diff options
Diffstat (limited to 'config/default.rules')
| -rw-r--r-- | config/default.rules | 83 |
1 files changed, 66 insertions, 17 deletions
diff --git a/config/default.rules b/config/default.rules index a3e779b..817e62f 100644 --- a/config/default.rules +++ b/config/default.rules | |||
| @@ -40,35 +40,39 @@ sp.disable_function.function("chmod").param("mode").value("438").drop(); | |||
| 40 | sp.disable_function.function("chmod").param("mode").value("511").drop(); | 40 | sp.disable_function.function("chmod").param("mode").value("511").drop(); |
| 41 | 41 | ||
| 42 | # Prevent various `mail`-related vulnerabilities | 42 | # Prevent various `mail`-related vulnerabilities |
| 43 | @condition PHP_VERSION_ID < 80300; | ||
| 43 | sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); | 44 | sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); |
| 45 | @condition PHP_VERSION_ID >= 80300; | ||
| 46 | sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop(); | ||
| 47 | @end_condition; | ||
| 44 | 48 | ||
| 45 | # Since it's now burned, me might as well mitigate it publicly | 49 | # Since it's now burned, me might as well mitigate it publicly |
| 46 | sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() | 50 | sp.disable_function.function("putenv").param("setting").value_r("LD_").drop(); |
| 47 | sp.disable_function.function("putenv").param("setting").value("PATH").drop() | 51 | sp.disable_function.function("putenv").param("setting").value("PATH").drop(); |
| 48 | 52 | ||
| 49 | # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 | 53 | # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80 |
| 50 | sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop() | 54 | sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop(); |
| 51 | 55 | ||
| 52 | # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector | 56 | # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector |
| 53 | sp.disable_function.function("extract").pos("0").value_r("^_").drop() | 57 | sp.disable_function.function("extract").pos("0").value_r("^_").drop(); |
| 54 | sp.disable_function.function("extract").pos("1").value("0").drop() | 58 | sp.disable_function.function("extract").pos("1").value("0").drop(); |
| 55 | 59 | ||
| 56 | # This is also burned: | 60 | # This is also burned: |
| 57 | # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); | 61 | # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd')); |
| 58 | # Since we have no way of matching on two parameters at the same time, we're | 62 | # Since we have no way of matching on two parameters at the same time, we're |
| 59 | # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. | 63 | # blocking calls to open_basedir altogether: nobody is using it via ini_set anyway. |
| 60 | # Moreover, there are non-public bypasses that are also using this vector ;) | 64 | # Moreover, there are non-public bypasses that are also using this vector ;) |
| 61 | sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop() | 65 | sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop(); |
| 62 | 66 | ||
| 63 | # Prevent various `include`-related vulnerabilities | 67 | # Prevent various `include`-related vulnerabilities |
| 64 | sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); | 68 | sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); |
| 65 | sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); | 69 | sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); |
| 66 | sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); | 70 | sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); |
| 67 | sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); | 71 | sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); |
| 68 | sp.disable_function.function("require_once").drop() | 72 | sp.disable_function.function("require_once").drop(); |
| 69 | sp.disable_function.function("include_once").drop() | 73 | sp.disable_function.function("include_once").drop(); |
| 70 | sp.disable_function.function("require").drop() | 74 | sp.disable_function.function("require").drop(); |
| 71 | sp.disable_function.function("include").drop() | 75 | sp.disable_function.function("include").drop(); |
| 72 | 76 | ||
| 73 | # Prevent `system`-related injections | 77 | # Prevent `system`-related injections |
| 74 | sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | 78 | sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); |
| @@ -77,13 +81,22 @@ sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\ | |||
| 77 | sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); | 81 | sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop(); |
| 78 | 82 | ||
| 79 | # Prevent runtime modification of interesting things | 83 | # Prevent runtime modification of interesting things |
| 84 | @condition PHP_VERSION_ID < 80000; | ||
| 80 | sp.disable_function.function("ini_set").param("varname").value("assert.active").drop(); | 85 | sp.disable_function.function("ini_set").param("varname").value("assert.active").drop(); |
| 81 | sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop(); | 86 | sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop(); |
| 82 | sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop(); | 87 | sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop(); |
| 83 | sp.disable_function.function("ini_set").param("varname").value("include_path").drop(); | 88 | sp.disable_function.function("ini_set").param("varname").value("include_path").drop(); |
| 84 | sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop(); | 89 | sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop(); |
| 90 | @condition PHP_VERSION_ID >= 80000; | ||
| 91 | sp.disable_function.function("ini_set").param("option").value("assert.active").drop(); | ||
| 92 | sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop(); | ||
| 93 | sp.disable_function.function("ini_set").param("option").value("memory_limit").drop(); | ||
