?i)(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\
\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\\s\\x0b&\\),<>\\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)[\\s\\x0b&\\),<>\\|]|nsible|p(?:parmor_[^\\s\\x0b]{1,10}\\b|t(?:-get|itude[\\s\\x0b&\\),<>\\|]))|r(?:ch[\\s\\x0b&\\),<>\\|]|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell)|u(?:ditctl|repot|se
arch))|b(?:a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|])|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more))|c(?:[89]9-gcc|a(?:ncel|psh)[\\s\\x0b&\\),<>\\|]|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|p(?:(?:an|io)[\\s\\x0b&\\),<>\\|]|ulimit)|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab))|s(?:cli[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:psfilter|rl[\\s\\x0b&\\),<>\\|]))|d(?:(?:ash|i(?:alog|ff)|vips)[\\s\\x0b&\\),<>\\|]|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)[\\s\\x0b&\\),<>\\|]|n(?:d(?:if|sw)[\\s\\x0b&\\),<>\\|]|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))[\\s\\x0b&\\),<>\\|]|iftool))|f(?:acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|(?:etch|grep|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:le(?:[\\s\\x0b&\\),<>\\|]|test)|(?:n(?:d|ger)|sh)[\\s\\x0b&\\),<>\\|])|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|]|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|e(?:ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:cat|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|
t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:conv|nstall)[\\s\\x0b&\\),<>\\|]|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:in[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|]|sshell)|l(?:a(?:st(?:comm[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:cate|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|usb)[\\s\\x0b&\\),<>\\|]|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx[\\s\\x0b&\\),<>\\|]|z(?:4c(?:[\\s\\x0b&\\),<>\\|]|at)|c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore)))|m(?:(?:a(?:il[qx]?|ke|wk)|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:squitto|unt[\\s\\x0b&\\),<>\\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff)[\\s\\x0b&\\),<>\\|]|c(?:\\.(?:openbsd|traditional)|at[\\s\\x0b&\\),<>\\|])|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:ctave[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:cman|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|te[\\s\\x0b&\\),<>\\|]))|d(?:b(?:2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))[\\s\\x0b&\\),<>\\|]|hp(?:-cgi|[57][\\s\\x0b&\\),<>\\|])|i(?:(?:co|gz|ng6?)[\\s\\x0b&\\),<>\\|]|dstat)|k(?:exec|g_?info|ill[\\s\\x0b&\\),<>\\|])|rint(?:env|f[\\s\\x0b&\\),<>\\|])|s(?:(?:ed|ql)[\\s\\x0b&\\),<>\\|]|ftp)|tar(?:[\\s\\x0b&\\),<>\\|]|diff|grep)|y(?:3?versions|thon(?:[23]|[^\\s\\x0b]{1,10}\\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:a(?:delf|lpath
)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|stic)|l(?:ogin|wrap)|m(?:dir[\\s\\x0b&\\),<>\\|]|t-(?:dump|tar)|user)|pm(?:db[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:arch|cap|env|facl[\\s\\x0b&\\),<>\\|]|sid))|h(?:\\.distrib|u(?:f|tdown)[\\s\\x0b&\\),<>\\|])|mbclient|o(?:(?:ca|r)t[\\s\\x0b&\\),<>\\|]|elim)|qlite3|sh(?:-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|udo(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:ilf?[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:dump|ing|traceroute))|elnet|(?:ftp|mux|ouch)[\\s\\x0b&\\),<>\\|]|ime(?:datectl|out[\\s\\x0b&\\),<>\\|])|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:limit[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|p(?:2date[\\s\\x0b&\\),<>\\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)[\\s\\x0b&\\),<>\\|]|mdiff|sudo(?:-rs)?)|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:all|get)[\\s\\x0b&\\),<>\\|]|h(?:iptail[\\s\\x0b&\\),<>\\|]|o(?:ami|is[\\s\\x0b&\\),<>\\|]))|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:args|pad|term)[\\s\\x0b&\\),<>\\|]|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|])|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re[\\s\\x0b&\\),
<>\\|])|s(?:oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|ypper))", "targets": [ "all" ], 
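Review bot: The prefix alternation in the new 932235 pattern contains `\\$(?:\\(\\(?:[\\[\\{])`, which as written requires a literal `:` between the `$(`/`$((` opener and the bracket, so this branch no longer matches a `$(`, `$((`, `$[` or `${` opener on its own and the rule loses that coverage. It reads as if `\\(?|` (optional paren, then alternation) was rewritten to `\\(?:` during extraction, possibly by a substitution aimed at the `(?|` branch-reset syntax; I would expect `\\$(?:\\(\\(?|[\\[\\{])`, but confirm that against the upstream v4.24.0 rule text. The same fragment appears in the 932250 and 932260 hunks. Because the regex still compiles, a load-time check will not catch this; a step in update-feed.sh that replays known-positive samples for each rule id would. The rule object continues past the end of this hunk, so its remaining fields are not reviewed here.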
@@ -1300,7 +1300,7 @@ { "id": "932125", "name": "Remote Command Execution: Windows Powershell Alias Command Injection", - "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:.*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*(?:(?:a[\"\\^]*(?:c|s[\"\\^]*n[\"\\^]*p)|e[\"\\^]*(?:b[\"\\^]*p|p[\"\\^]*(?:a[\"\\^]*l|c[\"\\^]*s[\"\\^]*v|s[\"\\^]*n)|[tx][\"\\^]*s[\"\\^]*n)|f[\"\\^]*(?:[cltw]|o[\"\\^]*r[\"\\^]*e[\"\\^]*a[\"\\^]*c[\"\\^]*h)|i[\"\\^]*(?:[cr][\"\\^]*m|e[\"\\^]*x|h[\"\\^]*y|i|p[\"\\^]*(?:a[\"\\^]*l|c[\"\\^]*s[\"\\^]*v|m[\"\\^]*o|s[\"\\^]*n)|s[\"\\^]*e|w[\"\\^]*(?:m[\"\\^]*i|r))|m[\"\\^]*(?:[dpv]|o[\"\\^]*u[\"\\^]*n[\"\\^]*t)|o[\"\\^]*g[\"\\^]*v|p[\"\\^]*(?:o[\"\\^]*p|u[\"\\^]*s[\"\\^]*h)[\"\\^]*d|t[\"\\^]*r[\"\\^]*c[\"\\^]*m|w[\"\\^]*j[\"\\^]*b)[\"\\^]*[\\s\\x0b,\\./;<>].*|c[\"\\^]*(?:(?:(?:d|h[\"\\^]*d[\"\\^]*i[\"\\^]*r|v[\"\\^]*p[\"\\^]*a)[\"\\^]*|p[\"\\^]*(?:[ip][\"\\^]*)?)[\\s\\x0b,\\./;<>].*|l[\"\\^]*(?:(?:[cipv]|h[\"\\^]*y)[\"\\^]*[\\s\\x0b,\\./;<>].*|s)|n[\"\\^]*s[\"\\^]*n)|d[\"\\^]*(?:(?:b[\"\\^]*p|e[\"\\^]*l|i[\"\\^]*(?:f[\"\\^]*f|r))[\"\\^]*[\\s\\x0b,\\./;<>].*|n[\"\\^]*s[\"\\^]*n)|g[\"\\^]*(?:(?:(?:(?:a[\"\\^]*)?l|b[\"\\^]*p|d[\"\\^]*r|h[\"\\^]*y|(?:w[\"\\^]*m[\"\\^]*)?i|j[\"\\^]*b|[uv])[\"\\^]*|c[\"\\^]*(?:[ims][\"\\^]*)?|m[\"\\^]*(?:o[\"\\^]*)?|s[\"\\^]*(?:n[\"\\^]*(?:p[\"\\^]*)?|v[\"\\^]*))[\\s\\x0b,\\./;<>].*|e[\"\\^]*r[\"\\^]*r|p[\"\\^]*(?:(?:s[\"\\^]*)?[\\s\\x0b,\\./;<>].*|v))|l[\"\\^]*s|n[\"\\^]*(?:(?:a[\"\\^]*l|d[\"\\^]*r|[iv]|m[\"\\^]*o|s[\"\\^]*n)[\"\\^]*[\\s\\x0b,\\./;<>].*|p[\"\\^]*s[\"\\^]*s[\"\\^]*c)|r[\"\\^]*(?:(?:(?:(?:b[\"\\^]*)?p|e[\"\\^]*n|(?:w[\"\\^]*m[\"\\^]*)?i|j[\"\\^]*b|n[\"\\^]*[ip])[\"\\^]*|d[\"\\^]*(?:r[\"\\^]*)?|m[\"\\^]*(?:(?:d[\"\\^]*i[\"\\^]*r|o)[\"\\^]*)?|s[\"\\^]*n[\"\\^]*(?:p[\"\\^]*)?|v[\"\\^]*(?:p[\"\\^]*a[\"\\^]*)?)[\\s\\x0b,\\./;<>].*|c[\"\\^]*(?:j[\"\\^]*b[\"\\^]*[\\s\\x0b,\\./;
<>].*|s[\"\\^]*n)|u[\"\\^]*j[\"\\^]*b)|s[\"\\^]*(?:(?:(?:a[\"\\^]*(?:j[\"\\^]*b|l|p[\"\\^]*s|s[\"\\^]*v)|b[\"\\^]*p|[cv]|w[\"\\^]*m[\"\\^]*i)[\"\\^]*|l[\"\\^]*(?:s[\"\\^]*)?|p[\"\\^]*(?:(?:j[\"\\^]*b|p[\"\\^]*s|s[\"\\^]*v)[\"\\^]*)?)[\\s\\x0b,\\./;<>].*|h[\"\\^]*c[\"\\^]*m|u[\"\\^]*j[\"\\^]*b))(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b", "targets": [ "all" ], @@ -1320,7 +1320,7 @@ { "id": "932130", "name": "Remote Command Execution: Unix Shell Expression Found", - "pattern": "$(?:((?:[^)]+|([^)]+)))|{[^}]+}|[[^]]*])|[<>]([^)]+)|/[0-9A-Z_a-z]*[[^]]+]", + "pattern": "\\$(?:\\((?:[^\\)]+|\\([^\\)]+\\))\\)|\\{[^\\}]+\\}|\\[[^\\]]*\\])|[<>]\\([^\\)]+\\)|/[0-9A-Z_a-z]*\\[[^\\]]+\\]", "targets": [ "all" ], @@ -1340,7 +1340,7 @@ { "id": "932140", "name": "Remote Command Execution: Windows FOR/IF Command Found", - "pattern": "b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sx0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))", + "pattern": "\\b(?:for(?:/[dflr].*)? %+[^ ]+ in\\(.*\\)[\\s\\x0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\\b|[ \\(].*(?:\\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\\b|==)))", "targets": [ "all" ], @@ -1360,7 +1360,7 @@ { "id": "932270", "name": "Remote Command Execution: Unix Shell Expression Found", - "pattern": "~[+-](?:$|[0-9]+)", + "pattern": "~[\\+\\-](?:$|[0-9]+)", "targets": [ "all" ], @@ -1380,7 +1380,7 @@ { "id": "932280", "name": "Remote Command Execution: Brace Expansion Found", - "pattern": "{[0-9A-Z_a-z]*,[,-0-9A-Z_a-z]*}", + "pattern": "\\{[0-9A-Z_a-z]*,[,\\-0-9A-Z_a-z]*\\}", "targets": [ "all" ], 
@@ -1400,7 +1400,7 @@ { "id": "932250", "name": "Remote Command Execution: Direct Unix Command Execution", - "pattern": "(?i)(?:^|b[", + "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0
-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[arx][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\
|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[89][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?9|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?f|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|q[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|f[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:g|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|q)|[kz][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&
)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|(?:k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?g|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z)|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?h|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:3[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|c)|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&
&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|z)|y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:4[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?))[\\s\\x0b&\\),<>\\|].*|a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?-[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*)|g[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|[hr][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||
&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?g)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*))", "targets": [ "all" ], 
@@ -1420,7 +1420,7 @@ { "id": "932260", "name": "Remote Command Execution: Direct Unix Command Execution", - "pattern": "(?i)(?:^|b[", + "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0
-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:a(?:ddgroup|nsible|pparmor_[^\\s\\x0b]{1,10}\\b|rj(?:-register|disp)|tobm[\\s\\x0b&\\),<>\\|]|u(?:ditctl|repot|search))|b(?:ase(?:32|64|nc)|(?:lkid|rwap|yobu)[\\s\\x0b&\\),<>\\|]|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\
s\\x0b&\\),<>\\|]|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)[\\s\\x0b&\\),<>\\|]|ef-|g(?:passwd|rp[\\s\\x0b&\\),<>\\|])|pass)|lang\\+\\+|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|mm[\\s\\x0b&\\),<>\\|]|proc)|(?:p(?:an|io)|scli)[\\s\\x0b&\\),<>\\|])|d(?:(?:iff|mesg|vips)[\\s\\x0b&\\),<>\\|]|o(?:as[\\s\\x0b&\\),<>\\|]|cker-)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:2fsck|(?:fax|grep|macs|nd(?:if|sw)|sac|xpr)[\\s\\x0b&\\),<>\\|])|f(?:d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|grep[\\s\\x0b&\\),<>\\|]|iletest|ping[\\s\\x0b&\\),6<>\\|]|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|(?:etca|unzi)p|hc(?:-[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:cat|ep)[\\s\\x0b&\\),<>\\|]|oupmod))|(?:htop|jexec)[\\s\\x0b&\\),<>\\|]|i(?:(?:conv|ftop)[\\s\\x0b&\\),<>\\|]|pp(?:eveprinter|find|tool))|l(?:ast(?:comm[\\s\\x0b&\\),<>\\|]|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)[\\s\\x0b&\\),<>\\|]|b_release)|wp-download|z(?:4c(?:[\\s\\x0b&\\),<>\\|]|at)|c(?:at|mp)[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore)))|m(?:a(?:ilq|wk)[\\s\\x0b&\\),<>\\|]|k(?:fifo|nod[\\s\\x0b&\\),<>\\|]|temp)|locate|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)[\\s\\x0b&\\),<>\\|]|c(?:\\.(?:openbsd|traditional)|at[\\s\\x0b&\\),<>\\|])|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg[\\s\\x0b&\\),<>\\|])|p(?:d(?:b(?:2mb|3[\\s\\x0b&\\),\\.<>\\|])|ksh[\\s\\x0b&\\),<>\\|])|(?:er(?:f|l5?)|(?:ft|gre)p|i(?:gz|ng6)|(?:op|ush)d|s(?:ed|ql))[\\s\\x0b&\\),<>\\|]|hp(?:-cgi|[57][\\s\\x0b&\\),<>\\|])|k(?:exec|ill[\\s\\x0b&\\),<>\\|])|rint(?:env|f[\\s\\x0b&\\),<>\\|])|tar(?:[\\s\\x0b&\\),<>\\|]|diff|grep)|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|unc|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:alpath|boot[\\s\\x0b&\\),<>\\|])|m(?:dir[\\s\\x0b&\\),<>\\|]|t-(?:dump|tar)|user)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|]))|s(?:(?:diff|ftp|ls
h|ocat)[\\s\\x0b&\\),<>\\|]|e(?:ndmail[\\s\\x0b&\\),<>\\|]|t(?:cap|env|sid))|h(?:\\.distrib|uf[\\s\\x0b&\\),<>\\|])|sh-(?:a(?:dd|gent)|copy-id)|udo(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ysctl)|t(?:(?:ailf|ftp|imeout|mux)[\\s\\x0b&\\),<>\\|]|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:ing|traceroute))|elnet|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|]))|u(?:n(?:(?:ame|iq|rar|xz)[\\s\\x0b&\\),<>\\|]|lz(?:4[\\s\\x0b&\\),<>\\|]|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)[\\s\\x0b&\\),<>\\|]|sudo(?:-rs)?)|w(?:get[\\s\\x0b&\\),<>\\|]|ho(?:ami|is[\\s\\x0b&\\),<>\\|]))|x(?:(?:args|etex|more|pad|term)[\\s\\x0b&\\),<>\\|]|z(?:c(?:at|mp)[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|std(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less)))", "targets": [ "all" ], 
@@ -1440,7 +1440,7 @@ { "id": "932340", "name": "Remote Command Execution: Direct Unix Command Execution (No Arguments)", - "pattern": "(?i)(?:b[", + "pattern": "(?i)(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!
#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:aptitude|d(?:f|mesg)|env|h(?:ostname|top)|(?:(?:io|vm)sta|reboo)t|l(?:ast|s)|mysql(?:[^\\s\\x0b]{1,10}\\b)?|ps(?:ql)?|s(?:et|hutdown|u)|w(?:ho(?:ami|is)?)?)$", "targets": [ "all" ], 
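Review bot: The new 932340 pattern contains the branch `\\$(?:\\(\\(?:[\\[\\{])`, which as written requires a literal `:` between `$(` or `$((` and the following `[` or `{`. Plain `$(`, `$((`, `$[` and `${` therefore no longer match through this branch. It reads like an alternation, `\\$(?:\\(\\(?|[\\[\\{])`, whose `(?|` was rewritten to `(?:` during extraction; that is inferred from the shape of the regex, so compare it with the CRS v4.24.0 source for this rule before changing it. The same sequence appears in the new patterns for 932231 and 932220 further down. Because the file is generated, the durable fix is in `update-feed.sh`: compile every extracted pattern and run a few known-positive samples per rule, so a rewrite that still compiles but matches less is caught before commit.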
@@ -1460,7 +1460,7 @@ { "id": "932330", "name": "Remote Command Execution: Unix shell history invocation", - "pattern": "!-d", + "pattern": "!-\\d", "targets": [ "all" ], @@ -1480,7 +1480,7 @@ { "id": "932170", "name": "Remote Command Execution: Shellshock (CVE-2014-6271)", - "pattern": "^(s*)s+{", + "pattern": "^\\(\\s*\\)\\s+\\{", "targets": [ "headers", "uri" @@ -1501,7 +1501,7 @@ { "id": "932171", "name": "Remote Command Execution: Shellshock (CVE-2014-6271)", - "pattern": "^(s*)s+{", + "pattern": "^\\(\\s*\\)\\s+\\{", "targets": [ "query" ], @@ -1521,7 +1521,7 @@ { "id": "932175", "name": "Remote Command Execution: Unix shell alias invocation", - "pattern": "ba[", + "pattern": "\\ba[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s\\b[\\s\\x0b]+(?:[\\+\\-][a-z]+\\+?[\\s\\x0b]+)?[!\"%',-\\.0-9@-Z_a-z]+=[^\\s\\x0b]", "targets": [ "all" ], 
@@ -1541,7 +1541,7 @@ { "id": "932370", "name": "Remote Command Execution: Windows Command Injection", - "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:[^\\x5c]*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*(?:a[\"\\^]*(?:c[\"\\^]*c[\"\\^]*c[\"\\^]*h[\"\\^]*e[\"\\^]*c[\"\\^]*k[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*s[\"\\^]*o[\"\\^]*l[\"\\^]*e|d[\"\\^]*(?:p[\"\\^]*l[\"\\^]*u[\"\\^]*s|v[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k)|(?:g[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*e[\"\\^]*x[\"\\^]*e[\"\\^]*c[\"\\^]*u[\"\\^]*t[\"\\^]*o|(?:s[\"\\^]*p[\"\\^]*n[\"\\^]*e[\"\\^]*t[\"\\^]*_[\"\\^]*c[\"\\^]*o[\"\\^]*m[\"\\^]*p[\"\\^]*i[\"\\^]*l|t[\"\\^]*b[\"\\^]*r[\"\\^]*o[\"\\^]*k)[\"\\^]*e)[\"\\^]*r|p[\"\\^]*p[\"\\^]*(?:i[\"\\^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*l[\"\\^]*l[\"\\^]*e[\"\\^]*r|v[\"\\^]*l[\"\\^]*p))|b[\"\\^]*(?:a[\"\\^]*s[\"\\^]*h|g[\"\\^]*i[\"\\^]*n[\"\\^]*f[\"\\^]*o|i[\"\\^]*t[\"\\^]*s[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n)|c[\"\\^]*(?:d[\"\\^]*b|e[\"\\^]*r[\"\\^]*t[\"\\^]*(?:o[\"\\^]*c|r[\"\\^]*e[\"\\^]*q|u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|l[\"\\^]*_[\"\\^]*(?:i[\"\\^]*n[\"\\^]*v[\"\\^]*o[\"\\^]*c[\"\\^]*a[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n|l[\"\\^]*o[\"\\^]*a[\"\\^]*d[\"\\^]*a[\"\\^]*s[\"\\^]*s[\"\\^]*e[\"\\^]*m[\"\\^]*b[\"\\^]*l[\"\\^]*y|m[\"\\^]*u[\"\\^]*t[\"\\^]*e[\"\\^]*x[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*i[\"\\^]*f[\"\\^]*i[\"\\^]*e[\"\\^]*r[\"\\^]*s)|m[\"\\^]*(?:d(?:[\"\\^]*(?:k[\"\\^]*e[\"\\^]*y|l[\"\\^]*3[\"\\^]*2))?|s[\"\\^]*t[\"\\^]*p)|o[\"\\^]*(?:m[\"\\^]*s[\"\\^]*v[\"\\^]*c[\"\\^]*s|n[\"\\^]*(?:f[\"\\^]*i[\"\\^]*g[\"\\^]*s[\"\\^]*e[\"\\^]*c[\"\\^]*u[\"\\^]*r[\"\\^]*i[\"\\^]*t[\"\\^]*y[\"\\^]*p[\"\\^]*o[\"\\^]*l[\"\\^]*i[\"\\^]*c[\"\\^]*y|h[\"\\^]*o[\"\\^]*s[\"\\^]*t|t[\"\\^]*r[\"\\^]*o[\"\\^]*l)|r[\"\\^]*e[\"\\^]*g[\"\\^]*e[\"\\^]*n)|r[\"\\^]*e[\"\\^]*a[\"\\^]*t[\"\\^]*e[\"\\^]*d[\"\\^]*u[\"\\^]*m[\"\\^]*p|s[\"\\^]*(?:c(
?:[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)?|i)|u[\"\\^]*s[\"\\^]*t[\"\\^]*o[\"\\^]*m[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l[\"\\^]*h[\"\\^]*o[\"\\^]*s[\"\\^]*t)|d[\"\\^]*(?:a[\"\\^]*t[\"\\^]*a[\"\\^]*s[\"\\^]*v[\"\\^]*c[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|e[\"\\^]*(?:f[\"\\^]*a[\"\\^]*u[\"\\^]*l[\"\\^]*t[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k|s[\"\\^]*k(?:[\"\\^]*t[\"\\^]*o[\"\\^]*p[\"\\^]*i[\"\\^]*m[\"\\^]*g[\"\\^]*d[\"\\^]*o[\"\\^]*w[\"\\^]*n[\"\\^]*l[\"\\^]*d[\"\\^]*r)?|v[\"\\^]*(?:i[\"\\^]*c[\"\\^]*e[\"\\^]*c[\"\\^]*r[\"\\^]*e[\"\\^]*d[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*i[\"\\^]*a[\"\\^]*l[\"\\^]*d[\"\\^]*e[\"\\^]*p[\"\\^]*l[\"\\^]*o[\"\\^]*y[\"\\^]*m[\"\\^]*e[\"\\^]*n[\"\\^]*t|t[\"\\^]*o[\"\\^]*o[\"\\^]*l[\"\\^]*s[\"\\^]*l[\"\\^]*a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*e[\"\\^]*r))|f[\"\\^]*s[\"\\^]*(?:h[\"\\^]*i[\"\\^]*m|v[\"\\^]*c)|i[\"\\^]*(?:a[\"\\^]*n[\"\\^]*t[\"\\^]*z|s[\"\\^]*k[\"\\^]*s[\"\\^]*h[\"\\^]*a[\"\\^]*d[\"\\^]*o[\"\\^]*w)|n[\"\\^]*(?:s[\"\\^]*c[\"\\^]*m[\"\\^]*d|x)|o[\"\\^]*t[\"\\^]*n[\"\\^]*e[\"\\^]*t|u[\"\\^]*m[\"\\^]*p[\"\\^]*6[\"\\^]*4|x[\"\\^]*c[\"\\^]*a[\"\\^]*p)|e[\"\\^]*(?:s[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*u[\"\\^]*t[\"\\^]*l|v[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*v[\"\\^]*w[\"\\^]*r|x[\"\\^]*(?:c[\"\\^]*e[\"\\^]*l|p[\"\\^]*(?:a[\"\\^]*n[\"\\^]*d|l[\"\\^]*o[\"\\^]*r[\"\\^]*e[\"\\^]*r)|t[\"\\^]*(?:e[\"\\^]*x[\"\\^]*p[\"\\^]*o[\"\\^]*r[\"\\^]*t|r[\"\\^]*a[\"\\^]*c[\"\\^]*3[\"\\^]*2)))|f[\"\\^]*(?:i[\"\\^]*n[\"\\^]*(?:d[\"\\^]*s[\"\\^]*t|g[\"\\^]*e)[\"\\^]*r|l[\"\\^]*t[\"\\^]*m[\"\\^]*c|o[\"\\^]*r[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*s|s[\"\\^]*(?:i(?:[\"\\^]*a[\"\\^]*n[\"\\^]*y[\"\\^]*c[\"\\^]*p[\"\\^]*u)?|u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|t[\"\\^]*p)|g[\"\\^]*(?:f[\"\\^]*x[\"\\^]*d[\"\\^]*o[\"\\^]*w[\"\\^]*n[\"\\^]*l[\"\\^]*o[\"\\^]*a[\"\\^]*d[\"\\^]*w[\"\\^]*r[\"\\^]*a[\"\\^]*p[\"\\^]*p[\"\\^]*e[\"\\^]*r|p[\"\\^]*s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)|h[\"\\^]*h|i[\"\\^]*(?:e[\"\\^]*(?:4[\"\\^]*u[\"\\^]*i[\"\\^]*n[\"\\^]*i
[\"\\^]*t|a[\"\\^]*d[\"\\^]*v[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k|e[\"\\^]*x[\"\\^]*e[\"\\^]*c|f[\"\\^]*r[\"\\^]*a[\"\\^]*m[\"\\^]*e)|l[\"\\^]*a[\"\\^]*s[\"\\^]*m|m[\"\\^]*e[\"\\^]*w[\"\\^]*d[\"\\^]*b[\"\\^]*l[\"\\^]*d|n[\"\\^]*(?:f[\"\\^]*d[\"\\^]*e[\"\\^]*f[\"\\^]*a[\"\\^]*u[\"\\^]*l[\"\\^]*t[\"\\^]*i[\"\\^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*l|s[\"\\^]*t[\"\\^]*a[\"\\^]*l[\"\\^]*l[\"\\^]*u[\"\\^]*t[\"\\^]*i)[\"\\^]*l)|j[\"\\^]*s[\"\\^]*c|l[\"\\^]*(?:a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*-[\"\\^]*v[\"\\^]*s[\"\\^]*d[\"\\^]*e[\"\\^]*v[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l|d[\"\\^]*i[\"\\^]*f[\"\\^]*d[\"\\^]*e)|m[\"\\^]*(?:a[\"\\^]*(?:k[\"\\^]*e[\"\\^]*c[\"\\^]*a[\"\\^]*b|n[\"\\^]*a[\"\\^]*g[\"\\^]*e[\"\\^]*-[\"\\^]*b[\"\\^]*d[\"\\^]*e|v[\"\\^]*i[\"\\^]*n[\"\\^]*j[\"\\^]*e[\"\\^]*c[\"\\^]*t)|f[\"\\^]*t[\"\\^]*r[\"\\^]*a[\"\\^]*c[\"\\^]*e|i[\"\\^]*c[\"\\^]*r[\"\\^]*o[\"\\^]*s[\"\\^]*o[\"\\^]*f[\"\\^]*t|m[\"\\^]*c|p[\"\\^]*c[\"\\^]*m[\"\\^]*d[\"\\^]*r[\"\\^]*u[\"\\^]*n|s[\"\\^]*(?:(?:b[\"\\^]*u[\"\\^]*i[\"\\^]*l|o[\"\\^]*h[\"\\^]*t[\"\\^]*m[\"\\^]*e)[\"\\^]*d|c[\"\\^]*o[\"\\^]*n[\"\\^]*f[\"\\^]*i[\"\\^]*g|d[\"\\^]*(?:e[\"\\^]*p[\"\\^]*l[\"\\^]*o[\"\\^]*y|t)|h[\"\\^]*t[\"\\^]*(?:a|m[\"\\^]*l)|i[\"\\^]*e[\"\\^]*x[\"\\^]*e[\"\\^]*c|p[\"\\^]*u[\"\\^]*b|x[\"\\^]*s[\"\\^]*l))|n[\"\\^]*(?:e[\"\\^]*t[\"\\^]*s[\"\\^]*h|t[\"\\^]*d[\"\\^]*s[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|o[\"\\^]*(?:d[\"\\^]*b[\"\\^]*c[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*f|f[\"\\^]*f[\"\\^]*l[\"\\^]*i[\"\\^]*n[\"\\^]*e[\"\\^]*s[\"\\^]*c[\"\\^]*a[\"\\^]*n[\"\\^]*n[\"\\^]*e[\"\\^]*r[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l|n[\"\\^]*e[\"\\^]*d[\"\\^]*r[\"\\^]*i[\"\\^]*v[\"\\^]*e[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*n[\"\\^]*d[\"\\^]*a[\"\\^]*l[\"\\^]*o[\"\\^]*n[\"\\^]*e[\"\\^]*u[\"\\^]*p[\"\\^]*d[\"\\^]*a[\"\\^]*t[\"\\^]*e[\"\\^]*r|p[\"\\^]*e[\"\\^]*n[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*s[\"\\^]*o[\"\\^]*l[\"\\^]*e)|p[\"\\^]*(?:c[\"\\^]*(?:a[\"\\^]*l[\"\\^]*u[\"\\^]*a|w[\"\\^]*(?:r[\"\\^]*u[\"\\^]
*n|u[\"\\^]*t[\"\\^]*l))|(?:e[\"\\^]*s[\"\\^]*t[\"\\^]*e|s)[\"\\^]*r|(?:k[\"\\^]*t[\"\\^]*m[\"\\^]*o|u[\"\\^]*b[\"\\^]*p[\"\\^]*r)[\"\\^]*n|n[\"\\^]*p[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|o[\"\\^]*w[\"\\^]*e[\"\\^]*r[\"\\^]*p[\"\\^]*n[\"\\^]*t|r[\"\\^]*(?:e[\"\\^]*s[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*a[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n[\"\\^]*h[\"\\^]*o[\"\\^]*s[\"\\^]*t|i[\"\\^]*n[\"\\^]*t(?:[\"\\^]*b[\"\\^]*r[\"\\^]*m)?|o[\"\\^]*(?:c[\"\\^]*d[\"\\^]*u[\"\\^]*m[\"\\^]*p|t[\"\\^]*o[\"\\^]*c[\"\\^]*o[\"\\^]*l[\"\\^]*h[\"\\^]*a[\"\\^]*n[\"\\^]*d[\"\\^]*l[\"\\^]*e[\"\\^]*r)))|r[\"\\^]*(?:a[\"\\^]*s[\"\\^]*a[\"\\^]*u[\"\\^]*t[\"\\^]*o[\"\\^]*u|c[\"\\^]*s[\"\\^]*i|(?:d[\"\\^]*r[\"\\^]*l[\"\\^]*e[\"\\^]*a[\"\\^]*k[\"\\^]*d[\"\\^]*i[\"\\^]*a|p[\"\\^]*c[\"\\^]*p[\"\\^]*i[\"\\^]*n)[\"\\^]*g|e[\"\\^]*(?:g(?:[\"\\^]*(?:a[\"\\^]*s[\"\\^]*m|e[\"\\^]*d[\"\\^]*i[\"\\^]*t|i[\"\\^]*(?:n[\"\\^]*i|s[\"\\^]*t[\"\\^]*e[\"\\^]*r[\"\\^]*-[\"\\^]*c[\"\\^]*i[\"\\^]*m[\"\\^]*p[\"\\^]*r[\"\\^]*o[\"\\^]*v[\"\\^]*i[\"\\^]*d[\"\\^]*e[\"\\^]*r)|s[\"\\^]*v[\"\\^]*(?:c[\"\\^]*s|r[\"\\^]*3[\"\\^]*2)))?|(?:m[\"\\^]*o[\"\\^]*t|p[\"\\^]*l[\"\\^]*a[\"\\^]*c)[\"\\^]*e)|u[\"\\^]*n[\"\\^]*(?:d[\"\\^]*l[\"\\^]*l[\"\\^]*3[\"\\^]*2|(?:e[\"\\^]*x[\"\\^]*e|s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*p[\"\\^]*e[\"\\^]*r|o[\"\\^]*n[\"\\^]*c[\"\\^]*e))|s[\"\\^]*(?:c[\"\\^]*(?:[\\s\\x0b,\\./;<>].*|h[\"\\^]*t[\"\\^]*a[\"\\^]*s[\"\\^]*k[\"\\^]*s|r[\"\\^]*i[\"\\^]*p[\"\\^]*t[\"\\^]*r[\"\\^]*u[\"\\^]*n[\"\\^]*n[\"\\^]*e[\"\\^]*r)|e[\"\\^]*t[\"\\^]*(?:r[\"\\^]*e[\"\\^]*s|t[\"\\^]*i[\"\\^]*n[\"\\^]*g[\"\\^]*s[\"\\^]*y[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*o[\"\\^]*s[\"\\^]*t|u[\"\\^]*p[\"\\^]*a[\"\\^]*p[\"\\^]*i)|h[\"\\^]*(?:d[\"\\^]*o[\"\\^]*c[\"\\^]*v[\"\\^]*w|e[\"\\^]*l[\"\\^]*l[\"\\^]*3[\"\\^]*2)|q[\"\\^]*(?:l[\"\\^]*(?:d[\"\\^]*u[\"\\^]*m[\"\\^]*p[\"\\^]*e[\"\\^]*r|(?:t[\"\\^]*o[\"\\^]*o[\"\\^]*l[\"\\^]*s[\"\\^]*)?p[\"\\^]*s)|u[\"\\^]*i[\"\\^]*r[\"\\^]*r[\"\\^]*e[\"\\^]*l)|s[\"\\^]*
h|t[\"\\^]*o[\"\\^]*r[\"\\^]*d[\"\\^]*i[\"\\^]*a[\"\\^]*g|y[\"\\^]*(?:n[\"\\^]*c[\"\\^]*a[\"\\^]*p[\"\\^]*p[\"\\^]*v[\"\\^]*p[\"\\^]*u[\"\\^]*b[\"\\^]*l[\"\\^]*i[\"\\^]*s[\"\\^]*h[\"\\^]*i[\"\\^]*n[\"\\^]*g[\"\\^]*s[\"\\^]*e[\"\\^]*r[\"\\^]*v[\"\\^]*e[\"\\^]*r|s[\"\\^]*s[\"\\^]*e[\"\\^]*t[\"\\^]*u[\"\\^]*p))|t[\"\\^]*(?:e[\"\\^]*[\\s\\x0b,\\./;<>].*|r[\"\\^]*a[\"\\^]*c[\"\\^]*k[\"\\^]*e[\"\\^]*r|t[\"\\^]*(?:d[\"\\^]*i[\"\\^]*n[\"\\^]*j[\"\\^]*e[\"\\^]*c[\"\\^]*t|t[\"\\^]*r[\"\\^]*a[\"\\^]*c[\"\\^]*e[\"\\^]*r))|u[\"\\^]*(?:n[\"\\^]*r[\"\\^]*e[\"\\^]*g[\"\\^]*m[\"\\^]*p[\"\\^]*2|p[\"\\^]*d[\"\\^]*a[\"\\^]*t[\"\\^]*e|r[\"\\^]*l|t[\"\\^]*i[\"\\^]*l[\"\\^]*i[\"\\^]*t[\"\\^]*y[\"\\^]*f[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n[\"\\^]*s)|v[\"\\^]*(?:b[\"\\^]*c|e[\"\\^]*r[\"\\^]*c[\"\\^]*l[\"\\^]*s[\"\\^]*i[\"\\^]*d|i[\"\\^]*s[\"\\^]*u[\"\\^]*a[\"\\^]*l[\"\\^]*u[\"\\^]*i[\"\\^]*a[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*i[\"\\^]*f[\"\\^]*y[\"\\^]*n[\"\\^]*a[\"\\^]*t[\"\\^]*i[\"\\^]*v[\"\\^]*e|s[\"\\^]*(?:i[\"\\^]*i[\"\\^]*s[\"\\^]*e[\"\\^]*x[\"\\^]*e[\"\\^]*l[\"\\^]*a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h|j[\"\\^]*i[\"\\^]*t[\"\\^]*d[\"\\^]*e[\"\\^]*b[\"\\^]*u[\"\\^]*g[\"\\^]*g)[\"\\^]*e[\"\\^]*r)|w[\"\\^]*(?:a[\"\\^]*b|(?:f|m[\"\\^]*i)[\"\\^]*c|i[\"\\^]*n[\"\\^]*(?:g[\"\\^]*e[\"\\^]*t|r[\"\\^]*m|w[\"\\^]*o[\"\\^]*r[\"\\^]*d)|l[\"\\^]*r[\"\\^]*m[\"\\^]*d[\"\\^]*r|o[\"\\^]*r[\"\\^]*k[\"\\^]*f[\"\\^]*o[\"\\^]*l[\"\\^]*d[\"\\^]*e[\"\\^]*r[\"\\^]*s|s[\"\\^]*(?:(?:c[\"\\^]*r[\"\\^]*i[\"\\^]*p|r[\"\\^]*e[\"\\^]*s[\"\\^]*e)[\"\\^]*t|l)|t[\"\\^]*[\\s\\x0b,\\./;<>].*|u[\"\\^]*a[\"\\^]*u[\"\\^]*c[\"\\^]*l[\"\\^]*t)|x[\"\\^]*w[\"\\^]*i[\"\\^]*z[\"\\^]*a[\"\\^]*r[\"\\^]*d|z[\"\\^]*i[\"\\^]*p[\"\\^]*f[\"\\^]*l[\"\\^]*d[\"\\^]*r)(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b", "targets": [ "all" ], 
@@ -1561,7 +1561,7 @@ { "id": "932380", "name": "Remote Command Execution: Windows Command Injection", - "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:[^\\x5c]*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*(?:a[\"\\^]*(?:s[\"\\^]*s[\"\\^]*o[\"\\^]*c|t[\"\\^]*(?:m[\"\\^]*a[\"\\^]*d[\"\\^]*m|t[\"\\^]*r[\"\\^]*i[\"\\^]*b)|u[\"\\^]*(?:d[\"\\^]*i[\"\\^]*t[\"\\^]*p[\"\\^]*o[\"\\^]*l|t[\"\\^]*o[\"\\^]*(?:c[\"\\^]*(?:h[\"\\^]*k|o[\"\\^]*n[\"\\^]*v)|(?:f[\"\\^]*m|m[\"\\^]*o[\"\\^]*u[\"\\^]*n)[\"\\^]*t)))|b[\"\\^]*(?:c[\"\\^]*d[\"\\^]*(?:b[\"\\^]*o[\"\\^]*o|e[\"\\^]*d[\"\\^]*i)[\"\\^]*t|(?:d[\"\\^]*e[\"\\^]*h[\"\\^]*d|o[\"\\^]*o[\"\\^]*t)[\"\\^]*c[\"\\^]*f[\"\\^]*g|i[\"\\^]*t[\"\\^]*s[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n)|c[\"\\^]*(?:a[\"\\^]*c[\"\\^]*l[\"\\^]*s|e[\"\\^]*r[\"\\^]*t[\"\\^]*(?:r[\"\\^]*e[\"\\^]*q|u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|h[\"\\^]*(?:c[\"\\^]*p|d[\"\\^]*i[\"\\^]*r|g[\"\\^]*(?:l[\"\\^]*o[\"\\^]*g[\"\\^]*o[\"\\^]*n|p[\"\\^]*o[\"\\^]*r[\"\\^]*t|u[\"\\^]*s[\"\\^]*r)|k[\"\\^]*(?:d[\"\\^]*s[\"\\^]*k|n[\"\\^]*t[\"\\^]*f[\"\\^]*s))|l[\"\\^]*e[\"\\^]*a[\"\\^]*n[\"\\^]*m[\"\\^]*g[\"\\^]*r|m[\"\\^]*(?:d(?:[\"\\^]*k[\"\\^]*e[\"\\^]*y)?|s[\"\\^]*t[\"\\^]*p)|s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)|d[\"\\^]*(?:c[\"\\^]*(?:d[\"\\^]*i[\"\\^]*a[\"\\^]*g|g[\"\\^]*p[\"\\^]*o[\"\\^]*f[\"\\^]*i[\"\\^]*x)|e[\"\\^]*(?:f[\"\\^]*r[\"\\^]*a[\"\\^]*g|l)|f[\"\\^]*s[\"\\^]*(?:d[\"\\^]*i[\"\\^]*a|r[\"\\^]*m[\"\\^]*i)[\"\\^]*g|i[\"\\^]*(?:a[\"\\^]*n[\"\\^]*t[\"\\^]*z|r|s[\"\\^]*(?:k[\"\\^]*(?:c[\"\\^]*o[\"\\^]*(?:m[\"\\^]*p|p[\"\\^]*y)|p[\"\\^]*(?:a[\"\\^]*r[\"\\^]*t|e[\"\\^]*r[\"\\^]*f)|r[\"\\^]*a[\"\\^]*i[\"\\^]*d|s[\"\\^]*h[\"\\^]*a[\"\\^]*d[\"\\^]*o[\"\\^]*w)|p[\"\\^]*d[\"\\^]*i[\"\\^]*a[\"\\^]*g))|n[\"\\^]*s[\"\\^]*c[\"\\^]*m[\"\\^]*d|(?:o[\"\\^]*s[\"\\^]*k[\"\\^]*e|r[\"\\^]*i[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*q[\"\\^]*u[\"\
\^]*e[\"\\^]*r)[\"\\^]*y)|e[\"\\^]*(?:n[\"\\^]*d[\"\\^]*l[\"\\^]*o[\"\\^]*c[\"\\^]*a[\"\\^]*l|v[\"\\^]*e[\"\\^]*n[\"\\^]*t[\"\\^]*c[\"\\^]*r[\"\\^]*e[\"\\^]*a[\"\\^]*t[\"\\^]*e)|E[\"\\^]*v[\"\\^]*n[\"\\^]*t[\"\\^]*c[\"\\^]*m[\"\\^]*d|f[\"\\^]*(?:c|i[\"\\^]*(?:l[\"\\^]*e[\"\\^]*s[\"\\^]*y[\"\\^]*s[\"\\^]*t[\"\\^]*e[\"\\^]*m[\"\\^]*s|n[\"\\^]*d[\"\\^]*s[\"\\^]*t[\"\\^]*r)|l[\"\\^]*a[\"\\^]*t[\"\\^]*t[\"\\^]*e[\"\\^]*m[\"\\^]*p|o[\"\\^]*r[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*s|r[\"\\^]*e[\"\\^]*e[\"\\^]*d[\"\\^]*i[\"\\^]*s[\"\\^]*k|s[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|(?:t[\"\\^]*y[\"\\^]*p|v[\"\\^]*e[\"\\^]*u[\"\\^]*p[\"\\^]*d[\"\\^]*a[\"\\^]*t)[\"\\^]*e)|g[\"\\^]*(?:e[\"\\^]*t[\"\\^]*(?:m[\"\\^]*a[\"\\^]*c|t[\"\\^]*y[\"\\^]*p[\"\\^]*e)|o[\"\\^]*t[\"\\^]*o|p[\"\\^]*(?:f[\"\\^]*i[\"\\^]*x[\"\\^]*u[\"\\^]*p|(?:r[\"\\^]*e[\"\\^]*s[\"\\^]*u[\"\\^]*l[\"\\^]*)?t|u[\"\\^]*p[\"\\^]*d[\"\\^]*a[\"\\^]*t[\"\\^]*e)|r[\"\\^]*a[\"\\^]*f[\"\\^]*t[\"\\^]*a[\"\\^]*b[\"\\^]*l)|h[\"\\^]*(?:e[\"\\^]*l[\"\\^]*p[\"\\^]*c[\"\\^]*t[\"\\^]*r|o[\"\\^]*s[\"\\^]*t[\"\\^]*n[\"\\^]*a[\"\\^]*m[\"\\^]*e)|i[\"\\^]*(?:c[\"\\^]*a[\"\\^]*c[\"\\^]*l[\"\\^]*s|p[\"\\^]*(?:c[\"\\^]*o[\"\\^]*n[\"\\^]*f[\"\\^]*i[\"\\^]*g|x[\"\\^]*r[\"\\^]*o[\"\\^]*u[\"\\^]*t[\"\\^]*e)|r[\"\\^]*f[\"\\^]*t[\"\\^]*p)|j[\"\\^]*e[\"\\^]*t[\"\\^]*p[\"\\^]*a[\"\\^]*c[\"\\^]*k|k[\"\\^]*(?:l[\"\\^]*i[\"\\^]*s[\"\\^]*t|s[\"\\^]*e[\"\\^]*t[\"\\^]*u[\"\\^]*p|t[\"\\^]*(?:m[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|p[\"\\^]*a[\"\\^]*s[\"\\^]*s))|l[\"\\^]*(?:o[\"\\^]*(?:d[\"\\^]*c[\"\\^]*t[\"\\^]*r|g[\"\\^]*(?:m[\"\\^]*a[\"\\^]*n|o[\"\\^]*f[\"\\^]*f))|p[\"\\^]*[qr])|m[\"\\^]*(?:a[\"\\^]*(?:c[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e|k[\"\\^]*e[\"\\^]*c[\"\\^]*a[\"\\^]*b|p[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n)|k[\"\\^]*(?:d[\"\\^]*i[\"\\^]*r|l[\"\\^]*i[\"\\^]*n[\"\\^]*k)|m[\"\\^]*c|o[\"\\^]*u[\"\\^]*n[\"\\^]*t[\"\\^]*v[\"\\^]*o[\"\\^]*l|q[\"\\^]*(?:b[\"\\^]*k[\"\\^]*u[\"\\^]*p|(?:t[\"\\^]*g[\"\\^]*)?s[\"\\^]*v[\"\\^]*c)|s[\"\\^]*(?:d[\"\\
^]*t|i[\"\\^]*(?:e[\"\\^]*x[\"\\^]*e[\"\\^]*c|n[\"\\^]*f[\"\\^]*o[\"\\^]*3[\"\\^]*2)|t[\"\\^]*s[\"\\^]*c))|n[\"\\^]*(?:b[\"\\^]*t[\"\\^]*s[\"\\^]*t[\"\\^]*a[\"\\^]*t|e[\"\\^]*t[\"\\^]*(?:c[\"\\^]*f[\"\\^]*g|d[\"\\^]*o[\"\\^]*m|s[\"\\^]*(?:h|t[\"\\^]*a[\"\\^]*t))|f[\"\\^]*s[\"\\^]*(?:a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n|s[\"\\^]*(?:h[\"\\^]*a[\"\\^]*r[\"\\^]*e|t[\"\\^]*a[\"\\^]*t))|l[\"\\^]*(?:b[\"\\^]*m[\"\\^]*g[\"\\^]*r|t[\"\\^]*e[\"\\^]*s[\"\\^]*t)|s[\"\\^]*l[\"\\^]*o[\"\\^]*o[\"\\^]*k[\"\\^]*u[\"\\^]*p|t[\"\\^]*(?:b[\"\\^]*a[\"\\^]*c[\"\\^]*k[\"\\^]*u[\"\\^]*p|c[\"\\^]*m[\"\\^]*d[\"\\^]*p[\"\\^]*r[\"\\^]*o[\"\\^]*m[\"\\^]*p[\"\\^]*t|f[\"\\^]*r[\"\\^]*s[\"\\^]*u[\"\\^]*t[\"\\^]*l))|o[\"\\^]*(?:f[\"\\^]*f[\"\\^]*l[\"\\^]*i[\"\\^]*n[\"\\^]*e|p[\"\\^]*e[\"\\^]*n[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*s)|p[\"\\^]*(?:a[\"\\^]*(?:g[\"\\^]*e[\"\\^]*f[\"\\^]*i[\"\\^]*l[\"\\^]*e[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*f[\"\\^]*i|t[\"\\^]*h[\"\\^]*p[\"\\^]*i[\"\\^]*n)[\"\\^]*g|(?:b[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i|k[\"\\^]*t[\"\\^]*m[\"\\^]*o)[\"\\^]*n|e[\"\\^]*(?:n[\"\\^]*t[\"\\^]*n[\"\\^]*t|r[\"\\^]*f[\"\\^]*m[\"\\^]*o[\"\\^]*n)|n[\"\\^]*p[\"\\^]*u[\"\\^]*(?:n[\"\\^]*a[\"\\^]*t[\"\\^]*t[\"\\^]*e[\"\\^]*n[\"\\^]*d|t[\"\\^]*i[\"\\^]*l)|o[\"\\^]*(?:p[\"\\^]*d|w[\"\\^]*e[\"\\^]*r[\"\\^]*s[\"\\^]*h[\"\\^]*e[\"\\^]*l[\"\\^]*l)|r[\"\\^]*n[\"\\^]*(?:c[\"\\^]*n[\"\\^]*f[\"\\^]*g|(?:d[\"\\^]*r[\"\\^]*v|m[\"\\^]*n[\"\\^]*g)[\"\\^]*r|j[\"\\^]*o[\"\\^]*b[\"\\^]*s|p[\"\\^]*o[\"\\^]*r[\"\\^]*t|q[\"\\^]*c[\"\\^]*t[\"\\^]*l)|u[\"\\^]*(?:b[\"\\^]*p[\"\\^]*r[\"\\^]*n|s[\"\\^]*h[\"\\^]*(?:d|p[\"\\^]*r[\"\\^]*i[\"\\^]*n[\"\\^]*t[\"\\^]*e[\"\\^]*r[\"\\^]*c[\"\\^]*o[\"\\^]*n[\"\\^]*n[\"\\^]*e[\"\\^]*c[\"\\^]*t[\"\\^]*i[\"\\^]*o[\"\\^]*n[\"\\^]*s))|w[\"\\^]*(?:l[\"\\^]*a[\"\\^]*u[\"\\^]*n[\"\\^]*c[\"\\^]*h[\"\\^]*e[\"\\^]*r|s[\"\\^]*h))|q[\"\\^]*(?:a[\"\\^]*p[\"\\^]*p[\"\\^]*s[\"\\^]*r[\"\\^]*v|p[\"\\^]*r[\"\\^]*o[\"\\^]*c[\"\\^]*e[\"\\^]*s[\"\\^]*s|u[\"\\^]*s[\"\\^]*e[\"\\^]*r|w[\"\\^]*i[\"\\
^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a)|r[\"\\^]*(?:d(?:[\"\\^]*p[\"\\^]*s[\"\\^]*i[\"\\^]*g[\"\\^]*n)?|e[\"\\^]*(?:f[\"\\^]*s[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|g(?:[\"\\^]*(?:i[\"\\^]*n[\"\\^]*i|s[\"\\^]*v[\"\\^]*r[\"\\^]*3[\"\\^]*2))?|l[\"\\^]*o[\"\\^]*g|(?:(?:p[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i|s[\"\\^]*c[\"\\^]*a)[\"\\^]*)?n|x[\"\\^]*e[\"\\^]*c)|i[\"\\^]*s[\"\\^]*e[\"\\^]*t[\"\\^]*u[\"\\^]*p|m[\"\\^]*d[\"\\^]*i[\"\\^]*r|o[\"\\^]*b[\"\\^]*o[\"\\^]*c[\"\\^]*o[\"\\^]*p[\"\\^]*y|p[\"\\^]*c[\"\\^]*(?:i[\"\\^]*n[\"\\^]*f[\"\\^]*o|p[\"\\^]*i[\"\\^]*n[\"\\^]*g)|s[\"\\^]*h|u[\"\\^]*n[\"\\^]*d[\"\\^]*l[\"\\^]*l[\"\\^]*3[\"\\^]*2|w[\"\\^]*i[\"\\^]*n[\"\\^]*s[\"\\^]*t[\"\\^]*a)|s[\"\\^]*(?:a[\"\\^]*n|c[\"\\^]*(?:h[\"\\^]*t[\"\\^]*a[\"\\^]*s[\"\\^]*k[\"\\^]*s|w[\"\\^]*c[\"\\^]*m[\"\\^]*d)|e[\"\\^]*(?:c[\"\\^]*e[\"\\^]*d[\"\\^]*i[\"\\^]*t|r[\"\\^]*v[\"\\^]*e[\"\\^]*r[\"\\^]*(?:(?:c[\"\\^]*e[\"\\^]*i[\"\\^]*p|w[\"\\^]*e[\"\\^]*r)[\"\\^]*o[\"\\^]*p[\"\\^]*t[\"\\^]*i[\"\\^]*n|m[\"\\^]*a[\"\\^]*n[\"\\^]*a[\"\\^]*g[\"\\^]*e[\"\\^]*r[\"\\^]*c[\"\\^]*m[\"\\^]*d)|t[\"\\^]*x)|f[\"\\^]*c|(?:h[\"\\^]*o[\"\\^]*w[\"\\^]*m[\"\\^]*o[\"\\^]*u[\"\\^]*n|u[\"\\^]*b[\"\\^]*s)[\"\\^]*t|x[\"\\^]*s[\"\\^]*t[\"\\^]*r[\"\\^]*a[\"\\^]*c[\"\\^]*e|y[\"\\^]*s[\"\\^]*(?:o[\"\\^]*c[\"\\^]*m[\"\\^]*g[\"\\^]*r|t[\"\\^]*e[\"\\^]*m[\"\\^]*i[\"\\^]*n[\"\\^]*f[\"\\^]*o))|t[\"\\^]*(?:a[\"\\^]*(?:k[\"\\^]*e[\"\\^]*o[\"\\^]*w[\"\\^]*n|p[\"\\^]*i[\"\\^]*c[\"\\^]*f[\"\\^]*g|s[\"\\^]*k[\"\\^]*(?:k[\"\\^]*i[\"\\^]*l[\"\\^]*l|l[\"\\^]*i[\"\\^]*s[\"\\^]*t))|(?:c[\"\\^]*m[\"\\^]*s[\"\\^]*e[\"\\^]*t[\"\\^]*u|f[\"\\^]*t)[\"\\^]*p|(?:(?:e[\"\\^]*l[\"\\^]*n[\"\\^]*e|i[\"\\^]*m[\"\\^]*e[\"\\^]*o[\"\\^]*u)[\"\\^]*|r[\"\\^]*a[\"\\^]*c[\"\\^]*e[\"\\^]*r[\"\\^]*(?:p[\"\\^]*)?)t|l[\"\\^]*n[\"\\^]*t[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*n|p[\"\\^]*m[\"\\^]*(?:t[\"\\^]*o[\"\\^]*o[\"\\^]*l|v[\"\\^]*s[\"\\^]*c[\"\\^]*m[\"\\^]*g[\"\\^]*r)|s[\"\\^]*(?:(?:d[\"\\^]*i[\"\\^]*s[\"\\^]*)?c[\"\\^]*o[\"\\^]*n|e[\"\\^]*c[\"\\^]*i[\"\\^]*m[\"\\^]*p|k[\"
\\^]*i[\"\\^]*l[\"\\^]*l|p[\"\\^]*r[\"\\^]*o[\"\\^]*f)|y[\"\\^]*p[\"\\^]*e[\"\\^]*p[\"\\^]*e[\"\\^]*r[\"\\^]*f|z[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l)|u[\"\\^]*n[\"\\^]*(?:e[\"\\^]*x[\"\\^]*p[\"\\^]*o[\"\\^]*s[\"\\^]*e|i[\"\\^]*q[\"\\^]*u[\"\\^]*e[\"\\^]*i[\"\\^]*d|l[\"\\^]*o[\"\\^]*d[\"\\^]*c[\"\\^]*t[\"\\^]*r)|v[\"\\^]*s[\"\\^]*s[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n|w[\"\\^]*(?:a[\"\\^]*i[\"\\^]*t[\"\\^]*f[\"\\^]*o[\"\\^]*r|b[\"\\^]*a[\"\\^]*d[\"\\^]*m[\"\\^]*i[\"\\^]*n|(?:d[\"\\^]*s|e[\"\\^]*(?:c|v[\"\\^]*t))[\"\\^]*u[\"\\^]*t[\"\\^]*i[\"\\^]*l|h[\"\\^]*o[\"\\^]*a[\"\\^]*m[\"\\^]*i|i[\"\\^]*n[\"\\^]*(?:n[\"\\^]*t(?:[\"\\^]*3[\"\\^]*2)?|r[\"\\^]*s)|m[\"\\^]*i[\"\\^]*c|s[\"\\^]*c[\"\\^]*r[\"\\^]*i[\"\\^]*p[\"\\^]*t)|x[\"\\^]*c[\"\\^]*o[\"\\^]*p[\"\\^]*y)(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b", "targets": [ "all" ], @@ -1581,7 +1581,7 @@ { "id": "932371", "name": "Remote Command Execution: Windows Command Injection", - "pattern": "(?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b", + "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:[^\\x5c]*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*a[\"\\^]*t[\"\\^]*[\\s\\x0b,\\./;<>].*(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b", "targets": [ "all" ], 
@@ -1601,7 +1601,7 @@ { "id": "932231", "name": "Remote Command Execution: Unix Command Injection", - "pattern": "(?:b[", + "pattern": "(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x
5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*\\.[\\s\\x0b].*\\b", "targets": [ "all" ], 
@@ -1621,7 +1621,7 @@ { "id": "932131", "name": "Remote Command Execution: Unix Shell Expression Found", - "pattern": "$(?:((?:[^)]+|([^)]+)))|{[^}]+}|[[^]]*])|[<>]([^)]+)|/[0-9A-Z_a-z]*[[^]]+]", + "pattern": "\\$(?:\\((?:[^\\)]+|\\([^\\)]+\\))\\)|\\{[^\\}]+\\}|\\[[^\\]]*\\])|[<>]\\([^\\)]+\\)|/[0-9A-Z_a-z]*\\[[^\\]]+\\]", "targets": [ "headers" ], @@ -1641,7 +1641,7 @@ { "id": "932200", "name": "RCE Bypass Technique", - "pattern": "['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]", + "pattern": "['\\*\\?\\x5c`][^\\n/]+/|/[^/]+?['\\*\\?\\x5c`]|\\$[!#\\$\\(\\*\\-0-9\\?-\\[_a-\\{]", "targets": [ "all" ], @@ -1681,7 +1681,7 @@ { "id": "932206", "name": "RCE Bypass Technique", - "pattern": "^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{])", + "pattern": "^[^\\.]*?(?:['\\*\\?\\x5c`][^\\n/]+/|/[^/]+?['\\*\\?\\x5c`]|\\$[!#\\$\\(\\*\\-0-9\\?-\\[_a-\\{])", "targets": [ "headers" ], 
@@ -1721,7 +1721,7 @@ { "id": "932220", "name": "Remote Command Execution: Unix Command Injection with pipe", - "pattern": "(?i).|(?:[sx0b]*|b[", + "pattern": "(?i).\\|(?:[\\s\\x0b]*|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s
\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[arx][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:G[\"
'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?E[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?T|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[89][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?9|[au][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|c|(?:m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[dfu]|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[gr])|f[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[cgi]|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[dp]|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b)|j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|q)|k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?
@_a-\\{]*)?\\x5c?h|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|v)|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[cl]|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?m)|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[cr]|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[ex]|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:3[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|c)|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|z)|y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\
\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h))[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:[bdx]|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|q[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:[nps]|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:4[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[dv]|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*
)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[dt]|[ghu]|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?))[\\s\\x0b&\\),<>\\|].*|a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?-[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:(?:b|(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?t|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[ks])[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[jp][\"'\\)\\[\\x5c]*(?:(?:(
?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)[\\s\\x0b&\\),<>\\|].*)|g[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|[hr][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|o|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?g)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*)|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:(?:[at][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|f|(?:k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?g|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{
]*)?\\x5c?|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)[\\s\\x0b&\\),<>\\|].*|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10}))))",
 "targets": [
 "all"
 ],
@@ -1741,7 +1741,7 @@
 {
 "id": "932240",
 "name": "Remote Command Execution: Unix Command Injection evasion attempt detected",
- "pattern": "(?i)[-0-9_a-z]+(?:[sx0b]*[",
+ "pattern": "(?i)[\\-0-9_a-z]+(?:[\\s\\x0b]*[\"'][^\\s\\x0b\"',:]+[\"']|(?:[\"'][\"']+|[\\[-\\]]+|\\$+[!#\\*\\-0-9\\?@\\x5c_a-\\{]+|``|[\\$<>]\\(\\))[\\s\\x0b]*)[\\-0-9_a-z]+",
 "targets": [
 "all"
 ],
@@ -1761,7 +1761,7 @@
 {
 "id": "932281",
 "name": "Remote Command Execution: Brace Expansion Found",
- "pattern": "{[^sx0b,:}]*,[^sx0b]*}",
+ "pattern": "\\{[^\\s\\x0b,:\\}]*,[^\\s\\x0b]*\\}",
 "targets": [
 "all"
 ],
@@ -1781,7 +1781,7 @@
 {
 "id": "932210",
 "name": "Remote Command Execution: SQLite System Command Execution",
- "pattern": ";[sx0b]*.[sx0b]*[",
+ "pattern": ";[\\s\\x0b]*\\.[\\s\\x0b]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)",
 "targets": [
 "all"
 ],
@@ -1821,7 +1821,7 @@
 {
 "id": "932300",
 "name": "Remote Command Execution: SMTP Command Execution",
- "pattern": "(?i)rn.*?b(?:E(?:HLO[sx0b][-.a-z]{1,255}|XPN[sx0b].{1,64})|HELO[sx0b][-.a-z]{1,255}|MAIL[sx0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[sx0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SETb)|VRFY[sx0b].{1,64}(?:[sx0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[sx0b][-0-9_a-z]{1,20}[sx0b](?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=|STARTTLSb|NOOPb(?:[sx0b].{1,255})?)",
+ "pattern": "(?i)\\r\\n.*?\\b(?:E(?:HLO[\\s\\x0b][\\-\\.a-z]{1,255}|XPN[\\s\\x0b].{1,64})|HELO[\\s\\x0b][\\-\\.a-z]{1,255}|MAIL[\\s\\x0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[\\s\\x0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\\b)|VRFY[\\s\\x0b].{1,64}(?:[\\s\\x0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[\\s\\x0b][\\-0-9_a-z]{1,20}[\\s\\x0b](?:(?:[\\+/-9A-Z_a-z]{4})*(?:[\\+/-9A-Z_a-z]{2}=|[\\+/-9A-Z_a-z]{3}))?=|STARTTLS\\b|NOOP\\b(?:[\\s\\x0b].{1,255})?)",
 "targets": [
 "all"
 ],
@@ -1841,7 +1841,7 @@
 {
 "id": "932310",
 "name": "Remote Command Execution: IMAP Command Execution",
- "pattern": "(?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[",
+ "pattern": "(?is)\\r\\n[0-9A-Z_a-z]{1,50}\\b (?:A(?:PPEND (?:[\"#%&\\*\\--9A-Z\\x5c_a-z]+)?(?: \\([ \\x5ca-z]+\\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\\+\\-][0-9]{4}\"?)? \\{[0-9]{1,20}\\+?\\}|UTHENTICATE [\\-0-9_a-z]{1,20}\\r\\n)|L(?:SUB (?:[\"#\\*\\.-9A-Z_a-z~]+)? (?:[\"%&\\*\\.-9A-Z\\x5c_a-z]+)?|ISTRIGHTS (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)?)|S(?:TATUS (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)? \\((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\\)|ETACL (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)? [\\+\\-][ac-eiklpr-twx]+?)|UID (?:COPY|FETCH|STORE) (?:[\\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)?)",
 "targets": [
 "all"
 ],
@@ -1861,7 +1861,7 @@
 {
 "id": "932320",
 "name": "Remote Command Execution: POP3 Command Execution",
- "pattern": "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))",
+ "pattern": "(?is)\\r\\n.*?\\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\\-0-9_a-z]{1,20} (?:(?:[\\+/-9A-Z_a-z]{4})*(?:[\\+/-9A-Z_a-z]{2}=|[\\+/-9A-Z_a-z]{3}))?=))",
 "targets": [
 "all"
 ],
@@ -1881,7 +1881,7 @@ { "id": "932236", "name": "Remote Command Execution: Unix Command Injection (command without evasion)", - "pattern": "(?i)(?:^|b[", + "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]
*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\\s\\x0b&\\),<>\\|]|a(?:a-[^\\s\\x0b]{1,10}\\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)[\\s\\x0b&\\),<>\\|]|p(?:t(?:[\\s\\x0b&\\),<>\\|]|-get)|parmor_[^\\s\\x0b]{1,10}\\b)|r(?:(?:p|ch)?[\\s\\x0b&\\),<>\\|]|j(?:[\\s\\x0b&\\),<>\\|]|-register|dis
p)|ia2c)|s(?:h[\\s\\x0b&\\),<>\\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|]))|c(?:[89]9(?:[\\s\\x0b&\\),<>\\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\\s\\x0b&\\),<>\\|]|p(?:(?:an|io)?[\\s\\x0b&\\),<>\\|]|ulimit)|s(?:(?:h|cli)[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:(?:t|rl)[\\s\\x0b&\\),<>\\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\\s\\x0b&\\),<>\\|]|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\\s\\x0b&\\),<>\\|]|n(?:v(?:[\\s\\x0b&\\),<>\\|]|-update)|d(?:if|sw)[\\s\\x0b&\\),<>\\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\\s\\x0b&\\),<>\\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:(?:n(?:d|ger)|sh)?[\\s\\x0b&\\),<>\\|]|le(?:[\\s\\x0b&\\),<>\\|]|test))|tp(?:[\\s\\x0b&\\),<>\\|]|stats|who)|acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|])|g(?:c(?:c[^\\s\\x0b]{1,10}\\b|ore[\\s\\x0b&\\),<>\\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\\
s\\x0b&\\),<>\\|]|e(?:m[\\s\\x0b&\\),<>\\|]|ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-?[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:c(?:at)?|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:(?:bs|in)[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:s(?:h[\\s\\x0b&\\),<>\\|]|shell)|ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|])|l(?:d(?:d?[\\s\\x0b&\\),<>\\|]|config)|(?:[np]|inks|ynx)[\\s\\x0b&\\),<>\\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\\s\\x0b&\\),<>\\|]|b_release)|ua(?:[\\s\\x0b&\\),<>\\|]|(?:la)?tex)|z(?:4(?:[\\s\\x0b&\\),<>\\|]|c(?:[\\s\\x0b&\\),<>\\|]|at))|(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|ess(?:[\\s\\x0b&\\),<>\\|]|echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:ca(?:l|te)|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:squitto|unt[\\s\\x0b&\\),<>\\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\\s\\x0b&\\),<>\\|]|\\.(?:openbsd|traditional))|e(?:t(?:[\\s\\x0b&\\),<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\\s\\x0b&\\),<>\\|]|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:(?:d|ctave)[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:x|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|t
e[\\s\\x0b&\\),<>\\|]))|d(?:b(?:[\\s\\x0b&\\),<>\\|]|2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\\s\\x0b&\\),<>\\|]|hp(?:[57]?[\\s\\x0b&\\),<>\\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|[^\\s\\x0b]{1,10}\\b)|dstat)|k(?:g(?:[\\s\\x0b&\\),<>\\|]|_?info)|exec|ill[\\s\\x0b&\\),<>\\|])|r(?:y?[\\s\\x0b&\\),<>\\|]|int(?:env|f[\\s\\x0b&\\),<>\\|]))|t(?:x[\\s\\x0b&\\),<>\\|]|ar(?:[\\s\\x0b&\\),<>\\|]|diff|grep))|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|s(?:(?:ed|ql)[\\s\\x0b&\\),<>\\|]|ftp)|y(?:3?versions|thon(?:[23]|[^\\s\\x0b]{1,10}\\b)))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\x0b&\\),<>\\|]|t(?:[\\s\\x0b&\\),<>\\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|(?:ft|na)p|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:d|ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:(?:facl)?[\\s\\x0b&\\),<>\\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\\s\\x0b&\\),<>\\|]|\\.distrib)|s(?:[\\s\\x0b&\\),<>\\|]|h(?:[\\s\\x0b&\\),<>\\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\\s\\x0b&\\),<>\\|]|do(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay))|vn(?:[\\s\\x0b&\\),<>\\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\\s\\x0b&\\),<>\\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\\s\\x0b&\\),<>\\|]|e(?:[ex][\\s\\x0b&\\),<>\\|]|lnet)|i(?:c[\\s\\x0b&\\),<>\\|]|me(?:datectl|out[\\s\\x0b&\\),<>\\|]))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p
(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:l(?:imit)?[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\\s\\x0b&\\),<>\\|]|diff)|(?:[ep]w|gr|rsh)[\\s\\x0b&\\),<>\\|]|sudo(?:-rs)?)|algrind|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:3m|c|a(?:ll|tch)|get)[\\s\\x0b&\\),<>\\|]|h(?:iptail[\\s\\x0b&\\),<>\\|]|o(?:ami|is[\\s\\x0b&\\),<>\\|]))|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:(?:x|pa)d|args|term)[\\s\\x0b&\\),<>\\|]|z(?:(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|]))|z(?:ip(?:[\\s\\x0b&\\),<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\\s\\x0b&\\),<>\\|]|oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|ypper))", "targets": [ "all" ], 
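Review bot: In the new `pattern` for 932236, the prefix branch `\\$(?:\\(\\(?:[\\[\\{])` is a group with a single alternative and no quantifier, so as written it requires a literal `:` between the opening parenthesis and the `[` or `{`, and no longer matches a bare `$(`, `$((`, `$[` or `${` ahead of the command list. This looks like an alternation bar lost during extraction (possibly a `(?|` to `(?:` rewrite that also caught the escaped `\(?|`), so the intended text is presumably `\\$(?:\\(\\(?|[\\[\\{])`; confirm against the CRS v4.24.0 source for this rule. The same sequence appears in the new pattern of the 932239 hunk that follows. The fix belongs in the extraction step of update-feed.sh rather than a hand edit of rulesets.json, and a post-extraction check that each pattern compiles and still matches a known-positive sample per rule would catch this kind of drift.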
@@ -1901,7 +1901,7 @@ { "id": "932239", "name": "Remote Command Execution: Unix Command Injection found in user-agent or referer header", - "pattern": "(?i)(?:^|b[", + "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&
&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\\s\\x0b&\\),<>\\|]|a(?:a-[^\\s\\x0b]{1,10}\\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)[\\s\\x0b&\\),<>\\|]|p(?:t(?:[\\s\\x0b&\\),<>\\|]|-get)|parmor_[^\\s\\x0b]{1,10}\\b)|r(?:(?:p|ch)?[\\s\\x0b&\\),<>\\|]|j(?:[\\s\\x0b&\\),<>\\|]|-
register|disp)|ia2c)|s(?:h[\\s\\x0b&\\),<>\\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|]))|c(?:[89]9(?:[\\s\\x0b&\\),<>\\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\\s\\x0b&\\),<>\\|]|p(?:(?:an|io)?[\\s\\x0b&\\),<>\\|]|ulimit)|s(?:(?:h|cli)[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:t[\\s\\x0b&\\),<>\\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\\s\\x0b&\\),<>\\|]|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\\s\\x0b&\\),<>\\|]|n(?:v(?:[\\s\\x0b&\\),<>\\|]|-update)|d(?:if|sw)[\\s\\x0b&\\),<>\\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\\s\\x0b&\\),<>\\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:(?:n(?:d|ger)|sh)?[\\s\\x0b&\\),<>\\|]|le(?:[\\s\\x0b&\\),<>\\|]|test))|tp(?:[\\s\\x0b&\\),<>\\|]|stats|who)|acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|])|g(?:c(?:c[^\\s\\x0b]{1,10}\\b|ore[\\s\\x0b&\\),<>\\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip
))[\\s\\x0b&\\),<>\\|]|e(?:m[\\s\\x0b&\\),<>\\|]|ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-?[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:c(?:at)?|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:(?:bs|in)[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:s(?:h[\\s\\x0b&\\),<>\\|]|shell)|ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|])|l(?:d(?:d?[\\s\\x0b&\\),<>\\|]|config)|(?:[np]|ynx)[\\s\\x0b&\\),<>\\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\\s\\x0b&\\),<>\\|]|b_release)|ua(?:[\\s\\x0b&\\),<>\\|]|(?:la)?tex)|z(?:4(?:[\\s\\x0b&\\),<>\\|]|c(?:[\\s\\x0b&\\),<>\\|]|at))|(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|ess(?:[\\s\\x0b&\\),<>\\|]|echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:ca(?:l|te)|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:squitto|unt[\\s\\x0b&\\),<>\\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\\s\\x0b&\\),<>\\|]|\\.(?:openbsd|traditional))|e(?:t(?:[\\s\\x0b&\\),<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\\s\\x0b&\\),<>\\|]|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:(?:d|ctave)[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:x|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|t
e[\\s\\x0b&\\),<>\\|]))|d(?:b(?:[\\s\\x0b&\\),<>\\|]|2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\\s\\x0b&\\),<>\\|]|hp(?:[57]?[\\s\\x0b&\\),<>\\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|[^\\s\\x0b]{1,10}\\b)|dstat)|k(?:g(?:[\\s\\x0b&\\),<>\\|]|_?info)|exec|ill[\\s\\x0b&\\),<>\\|])|r(?:y?[\\s\\x0b&\\),<>\\|]|int(?:env|f[\\s\\x0b&\\),<>\\|]))|t(?:x[\\s\\x0b&\\),<>\\|]|ar(?:[\\s\\x0b&\\),<>\\|]|diff|grep))|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|s(?:(?:ed|ql)[\\s\\x0b&\\),<>\\|]|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\x0b&\\),<>\\|]|t(?:[\\s\\x0b&\\),<>\\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:d|ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:(?:facl)?[\\s\\x0b&\\),<>\\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\\s\\x0b&\\),<>\\|]|\\.distrib)|s(?:[\\s\\x0b&\\),<>\\|]|h(?:[\\s\\x0b&\\),<>\\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\\s\\x0b&\\),<>\\|]|do(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay))|vn(?:[\\s\\x0b&\\),<>\\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\\s\\x0b&\\),<>\\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\\s\\x0b&\\),<>\\|]|e(?:[ex][\\s\\x0b&\\),<>\\|]|lnet)|i(?:c[\\s\\x0b&\\),<>\\|]|me(?:datectl|out[\\s\\x0b&\\),<>\\|]))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:dump|ing|traceroute))|r(?:a(?
:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:l(?:imit)?[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\\s\\x0b&\\),<>\\|]|diff)|(?:[ep]w|gr|rsh)[\\s\\x0b&\\),<>\\|]|sudo(?:-rs)?)|algrind|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:c|a(?:ll|tch))[\\s\\x0b&\\),<>\\|]|h(?:iptail[\\s\\x0b&\\),<>\\|]|o(?:ami|is[\\s\\x0b&\\),<>\\|]))|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:(?:x|pa)d|args|term)[\\s\\x0b&\\),<>\\|]|z(?:(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|]))|z(?:ip(?:[\\s\\x0b&\\),<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\\s\\x0b&\\),<>\\|]|oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|ypper))", "targets": [ "headers" ], 
@@ -1921,7 +1921,7 @@ { "id": "932232", "name": "Remote Command Execution: Unix Command Injection", - "pattern": "(?:b[", + "pattern": "(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x
5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\
(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?2[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s)|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?f|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o|[\\s\\x0b&\\),<>\\|].*))\\b", "targets": [ "all" ], 
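Review bot: The substitution branch in the new 932232 pattern reads `\\$(?:\\(\\(?:[\\[\\{])`, which as written only matches `$(` or `$((` followed by a literal `:` and then `[` or `{`; a bare `$(`, `$[` or `${` prefix does not satisfy it. This looks like an alternation bar that became a colon during extraction rather than an intended rule change, so compare it with the rule file of the CRS release named in the commit and, if that is the case, restore `\\$(?:\\(\\(?|[\\[\\{])`. The same text appears in the new patterns for 932238 and 932350 further down. A step in update-feed.sh that compiles every extracted pattern and runs it against one known-positive sample per rule would catch this kind of silent weakening.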
@@ -1941,7 +1941,7 @@ { "id": "932237", "name": "Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS", - "pattern": "(?i)b(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[sx0b&),<>|]|a(?:a-[^sx0b]{1,10}b|(?:b|t(?:obm)?|w[ks]|l(?:ias|pine)|xel)[sx0b&),<>|]|p(?:t(?:(?:itude)?[sx0b&),<>|]|-get)|parmor_[^sx0b]{1,10}b)|r(?:(?:p|ch)?[sx0b&),<>|]|j(?:[sx0b&),<>|]|-register|disp)|ia2c)|s(?:h?[sx0b&),<>|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[sx0b&),<>|]|diff|e(?:grep|xe[sx0b&),<>|])|f?grep|ip2(?:[sx0b&),<>|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sx0b&),<>|]|c))|h[sx0b&),<>|])|tch[sx0b&),<>|])|lkid[sx0b&),<>|]|pftrace|r(?:eaksw|(?:idge|wap)[sx0b&),<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sx0b&),<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[sx0b&),<>|]))|c(?:[89]9(?:[sx0b&),<>|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[sx0b&),<>|]|p(?:(?:an|io)?[sx0b&),<>|]|ulimit)|s(?:(?:h|cli)[sx0b&),<>|]|plit|vtool)|u(?:t[sx0b&),<>|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[sx0b&),<>|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[sx0b&),-<>|])|(?:flag|pas)s|g(?:passwd|rp[sx0b&),<>|]))|lang(?:++|[sx0b&),<>|])|o(?:bc(?:[sx0b&),<>|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sx0b&),<>|]|proc|w(?:say|think))|r(?:ash[sx0b&),<>|]|on(?:[sx0b&),<>|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[sx0b&),<>|]|nf[sx0b&),<>|]?|hclient|m(?:esg[sx0b&),<>|]|idecode|setup)|o(?:(?:as|ne)[sx0b&),<>|]|cker[sx0b&),-<>|]|sbox)|pkg[sx0b&),-<>|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[sx0b&),<>|]|n(?:v(?:[sx0b&),<>|]|-update)|d(?:if|sw)[sx0b&),<>|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[sx0b&),<>|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[sx0b&),<>|]|i(?:(?:n(?:d|ger)|sh)?[sx0b&),<>|]|le(?:[sx0b&),<>|]|test))|tp(?:[sx0b&),<>|]|stats|who)|acter|d(?:(?:find|isk)[sx0b&),<>|]|u?mount)|o(?:ld[sx0b&),<>|]|reach)|ping[sx0b&),6<>|])|g(?:c(?:c[^sx0b]{1,10}b|ore[sx
0b&),<>|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[sx0b&),<>|]|e(?:m[sx0b&),<>|]|ni(?:e[sx0b&),<>|]|soimage)|t(?:cap|facl[sx0b&),<>|]))|hc(?:-?[sx0b&),<>|]|i[sx0b&),-<>|])|r(?:(?:c(?:at)?|ep)[sx0b&),<>|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[sx0b&),<>|]|e(?:ad[sx0b&),<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[sx0b&),<>|]|passwd))|i(?:(?:d|rb|conv|nstall)[sx0b&),<>|]|p(?:[sx0b&),<>|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[sx0b&),<>|])|onice|spell)|j(?:(?:js|q|ava|exec)[sx0b&),<>|]|o(?:(?:bs|in)[sx0b&),<>|]|urnalctl)|runscript)|k(?:s(?:h[sx0b&),<>|]|shell)|ill(?:[sx0b&),<>|]|all)|nife[sx0b&),<>|])|l(?:d(?:d?[sx0b&),<>|]|config)|(?:[np]|ynx)[sx0b&),<>|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[sx0b&),<>|]|b_release)|ua(?:[sx0b&),<>|]|(?:la)?tex)|z(?:4(?:[sx0b&),<>|]|c(?:[sx0b&),<>|]|at))|(?:c(?:at|mp))?[sx0b&),<>|]|diff|[ef]?grep|less|m(?:a(?:[sx0b&),<>|]|dec|info)|ore))|a(?:st(?:(?:comm)?[sx0b&),<>|]|log(?:in)?)|tex[sx0b&),<>|])|ess(?:[sx0b&),<>|]|echo|(?:fil|pip)e)|ftp(?:[sx0b&),<>|]|get)|o(?:(?:ca(?:l|te)|ok)[sx0b&),<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[sx0b&),<>|]|k(?:(?:dir|nod)[sx0b&),<>|]|fifo|temp)|locate|o(?:(?:re|unt)[sx0b&),<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[sx0b&),<>|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[sx0b&),<>|]|.(?:openbsd|traditional))|e(?:t(?:[sx0b&),<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[sx0b&),<>|]|s(?:enter|lookup|tat[sx0b&),<>|]))|o(?:(?:d|ctave)[sx0b&),<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[sx0b&),<>|]))|p(?:a(?:(?:x|cman|rted|tch)[sx0b&),<>|]|s(?:swd|te[sx0b&),<>|]))|d(?:b(?:[sx0b&),<>|]|2mb|3[sx0b&),.<>|])|f(?:la)?tex|ksh[sx0b&),<>|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[sx0b&),<>|]|hp(?:[57]?[sx0b&),<>|]|-cgi)|i(?:(?:co?|gz|ng6?)[sx0b&),<>|]|p(?:[sx0b&),<>|]|[^sx0b]{1,10}b)|dstat)|k(?:g(?:[sx0b&),<>|]|_?in
fo)|exec|ill[sx0b&),<>|])|r(?:y?[sx0b&),<>|]|int(?:env|f[sx0b&),<>|]))|s(?:(?:ed|ql)?[sx0b&),<>|]|ftp)|t(?:x[sx0b&),<>|]|ar(?:[sx0b&),<>|]|diff|grep))|er(?:(?:f|ms)[sx0b&),<>|]|l(?:5?[sx0b&),<>|]|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[sx0b&),<>|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[sx0b&),<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sx0b&),<>|]|t(?:[sx0b&),<>|]|-(?:dump|tar))|user)|pm(?:(?:db)?[sx0b&),<>|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[sx0b&),<>|])|u(?:by[^sx0b]{1,10}b|n(?:-(?:mailcap|parts)|c[sx0b&),<>|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[sx0b&),<>|]|e(?:(?:d|ndmail|rvice)[sx0b&),<>|]|t(?:(?:facl)?[sx0b&),<>|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[sx0b&),<>|]|.distrib)|s(?:[sx0b&),<>|]|h(?:[sx0b&),<>|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[sx0b&),<>|]|do(?:-rs|[sx0b&),<>_|]|edit|replay))|vn(?:[sx0b&),<>|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[sx0b&),<>|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[sx0b&),<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[sx0b&),<>|]|sk(?:[sx0b&),<>|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[sx0b&),<>|]|e(?:[ex][sx0b&),<>|]|lnet)|i(?:c[sx0b&),<>|]|me(?:(?:out)?[sx0b&),<>|]|datectl))|c(?:l?sh[sx0b&),<>|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[sx0b&),<>|])|off[sx0b&),<>|])|shark)|u(?:l(?:imit)?[sx0b&),<>|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[sx0b&),<>|]|expand|l(?:ink[sx0b&),<>|]|z(?:4[sx0b&),<>|]|ma))|pigz|z(?:ip[sx0b&),<>|]|std))|p(?:2date[sx0b&),<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:[ep]w|gr|rsh)?[sx0b&),<>|]|m(?:[sx0b&),<>|]|diff)|sudo(?:-rs)?)|algrind|olatility[sx0b&),<>|])|w(?:(?:c|a(?:ll|tch))?[sx0b&),<>|]|h(?:o(?:(?:is)?[sx0b&),<>|]|ami)?|iptail[sx0b&),<>|])|i(?:reshark|sh[sx0b&),<>|]))|x(?:(?:(?:x|pa)d|args|term)[sx0b&),<>|]|z(?:(?:c(?:at|mp))?[sx0b&),<>|]|d(?:ec[sx0b&),<>|]|iff)|[ef]?gre
p|less|more)|e(?:latex|tex[sx0b&),<>|])|mo(?:dmap|re[sx0b&),<>|]))|z(?:ip(?:[sx0b&),<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[sx0b&),<>|]|oelim|td(?:[sx0b&),<>|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[sx0b&),<>|]|[ef]grep|mo(?:dload|re[sx0b&),<>|])|ypper))(?:b|[^0-9A-Z_a-z])", + "pattern": "(?i)\\b(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\\s\\x0b&\\),<>\\|]|a(?:a-[^\\s\\x0b]{1,10}\\b|(?:b|t(?:obm)?|w[ks]|l(?:ias|pine)|xel)[\\s\\x0b&\\),<>\\|]|p(?:t(?:(?:itude)?[\\s\\x0b&\\),<>\\|]|-get)|parmor_[^\\s\\x0b]{1,10}\\b)|r(?:(?:p|ch)?[\\s\\x0b&\\),<>\\|]|j(?:[\\s\\x0b&\\),<>\\|]|-register|disp)|ia2c)|s(?:h?[\\s\\x0b&\\),<>\\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|]))|c(?:[89]9(?:[\\s\\x0b&\\),<>\\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\\s\\x0b&\\),<>\\|]|p(?:(?:an|io)?[\\s\\x0b&\\),<>\\|]|ulimit)|s(?:(?:h|cli)[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:t[\\s\\x0b&\\),<>\\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\\s\\x0b&\\),<>\\|]|nf[\\s\\x0b&\\),<>\\|]?|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\
|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\\s\\x0b&\\),<>\\|]|n(?:v(?:[\\s\\x0b&\\),<>\\|]|-update)|d(?:if|sw)[\\s\\x0b&\\),<>\\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\\s\\x0b&\\),<>\\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:(?:n(?:d|ger)|sh)?[\\s\\x0b&\\),<>\\|]|le(?:[\\s\\x0b&\\),<>\\|]|test))|tp(?:[\\s\\x0b&\\),<>\\|]|stats|who)|acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|])|g(?:c(?:c[^\\s\\x0b]{1,10}\\b|ore[\\s\\x0b&\\),<>\\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|e(?:m[\\s\\x0b&\\),<>\\|]|ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-?[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:c(?:at)?|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:(?:bs|in)[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:s(?:h[\\s\\x0b&\\),<>\\|]|shell)|ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|])|l(?:d(?:d?[\\s\\x0b&\\),<>\\|]|config)|(?:[np]|ynx)[\\s\\x0b&\\),<>\\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\\s\\x0b&\\),<>\\|]|b_release)|ua(?:[\\s\\x0b&\\),<>\\|]|(?:la)?tex)|z(?:4(?:[\\s\\x0b&\\),<>\\|]|c(?:[\\s\\x0b&\\),<>\\|]|at))|(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|ess(?:[\\s\\x0b&\\),<>\\|]|echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:ca(?:l|te)|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|
ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:(?:re|unt)[\\s\\x0b&\\),<>\\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\\s\\x0b&\\),<>\\|]|\\.(?:openbsd|traditional))|e(?:t(?:[\\s\\x0b&\\),<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\\s\\x0b&\\),<>\\|]|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:(?:d|ctave)[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:x|cman|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|te[\\s\\x0b&\\),<>\\|]))|d(?:b(?:[\\s\\x0b&\\),<>\\|]|2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\\s\\x0b&\\),<>\\|]|hp(?:[57]?[\\s\\x0b&\\),<>\\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|[^\\s\\x0b]{1,10}\\b)|dstat)|k(?:g(?:[\\s\\x0b&\\),<>\\|]|_?info)|exec|ill[\\s\\x0b&\\),<>\\|])|r(?:y?[\\s\\x0b&\\),<>\\|]|int(?:env|f[\\s\\x0b&\\),<>\\|]))|s(?:(?:ed|ql)?[\\s\\x0b&\\),<>\\|]|ftp)|t(?:x[\\s\\x0b&\\),<>\\|]|ar(?:[\\s\\x0b&\\),<>\\|]|diff|grep))|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\x0b&\\),<>\\|]|t(?:[\\s\\x0b&\\),<>\\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:d|ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:(?:facl)?[\\s\\x0b&\\),<>\\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\\s\\x0b&\\),<>\\|]|\\.distrib)|s(?:[\\s\\x0b&\\),<>\\|]|h
(?:[\\s\\x0b&\\),<>\\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\\s\\x0b&\\),<>\\|]|do(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay))|vn(?:[\\s\\x0b&\\),<>\\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\\s\\x0b&\\),<>\\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\\s\\x0b&\\),<>\\|]|e(?:[ex][\\s\\x0b&\\),<>\\|]|lnet)|i(?:c[\\s\\x0b&\\),<>\\|]|me(?:(?:out)?[\\s\\x0b&\\),<>\\|]|datectl))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:l(?:imit)?[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|p(?:2date[\\s\\x0b&\\),<>\\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:[ep]w|gr|rsh)?[\\s\\x0b&\\),<>\\|]|m(?:[\\s\\x0b&\\),<>\\|]|diff)|sudo(?:-rs)?)|algrind|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:c|a(?:ll|tch))?[\\s\\x0b&\\),<>\\|]|h(?:o(?:(?:is)?[\\s\\x0b&\\),<>\\|]|ami)?|iptail[\\s\\x0b&\\),<>\\|])|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:(?:x|pa)d|args|term)[\\s\\x0b&\\),<>\\|]|z(?:(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|]))|z(?:ip(?:[\\s\\x0b&\\),<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\\s\\x0b&\\),<>\\|]|oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|ypper))(?:\\b|[^0-9A-Z_a-z])", "targets": [ "headers" ], 
@@ -1961,7 +1961,7 @@ { "id": "932238", "name": "Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS", - "pattern": "(?i)(?:^|b[", + "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!
#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\
\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?2[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s)|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?f|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o|[\\s\\x0b&\\),<>\\|].*))", "targets": [ "all" ], 
@@ -1981,7 +1981,7 @@
 {
 "id": "932190",
 "name": "Remote Command Execution: Wildcard bypass technique attempt",
- "pattern": "(?i)/(?:[*?]+[/-9A-Z_a-z]|[/-9A-Z_a-z]+[*?])",
+ "pattern": "(?i)/(?:[\\*\\?]+[/-9A-Z_a-z]|[/-9A-Z_a-z]+[\\*\\?])",
 "targets": [
 "query"
 ],
@@ -2001,7 +2001,7 @@ { "id": "932350", "name": "Remote Command Execution: Direct Unix Command Execution (No Arguments)", - "pattern": "(?i)(?:^|b[", + "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\
\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?:[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:aptitud|unam)e|d(?:f|ir|mesg)|env|h(?:istory|ostname|top)|i(?:d|ostat)|l(?:ast|s)|mysql(?:[^\\s\\x0b]{1,10}\\b)?|p(?:s(?:ql)?|wd)|(?:reboo|vmsta)t|s(?:(?:cree|hutdow)n|et|u)|top|w(?:ho(?:ami|is)?)?)$", "targets": [ "all" ], 
@@ -2021,7 +2021,7 @@
 {
 "id": "932301",
 "name": "Remote Command Execution: SMTP Command Execution",
- "pattern": "rn.*?b(?:DATA|QUIT|HELP(?: .{1,255})?)",
+ "pattern": "\\r\\n.*?\\b(?:DATA|QUIT|HELP(?: .{1,255})?)",
 "targets": [
 "all"
 ],
@@ -2041,7 +2041,7 @@
 {
 "id": "932311",
 "name": "Remote Command Execution: IMAP Command Execution",
- "pattern": "(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [",
+ "pattern": "(?is)\\r\\n[0-9A-Z_a-z]{1,50}\\b (?:C(?:(?:REATE|OPY [\\*,0-:]+) [\"#%&\\*\\--9A-Z\\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"#%&\\*\\-\\.0-9A-Z\\x5c_a-z]+|EX(?:AMINE [\"#%&\\*\\-\\.0-9A-Z\\x5c_a-z]+|PUNGE)|FETCH [\\*,0-:]+|L(?:IST [\"#\\*\\--9A-Z\\x5c_a-z~]+? [\"#%&\\*\\--9A-Z\\x5c_a-z]+|OG(?:IN [\\-\\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"#%&\\*\\--9A-Z\\x5c_a-z]+? [\"#%&\\*\\--9A-Z\\x5c_a-z]+|S(?:E(?:LECT [\"#%&\\*\\--9A-Z\\x5c_a-z]+|ARCH(?: CHARSET [\\-\\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \\x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\\*,0-:]+?|NKEYWORD \\x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\\*,0-:]+? [\\+\\-]?FLAGS(?:\\.SILENT)? (?:\\(\\x5c[a-z]{1,20}\\))?|ARTTLS)|UBSCRIBE [\"#%&\\*\\--9A-Z\\x5c_a-z]+)|UN(?:SUBSCRIBE [\"#%&\\*\\--9A-Z\\x5c_a-z]+|AUTHENTICATE)|NOOP)",
 "targets": [
 "all"
 ],
@@ -2061,7 +2061,7 @@
 {
 "id": "932321",
 "name": "Remote Command Execution: POP3 Command Execution",
- "pattern": "rn.*?b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)",
+ "pattern": "\\r\\n.*?\\b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)",
 "targets": [
 "all"
 ],
@@ -2081,7 +2081,7 @@
 {
 "id": "932331",
 "name": "Remote Command Execution: Unix shell history invocation",
- "pattern": "!(?:d|!)",
+ "pattern": "!(?:\\d|!)",
 "targets": [
 "all"
 ],
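Review bot: With the escape restored, the 932331 pattern `!(?:\\d|!)` matches any `!` followed by a digit or by a second `!`, and the unchanged `"targets": [ "all" ]` context applies it to every request part, so ordinary text such as `Hello!1` will match. The previous broken form `!(?:d|!)` matched far less, so this rule effectively becomes active with this commit. Whatever gates it (severity, paranoia level or action, none of which are visible in this hunk) should be checked before the feed is consumed in blocking mode, ideally after a detection-only run against representative traffic.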
@@ -2113,7 +2113,7 @@
 {
 "id": "933100",
 "name": "PHP Injection Attack: PHP Open Tag Found",
- "pattern": "(?i)]*%>)",
+ "pattern": "(?:\\{%[^%}]*%}|<%=?[^%>]*%>)",
 "targets": [
 "all"
 ],
@@ -2704,7 +2704,7 @@
 {
 "id": "941110",
 "name": "XSS Filter - Category 1: Script Tag Vector",
- "pattern": "(?i)]*>[sS]*?",
+ "pattern": "(?i)]*>[\\s\\S]*?",
 "targets": [
 "all"
 ],
@@ -2724,7 +2724,7 @@
 {
 "id": "941120",
 "name": "XSS Filter - Category 2: Event Handler Vector",
- "pattern": "(?i)[s",
+ "pattern": "(?i)[\\s\"'`;/0-9=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]on[a-zA-Z]{3,50}[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=[^=]",
 "targets": [
 "all"
 ],
@@ -2744,7 +2744,7 @@
 {
 "id": "941130",
 "name": "XSS Filter - Category 3: Attribute Vector",
- "pattern": "(?i).(?:b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)b|pattern[sx0b]*=)|(?:!ENTITY[sx0b]+(?:%[sx0b]+)?[^sx0b]+[sx0b]+(?:SYSTEM|PUBLIC)|@import|;base64)b)",
+ "pattern": "(?i).(?:\\b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)\\b|pattern[\\s\\x0b]*=)|(?:!ENTITY[\\s\\x0b]+(?:%[\\s\\x0b]+)?[^\\s\\x0b]+[\\s\\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\\b)",
 "targets": [
 "all"
 ],
@@ -2764,7 +2764,7 @@
 {
 "id": "941140",
 "name": "XSS Filter - Category 4: Javascript URI Vector",
- "pattern": "(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript",
+ "pattern": "(?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\\(javascript",
 "targets": [
 "all"
 ],
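Review bot: The new pattern for 933100, `(?:\\{%[^%}]*%}|<%=?[^%>]*%>)`, matches `{% … %}` and `<% … %>` template delimiters and, as shown, has no `<?` or `php` alternative, although the rule is still named "PHP Injection Attack: PHP Open Tag Found". If the extractor took a secondary or chained expression from the upstream rule instead of its primary one, PHP open tags would pass this rule unmatched. Confirm the expression against the upstream rule for this id; if that is the cause, update-feed.sh should fail loudly when a rule carries more than one expression instead of silently choosing one.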
@@ -2784,7 +2784,7 @@ { "id": "941160", "name": "NoScript XSS InjectionChecker: HTML Injection", - "pattern": "(?i)<[^0-9<>A-Z_a-z]*(?:[^sx0b", + "pattern": "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\s\\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z][^\\s\\x0b/]*[\\s\\x0b/]|[\"'](?:[^\\s\\x0b/]*[\\s\\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p
(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack
|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\\x08-\\n\\f\\r ]*?=", "targets": [ "all" ], @@ -2804,7 +2804,7 @@ { "id": "941170", "name": "NoScript XSS InjectionChecker: Attribute Injection", - "pattern": "(?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[", + "pattern": "(?i)(?:\\W|^)(?:javascript:(?:[\\s\\S]+[=\\x5c\\(\\[\\.<]|[\\s\\S]*?(?:\\bname\\b|\\x5c[ux]\\d))|data:(?:(?:[a-z]\\w+/\\w[\\w+-]+\\w)?[;,]|[\\s\\S]*?;[\\s\\S]*?\\b(?:base64|charset=)|[\\s\\S]*?,[\\s\\S]*?<[\\s\\S]*?\\w[\\s\\S]*?>))|@\\W*?i\\W*?m\\W*?p\\W*?o\\W*?r\\W*?t\\W*?(?:/\\*[\\s\\S]*?)?(?:[\"']|\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\()|[^-]*?-\\W*?m\\W*?o\\W*?z\\W*?-\\W*?b\\W*?i\\W*?n\\W*?d\\W*?i\\W*?n\\W*?g[^:]*?:\\W*?u\\W*?r\\W*?l[\\s\\S]*?\\(", "targets": [ "all" ], @@ -2824,7 +2824,7 @@ { "id": "941190", "name": "IE XSS Filters - Attack Detected", - "pattern": "(?i:.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))", + "pattern": "(?i:.*?(?:@[i\\x5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\x5c]|&#x?0*(?:40|28|92|5C);?)))", "targets": [ "all" ], 
@@ -2844,7 +2844,7 @@
 {
 "id": "941200",
 "name": "IE XSS Filters - Attack Detected",
- "pattern": "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)",
+ "pattern": "(?i:<.*[:]?vmlframe.*?[\\s/+]*?src[\\s/+]*=)",
 "targets": [
 "all"
 ],
@@ -2864,7 +2864,7 @@ { "id": "941210", "name": "Javascript Word Detected", - "pattern": "(?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).", + "pattern": 
"(?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).", "targets": [ "all" ], 
@@ -2884,7 +2884,7 @@ { "id": "941220", "name": "IE XSS Filters - Attack Detected", - "pattern": "(?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).", + "pattern": "(?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\\t\\n\\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).", "targets": [ "all" ], @@ -2904,7 +2904,7 @@ { "id": "941230", "name": "IE XSS Filters - Attack Detected", - "pattern": "(?i)]", + "pattern": "(?i)]", "targets": [ "all" ], 
@@ -3044,7 +3044,7 @@ { "id": "941300", "name": "IE XSS Filters - Attack Detected", - "pattern": "(?i)]*[xbe>]|<[^xbe]*xbe", + "pattern": "\\xbc[^\\xbe>]*[\\xbe>]|<[^\\xbe]*\\xbe", "targets": [ "all" ], @@ -3084,7 +3084,7 @@ { "id": "941350", "name": "UTF-7 Encoding IE XSS - Attack Detected", - "pattern": "+ADw-.*(?:+AD4-|>)|<.*+AD4-", + "pattern": "\\+ADw-.*(?:\\+AD4-|>)|<.*\\+AD4-", "targets": [ "all" ], @@ -3104,7 +3104,7 @@ { "id": "941360", "name": "JSFuck / Hieroglyphy obfuscation detected", - "pattern": "![!+ ][]", + "pattern": "![!+ ]\\[\\]", "targets": [ "all" ], @@ -3124,7 +3124,7 @@ { "id": "941370", "name": "JavaScript global variable found", - "pattern": "(?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)", + "pattern": "(?:self|document|this|top|window)\\s*(?:/\\*|[\\[)]).+?(?:\\]|\\*/)", "targets": [ "all" ], @@ -3144,7 +3144,7 @@ { "id": "941390", "name": "Javascript method detected", - "pattern": "(?i)b(?:eval|set(?:timeout|interval)|new[sx0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole.(?:log|dir))|fetch)[sx0b]*[({]", + "pattern": "(?i)\\b(?:eval|set(?:timeout|interval)|new[\\s\\x0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole\\.(?:log|dir))|fetch)[\\s\\x0b]*[\\(\\{]", "targets": [ "all" ], @@ -3164,7 +3164,7 @@ { "id": "941400", "name": "XSS JavaScript function without parentheses", - "pattern": "((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`", + "pattern": "((?:\\[[^\\]]*\\][^.]*\\.)|Reflect[^.]*\\.).*(?:map|sort|apply)[^.]*\\..*call[^`]*`.*`", "targets": [ "all" ], @@ -3205,7 +3205,7 @@ { "id": "941150", "name": "XSS Filter - Category 5: Disallowed HTML Attributes", - "pattern": "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=", + "pattern": "(?i)\\b(?:s(?:tyle|rc)|href)\\b[\\s\\S]*?=", "targets": [ "all" ], 
@@ -3225,7 +3225,7 @@ { "id": "941320", "name": "Possible XSS Attack Detected - HTML Tag Handler", - "pattern": "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W", + "pattern": "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W", "targets": [ "all" ], 
@@ -3245,7 +3245,7 @@ { "id": "941330", "name": "IE XSS Filters - Attack Detected", - "pattern": "(?i:[", + "pattern": "(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\\x5cu006C)(?:o|\\x5cu006F)(?:c|\\x5cu0063)(?:a|\\x5cu0061)(?:t|\\x5cu0074)(?:i|\\x5cu0069)(?:o|\\x5cu006F)(?:n|\\x5cu006E)|(?:n|\\x5cu006E)(?:a|\\x5cu0061)(?:m|\\x5cu006D)(?:e|\\x5cu0065)|(?:o|\\x5cu006F)(?:n|\\x5cu006E)(?:e|\\x5cu0065)(?:r|\\x5cu0072)(?:r|\\x5cu0072)(?:o|\\x5cu006F)(?:r|\\x5cu0072)|(?:v|\\x5cu0076)(?:a|\\x5cu0061)(?:l|\\x5cu006C)(?:u|\\x5cu0075)(?:e|\\x5cu0065)(?:O|\\x5cu004F)(?:f|\\x5cu0066)).*?=)", "targets": [ "all" ], @@ -3265,7 +3265,7 @@ { "id": "941340", "name": "IE XSS Filters - Attack Detected", - "pattern": "(?i)[", + "pattern": "(?i)[\"\\'][ ]*(?:[^a-z0-9~_:\\' ]|in).+?[.].+?=", "targets": [ "all" ], @@ -3285,7 +3285,7 @@ { "id": "941380", "name": "AngularJS client side template injection detected", - "pattern": "{{.*?}}", + "pattern": "\\{\\{.*?}}", "targets": [ "all" ], @@ -3337,7 +3337,7 @@ { "id": "942140", "name": "SQL Injection Attack: Common DB Names Detected", - "pattern": "(?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))", + "pattern": "(?i)\\b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*\\(|(?:information_schema|m(?:aster\\.\\.sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql\\.db)|northwind|pg_(?:catalog|toast)|tempdb)\\b|s(?:chema(?:_name\\b|[^0-9A-Z_a-z]*\\()|(?:qlite_(?:temp_)?master|ys(?:aux|\\.database_name))\\b))", "targets": [ "all" ], 
@@ -3357,7 +3357,7 @@ { "id": "942151", "name": "SQL Injection Attack: SQL function name detected", - "pattern": "(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:
c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(", + "pattern": "(?i)\\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea
|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\\(", "targets": [ "all" ], @@ -3377,7 +3377,7 @@ { "id": "942160", "name": "Detects blind sqli tests using sleep() or benchmark()", - "pattern": "(?i:sleeps*?(.*?)|benchmarks*?(.*?,.*?))", + "pattern": "(?i:sleep\\s*?\\(.*?\\)|benchmark\\s*?\\(.*?\\,.*?\\))", "targets": [ "all" ], @@ -3397,7 +3397,7 @@ { "id": "942170", "name": "Detects SQL benchmark and sleep injection attempts including conditional queries", - "pattern": "(?i)(?:select|;)[sx0b]+(?:benchmark|if|sleep)[sx0b]*?([sx0b]*?(?[sx0b]*?[0-9A-Z_a-z]+", + "pattern": "(?i)(?:select|;)[\\s\\x0b]+(?:benchmark|if|sleep)[\\s\\x0b]*?\\([\\s\\x0b]*?\\(?[\\s\\x0b]*?[0-9A-Z_a-z]+", "targets": [ "all" ], 
@@ -3417,7 +3417,7 @@ { "id": "942190", "name": "Detects MSSQL code execution and information gathering attempts", - "pattern": "(?i)[", + "pattern": "(?i)[\"'`](?:[\\s\\x0b]*![\\s\\x0b]*[\"'0-9A-Z_-z]|;?[\\s\\x0b]*(?:having|select|union\\b[\\s\\x0b]*(?:all|(?:distin|sele)ct))\\b[\\s\\x0b]*[^\\s\\x0b])|\\b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[\\s\\x0b]*?|select.*?[0-9A-Z_a-z]?user)\\(|exec(?:ute)?[\\s\\x0b]+master\\.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[\\s\\x0b\\+]+(?:dump|out)file[\\s\\x0b]*?[\"'`]|union(?:[\\s\\x0b]select[\\s\\x0b]@|[\\s\\x0b\\(0-9A-Z_a-z]*?select))|[\\s\\x0b]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[\\s\\x0b]*?\\(", "targets": [ "all" ], @@ -3436,7 +3436,7 @@ }, { "id": "942220", - "name": "Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \"magic number\" crash", + "name": "Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \\\"magic number\\\" crash", "pattern": "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$", "targets": [ "all" @@ -3457,7 +3457,7 @@ { "id": "942230", "name": "Detects conditional SQL injection attempts", - "pattern": "(?i)[sx0b()]case[sx0b]+when.*?then|)[sx0b]*?like[sx0b]*?(|select.*?having[sx0b]*?[^sx0b]+[sx0b]*?[^sx0b0-9A-Z_a-z]|if[sx0b]?([0-9A-Z_a-z]+[sx0b]*?[<->~]", + "pattern": "(?i)[\\s\\x0b\\(\\)]case[\\s\\x0b]+when.*?then|\\)[\\s\\x0b]*?like[\\s\\x0b]*?\\(|select.*?having[\\s\\x0b]*?[^\\s\\x0b]+[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z]|if[\\s\\x0b]?\\([0-9A-Z_a-z]+[\\s\\x0b]*?[<->~]", "targets": [ "all" ], 
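Review bot: The `name` of rule 942220 is now double-escaped: `\\\"magic number\\\"` decodes to a string with a literal backslash in front of each quote, where the removed `\"magic number\"` decoded cleanly. It looks as if the extraction step escapes backslashes on a value that was already JSON-escaped, so the line should keep the old form, `... is the \"magic number\" crash",`. If the same pass also runs over `pattern` values, any rule whose regex contains a quote deserves a second look, since a stray backslash there changes what the rule matches rather than only how it is displayed.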
@@ -3477,7 +3477,7 @@
 {
 "id": "942240",
 "name": "Detects MySQL charset switch and MSSQL DoS attempts",
- "pattern": "(?i)alter[sx0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sx0b]+set[sx0b]+[0-9A-Z_a-z]+|[",
+ "pattern": "(?i)alter[\\s\\x0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\\s\\x0b]+set[\\s\\x0b]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\\s\\x0b]*?waitfor[\\s\\x0b]+(?:time|delay)[\\s\\x0b]+[\"'`]|;.*?:[\\s\\x0b]*?goto)",
 "targets": [
 "all"
 ],
@@ -3497,7 +3497,7 @@
 {
 "id": "942250",
 "name": "Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections",
- "pattern": "(?i:merge.*?usings*?(|executes*?immediates*?[",
+ "pattern": "(?i:merge.*?using\\s*?\\(|execute\\s*?immediate\\s*?[\"'`]|match\\s*?[\\w(),+-]+\\s*?against\\s*?\\()",
 "targets": [
 "all"
 ],
@@ -3537,7 +3537,7 @@
 {
 "id": "942280",
 "name": "Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts",
- "pattern": "(?i)select[sx0b]*?pg_sleep|waitfor[sx0b]*?delay[sx0b]?[",
+ "pattern": "(?i)select[\\s\\x0b]*?pg_sleep|waitfor[\\s\\x0b]*?delay[\\s\\x0b]?[\"'`]+[\\s\\x0b]?[0-9]|;[\\s\\x0b]*?shutdown[\\s\\x0b]*?(?:[#;\\{]|/\\*|--)",
 "targets": [
 "all"
 ],
@@ -3557,7 +3557,7 @@ { "id": "942290", "name": "Finds basic MongoDB SQL injection attempts", - "pattern": "(?i)[?$(?:a(?:bs|c(?:cumulator|osh?)|dd(?:ToSet)?|ll(?:ElementsTrue)?|n(?:d|yElementTrue)|rray(?:ElemA|ToObjec)t|sinh?|tan[2h]?|vg)|b(?:etween|i(?:narySize|t(?:And|Not|(?:O|Xo)r)?)|ottomN?|sonSize|ucket(?:Auto)?)|c(?:eil|mp|o(?:n(?:cat(?:Arrays)?|d|vert)|sh?|unt|variance(?:Po|Sam)p)|urrentDate)|d(?:a(?:te(?:Add|Diff|From(?:Parts|String)|Subtract|T(?:o(?:Parts|String)|runc))|yOf(?:Month|Week|Year))|e(?:greesToRadians|nseRank|rivative)|iv(?:ide)?|ocumentNumber)|e(?:(?:a|lemMat)ch|q|x(?:ists|p(?:MovingAvg|r)?))|f(?:i(?:lter|rstN?)|loor|unction)|g(?:etField|roup|te?)|(?:hou|xo|yea)r|i(?:fNull|n(?:c|dexOf(?:Array|Bytes|CP)|tegral)?|s(?:Array|Number|o(?:DayOfWeek|Week(?:Year)?)))|jsonSchema|l(?:astN?|et|i(?:ke|(?:nearFil|tera)l)|n|o(?:cf|g(?:10)?)|t(?:e|rim)?)|m(?:a(?:p|xN?)|e(?:dian|rgeObjects|ta)|i(?:llisecond|n(?:N|ute)?)|o(?:d|nth)|ul(?:tiply)?)|n(?:atural|e|in|o[rt])|o(?:bjectToArray|r)|p(?:ercentile|o(?:[pw]|sition)|roject|u(?:ll(?:All)?|sh))|r(?:a(?:diansToDegrees|n(?:[dk]|ge))|e(?:(?:duc|nam)e|gex(?:Find(?:All)?|Match)?|place(?:All|One)|verseArray)|ound|trim)|s(?:(?:ampleRat|lic)e|e(?:cond|t(?:Difference|(?:Equal|WindowField)s|Field|I(?:ntersection|sSubset)|OnInsert|Union)?)|(?:hif|pli|qr)t|i(?:nh?|ze)|ort(?:Array)?|t(?:dDev(?:Po|Sam)p|r(?:Len(?:Bytes|CP)|casecmp))|u(?:b(?:str(?:Bytes|CP)?|tract)|m)|witch)|t(?:anh?|ext|o(?:Bool|D(?:(?:at|oubl)e|ecimal)|HashedIndexKey|Int|Lo(?:ng|wer)|ObjectId|String|U(?:UID|pper)|pN?)|r(?:im|unc)|s(?:Increment|Second)|ype)|unset|w(?:eek|here)|zip)]?", + "pattern": 
"(?i)\\[?\\$(?:a(?:bs|c(?:cumulator|osh?)|dd(?:ToSet)?|ll(?:ElementsTrue)?|n(?:d|yElementTrue)|rray(?:ElemA|ToObjec)t|sinh?|tan[2h]?|vg)|b(?:etween|i(?:narySize|t(?:And|Not|(?:O|Xo)r)?)|ottomN?|sonSize|ucket(?:Auto)?)|c(?:eil|mp|o(?:n(?:cat(?:Arrays)?|d|vert)|sh?|unt|variance(?:Po|Sam)p)|urrentDate)|d(?:a(?:te(?:Add|Diff|From(?:Parts|String)|Subtract|T(?:o(?:Parts|String)|runc))|yOf(?:Month|Week|Year))|e(?:greesToRadians|nseRank|rivative)|iv(?:ide)?|ocumentNumber)|e(?:(?:a|lemMat)ch|q|x(?:ists|p(?:MovingAvg|r)?))|f(?:i(?:lter|rstN?)|loor|unction)|g(?:etField|roup|te?)|(?:hou|xo|yea)r|i(?:fNull|n(?:c|dexOf(?:Array|Bytes|CP)|tegral)?|s(?:Array|Number|o(?:DayOfWeek|Week(?:Year)?)))|jsonSchema|l(?:astN?|et|i(?:ke|(?:nearFil|tera)l)|n|o(?:cf|g(?:10)?)|t(?:e|rim)?)|m(?:a(?:p|xN?)|e(?:dian|rgeObjects|ta)|i(?:llisecond|n(?:N|ute)?)|o(?:d|nth)|ul(?:tiply)?)|n(?:atural|e|in|o[rt])|o(?:bjectToArray|r)|p(?:ercentile|o(?:[pw]|sition)|roject|u(?:ll(?:All)?|sh))|r(?:a(?:diansToDegrees|n(?:[dk]|ge))|e(?:(?:duc|nam)e|gex(?:Find(?:All)?|Match)?|place(?:All|One)|verseArray)|ound|trim)|s(?:(?:ampleRat|lic)e|e(?:cond|t(?:Difference|(?:Equal|WindowField)s|Field|I(?:ntersection|sSubset)|OnInsert|Union)?)|(?:hif|pli|qr)t|i(?:nh?|ze)|ort(?:Array)?|t(?:dDev(?:Po|Sam)p|r(?:Len(?:Bytes|CP)|casecmp))|u(?:b(?:str(?:Bytes|CP)?|tract)|m)|witch)|t(?:anh?|ext|o(?:Bool|D(?:(?:at|oubl)e|ecimal)|HashedIndexKey|Int|Lo(?:ng|wer)|ObjectId|String|U(?:UID|pper)|pN?)|r(?:im|unc)|s(?:Increment|Second)|ype)|unset|w(?:eek|here)|zip)\\]?", "targets": [ "all" ], 
@@ -3577,7 +3577,7 @@ { "id": "942320", "name": "Detects MySQL and PostgreSQL stored procedure/function injections", - "pattern": "(?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)", + "pattern": "(?i)create[\\s\\x0b]+(?:function|procedure)[\\s\\x0b]*?[0-9A-Z_a-z]+[\\s\\x0b]*?\\([\\s\\x0b]*?\\)[\\s\\x0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\\s\\x0b]*?[0-9A-Z_a-z]+|iv[\\s\\x0b]*?\\([\\+\\-]*[\\s\\x0b\\.0-9]+,[\\+\\-]*[\\s\\x0b\\.0-9]+\\))|exec[\\s\\x0b]*?\\([\\s\\x0b]*?@|(?:lo_(?:impor|ge)t|procedure[\\s\\x0b]+analyse)[\\s\\x0b]*?\\(|;[\\s\\x0b]*?(?:declare|open)[\\s\\x0b]+[\\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\\s\\x0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)", "targets": [ "all" ], @@ -3597,7 +3597,7 @@ { "id": "942350", "name": "Detects MySQL UDF injection and other data/structure manipulation attempts", - "pattern": "(?i)create[sx0b]+function[sx0b].+[sx0b]returns|;[sx0b]*?(?:alter|(?:(?:cre|trunc|upd)at|re(?:nam|plac))e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sx0b]*?[([]?[0-9A-Z_a-z]{2,}", + "pattern": "(?i)create[\\s\\x0b]+function[\\s\\x0b].+[\\s\\x0b]returns|;[\\s\\x0b]*?(?:alter|(?:(?:cre|trunc|upd)at|re(?:nam|plac))e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\\b[\\s\\x0b]*?[\\(\\[]?[0-9A-Z_a-z]{2,}", "targets": [ "all" ], 
@@ -3617,7 +3617,7 @@ { "id": "942360", "name": "Detects concatenated basic SQL injection and SQLLFI attempts", - "pattern": "(?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)b[sx0b]*(?|end[sx0b]*?);)|[sx0b(]load_file[sx0b]*?(|[", + "pattern": "(?i)\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\x0b]+(?:char|group_concat|load_file)\\b[\\s\\x0b]*\\(?:end[\\s\\x0b]*?\\);)|[\\s\\x0b\\(]load_file[\\s\\x0b]*?\\(|[\"'`][\\s\\x0b]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\\s\\x0b]+as\\b[\\s\\x0b]*[\"'0-9A-Z_-z]+[\\s\\x0b]*\\bfrom|^[^A-Z_a-z]+[\\s\\x0b]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\\s\\x0b]+[0-9A-Z_a-z]+|u(?:pdate[\\s\\x0b]+[0-9A-Z_a-z]+|nion[\\s\\x0b]*(?:all|(?:sele|distin)ct)\\b)|alter[\\s\\x0b]*(?:a(?:(?:ggregat|pplication[\\s\\x0b]*rol)e|s(?:sembl|ymmetric[\\s\\x0b]*ke)y|u(?:dit|thorization)|vailability[\\s\\x0b]*group)|b(?:roker[\\s\\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\\s\\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\\s\\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\\s\\x0b]*key)|terialized)|e(?:ssage[\\s\\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\\s\\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\\s\\x0b]*schema|srobject))\\b)", "targets": [ "all" ], 
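Review bot: In rule 942360 the new pattern reads `\\b[\\s\\x0b]*\\(?:end[\\s\\x0b]*?\\);)` where the removed line had `(?|end`, so the alternation bar after the optional parenthesis has become a literal colon. As written, the first branch matches only when `:end` and `);` follow the function name, so the upstream intent (statement keyword followed by `char`, `group_concat` or `load_file`, or alternatively `end );`) is no longer what that branch detects. It looks as if the generator rewrote `(?|` to `(?:` after the backslash of `\(` had already been lost; the fragment should presumably be `\\(?|end[\\s\\x0b]*?\\);)`. A step in update-feed.sh that compares each JSON-decoded pattern with the upstream `@rx` argument would catch this kind of silent rewrite before it ships.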
@@ -3637,7 +3637,7 @@ { "id": "942500", "name": "MySQL in-line comment detected", - "pattern": "(?i)/*[sx0b]*?[!+](?:[sx0b()-0-9=A-Z_a-z]+)?*/", + "pattern": "(?i)/\\*[\\s\\x0b]*?[!\\+](?:[\\s\\x0b\\(\\)\\-0-9=A-Z_a-z]+)?\\*/", "targets": [ "all" ], @@ -3657,7 +3657,7 @@ { "id": "942540", "name": "SQL Authentication bypass (split query)", - "pattern": "^(?:[^']*'|[^", + "pattern": "^(?:[^']*'|[^\"]*\"|[^`]*`)[\\s\\x0b]*;", "targets": [ "all" ], @@ -3677,7 +3677,7 @@ { "id": "942560", "name": "MySQL Scientific Notation payload detected", - "pattern": "(?i)1.e(?:[(),]|.[$0-9A-Z_a-z])", + "pattern": "(?i)1\\.e(?:[\\(\\),]|\\.[\\$0-9A-Z_a-z])", "targets": [ "all" ], @@ -3697,7 +3697,7 @@ { "id": "942550", "name": "JSON-Based SQL Injection", - "pattern": "(?i)[", + "pattern": "(?i)[\"'`][\\[\\{][^#\\]\\}]*[\\]\\}]+[\"'`]|(?:[\\-@]>?|<@|@[\\?@]|\\?(?:(?:)|&|\\|#>)|#(?:>>|-)|->>|[<>])[\"'`](?:[\\[\\{][^#\\]\\}]*[\\]\\}]+[\"'`]|\\$[\\.\\[])|\\bjson_extract\\b[^\\(]*\\([^\\)]*\\)", "targets": [ "all" ], @@ -3717,7 +3717,7 @@ { "id": "942120", "name": "SQL Injection Attack: SQL Operator Detected", - "pattern": "(?i)[!=]=|&&||||->|>[=>]|<(?:[<=]|>(?:[sx0b]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[", + "pattern": "(?i)[!=]=|&&|\\|\\||->|>[=>]|<(?:[<=]|>(?:[\\s\\x0b]+binary)?)|\\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\\s\\x0b]*\\()|r(?:egexp|like)[\\s\\x0b]+binary|not[\\s\\x0b]+between[\\s\\x0b]+(?:0[\\s\\x0b]+and|(?:'[^']*'|\"[^\"]*\")[\\s\\x0b]+and[\\s\\x0b]+(?:'[^']*'|\"[^\"]*\"))|is[\\s\\x0b]+null|like[\\s\\x0b]+(?:null|[0-9A-Z_a-z]+[\\s\\x0b]+escape\\b)|(?:^|[^0-9A-Z_a-z])in[\\s\\x0b\\+]*\\([\\s\\x0b\"0-9]+[^\\(\\)]*\\)|[!<->][\\s\\x0b]*all\\b", "targets": [ "all" ], 
@@ -3737,7 +3737,7 @@ { "id": "942130", "name": "SQL Injection Attack: SQL Boolean-based attack detected", - "pattern": "(?i)[sx0b", + "pattern": "(?i)[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b[\\s\\x0b\"'-\\)`]*?(?:=|<=>|(?:sounds[\\s\\x0b]+)?like|glob|r(?:like|egexp))[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b", "targets": [ "body", "query" @@ -3758,7 +3758,7 @@ { "id": "942131", "name": "SQL Injection Attack: SQL Boolean-based attack detected", - "pattern": "(?i)[sx0b", + "pattern": "(?i)[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b[\\s\\x0b\"'-\\)`]*?(?:![<->]|<[=>]?|>=?|\\^|is[\\s\\x0b]+not|not[\\s\\x0b]+(?:like|r(?:like|egexp)))[\\s\\x0b\"'-\\)`]*?\\b([0-9A-Z_a-z]+)\\b", "targets": [ "body", "query" 
@@ -3779,7 +3779,7 @@ { "id": "942150", "name": "SQL Injection Attack: SQL function name detected", - "pattern": "(?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(", + "pattern": "(?i)\\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\\(", "targets": [ "all" ], 
@@ -3799,7 +3799,7 @@ { "id": "942180", "name": "Detects basic SQL authentication bypass attempts 1/3", - "pattern": "(?i)(?:/*)+[", + "pattern": "(?i)(?:/\\*)+[\"'`]+[\\s\\x0b]?(?:--|[#\\{]|/\\*)?|[\"'`](?:[\\s\\x0b]*(?:(?:x?or|and|div|like|between)[\\s\\x0b\\-0-9A-Z_a-z]+[\\(\\)\\+-\\-<->][\\s\\x0b]*[\"'0-9`]|[!=\\|](?:[\\s\\x0b!\\+\\-0-9=]+[^\\[]*[\"'\\(`].*|[\\s\\x0b!0-9=]+[^0-9]*[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'\\(0-9A-Z_-z]|;)|(?:[<>~]+|[\\s\\x0b]*[^\\s\\x0b0-9A-Z_a-z]?=[\\s\\x0b]*|[^0-9A-Z_a-z]*?[\\+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][\\s\\x0b]+[\"'`][\\s\\x0b]+[0-9]|^admin[\\s\\x0b]*?[\"'`]|[\\s\\x0b\"'\\(`][\\s\\x0b]*?glob[^0-9A-Z_a-z]+[\"'\\(0-9A-Z_-z]|[\\s\\x0b]is[\\s\\x0b]*?0[^0-9A-Z_a-z]|where[\\s\\x0b][\\s\\x0b,-\\.0-9A-Z_a-z]+[\\s\\x0b]=", "targets": [ "all" ], @@ -3819,7 +3819,7 @@ { "id": "942200", "name": "Detects MySQL comment-/space-obfuscated injections and backtick termination", - "pattern": "(?i),.*?(?:[)0-9a-f](?:$|[", + "pattern": "(?i),.*?(?:[\\)0-9a-f](?:$|[\"'`](?:$|[^\"'`]+[\"'`])|(?:\\r?\\n)?\\z)|[\"'`][^\"'`]+[\"'`])|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\\s\\x0b]*?\\([\\s\\x0b]*?space[\\s\\x0b]*?\\(", "targets": [ "all" ], 
@@ -3839,7 +3839,7 @@ { "id": "942210", "name": "Detects chained SQL injection attempts 1/2", - "pattern": "(?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sx0b(]+[0-9A-Z_a-z]+[sx0b)]*?[!+=]+[sx0b0-9]*?[", + "pattern": "(?i)(?:&&|\\|\\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\\s\\x0b\\(]+[0-9A-Z_a-z]+[\\s\\x0b\\)]*?[!\\+=]+[\\s\\x0b0-9]*?[\"'-\\)=`]|[0-9](?:[\\s\\x0b]*?(?:and|between|div|like|x?or)[\\s\\x0b]*?[0-9]+[\\s\\x0b]*?[\\+\\-]|[\\s\\x0b]+group[\\s\\x0b]+by.+\\()|/[0-9A-Z_a-z]+;?[\\s\\x0b]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\\s\\x0b]*?(?:alter|drop|(?:insert|update)[\\s\\x0b]*?[0-9A-Z_a-z]{2,})|@.+=[\\s\\x0b]*?\\([\\s\\x0b]*?select|[^0-9A-Z_a-z]SET[\\s\\x0b]*?@[0-9A-Z_a-z]+", "targets": [ "all" ], @@ -3859,7 +3859,7 @@ { "id": "942260", "name": "Detects basic SQL authentication bypass attempts 2/3", - "pattern": "(?i)[", + "pattern": "(?i)[\"'`][\\s\\x0b]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\\|\\||&&)[\\s\\x0b]+[\\s\\x0b0-9A-Z_a-z]+=[\\s\\x0b]*?[0-9A-Z_a-z]+[\\s\\x0b]*?having[\\s\\x0b]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\\s\\x0b]+like[\\s\\x0b]+[\"'`]|like[\\s\\x0b]*?[\"'`]%|select[\\s\\x0b]+?[\\s\\x0b\"'-\\),-\\.0-9A-\\[\\]_-z]+from[\\s\\x0b]+", "targets": [ "all" ], @@ -3879,7 +3879,7 @@ { "id": "942300", "name": "Detects MySQL comments, conditions and ch(a)r injections", - "pattern": "(?i))[sx0b]*?when[sx0b]*?[0-9]+[sx0b]*?then|[", + "pattern": "(?i)\\)[\\s\\x0b]*?when[\\s\\x0b]*?[0-9]+[\\s\\x0b]*?then|[\"'`][\\s\\x0b]*?(?:[#\\{]|--)|/\\*![\\s\\x0b]?[0-9]+|\\b(?:(?:binary|cha?r)[\\s\\x0b]*?\\([\\s\\x0b]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\\s\\x0b]+[0-9A-Z_a-z]+\\()|(?:\\|\\||&&)[\\s\\x0b]*?[0-9A-Z_a-z]+\\(", "targets": [ "all" ], 
@@ -3899,7 +3899,7 @@ { "id": "942310", "name": "Detects chained SQL injection attempts 2/2", - "pattern": "(?i)(?:([sx0b]*?select[sx0b]*?[0-9A-Z_a-z]+|coalesce|order[sx0b]+by[sx0b]+if[0-9A-Z_a-z]*?)[sx0b]*?(|*/from|+[sx0b]*?[0-9]+[sx0b]*?+[sx0b]*?@|[0-9A-Z_a-z][", + "pattern": "(?i)(?:\\([\\s\\x0b]*?select[\\s\\x0b]*?[0-9A-Z_a-z]+|coalesce|order[\\s\\x0b]+by[\\s\\x0b]+if[0-9A-Z_a-z]*?)[\\s\\x0b]*?\\(|\\*/from|\\+[\\s\\x0b]*?[0-9]+[\\s\\x0b]*?\\+[\\s\\x0b]*?@|[0-9A-Z_a-z][\"'`][\\s\\x0b]*?(?:(?:[\\+\\-=@\\|]+[\\s\\x0b]+?)+|[\\+\\-=@\\|]+)[\\(0-9]|@@[0-9A-Z_a-z]+[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[\\s\\x0b]*?(?:if|while|begin)|[\\s\\x0b0-9]+=[\\s\\x0b]*?[0-9])|[\\s\\x0b\\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\\s\\x0b\\(]", "targets": [ "all" ], @@ -3919,7 +3919,7 @@ { "id": "942330", "name": "Detects classic SQL injection probings 1/3", - "pattern": "(?i)[", + "pattern": "(?i)[\"'`][\\s\\x0b]*?\\b(?:x?or|div|like|between|and)\\b[\\s\\x0b]*?[\"'`]?[0-9]|\\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\\s\\x0b]*?\\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\\|\\||&&)\\b[\\s\\x0b]*?[\"'0-9A-Z_-z][!&\\(\\)\\+-\\.@])|[^\\s\\x0b0-9A-Z_a-z][0-9A-Z_a-z]+[\\s\\x0b]*?[\\-\\|][\\s\\x0b]*?[\"'`][\\s\\x0b]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\\s\\x0b]+(?:and|x?or|div|like|between)\\b[\\s\\x0b]*?[\"'0-9`]+|[\\-0-9A-Z_a-z]+[\\s\\x0b](?:and|x?or|div|like|between)\\b[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z])|[^\\s\\x0b0-:A-Z_a-z][\\s\\x0b]*?[0-9][^0-9A-Z_a-z]+[^\\s\\x0b0-9A-Z_a-z][\\s\\x0b]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]", "targets": [ "all" ], 
@@ -3939,7 +3939,7 @@ { "id": "942340", "name": "Detects basic SQL authentication bypass attempts 3/3", - "pattern": "(?i)in[sx0b]*?(+[sx0b]*?select|(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[sx0b]+|(?:|||&&)[sx0b]*?)[sx0b+0-9A-Z_a-z]+(?:regexp[sx0b]*?(|sounds[sx0b]+like[sx0b]*?[", + "pattern": "(?i)in[\\s\\x0b]*?\\(+[\\s\\x0b]*?select|(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[\\s\\x0b]+|(?:\\|\\||&&)[\\s\\x0b]*?)[\\s\\x0b\\+0-9A-Z_a-z]+(?:regexp[\\s\\x0b]*?\\(|sounds[\\s\\x0b]+like[\\s\\x0b]*?[\"'`]|[0-9=]+x)|[\"'`](?:[\\s\\x0b]*?(?:(?:[0-9]+[\\s\\x0b]*?(?:--|#)|is[\\s\\x0b]*?(?:[0-9][^\"'`]+[\"'`]?[0-9A-Z_a-z]|[\\.0-9]+[\\s\\x0b]*?[^0-9A-Z_a-z][^\"'`]*[\"'`])|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[\\s\\x0b]+|(?:\\|\\||&&)[\\s\\x0b]*?)(?:array[\\s\\x0b]*?\\[|(?:tru|fals)e\\b|[0-9A-Z_a-z]+(?:[\\s\\x0b]*?!?~|[\\s\\x0b]+(?:not[\\s\\x0b]+)?similar[\\s\\x0b]+to[\\s\\x0b]+))|[%&<->\\^]+[0-9]+[\\s\\x0b]*?(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)=)|(?:[^0-9A-Z_a-z]+[\\+\\-0-9A-Z_a-z]+[\\s\\x0b]*?=[\\s\\x0b]*?[0-9][^0-9A-Z_a-z]+|\\|?[\\-0-9A-Z_a-z]{3,}[^\\s\\x0b,\\.0-9A-Z_a-z]+)[\"'`])|\\bexcept[\\s\\x0b]+(?:select\\b|values[\\s\\x0b]*?\\()", "targets": [ "all" ], @@ -3959,7 +3959,7 @@ { "id": "942361", "name": "Detects basic SQL injection based on keyword alter or union", - "pattern": "(?i:^[Wd]+s*?(?:alter|union)b)", + "pattern": "(?i:^[\\W\\d]+\\s*?(?:alter|union)\\b)", "targets": [ "all" ], 
@@ -3979,7 +3979,7 @@ { "id": "942362", "name": "Detects concatenated basic SQL injection and SQLLFI attempts", - "pattern": "(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)[sx0b]?(?|end[sx0b]*?);|[sx0b(]load_file[sx0b]*?(|[", + "pattern": "(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\x0b]+(?:char|group_concat|load_file)[\\s\\x0b]?\\(?:end[\\s\\x0b]*?\\);|[\\s\\x0b\\(]load_file[\\s\\x0b]*?\\(|[\"'`][\\s\\x0b]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\\s\\x0b]+as\\b[\\s\\x0b]*[\"'0-9A-Z_-z]+[\\s\\x0b]*\\bfrom|^[^A-Z_a-z]+[\\s\\x0b]*?(?:create[\\s\\x0b]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\\s\\x0b]*(?:all|(?:sele|distin)ct))|alter[\\s\\x0b]*(?:a(?:(?:ggregat|pplication[\\s\\x0b]*rol)e|s(?:sembl|ymmetric[\\s\\x0b]*ke)y|u(?:dit|thorization)|vailability[\\s\\x0b]*group)|b(?:roker[\\s\\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\\s\\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\\s\\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\\s\\x0b]*key)|terialized)|e(?:ssage[\\s\\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\\s\\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\\s\\x0b]*schema|srobject)))\\b)", "targets": [ "all" ], 
@@ -3999,7 +3999,7 @@ { "id": "942370", "name": "Detects classic SQL injection probings 2/3", - "pattern": "(?i)[", + "pattern": "(?i)[\"'`](?:[\\s\\x0b]*?(?:(?:\\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[\\s\\x0b][^0-9]+[\\-0-9A-Z_a-z]+[^0-9]*)[0-9]|[^\\s\\x0b0-9\\?A-Z_a-z]+[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z]+[\\s\\x0b]*?[\"'`]|[^\\s\\x0b0-9A-Z_a-z]+[\\s\\x0b]*?[^A-Z_a-z](?:[^#]*#|.*?--))|[^\\*]*\\*[\\s\\x0b]*?[0-9])|\\^[\"'`]|[%\\(-\\+\\-<>][\\-0-9A-Z_a-z]+[^\\s\\x0b0-9A-Z_a-z]+[\"'`][^,]", "targets": [ "all" ], @@ -4019,7 +4019,7 @@ { "id": "942380", "name": "SQL Injection Attack", - "pattern": "(?i)b(?:havingb(?:[sx0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[sx0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[", + "pattern": "(?i)\\b(?:having\\b(?:[\\s\\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[\\s\\x0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\\?\\[]+))|ex(?:ecute(?:\\(|[\\s\\x0b]{1,5}[\\$\\.0-9A-Z_a-z]{1,5}[\\s\\x0b]{0,3})|ists[\\s\\x0b]*?\\([\\s\\x0b]*?select\\b)|(?:create[\\s\\x0b]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\\()|select.*?case|from.*?limit|order[\\s\\x0b]by|exists[\\s\\x0b](?:[\\s\\x0b]select|s(?:elect[^\\s\\x0b](?:if(?:null)?[\\s\\x0b]\\(|top|concat)|ystem[\\s\\x0b]\\()|\\bhaving\\b[\\s\\x0b]+[0-9]{1,10}|'[^=]{1,10}')", "targets": [ "all" ], @@ -4039,7 +4039,7 @@ { "id": "942390", "name": "SQL Injection Attack", - "pattern": "(?i)b(?:orb(?:[sx0b]?(?:[0-9]{1,10}|[", + "pattern": "(?i)\\b(?:or\\b(?:[\\s\\x0b]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\\s\\x0b]?[<->]+|[\\s\\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\\s\\x0b]*?[<->])?)|xor\\b[\\s\\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\\s\\x0b]*?[<->])?)|'[\\s\\x0b]+x?or[\\s\\x0b]+.{1,20}[!\\+\\-<->]", "targets": [ "all" ], 
@@ -4059,7 +4059,7 @@ { "id": "942400", "name": "SQL Injection Attack", - "pattern": "(?i)bandb(?:[sx0b]+(?:[0-9]{1,10}[sx0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[", + "pattern": "(?i)\\band\\b(?:[\\s\\x0b]+(?:[0-9]{1,10}[\\s\\x0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)", "targets": [ "all" ], @@ -4079,7 +4079,7 @@ { "id": "942410", "name": "SQL Injection Attack", - "pattern": "(?i)b(?:a(?:(?:b|co)s|vg)|bin|c(?:(?:as|o(?:nver|un))t|h(?:ar(?:set)?|r))|d(?:a(?:te|y)|e(?:fault|grees))|elt|f(?:ield|loor|ormat)|(?:hou|quarte|yea)r|i[fns]|l(?:ast|e(?:ft|ngth)|n|ikelihood|o(?:cal|g|wer))|m(?:ax|in(?:ute)?|o(?:d|nth))|now|p(?:assword|i|o(?:sition|wer))|r(?:awtonhex(?:toraw)?|e(?:p(?:eat|lace)|verse)|ight|ound)|s(?:econd|ign|leep|pace|tddev|um)|t(?:an|ime|o_(?:n?char|(?:day|second)s))|u(?:nlikely|(?:pp|s)er)|v(?:alues|ersion)|week)[^0-9A-Z_a-z]*?(", + "pattern": "(?i)\\b(?:a(?:(?:b|co)s|vg)|bin|c(?:(?:as|o(?:nver|un))t|h(?:ar(?:set)?|r))|d(?:a(?:te|y)|e(?:fault|grees))|elt|f(?:ield|loor|ormat)|(?:hou|quarte|yea)r|i[fns]|l(?:ast|e(?:ft|ngth)|n|ikelihood|o(?:cal|g|wer))|m(?:ax|in(?:ute)?|o(?:d|nth))|now|p(?:assword|i|o(?:sition|wer))|r(?:awtonhex(?:toraw)?|e(?:p(?:eat|lace)|verse)|ight|ound)|s(?:econd|ign|leep|pace|tddev|um)|t(?:an|ime|o_(?:n?char|(?:day|second)s))|u(?:nlikely|(?:pp|s)er)|v(?:alues|ersion)|week)[^0-9A-Z_a-z]*?\\(", "targets": [ "all" ], 
@@ -4119,7 +4119,7 @@ { "id": "942480", "name": "SQL Injection Attack", - "pattern": "(?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'", + "pattern": "(?i)\\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\\.|elete\\b[^0-9A-Z_a-z]*?\\bfrom)|(?:group\\b.*?\\bby\\b.{1,100}?\\bhav|overlay\\b[^0-9A-Z_a-z]*?\\(.*?\\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\\b[^0-9A-Z_a-z]*?\\bjoin|sert\\b[^0-9A-Z_a-z]*?\\binto|to\\b[^0-9A-Z_a-z]*?\\b(?:dump|out)file)|load\\b[^0-9A-Z_a-z]*?\\bdata\\b.*?\\binfile|s(?:elect\\b.{1,100}?\\b(?:(?:.*?\\bdump\\b.*|(?:count|length)\\b.{1,100}?)\\bfrom|(?:data_typ|from\\b.{1,100}?\\bwher)e|instr|to(?:_(?:cha|numbe)r|p\\b.{1,100}?\\bfrom))|ys_context)|u(?:nion\\b.{1,100}?\\bselect|tl_inaddr))\\b|print\\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\\(a|@@version|;[^0-9A-Z_a-z]*?\\b(?:drop|shutdown))\\b|'(?:dbo|msdasql|s(?:a|qloledb))'", "targets": [ "all" ], @@ -4139,7 +4139,7 @@ { "id": "942430", "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)", - "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){12})", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){12})", "targets": [ "body", "query" 
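Review bot: The alternatives `\\x{c2}\\x{b4}` and `\\x{e2}\\x80[\\x98\\x99]` in 942430 are UTF-8 byte sequences, so they match the intended acute accent and curly quotes only if the consuming engine matches on bytes. This matters now because the backslashes are preserved and the escapes are live. The engine that loads rulesets.json is not visible in this diff; if it works on code points, these branches would look for two or three separate characters and never match. In that case the branch should be written as `\\x{b4}|[\\x{2018}\\x{2019}]`. The same applies to 942420, 942431, 942421 and 942432 in the later hunks.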
@@ -4160,7 +4160,7 @@ { "id": "942440", "name": "SQL Comment Sequence Detected", - "pattern": "/*!?|*/|[';]--|--(?:[sx0b]|[^-]*?-)|[^&-]#.*?[sx0b]|;?x00", + "pattern": "/\\*!?|\\*/|[';]--|--(?:[\\s\\x0b]|[^\\-]*?-)|[^&\\-]#.*?[\\s\\x0b]|;?\\x00", "targets": [ "all" ], @@ -4180,7 +4180,7 @@ { "id": "942450", "name": "SQL Bin or Hex Encoding Identified", - "pattern": "(?i:b0x[a-fd]{3,}|x'[a-fd]{3,}'|b'[0-1]{10,}')", + "pattern": "(?i:\\b0x[a-f\\d]{3,}|x\\'[a-f\\d]{3,}\\'|b\\'[0-1]{10,}\\')", "targets": [ "all" ], @@ -4200,7 +4200,7 @@ { "id": "942510", "name": "SQLi bypass attempt by ticks or backticks detected", - "pattern": "(?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)", + "pattern": "(?:`(?:(?:[\\w\\s=_\\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)", "targets": [ "all" ], @@ -4220,7 +4220,7 @@ { "id": "942520", "name": "Detects basic SQL authentication bypass attempts 4.0/4", - "pattern": "(?i)[", + "pattern": "(?i)[\"'`][\\s\\x0b]*?(?:(?:is[\\s\\x0b]+not|not[\\s\\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\\s\\x0b]+like)\\b|[%&\\*\\+\\-/<->\\^\\|]{1,3})", "targets": [ "all" ], @@ -4240,7 +4240,7 @@ { "id": "942521", "name": "Detects basic SQL authentication bypass attempts 4.1/4", - "pattern": "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^", + "pattern": "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\\s\\x0b]*([0-9A-Z_a-z]+)\\b", "targets": [ "all" ], @@ -4260,7 +4260,7 @@ { "id": "942522", "name": "Detects basic SQL authentication bypass attempts 4.1/4", - "pattern": "^.*?x5c['", + "pattern": "^.*?\\x5c['\"`](?:.*?['\"`])?\\s*(?:and|or)\\b", "targets": [ "body", "query" 
@@ -4301,7 +4301,7 @@ { "id": "942152", "name": "SQL Injection Attack: SQL function name detected", - "pattern": "(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_l
ock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(", + "pattern": "(?i)\\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)
?|l(?:ast_(?:day|insert_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\\(", "targets": [ "headers" ], 
@@ -4321,7 +4321,7 @@ { "id": "942321", "name": "Detects MySQL and PostgreSQL stored procedure/function injections", - "pattern": "(?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)", + "pattern": "(?i)create[\\s\\x0b]+(?:function|procedure)[\\s\\x0b]*?[0-9A-Z_a-z]+[\\s\\x0b]*?\\([\\s\\x0b]*?\\)[\\s\\x0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\\s\\x0b]*?[0-9A-Z_a-z]+|iv[\\s\\x0b]*?\\([\\+\\-]*[\\s\\x0b\\.0-9]+,[\\+\\-]*[\\s\\x0b\\.0-9]+\\))|exec[\\s\\x0b]*?\\([\\s\\x0b]*?@|(?:lo_(?:impor|ge)t|procedure[\\s\\x0b]+analyse)[\\s\\x0b]*?\\(|;[\\s\\x0b]*?(?:declare|open)[\\s\\x0b]+[\\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\\s\\x0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)", "targets": [ "headers" ], @@ -4341,7 +4341,7 @@ { "id": "942251", "name": "Detects HAVING injections", - "pattern": "(?i)W+d*?s*?bhavingbs*?[^s-]", + "pattern": "(?i)\\W+\\d*?\\s*?\\bhaving\\b\\s*?[^\\s\\-]", "targets": [ "all" ], @@ -4361,7 +4361,7 @@ { "id": "942490", "name": "Detects classic SQL injection probings 3/3", - "pattern": "[", + "pattern": "[\"'`][\\s\\d]*?[^\\w\\s]\\W*?\\d\\W*?.*?[\"'`\\d]", "targets": [ "all" ], @@ -4381,7 +4381,7 @@ { "id": "942420", "name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)", - "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){8})", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){8})", "targets": [ "headers" ], 
@@ -4401,7 +4401,7 @@ { "id": "942431", "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)", - "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){6})", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){6})", "targets": [ "body", "query" @@ -4422,7 +4422,7 @@ { "id": "942460", "name": "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters", - "pattern": "W{4}", + "pattern": "\\W{4}", "targets": [ "query" ], @@ -4442,7 +4442,7 @@ { "id": "942511", "name": "SQLi bypass attempt by ticks detected", - "pattern": "(?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')", + "pattern": "(?:'(?:(?:[\\w\\s=_\\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')", "targets": [ "all" ], @@ -4482,7 +4482,7 @@ { "id": "942421", "name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)", - "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){3})", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){3})", "targets": [ "headers" ], @@ -4502,7 +4502,7 @@ { "id": "942432", "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)", - "pattern": "((?:(?:[!-+-:->@[]^`{-~]|x{c2}x{b4}|x{e2}x80[x98x99])[^!-+-:->@[]^`{-~]*?){2})", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){2})", "targets": [ "body", "query" 
@@ -4535,7 +4535,7 @@ { "id": "943100", "name": "Possible Session Fixation Attack: Setting Cookie Values in HTML", - "pattern": "(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)", + "pattern": "(?i:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)", "targets": [ "all" ], @@ -4555,7 +4555,7 @@ { "id": "943110", "name": "Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer", - "pattern": "^(?:j(?:se(?:ssionid|rvsession)|wsession)|(?:asp(?:.net_)?session|zend_session_)id|p(?:hpsessi(?:on|d)|lay_session)|(?:(?:w(?:eblogic|l)|rack.|laravel_)sessio|(?:next-auth.session-|meteor_login_)toke)n|s(?:(?:ession[-_]?|ails.s)id|hiny-token)|_(?:session_id|(?:(?:flask|rails)_sessio|_(?:secure|host)-next-auth.session-toke)n)|c(?:f(?:s?id|token)|onnect.sid|akephp|i_session)|koa[.:]sess)$", + "pattern": "^(?:j(?:se(?:ssionid|rvsession)|wsession)|(?:asp(?:\\.net_)?session|zend_session_)id|p(?:hpsessi(?:on|d)|lay_session)|(?:(?:w(?:eblogic|l)|rack\\.|laravel_)sessio|(?:next-auth\\.session-|meteor_login_)toke)n|s(?:(?:ession[\\-_]?|ails\\.s)id|hiny-token)|_(?:session_id|(?:(?:flask|rails)_sessio|_(?:secure|host)-next-auth\\.session-toke)n)|c(?:f(?:s?id|token)|onnect\\.sid|akephp|i_session)|koa[\\.:]sess)$", "targets": [ "query" ], @@ -4575,7 +4575,7 @@ { "id": "943120", "name": "Possible Session Fixation Attack: SessionID Parameter Name with No Referer", - "pattern": "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect.sid|laravel_session)$", + "pattern": "^(?:jsessionid|aspsessionid|asp\\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\\.sid|laravel_session)$", "targets": [ "query" ], 
@@ -4607,7 +4607,7 @@ { "id": "944100", "name": "Remote Command Execution: Suspicious Java class detected", - "pattern": "java.lang.(?:runtime|processbuilder)", + "pattern": "java\\.lang\\.(?:runtime|processbuilder)", "targets": [ "all" ], @@ -4667,7 +4667,7 @@ { "id": "944140", "name": "Java Injection Attack: Java Script File Upload Found", - "pattern": ".*.(?:jsp|jspx).*$", + "pattern": ".*\\.(?:jsp|jspx)\\.*$", "targets": [ "headers" ], @@ -4687,7 +4687,7 @@ { "id": "944150", "name": "Potential Remote Command Execution: Log4j / Log4shell", - "pattern": "(?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)", + "pattern": "(?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)(?:[^\\}]{0,15}(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)|jndi|ctx)", "targets": [ "all" ], @@ -4707,7 +4707,7 @@ { "id": "944151", "name": "Potential Remote Command Execution: Log4j / Log4shell", - "pattern": "(?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)", + "pattern": "(?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)(?:[^\\}]*(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)|jndi|ctx)", "targets": [ "all" ], @@ -4727,7 +4727,7 @@ { "id": "944200", "name": "Magic bytes Detected, probable java serialization in use", - "pattern": "xacxedx00x05", + "pattern": "\\xac\\xed\\x00\\x05", "targets": [ "all" ], @@ -4787,7 +4787,7 @@ { "id": "944250", "name": "Remote Command Execution: Suspicious Java method detected", - "pattern": "javab.+(?:runtime|processbuilder)", + "pattern": "java\\b.+(?:runtime|processbuilder)", "targets": [ "all" ], @@ -4807,7 +4807,7 @@ { "id": "944260", "name": "Remote Command Execution: Malicious class-loading payload", - "pattern": "(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)", + "pattern": "(?:class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext)", "targets": [ "all" ], 
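Review bot: In 944150 the leading group is shown as `(?:\\$|$?)`, whose second alternative is an optional end anchor that matches the empty string, so the dollar sign is no longer required before `{`. If the file really contains this, 944152 (`(?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)`) reduces to "any opening brace" and will flag ordinary JSON bodies; 944151 has the same group. The neighbouring `&l(?:brace|cub);?` suggests the alternative was meant to be the HTML entity for the dollar sign. The entity may only have been decoded in this rendering of the patch, so check the raw file. If it is wrong in the file, the group should be `(?:\\$|&dollar;?)` in all three rules.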
@@ -4847,7 +4847,7 @@ { "id": "944152", "name": "Potential Remote Command Execution: Log4j / Log4shell", - "pattern": "(?i)(?:$|$?)(?:{|&l(?:brace|cub);?)", + "pattern": "(?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)", "targets": [ "all" ], @@ -4879,7 +4879,7 @@ { "id": "950130", "name": "Directory Listing", - "pattern": "(?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)", + "pattern": "(?:<(?:TITLE>Index of.*?Index of.*?Index of|>\\[To Parent Directory\\]
)", "targets": [ "body" ], @@ -4899,7 +4899,7 @@ { "id": "950140", "name": "CGI source code leakage", - "pattern": "^#!s?/", + "pattern": "^#\\!\\s?/", "targets": [ "body" ], @@ -4919,7 +4919,7 @@ { "id": "950100", "name": "The Application Returned a 500-Level Status Code", - "pattern": "^5d{2}$", + "pattern": "^5\\d{2}$", "targets": [ "body" ], @@ -4951,7 +4951,7 @@ { "id": "951110", "name": "Microsoft Access SQL Information Leakage", - "pattern": "(?i)(?:JET|Access) Database Engine|[Microsoft][ODBC Microsoft Access Driver]", + "pattern": "(?i)(?:JET|Access) Database Engine|\\[Microsoft\\]\\[ODBC Microsoft Access Driver\\]", "targets": [ "body" ], @@ -4971,7 +4971,7 @@ { "id": "951120", "name": "Oracle SQL Information Leakage", - "pattern": "(?i)bORA-[0-9][0-9][0-9][0-9][0-9]:|java.sql.SQLException|Oracle(?: erro|[^()]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})", + "pattern": "(?i)\\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\\.sql\\.SQLException|Oracle(?: erro|[^\\(\\)]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})", "targets": [ "body" ], @@ -4991,7 +4991,7 @@ { "id": "951130", "name": "DB2 SQL Information Leakage", - "pattern": "(?i)DB2 SQL error|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|db2_[0-9A-Z_a-z]+()", + "pattern": "(?i)DB2 SQL error|\\[IBM\\]\\[CLI Driver\\]\\[DB2/6000\\]|CLI Driver.*DB2|db2_[0-9A-Z_a-z]+\\(\\)", "targets": [ "body" ], @@ -5011,7 +5011,7 @@ { "id": "951140", "name": "EMC SQL Information Leakage", - "pattern": "(?i)[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:", + "pattern": "(?i)\\[DM_QUERY_E_SYNTAX\\]|has occurred in the vicinity of:", "targets": [ "body" ], @@ -5051,7 +5051,7 @@ { "id": "951160", "name": "Frontbase SQL Information Leakage", - "pattern": "(?i)Exception (?:condition )?d+. Transaction rollback.", + "pattern": "(?i)Exception (?:condition )?\\d+\\. Transaction rollback\\.", "targets": [ "body" ], 
@@ -5071,7 +5071,7 @@
 {
 "id": "951170",
 "name": "hsqldb SQL Information Leakage",
- "pattern": "(?i)org.hsqldb.jdbc",
+ "pattern": "(?i)org\\.hsqldb\\.jdbc",
 "targets": [
 "body"
 ],
@@ -5091,7 +5091,7 @@
 {
 "id": "951180",
 "name": "informix SQL Information Leakage",
- "pattern": "(?i)An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix",
+ "pattern": "(?i)An illegal character has been found in the statement|com\\.informix\\.jdbc|Exception.*Informix",
 "targets": [
 "body"
 ],
@@ -5151,7 +5151,7 @@
 {
 "id": "951210",
 "name": "maxDB SQL Information Leakage",
- "pattern": "(?i)Warning.{1,10}maxdb[():_a-z]{1,26}:",
+ "pattern": "(?i)Warning.{1,10}maxdb[\\(\\):_a-z]{1,26}:",
 "targets": [
 "body"
 ],
@@ -5171,7 +5171,7 @@
 {
 "id": "951220",
 "name": "mssql SQL Information Leakage",
- "pattern": "(?i)S(?:y(?:stem.Data.(?:OleDb.OleDb|SqlClient.Sql)Except|ntax error (?:in string|.*) in query express)ion|intaxis incorrecta cerca de)|[(?:SqlException|M(?:icrosoft][ODBC SQL Server|acromedia][SQLServer JDBC) Driver])|(?:Exception.*[^0-9A-Z_a-z]System.Data.SqlClie|Conversion failed when converting the varchar value .*? to data type i)nt.|D(?:river.*SQL[ -_]*Server|ata type mismatch in criteria expression.)|Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server)|(?:(?:OLE DB.*SQL Serv|Procedure or function '.{1,128}' expects paramet)e|Incorrect syntax nea)r|Unclosed quotation mark (?:after|before) the character string|'80040e14'|(?:ADODB.Field (0x800A0BCD|mssql_query())|the used select statements have different number of columns|Warning.*mssql_.*",
+ "pattern": "(?i)S(?:y(?:stem\\.Data\\.(?:OleDb\\.OleDb|SqlClient\\.Sql)Except|ntax error (?:in string|.*) in query express)ion|intaxis incorrecta cerca de)|\\[(?:SqlException|M(?:icrosoft\\]\\[ODBC SQL Server|acromedia\\]\\[SQLServer JDBC) Driver\\])|(?:Exception.*[^0-9A-Z_a-z]System\\.Data\\.SqlClie|Conversion failed when converting the varchar value .*? to data type i)nt\\.|D(?:river.*SQL[ \\-_]*Server|ata type mismatch in criteria expression\\.)|Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server)|(?:(?:OLE DB.*SQL Serv|Procedure or function '.{1,128}' expects paramet)e|Incorrect syntax nea)r|Unclosed quotation mark (?:after|before) the character string|'80040e14'|(?:ADODB\\.Field \\(0x800A0BCD|mssql_query\\()\\)|the used select statements have different number of columns|Warning.*mssql_.*",
 "targets": [
 "body"
 ],
@@ -5191,7 +5191,7 @@
 {
 "id": "951230",
 "name": "mysql SQL Information Leakage",
- "pattern": "(?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[()_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):",
+ "pattern": "(?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\\(\\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\\.)|\\[MySQL\\]\\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\\(\\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \\([0-9a-z]{5}\\)|XPATH syntax error):",
 "targets": [
 "body"
 ],
@@ -5211,7 +5211,7 @@
 {
 "id": "951240",
 "name": "postgres SQL Information Leakage",
- "pattern": "(?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)() [|org.postgresql.util.PSQLException):|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er",
+ "pattern": "(?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)\\(\\) \\[|org\\.postgresql\\.util\\.PSQLException):|Warning.{1,20}\\bpg_.*|valid PostgreSQL result|Npgsql\\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er",
 "targets": [
 "body"
 ],
@@ -5231,7 +5231,7 @@
 {
 "id": "951250",
 "name": "sqlite SQL Information Leakage",
- "pattern": "(?i)Warning.*(?:sqlite_|SQLite3::)|S(?:QLite(?:/JDBCDriver|.Exception)|ystem.Data.SQLite.SQLiteException)",
+ "pattern": "(?i)Warning.*(?:sqlite_|SQLite3::)|S(?:QLite(?:/JDBCDriver|\\.Exception)|ystem\\.Data\\.SQLite\\.SQLiteException)",
 "targets": [
 "body"
 ],
@@ -5283,7 +5283,7 @@
 {
 "id": "952110",
 "name": "Java Errors",
- "pattern": "(?i)b(?:java[.a-z]+E(?:xception|rror)|(?:org|com).[.a-z]+Exception|Exception in thread ",
+ "pattern": "(?i)\\b(?:java[\\.a-z]+E(?:xception|rror)|(?:org|com)\\.[\\.a-z]+Exception|Exception in thread \"[^\"]*\"|at[\\s\\x0b]+(?:ja(?:vax?|karta)|org|com))\\b",
 "targets": [
 "body"
 ],
@@ -5315,7 +5315,7 @@
 {
 "id": "953110",
 "name": "PHP source code leakage",
- "pattern": "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b",
+ "pattern": "(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b",
 "targets": [
 "body"
 ],
@@ -5335,7 +5335,7 @@
 {
 "id": "953120",
 "name": "PHP source code leakage",
- "pattern": "(?i).{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out)", + "pattern": "(?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \\(0x80040e31\\)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error\\.

|cannot connect to the server: timed out)", "targets": [ "body" ], @@ -5447,7 +5447,7 @@ { "id": "954101", "name": "Disclosure of IIS install location", - "pattern": "(?i)[x5c/]inetpubb", + "pattern": "(?i)[\\x5c/]inetpub\\b", "targets": [ "body" ], @@ -5559,7 +5559,7 @@ { "id": "955150", "name": "Ashiyane web shell", - "pattern": ".:: [^~]*~ Ashiyane V [0-9.]+ ::.", + "pattern": "\\.:: [^~]*~ Ashiyane V [0-9.]+ ::\\.", "targets": [ "body" ], @@ -5619,7 +5619,7 @@ { "id": "955180", "name": "GRP WebShell", - "pattern": "^rnrnGRP WebShell [0-9.]+ ", + "pattern": "^<html>\\r\\n<head>\\r\\n<title>GRP WebShell [0-9.]+ ", "targets": [ "body" ], @@ -5639,7 +5639,7 @@ { "id": "955190", "name": "NGHshell web shell", - "pattern": "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$", + "pattern": "<small>NGHshell [0-9.]+ by Cr4sh</body></html>\\n$", "targets": [ "body" ], @@ -5679,7 +5679,7 @@ { "id": "955210", "name": "Unknown web shell", - "pattern": "^<!DOCTYPE html>n<html>n<!-- By Artyum [^<]*<title>Web Shell", + "pattern": "^\\n\\n", + "pattern": "^PHP Web Shell\\r\\n\\r\\n\\r\\n ", "targets": [ "body" ], @@ -5759,7 +5759,7 @@ { "id": "955250", "name": "Unknown web shell", - "pattern": "^nn
\\n\\n
Input command :
\\n
", "targets": [ "body" ], @@ -5779,7 +5779,7 @@ { "id": "955260", "name": "Ru24PostWebShell web shell", - "pattern": "^nnRu24PostWebShell ", + "pattern": "^<html>\\n<head>\\n<title>Ru24PostWebShell ", "targets": [ "body" ], @@ -5819,7 +5819,7 @@ { "id": "955280", "name": "PhpSpy web shell", - "pattern": "^<html>rn<head>rn<meta http-equiv=", + "pattern": "^<html>\\r\\n<head>\\r\\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\\r\\n<title>PhpSpy Ver [0-9]+", "targets": [ "body" ], @@ -5839,7 +5839,7 @@ { "id": "955290", "name": "g00nshell web shell", - "pattern": "^ nnnng00nshell v[0-9.]+ ", + "pattern": "^ <html>\\n\\n<head>\\n\\n<title>g00nshell v[0-9.]+ ", "targets": [ "body" ], @@ -5859,7 +5859,7 @@ { "id": "955310", "name": "azrail web shell", - "pattern": "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M", + "pattern": "^\\n \\n azrail [0-9.]+ by C-W-M", "targets": [ "body" ], @@ -5899,7 +5899,7 @@ { "id": "955330", "name": "Shell I web shell", - "pattern": "^n[^~]*~ Shell Inn