Unify/fix the default.rules file across PHP versions, and add some new ones

author: jvoisin 2025-05-25 13:11:38 +0200
committer: jvoisin 2025-05-25 13:22:06 +0200
commit: 4052c363ec770559aade8bf4ab57e49f2322281d (patch)
tree: 344decdccfde88cb6ed46e0ced705d16ce328f26 /config/default.rules
parent: afee12e26cb43526552692da4294052d369d0ffa (diff)
1 files changed, 66 insertions, 17 deletions
diff --git a/config/default.rules b/config/default.rules
index a3e779b..817e62f 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -40,35 +40,39 @@ sp.disable_function.function("chmod").param("mode").value("438").drop();
 sp.disable_function.function("chmod").param("mode").value("511").drop();
 # Prevent various `mail`-related vulnerabilities
+@condition PHP_VERSION_ID < 80300;
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+@condition PHP_VERSION_ID >= 80300;
+sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
+@end_condition;
 # Since it's now burned, me might as well mitigate it publicly
-sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
+sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();
-sp.disable_function.function("putenv").param("setting").value("PATH").drop()
+sp.disable_function.function("putenv").param("setting").value("PATH").drop();
 # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
-sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
+sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop();
 # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
-sp.disable_function.function("extract").pos("0").value_r("^_").drop()
+sp.disable_function.function("extract").pos("0").value_r("^_").drop();
-sp.disable_function.function("extract").pos("1").value("0").drop()
+sp.disable_function.function("extract").pos("1").value("0").drop();
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
 # Since we have no way of matching on two parameters at the same time, we're
 # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
 # Moreover, there are non-public bypasses that are also using this vector ;)
-sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop();
 # Prevent various `include`-related vulnerabilities
 sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
 sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
-sp.disable_function.function("require_once").drop()
+sp.disable_function.function("require_once").drop();
-sp.disable_function.function("include_once").drop()
+sp.disable_function.function("include_once").drop();
-sp.disable_function.function("require").drop()
+sp.disable_function.function("require").drop();
-sp.disable_function.function("include").drop()
+sp.disable_function.function("include").drop();
 # Prevent `system`-related injections
 sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
@@ -77,13 +81,22 @@ sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 # Prevent runtime modification of interesting things
+@condition PHP_VERSION_ID < 80000;
 sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
 sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop();
 sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop();
 sp.disable_function.function("ini_set").param("varname").value("include_path").drop();
 sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();
+@condition PHP_VERSION_ID >= 80000;
+sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("option").value("include_path").drop();
+sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
+@end_condition;
 # Detect some backdoors via environment recon
+@condition PHP_VERSION_ID < 80000;
 sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
 sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
 sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
@@ -99,6 +112,24 @@ sp.disable_function.function("is_callable").param("var").value("system").drop();
 sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
 sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("var").value("passthru").drop();
+@condition PHP_VERSION_ID >= 80000;
+sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
+sp.disable_function.function("function_exists").param("function").value("eval").drop();
+sp.disable_function.function("function_exists").param("function").value("exec").drop();
+sp.disable_function.function("function_exists").param("function").value("system").drop();
+sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
+sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
+sp.disable_function.function("function_exists").param("function").value("passthru").drop();
+sp.disable_function.function("is_callable").param("value").value("eval").drop();
+sp.disable_function.function("is_callable").param("value").value("exec").drop();
+sp.disable_function.function("is_callable").param("value").value("system").drop();
+sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
+sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
+sp.disable_function.function("is_callable").param("value").value("passthru").drop();
+@end_condition;
 # Ghetto error-based sqli detection
 # sp.disable_function.function("mysql_query").ret("FALSE").drop();
@@ -117,14 +148,32 @@ sp.disable_function.function("curl_setopt").param("value").value_r("file://").dr
 sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled");
 # File upload
-# On old PHP7 versions
+@condition PHP_VERSION_ID >= 80000;
-#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
-#sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
-# On PHP7.4+
+@condition PHP_VERSION_ID >= 70400;
 sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop();
+@condition PHP_VERSION_ID >= 70000;
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
+@end_condition;
 # Logging lockdown
-sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
+@condition PHP_VERSION_ID >= 70000;
-sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop();
-sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()
+sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop();
+sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop();
+@condition PHP_VERSION_ID >= 80000;
+sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
+sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop();
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
+@end_condition;
+# Classic webshells patterns
+sp.disable_function.function("system>base64_decode").drop();
+sp.disable_function.function("shell_exec>base64_decode").drop();
+sp.disable_function.function("exec>base64_decode").drop();
+sp.disable_function.function("passthru>base64_decode").drop();
+sp.disable_function.function("proc_open>base64_decode").drop();
+sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open");
author	jvoisin	2025-05-25 13:11:38 +0200
committer	jvoisin	2025-05-25 13:22:06 +0200
commit	4052c363ec770559aade8bf4ab57e49f2322281d (patch)
tree	344decdccfde88cb6ed46e0ced705d16ce328f26 /config/default.rules
parent	afee12e26cb43526552692da4294052d369d0ffa (diff)