# Harden the PRNG sp.harden_random.enable(); # Disabled XXE sp.disable_xxe.enable(); # use SameSite on session cookie sp.cookie.name("PHPSESSID").samesite("lax"); # Always verify certificates sp.curl_verify_certificates.enable(); # Harden the `chmod` function sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop(); # Prevent various `mail`-related vulnerabilities sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop(); # Since it's now burned, me might as well mitigate it publicly sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() ##Prevent various `include`-related vulnerabilities sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow(); sp.disable_function.function("require_once").drop() sp.disable_function.function("include_once").drop() sp.disable_function.function("require").drop() sp.disable_function.function("include").drop() # Prevent `system`-related injections sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop(); sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop(); sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop(); # Prevent runtime modification of interesting things sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop(); sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop(); sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop(); sp.disable_function.function("ini_set").param("var_name").value("include_path").drop(); sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop(); # Detect some backdoors via environnement recon sp.disable_function.function("ini_get").param("var_name").value("allow_url_fopen").drop(); sp.disable_function.function("ini_get").param("var_name").value("open_basedir").drop(); sp.disable_function.function("ini_get").param("var_name").value_r("suhosin").drop(); sp.disable_function.function("function_exists").param("function_name").value("eval").drop(); sp.disable_function.function("function_exists").param("function_name").value("exec").drop(); sp.disable_function.function("function_exists").param("function_name").value("system").drop(); sp.disable_function.function("function_exists").param("function_name").value("shell_exec").drop(); sp.disable_function.function("function_exists").param("function_name").value("proc_open").drop(); sp.disable_function.function("function_exists").param("function_name").value("passthru").drop(); sp.disable_function.function("is_callable").param("var").value("eval").drop(); sp.disable_function.function("is_callable").param("var").value("exec").drop(); sp.disable_function.function("is_callable").param("var").value("system").drop(); sp.disable_function.function("is_callable").param("var").value("shell_exec").drop(); sp.disable_function.function("is_callable").param("var").value("proc_open").drop(); sp.disable_function.function("is_callable").param("var").value("passthru").drop(); # Commenting sqli related stuff to improve performance. # TODO figure out why these functions can't be hooked at startup # Ghetto sqli hardening # sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop(); # sp.disable_function.function("mysql_query").param("query").value_r("--").drop(); # sp.disable_function.function("mysql_query").param("query").value_r("#").drop(); # sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop(); # sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop(); # sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop(); # sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop(); # sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop(); # sp.disable_function.function("mysqli_query").param("query").value_r("--").drop(); # sp.disable_function.function("mysqli_query").param("query").value_r("#").drop(); # sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop(); # sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop(); # sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop(); # sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop(); # sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop(); # sp.disable_function.function("PDO::query").param("query").value_r("--").drop(); # sp.disable_function.function("PDO::query").param("query").value_r("#").drop(); # sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop(); # sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop(); # sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop(); # sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop(); # Ghetto sqli detection # sp.disable_function.function("mysql_query").ret("FALSE").drop(); # sp.disable_function.function("mysqli_query").ret("FALSE").drop(); # sp.disable_function.function("PDO::query").ret("FALSE").drop(); #File upload sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop(); sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();