Apache环境:
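创建.htaccess文件(注意:.htaccess 只有放在 Apache 实际提供服务的目录中、且该目录允许 AllowOverride 时才会生效;php_value 指令仅适用于 mod_php;auto_prepend_file 的路径必须与 waf.php 的实际保存位置一致)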

cd /tmp
vi .htaccess
php_value auto_prepend_file /tmp/waf.php

创建waf.php

cd /var/www/html/
vi waf.php

<?php
//流量抓取
/**
 * Rebuild a text approximation of the current HTTP request for logging.
 *
 * Layout: request line, one "NAME: value" line per $_SERVER entry whose key
 * starts with "HTTP_" (prefix removed, underscores turned into dashes, so the
 * names keep the upper-case form used by $_SERVER), an empty line, then the
 * request body as read from php://input.
 *
 * NOTE(review): the result contains every header PHP exposes, which normally
 * includes Cookie values, so anything that stores it should be treated as
 * sensitive. php://input is usually empty for multipart/form-data requests,
 * so upload bodies will not show up here - confirm against the PHP config.
 *
 * @return string CRLF-delimited request text.
 */
function get_http_raw() {
    // Request line first; headers are appended behind it.
    $lines = array(
        $_SERVER['REQUEST_METHOD'] . ' ' . $_SERVER['REQUEST_URI'] . ' ' . $_SERVER['SERVER_PROTOCOL'],
    );

    foreach ($_SERVER as $name => $val) {
        // Only entries that PHP derived from request headers are of interest.
        if (substr($name, 0, 5) !== 'HTTP_') {
            continue;
        }
        $lines[] = str_replace('_', '-', substr($name, 5)) . ': ' . $val;
    }

    // The last header line gets its CRLF plus the empty separator line.
    return implode("\r\n", $lines) . "\r\n\r\n" . file_get_contents('php://input');
}

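/**
 * Append a timestamped copy of the current request to the traffic log.
 *
 * Logging is best effort: if the log cannot be opened the request must still
 * be served. The previous fopen()/fwrite() pair passed an unchecked handle to
 * fwrite(), which aborts the request on PHP 8 when the file is not writable.
 *
 * NOTE(review): 'llog.txt' is a relative path, so the log lands in whatever
 * directory is current for the running script. If that directory is served
 * by the web server the log (including logged cookies) can be downloaded;
 * an absolute path outside the document root is the safer choice.
 *
 * @return void
 */
function write_attack_log() {
    $entry = date("Y/m/d H:i:s") . " --" . "\r\n" . get_http_raw() . "\r\n\r\n";

    // Log file name; a specific location can be given here instead.
    // FILE_APPEND + LOCK_EX keeps concurrent requests from interleaving entries.
    file_put_contents('llog.txt', $entry, FILE_APPEND | LOCK_EX);
}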

//参数过滤
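/**
 * Terminate the request when any parameter value fails the filter.
 *
 * Two checks run on every value:
 *  1. Allowlist: every byte must be a word character, '.', '&' or '/'.
 *     Anything else (spaces, quotes, multi-byte characters, ...) ends the
 *     request with "error!!". This is the first filter layer; loosen it if
 *     it breaks legitimate pages.
 *  2. Blocklist: a value containing "flag" or "log" ends the request with
 *     "hacker!!". The match is a case-sensitive substring test, so ordinary
 *     values such as "login" are rejected as well.
 *
 * Array-valued parameters (name[]=...) are walked recursively. Previously
 * they were handed to str_split()/preg_match() directly, which either
 * raised a TypeError or skipped both checks depending on the PHP version.
 *
 * Only values are inspected; parameter names are not.
 *
 * @param array $a Parameter map, e.g. $_REQUEST.
 * @return void    Returns normally only when every value passed.
 */
function filter($a){
    foreach ($a as $key => $value) {
        if (is_array($value)) {
            filter($value);
            continue;
        }

        $value = (string) $value;

        // One negated class over the whole string is the same test as
        // checking each byte against \w . & / individually.
        if (preg_match('/[^\w.&\/]/', $value)) {
            die("error!!");
        }

        if (preg_match('/flag|log/', $value)) {
            die("hacker!!");
        }
    }
}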

//文件上传修改
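/**
 * Capture and neutralise every uploaded file before the application sees it.
 *
 * For each upload field the original bytes are stored in
 * $_FILES[<field>]['content'] and appended to /var/www/html/p.txt, then the
 * temporary file is overwritten with a stub that only requires
 * /var/www/html/file.php (that file is not part of this page).
 *
 * Fixes over the previous version:
 *  - multi-file fields (name="f[]"), where 'tmp_name' is an array, are now
 *    processed per file instead of being passed to file_get_contents() as
 *    an array;
 *  - fields without a stored file (empty 'tmp_name', e.g. no file selected)
 *    are skipped instead of raising an error on an empty path;
 *  - the capture file is written with file_put_contents(), so no handle is
 *    left open and a write failure does not abort the request.
 *
 * NOTE(review): if /var/www/html is the document root, p.txt and every
 * captured upload in it can be fetched over HTTP; a location outside the
 * web root would avoid that.
 *
 * @param array $x Upload map; only its keys are used, data is read from $_FILES.
 * @return void
 */
function filefilter($x)
{
    foreach ($x as $key => $a) {
        if (!isset($_FILES[$key]['tmp_name'])) {
            continue;
        }
        $_FILES[$key]['content'] = filefilter_neutralize($_FILES[$key]['tmp_name']);
    }
}

/**
 * Capture and overwrite one temporary upload, or each one in a (nested) array.
 *
 * @param mixed $tmp A 'tmp_name' value: a path or an array of them.
 * @return mixed     Original contents, false when nothing was read, or an
 *                   array of those mirroring the shape of $tmp.
 */
function filefilter_neutralize($tmp)
{
    if (is_array($tmp)) {
        $captured = array();
        foreach ($tmp as $index => $path) {
            $captured[$index] = filefilter_neutralize($path);
        }
        return $captured;
    }

    // Failed or empty uploads have no temporary file to read or replace.
    if (!is_string($tmp) || $tmp === '' || !is_file($tmp)) {
        return false;
    }

    $content = file_get_contents($tmp);
    if ($content !== false) {
        file_put_contents('/var/www/html/p.txt', $content . "\r\n\r\n", FILE_APPEND | LOCK_EX);
    }

    // Replace the upload even when the capture failed.
    file_put_contents($tmp, "<?php require_once('/var/www/html/file.php');?>");

    return $content;
}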

// Entry sequence, run on every request that loads this file.

// 1. Capture uploads and replace their temporary files.
if (isset($_FILES)) {
    filefilter($_FILES);
}

// 2. Log the request before filtering, so requests that the filter
//    terminates are still recorded.
write_attack_log();

// 3. Filter parameter values. NOTE(review): which sources end up in $_REQUEST
//    depends on the request_order / variables_order ini settings (cookies are
//    often excluded); headers, the raw body and upload file names are not
//    covered by this check.
if (isset($_REQUEST)) {
    filter($_REQUEST);
}

?>

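其他环境(第一条命令在当前目录下所有包含 <?php 的文件首行插入 include;第二条命令会删除这些文件的首行,看起来是用于撤销第一条,若未先执行第一条就运行,会删掉文件原有的第一行。另外这里用的是 include 而不是 include_once:若某个被插入的文件又被另一个 PHP 文件包含,waf.php 会被加载两次并因函数重复声明而报错):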

sed -ri "1 i\<?php include('/tmp/waf.php');?>" `grep -rl "<?php" .`
sed -i 1d `grep -rl "<?php" .`