| 94 | sp.disable_function.function("ini_set").param("option").value("include_path").drop(); | ||
| 95 | sp.disable_function.function("ini_set").param("option").value("open_basedir").drop(); | ||
| 96 | @end_condition; | ||
| 85 | 97 | ||
| 86 | # Detect some backdoors via environment recon | 98 | # Detect some backdoors via environment recon |
| 99 | @condition PHP_VERSION_ID < 80000; | ||
| 87 | sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop(); | 100 | sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop(); |
| 88 | sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop(); | 101 | sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop(); |
| 89 | sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop(); | 102 | sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop(); |
| @@ -99,6 +112,24 @@ sp.disable_function.function("is_callable").param("var").value("system").drop(); | |||
| 99 | sp.disable_function.function("is_callable").param("var").value("shell_exec").drop(); | 112 | sp.disable_function.function("is_callable").param("var").value("shell_exec").drop(); |
| 100 | sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); | 113 | sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); |
| 101 | sp.disable_function.function("is_callable").param("var").value("passthru").drop(); | 114 | sp.disable_function.function("is_callable").param("var").value("passthru").drop(); |
| 115 | @condition PHP_VERSION_ID >= 80000; | ||
| 116 | sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop(); | ||
| 117 | sp.disable_function.function("ini_get").param("option").value("open_basedir").drop(); | ||
| 118 | sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop(); | ||
| 119 | sp.disable_function.function("function_exists").param("function").value("eval").drop(); | ||
| 120 | sp.disable_function.function("function_exists").param("function").value("exec").drop(); | ||
| 121 | sp.disable_function.function("function_exists").param("function").value("system").drop(); | ||
| 122 | sp.disable_function.function("function_exists").param("function").value("shell_exec").drop(); | ||
| 123 | sp.disable_function.function("function_exists").param("function").value("proc_open").drop(); | ||
| 124 | sp.disable_function.function("function_exists").param("function").value("passthru").drop(); | ||
| 125 | sp.disable_function.function("is_callable").param("value").value("eval").drop(); | ||
| 126 | sp.disable_function.function("is_callable").param("value").value("exec").drop(); | ||
| 127 | sp.disable_function.function("is_callable").param("value").value("system").drop(); | ||
| 128 | sp.disable_function.function("is_callable").param("value").value("shell_exec").drop(); | ||
| 129 | sp.disable_function.function("is_callable").param("value").value("proc_open").drop(); | ||
| 130 | sp.disable_function.function("is_callable").param("value").value("passthru").drop(); | ||
| 131 | @end_condition; | ||
| 132 | |||
| 102 | 133 | ||
| 103 | # Ghetto error-based sqli detection | 134 | # Ghetto error-based sqli detection |
| 104 | # sp.disable_function.function("mysql_query").ret("FALSE").drop(); | 135 | # sp.disable_function.function("mysql_query").ret("FALSE").drop(); |
| @@ -117,14 +148,32 @@ sp.disable_function.function("curl_setopt").param("value").value_r("file://").dr | |||
| 117 | sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled"); | 148 | sp.disable_function.function("curl_init").param("url").value_r("file://").drop().alias("file:// protocol is disabled"); |
| 118 | 149 | ||
| 119 | # File upload | 150 | # File upload |
| 120 | # On old PHP7 versions | 151 | @condition PHP_VERSION_ID >= 80000; |
| 121 | #sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); | 152 | sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop(); |
| 122 | #sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); | 153 | sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop(); |
| 123 | # On PHP7.4+ | 154 | @condition PHP_VERSION_ID >= 70400; |
| 124 | sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop(); | 155 | sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ph").drop(); |
| 125 | sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop(); | 156 | sp.disable_function.function("move_uploaded_file").param("new_path").value_r("\\.ht").drop(); |
| 157 | @condition PHP_VERSION_ID >= 70000; | ||
| 158 | sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); | ||
| 159 | sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop(); | ||
| 160 | @end_condition; | ||
| 126 | 161 | ||
| 127 | # Logging lockdown | 162 | # Logging lockdown |
| 128 | sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop() | 163 | @condition PHP_VERSION_ID >= 70000; |
| 129 | sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop() | 164 | sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop(); |
| 130 | sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop() | 165 | sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop(); |
| 166 | sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop(); | ||
| 167 | @condition PHP_VERSION_ID >= 80000; | ||
| 168 | sp.disable_function.function("ini_set").param("option").value_r("error_log").drop(); | ||
| 169 | sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop(); | ||
| 170 | sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop(); | ||
| 171 | @end_condition; | ||
| 172 | |||
| 173 | # Classic webshells patterns | ||
| 174 | sp.disable_function.function("system>base64_decode").drop(); | ||
| 175 | sp.disable_function.function("shell_exec>base64_decode").drop(); | ||
| 176 | sp.disable_function.function("exec>base64_decode").drop(); | ||
| 177 | sp.disable_function.function("passthru>base64_decode").drop(); | ||
| 178 | sp.disable_function.function("proc_open>base64_decode").drop(); | ||
| 179 | sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open"); | ||