1 files changed, 16 insertions, 16 deletions
diff --git a/config/default_php8.rules b/config/default_php8.rules
index 5517eb7..fa3120e 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
@@ -23,7 +23,7 @@ sp.disable_xxe.enable();
 # Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
 # sp.readonly_exec.enable();
-# Php has a lot of wrappers, most of them aren't usually useful, you should 
+# Php has a lot of wrappers, most of them aren't usually useful, you should
 # only enable the ones you're using.
 # sp.wrappers_whitelist.list("file,php,phar");
@@ -41,14 +41,14 @@ sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").dr
 sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
 # Since it's now burned, me might as well mitigate it publicly
-sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
+sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
 # This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
-sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
+sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
 # Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
-sp.disable_function.function("extract").param("var_array").value_r("^_").drop()
+sp.disable_function.function("extract").param("array").value_r("^_").drop()
-sp.disable_function.function("extract").param("extract_type").value("0").drop()
+sp.disable_function.function("extract").param("flags").value("0").drop()
 # This is also burned:
 # ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
@@ -80,22 +80,22 @@ sp.disable_function.function("ini_set").param("option").value("memory_limit").dr
 sp.disable_function.function("ini_set").param("option").value("include_path").drop();
 sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
-# Detect some backdoors via environnement recon
+# Detect some backdoors via environment recon
-sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
-sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
-sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
+sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
 sp.disable_function.function("function_exists").param("function").value("eval").drop();
 sp.disable_function.function("function_exists").param("function").value("exec").drop();
 sp.disable_function.function("function_exists").param("function").value("system").drop();
 sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
 sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
 sp.disable_function.function("function_exists").param("function").value("passthru").drop();
-sp.disable_function.function("is_callable").param("var").value("eval").drop();
+sp.disable_function.function("is_callable").param("value").value("eval").drop();
-sp.disable_function.function("is_callable").param("var").value("exec").drop();
+sp.disable_function.function("is_callable").param("value").value("exec").drop();
-sp.disable_function.function("is_callable").param("var").value("system").drop();
+sp.disable_function.function("is_callable").param("value").value("system").drop();
-sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
+sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
-sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
+sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
-sp.disable_function.function("is_callable").param("var").value("passthru").drop();
+sp.disable_function.function("is_callable").param("value").value("passthru").drop();
 # Commenting sqli related stuff to improve performance.
 # TODO figure out why these functions can't be hooked at startup
@@ -136,7 +136,7 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
 sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
 sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
-#File upload
+# File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();

diff --git a/config/default_php8.rules b/config/default_php8.rules index 5517eb7..fa3120e 100644 --- a/config/default_php8.rules +++ b/config/default_php8.rules
@@ -23,7 +23,7 @@ sp.disable_xxe.enable();
23	# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.	23	# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
24	# sp.readonly_exec.enable();	24	# sp.readonly_exec.enable();
25		25
26	# Php has a lot of wrappers, most of them aren't usually useful, you should	26	# Php has a lot of wrappers, most of them aren't usually useful, you should
27	# only enable the ones you're using.	27	# only enable the ones you're using.
28	# sp.wrappers_whitelist.list("file,php,phar");	28	# sp.wrappers_whitelist.list("file,php,phar");
29		29
@@ -41,14 +41,14 @@ sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").dr
41	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();	41	sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
42		42
43	# Since it's now burned, me might as well mitigate it publicly	43	# Since it's now burned, me might as well mitigate it publicly
44	sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()	44	sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
45		45
46	# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80	46	# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
47	sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()	47	sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
48		48
49	# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector	49	# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
50	sp.disable_function.function("extract").param("var_array").value_r("^_").drop()	50	sp.disable_function.function("extract").param("array").value_r("^_").drop()
51	sp.disable_function.function("extract").param("extract_type").value("0").drop()	51	sp.disable_function.function("extract").param("flags").value("0").drop()
52		52
53	# This is also burned:	53	# This is also burned:
54	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));	54	# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
@@ -80,22 +80,22 @@ sp.disable_function.function("ini_set").param("option").value("memory_limit").dr
80	sp.disable_function.function("ini_set").param("option").value("include_path").drop();	80	sp.disable_function.function("ini_set").param("option").value("include_path").drop();
81	sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();	81	sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
82		82
83	# Detect some backdoors via environnement recon	83	# Detect some backdoors via environment recon
84	sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();	84	sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
85	sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();	85	sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
86	sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();	86	sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
87	sp.disable_function.function("function_exists").param("function").value("eval").drop();	87	sp.disable_function.function("function_exists").param("function").value("eval").drop();
88	sp.disable_function.function("function_exists").param("function").value("exec").drop();	88	sp.disable_function.function("function_exists").param("function").value("exec").drop();
89	sp.disable_function.function("function_exists").param("function").value("system").drop();	89	sp.disable_function.function("function_exists").param("function").value("system").drop();
90	sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();	90	sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
91	sp.disable_function.function("function_exists").param("function").value("proc_open").drop();	91	sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
92	sp.disable_function.function("function_exists").param("function").value("passthru").drop();	92	sp.disable_function.function("function_exists").param("function").value("passthru").drop();
93	sp.disable_function.function("is_callable").param("var").value("eval").drop();	93	sp.disable_function.function("is_callable").param("value").value("eval").drop();
94	sp.disable_function.function("is_callable").param("var").value("exec").drop();	94	sp.disable_function.function("is_callable").param("value").value("exec").drop();
95	sp.disable_function.function("is_callable").param("var").value("system").drop();	95	sp.disable_function.function("is_callable").param("value").value("system").drop();
96	sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();	96	sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
97	sp.disable_function.function("is_callable").param("var").value("proc_open").drop();	97	sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
98	sp.disable_function.function("is_callable").param("var").value("passthru").drop();	98	sp.disable_function.function("is_callable").param("value").value("passthru").drop();
99		99
100	# Commenting sqli related stuff to improve performance.	100	# Commenting sqli related stuff to improve performance.
101	# TODO figure out why these functions can't be hooked at startup	101	# TODO figure out why these functions can't be hooked at startup
@@ -136,7 +136,7 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
136	sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");	136	sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
137	sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");	137	sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
138		138
139	#File upload	139	# File upload
140	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();	140	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
141	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();	141	sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
142		142