1 files changed, 54 insertions, 0 deletions
diff --git a/config/default.rules b/config/default.rules
new file mode 100644
index 0000000..88398c1
--- /dev/null
+++ b/config/default.rules
@@ -0,0 +1,54 @@
+# Harden the `chmod` function
+sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop();
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+##Prevent various `include`-related vulnerabilities
+sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_function.function_r("^(?:require|include)_once$").drop();
+sp.disable_function.function_r("^require|include$").drop();
+# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
+# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
+# Detect some backdoors via environnement recon
+sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
+sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+# Ghetto sqli hardening
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("/\\*").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("--").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("#").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r(";.*;").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("benchmark").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("sleep").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("information_schema").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
+sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
+# Ghetto sqli detection
+sp.disable_function.function_r("mysqli?_query").ret("FALSE").drop();
+sp.disable_function.function_r("PDO::query").ret("FALSE").drop();
+#File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();

diff --git a/config/default.rules b/config/default.rules new file mode 100644 index 0000000..88398c1 --- /dev/null +++ b/config/default.rules
@@ -0,0 +1,54 @@
	1	# Harden the `chmod` function
	2	sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
	3	sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop();
	4
	5	# Prevent various `mail`-related vulnerabilities
	6	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
	7
	8	##Prevent various `include`-related vulnerabilities
	9	sp.disable_function.function_r("^(?:require\|include)_once$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();
	10	sp.disable_function.function_r("^require\|include$").value_r("\\.(?:php\|php7\|inc\|tpl)$").allow();
	11	sp.disable_function.function_r("^(?:require\|include)_once$").drop();
	12	sp.disable_function.function_r("^require\|include$").drop();
	13
	14	# Prevent `system`-related injections
	15	sp.disable_function.function("system").param("command").value_r("[$\|;&`\\n]").drop();
	16	sp.disable_function.function("shell_exec").param("command").value_r("[$\|;&`\\n]").drop();
	17	sp.disable_function.function("exec").param("command").value_r("[$\|;&`\\n]").drop();
	18	sp.disable_function.function("proc_open").param("command").value_r("[$\|;&`\\n]").drop();
	19
	20	# Prevent runtime modification of interesting things
	21	sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
	22	sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
	23	sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
	24	sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
	25	sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
	26
	27	# Detect some backdoors via environnement recon
	28	sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen\|open_basedir\|suhosin)").drop();
	29	sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval\|exec\|system)").drop();
	30	sp.disable_function.function("is_callable").param("var").value_r("(?:eval\|exec\|system)").drop();
	31
	32	# Ghetto sqli hardening
	33	sp.disable_function.function_r("mysqli?_query").param("query").value_r("/\\*").drop();
	34	sp.disable_function.function_r("mysqli?_query").param("query").value_r("--").drop();
	35	sp.disable_function.function_r("mysqli?_query").param("query").value_r("#").drop();
	36	sp.disable_function.function_r("mysqli?_query").param("query").value_r(";.*;").drop();
	37	sp.disable_function.function_r("mysqli?_query").param("query").value_r("benchmark").drop();
	38	sp.disable_function.function_r("mysqli?_query").param("query").value_r("sleep").drop();
	39	sp.disable_function.function_r("mysqli?_query").param("query").value_r("information_schema").drop();
	40	sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
	41	sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
	42	sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
	43	sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
	44	sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
	45	sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
	46	sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
	47
	48	# Ghetto sqli detection
	49	sp.disable_function.function_r("mysqli?_query").ret("FALSE").drop();
	50	sp.disable_function.function_r("PDO::query").ret("FALSE").drop();
	51
	52	#File upload
	53	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
	54	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();