Initial import

author: Sebastien Blot 2017-09-20 10:11:01 +0200
committer: Sebastien Blot 2017-09-20 10:11:01 +0200
commit: 868f96c759b6650d88ff9f4fbc5c048302134248 (patch)
tree: c0de0af318bf77a8959164ef11aeeeb2b7bab294 /config
2 files changed, 101 insertions, 0 deletions
diff --git a/config/default.ini b/config/default.ini
new file mode 100644
index 0000000..0f67632
--- /dev/null
+++ b/config/default.ini
@@ -0,0 +1,54 @@
+# Harden the `chmod` function
+sp.disable_functions.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_functions.function("chmod").param("mode").value_r("o\\+w$").drop();
+# Prevent various `mail`-related vulnerabilities
+sp.disable_functions.function("mail").param("additional_parameters").value_r("\\-").drop();
+##Prevent various `include`-related vulnerabilities
+sp.disable_functions.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_functions.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_functions.function_r("^(?:require|include)_once$").drop();
+sp.disable_functions.function_r("^require|include$").drop();
+# Prevent `system`-related injections
+sp.disable_functions.function("system").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
+# Prevent runtime modification of interesting things
+sp.disable_functions.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("open_basedir").drop();
+# Detect some backdoors via environnement recon
+sp.disable_functions.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+sp.disable_functions.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
+sp.disable_functions.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+# Ghetto sqli hardening
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("/\\*").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("--").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("#").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r(";.*;").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("benchmark").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("sleep").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("information_schema").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("/\\*").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("--").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("#").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r(";.*;").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("information_schema").drop();
+# Ghetto sqli detection
+sp.disable_functions.function_r("mysqli?_query").ret("FALSE").drop();
+sp.disable_functions.function_r("PDO::query").ret("FALSE").drop();
+#File upload
+sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
diff --git a/config/examples.ini b/config/examples.ini
new file mode 100644
index 0000000..d7599fb
--- /dev/null
+++ b/config/examples.ini
@@ -0,0 +1,47 @@
+# Restrict system calls to specific file
+sp.disable_functions.function("system").filename("update.php").allow();
+sp.disable_functions.function("system").drop();
+   
+# Restrict system calls to specific file with a specific hash
+sp.disable_functions.function("system").filename("update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow();
+sp.disable_functions.function("system").drop();
+# AbanteCart 1.2.8 - Multiple SQL Injections <https://blog.ripstech.com/2016/abantecart-multiple-sql-injections>
+sp.disable_functions.filename("static_pages/index.php").var("_SERVER[PHP_SELF").value_r("\"").drop().alias("XSS");
+sp.disable_functions.filename("core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop();
+sp.disable_functions.filename("admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop();
+# Redaxo 5.2.0: Remote Code Execution via CSRF <https://blog.ripstech.com/2016/redaxo-remote-code-execution-via-csrf>
+# See <http://code.vtiger.com/vtiger/vtigercrm/commit/9b5c5338f80237ae072a06e1ba4a5cfcbfe063b0> for details
+sp.disable_functions.filename("redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
+# Guest Post: Vtiger 6.5.0 - SQL Injection <https://blog.ripstech.com/2016/vtiger-sql-injection/>
+sp.disable_functions.filename("modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
+# The State of Wordpress Security <https://blog.ripstech.com/2016/the-state-of-wordpress-security>
+# All In One WP Security & Firewall
+sp.disable_functions.filename("admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]]").value_r("\"").drop();
+# PHPKit 1.6.6: Code Execution for Privileged Users <https://blog.ripstech.com/2016/phpkit-code-exection-for-privileged-users>
+sp.disable_functions.filename("pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
+# Coppermine 1.5.42: Second-Order Command Execution <https://blog.ripstech.com/2016/coppermine-second-order-command-execution>
+sp.disable_functions.filename("include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]).value_r("[^a-z0-9]").drop();
+sp.disable_functions.filename("forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
+# CVE-2014-1610 - Mediawiki RCE
+sp.disable_functions.filename("includes/media/DjVu.php")
+sp.disable_functions.filename("includes/media/ImageHandler.php").var("_GET[page]").value_r("[^0-9]").drop()
+# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
+sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
+sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
+\ No newline at end of file
author	Sebastien Blot	2017-09-20 10:11:01 +0200
committer	Sebastien Blot	2017-09-20 10:11:01 +0200
commit	868f96c759b6650d88ff9f4fbc5c048302134248 (patch)
tree	c0de0af318bf77a8959164ef11aeeeb2b7bab294 /config

