Revert "test"

This reverts commit afc7591d74.

src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf

@@ -0,0 +1,548 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.0.0
+# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+# For performance reasons, most of the shells are matched using this rule.
+# This rule is intended for PHP web shells.
+SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
+    "id:955100,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Web shell detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# r57 web shell
+SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" \
+    "id:955110,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'r57 web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# WSO web shell
+SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" \
+    "id:955120,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'WSO web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n)
+SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" \
+    "id:955130,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'b4tm4n web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Mini Shell web shell
+SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
+    "id:955140,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Mini Shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Ashiyane web shell
+SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
+    "id:955150,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Ashiyane web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Symlink_Sa web shell
+SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
+    "id:955160,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Symlink_Sa web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# CasuS web shell
+SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
+    "id:955170,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'CasuS web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# GRP WebShell
+SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
+    "id:955180,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'GRP WebShell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# NGHshell web shell
+SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
+    "id:955190,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'NGHshell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# SimAttacker web shell
+SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \
+    "id:955200,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'SimAttacker web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Unknown web shell
+SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell</title>" \
+    "id:955210,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Unknown web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# lama's'hell web shell
+SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
+    "id:955220,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'lama\'s\'hell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# lostDC web shell
+SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
+    "id:955230,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'lostDC web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Unknown web shell
+SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n    <!-- Replaces command with Base64-encoded Data -->" \
+    "id:955240,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Unknown web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Unknown web shell
+SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\">Input command :</font></div>\n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" \
+    "id:955250,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Unknown web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Ru24PostWebShell web shell
+SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " \
+    "id:955260,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Ru24PostWebShell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# s72 Shell web shell
+SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" \
+    "id:955270,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'s72 Shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# PhpSpy web shell
+SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\r\n<title>PhpSpy Ver [0-9]+</title>" \
+    "id:955280,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PhpSpy web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# g00nshell web shell
+SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
+    "id:955290,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'g00nshell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# PuNkHoLic shell web shell
+# Various versions has this text written little differently so we need to do
+# t:removeWhitespace and t:lowercase.
+SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
+    "id:955300,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,t:removeWhitespace,t:lowercase,\
+    msg:'PuNkHoLic shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# azrail web shell
+SecRule RESPONSE_BODY "@rx ^<html>\n      <head>\n             <title>azrail [0-9.]+ by C-W-M</title>" \
+    "id:955310,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'azrail web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# SmEvK_PaThAn Shell web shell
+SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
+    "id:955320,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'SmEvK_PaThAn Shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Shell I web shell
+SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style>" \
+    "id:955330,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Shell I web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# b374k m1n1 web shell
+SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" \
+    "id:955340,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'b374k m1n1 web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+# webadmin.php file manager
+# This is placed in PL2 because of too generic pattern.
+SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>" \
+    "id:955350,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'webadmin.php file manager',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.0.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-RESPONSE-955-WEB-SHELLS"

src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933111.yaml

@@ -0,0 +1,32 @@
+---
+meta:
+  author: "NiceYouKnow"
+  description: None
+  enabled: true
+  name: 933111.yaml
+tests:
+  - test_title: 933111-1
+    desc: "PHP Injection Attack: PHP Script File Upload Found"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              User-Agent: "OWASP CRS test agent"
+              Host: "localhost"
+              Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoRWIb3busvBrbttO
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            uri: /
+            port: 80
+            data: |
+              ------WebKitFormBoundaryoRWIb3busvBrbttO
+              Content-Disposition: form-data; name="file"; filename="test.php.jpg"
+              Content-Type: image/jpeg
+
+              <?php @eval($_POST["hacker"]); ?>
+
+              ------WebKitFormBoundaryoRWIb3busvBrbttO--
+            version: HTTP/1.1
+          output:
+            log_contains: id "933111"

src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933190.yaml

@@ -0,0 +1,24 @@
+---
+meta:
+  author: "NiceYouKnow"
+  description: None
+  enabled: true
+  name: 933190.yaml
+tests:
+  - test_title: 933190-1
+    desc: "PHP Injection Attack: PHP Closing Tag Found"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: "localhost"
+              Cache-Control: "no-cache, no-store, must-revalidate"
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            data: 'file_test=<?php%20@eval($_POST["hacker"]);%20?>&submit=1'
+            version: HTTP/1.1
+          output:
+            log_contains: id "933190"