From 868f96c759b6650d88ff9f4fbc5c048302134248 Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Wed, 20 Sep 2017 10:11:01 +0200
Subject: Initial import

---
 config/default.ini  | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 config/examples.ini | 47 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 101 insertions(+)
 create mode 100644 config/default.ini
 create mode 100644 config/examples.ini

(limited to 'config')

diff --git a/config/default.ini b/config/default.ini
new file mode 100644
index 0000000..0f67632
--- /dev/null
+++ b/config/default.ini
@@ -0,0 +1,54 @@
+# Harden the `chmod` function
+sp.disable_functions.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_functions.function("chmod").param("mode").value_r("o\\+w$").drop();
+
+# Prevent various `mail`-related vulnerabilities
+sp.disable_functions.function("mail").param("additional_parameters").value_r("\\-").drop();
+
+##Prevent various `include`-related vulnerabilities
+sp.disable_functions.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_functions.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_functions.function_r("^(?:require|include)_once$").drop();
+sp.disable_functions.function_r("^require|include$").drop();
+
+# Prevent `system`-related injections
+sp.disable_functions.function("system").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_functions.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
+
+# Prevent runtime modification of interesting things
+sp.disable_functions.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_functions.function("ini_set").param("var_name").value("open_basedir").drop();
+
+# Detect some backdoors via environnement recon
+sp.disable_functions.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+sp.disable_functions.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
+sp.disable_functions.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+
+# Ghetto sqli hardening
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("/\\*").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("--").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("#").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r(";.*;").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("benchmark").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("sleep").drop();
+sp.disable_functions.function_r("mysqli?_query").param("query").value_r("information_schema").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("/\\*").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("--").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("#").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r(";.*;").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
+sp.disable_functions.function("PDO::query").param("query").value_r("information_schema").drop();
+
+# Ghetto sqli detection
+sp.disable_functions.function_r("mysqli?_query").ret("FALSE").drop();
+sp.disable_functions.function_r("PDO::query").ret("FALSE").drop();
+
+#File upload
+sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_functions.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
diff --git a/config/examples.ini b/config/examples.ini
new file mode 100644
index 0000000..d7599fb
--- /dev/null
+++ b/config/examples.ini
@@ -0,0 +1,47 @@
+# Restrict system calls to specific file
+sp.disable_functions.function("system").filename("update.php").allow();
+sp.disable_functions.function("system").drop();
+   
+
+# Restrict system calls to specific file with a specific hash
+sp.disable_functions.function("system").filename("update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow();
+sp.disable_functions.function("system").drop();
+
+
+# AbanteCart 1.2.8 - Multiple SQL Injections <https://blog.ripstech.com/2016/abantecart-multiple-sql-injections>
+sp.disable_functions.filename("static_pages/index.php").var("_SERVER[PHP_SELF").value_r("\"").drop().alias("XSS");
+sp.disable_functions.filename("core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop();
+sp.disable_functions.filename("admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop();
+
+
+# Redaxo 5.2.0: Remote Code Execution via CSRF <https://blog.ripstech.com/2016/redaxo-remote-code-execution-via-csrf>
+# See <http://code.vtiger.com/vtiger/vtigercrm/commit/9b5c5338f80237ae072a06e1ba4a5cfcbfe063b0> for details
+sp.disable_functions.filename("redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
+
+
+# Guest Post: Vtiger 6.5.0 - SQL Injection <https://blog.ripstech.com/2016/vtiger-sql-injection/>
+sp.disable_functions.filename("modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
+
+
+# The State of Wordpress Security <https://blog.ripstech.com/2016/the-state-of-wordpress-security>
+# All In One WP Security & Firewall
+sp.disable_functions.filename("admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]]").value_r("\"").drop();
+
+
+# PHPKit 1.6.6: Code Execution for Privileged Users <https://blog.ripstech.com/2016/phpkit-code-exection-for-privileged-users>
+sp.disable_functions.filename("pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
+
+
+# Coppermine 1.5.42: Second-Order Command Execution <https://blog.ripstech.com/2016/coppermine-second-order-command-execution>
+sp.disable_functions.filename("include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]).value_r("[^a-z0-9]").drop();
+sp.disable_functions.filename("forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
+
+
+# CVE-2014-1610 - Mediawiki RCE
+sp.disable_functions.filename("includes/media/DjVu.php")
+sp.disable_functions.filename("includes/media/ImageHandler.php").var("_GET[page]").value_r("[^0-9]").drop()
+
+
+# CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
+sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
+sp.disable_functions.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
\ No newline at end of file
-- 
cgit v1.3