diff --git a/config/default.ini b/config/default.ini new file mode 100644 index 0000000..0f67632 --- /dev/null +++ b/config/default.ini
@@ -0,0 +1,54 @@
	1	# Harden the `chmod` function
	2	sp.disable_functions.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
	3	sp.disable_functions.function("chmod").param("mode").value_r("o\\+w$").drop();
	4
	5	# Prevent various `mail`-related vulnerabilities
	6	sp.disable_functions.function("mail").param("additional_parameters").value_r("\\-").drop();
	7
	8	##Prevent various `include`-related vulnerabilities
	9	sp.disable_functions.function_r("^(?:require\|include)_once$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();
	10	sp.disable_functions.function_r("^require\|include$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();
	11	sp.disable_functions.function_r("^(?:require\|include)_once$").drop();
	12	sp.disable_functions.function_r("^require\|include$").drop();
	13
	14	# Prevent `system`-related injections
	15	sp.disable_functions.function("system").param("command").value_r("[$\|;&`\\n]").drop();
	16	sp.disable_functions.function("shell_exec").param("command").value_r("[$\|;&`\\n]").drop();
	17	sp.disable_functions.function("exec").param("command").value_r("[$\|;&`\\n]").drop();
	18	sp.disable_functions.function("proc_open").param("command").value_r("[$\|;&`\\n]").drop();
	19
	20	# Prevent runtime modification of interesting things
	21	sp.disable_functions.function("ini_set").param("var_name").value("assert.active").drop();
	22	sp.disable_functions.function("ini_set").param("var_name").value("zend.assertions").drop();
	23	sp.disable_functions.function("ini_set").param("var_name").value("memory_limit").drop();
	24	sp.disable_functions.function("ini_set").param("var_name").value("include_path").drop();
	25	sp.disable_functions.function("ini_set").param("var_name").value("open_basedir").drop();
	26
	27	# Detect some backdoors via environnement recon
	28	sp.disable_functions.function("ini_get").param("var_name").value_r("(?:allow_url_fopen\|open_basedir\|suhosin)").drop();
	29	sp.disable_functions.function("function_exists").param("function_name").value_r("(?:eval\|exec\|system)").drop();
	30	sp.disable_functions.function("is_callable").param("var").value_r("(?:eval\|exec\|system)").drop();
	31
	32	# Ghetto sqli hardening
	33	sp.disable_functions.function_r("mysqli?_query").param("query").value_r("/\\*").drop();
	34	sp.disable_functions.function_r("mysqli?_query").param("query").value_r("--").drop();
	35	sp.disable_functions.function_r("mysqli?_query").param("query").value_r("#").drop();
	36	sp.disable_functions.function_r("mysqli?_query").param("query").value_r(";.*;").drop();
	37	sp.disable_functions.function_r("mysqli?_query").param("query").value_r("benchmark").drop();
	38	sp.disable_functions.function_r("mysqli?_query").param("query").value_r("sleep").drop();
	39	sp.disable_functions.function_r("mysqli?_query").param("query").value_r("information_schema").drop();
	40	sp.disable_functions.function("PDO::query").param("query").value_r("/\\*").drop();
	41	sp.disable_functions.function("PDO::query").param("query").value_r("--").drop();
	42	sp.disable_functions.function("PDO::query").param("query").value_r("#").drop();
	43	sp.disable_functions.function("PDO::query").param("query").value_r(";.*;").drop();
	44	sp.disable_functions.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
	45	sp.disable_functions.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
	46	sp.disable_functions.function("PDO::query").param("query").value_r("information_schema").drop();
	47
	48	# Ghetto sqli detection
	49	sp.disable_functions.function_r("mysqli?_query").ret("FALSE").drop();
	50	sp.disable_functions.function_r("PDO::query").ret("FALSE").drop();
	51
	52	#File upload
	53	sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
	54	sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();


diff --git a/config/examples.ini b/config/examples.ini new file mode 100644 index 0000000..d7599fb --- /dev/null +++ b/config/examples.ini
@@ -0,0 +1,47 @@
	1	# Restrict system calls to specific file
	2	sp.disable_functions.function("system").filename("update.php").allow();
	3	sp.disable_functions.function("system").drop();
	4
	5
	6	# Restrict system calls to specific file with a specific hash
	7	sp.disable_functions.function("system").filename("update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow();
	8	sp.disable_functions.function("system").drop();
	9
	10
	11	# AbanteCart 1.2.8 - Multiple SQL Injections <https://blog.ripstech.com/2016/abantecart-multiple-sql-injections>
	12	sp.disable_functions.filename("static_pages/index.php").var("_SERVER[PHP_SELF").value_r("\"").drop().alias("XSS");
	13	sp.disable_functions.filename("core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop();
	14	sp.disable_functions.filename("admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop();
	15
	16
	17	# Redaxo 5.2.0: Remote Code Execution via CSRF <https://blog.ripstech.com/2016/redaxo-remote-code-execution-via-csrf>
	18	# See <http://code.vtiger.com/vtiger/vtigercrm/commit/9b5c5338f80237ae072a06e1ba4a5cfcbfe063b0> for details
	19	sp.disable_functions.filename("redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
	20
	21
	22	# Guest Post: Vtiger 6.5.0 - SQL Injection <https://blog.ripstech.com/2016/vtiger-sql-injection/>
	23	sp.disable_functions.filename("modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
	24
	25
	26	# The State of Wordpress Security <https://blog.ripstech.com/2016/the-state-of-wordpress-security>
	27	# All In One WP Security & Firewall
	28	sp.disable_functions.filename("admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]]").value_r("\"").drop();
	29
	30
	31	# PHPKit 1.6.6: Code Execution for Privileged Users <https://blog.ripstech.com/2016/phpkit-code-exection-for-privileged-users>
	32	sp.disable_functions.filename("pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
	33
	34
	35	# Coppermine 1.5.42: Second-Order Command Execution <https://blog.ripstech.com/2016/coppermine-second-order-command-execution>
	36	sp.disable_functions.filename("include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]).value_r("[^a-z0-9]").drop();
	37	sp.disable_functions.filename("forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
	38
	39
	40	# CVE-2014-1610 - Mediawiki RCE
	41	sp.disable_functions.filename("includes/media/DjVu.php")
	42	sp.disable_functions.filename("includes/media/ImageHandler.php").var("_GET[page]").value_r("[^0-9]").drop()
	43
	44
	45	# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
	46	sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
	47	sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop(); \ No newline at end of file