Go Back   Runner > Coding Corner > Php

Php PHP is a general-purpose scripting language especially suited to web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 02-22-2021, 07:59 PM
Runner's Avatar
Runner Runner is offline
Administrator
 
Join Date: Nov 2020
Location: Moose Jaw
Posts: 318
Send a message via Skype™ to Runner
Default snuffleupagus.so

i compiled this for PHP 7.4.14 php 8.0.1 see files for right snuffleupagus.so if any ones interested
this a stable release from snuffleupagus-0.7.0


Quote:
Configuration file format
Since PHP ini-like configuration model isn’t flexible enough, Snuffleupagus is using its own format in the file specified by the directive
Quote:
Code:
sp.configuration_file
in your
Code:
php.ini
file, like
Code:
sp.configuration_file=/etc/php/conf.d/snuffleupagus.rules
.
You can use the
Code:
,
separator to include multiple configuration files:
Code:
sp.configuration_file=/etc/php/conf.d/snuffleupagus.rules,/etc/php/conf.d/sp_wordpress.rules
.
We’re also also supporting glob, so you can write something like:
Code:
sp.configuration_file=/etc/php/conf.d/*.rules,/etc/php/conf.d/extra/test.rules
.
To sum up, you should put this in your
Code:
php.ini
:

Code:
# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io).
# It contains "reasonable" defaults that won't break your websites,
# and a lot of commented directives that you can enable if you want to 
# have a better protection.

# Harden the PRNG
sp.harden_random.enable();

# Disabled XXE
sp.disable_xxe.enable();

# Global configuration variables
# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");

# Globally activate strict mode
# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
# sp.global_strict.enable();

# Prevent unserialize-related exploits
# sp.unserialize_hmac.enable();

# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
# sp.readonly_exec.enable();

# Php has a lot of wrappers, most of them aren't usually useful, you should 
# only enable the ones you're using.
# sp.wrappers_whitelist.list("file,php,phar");

# Prevent sloppy comparisons.
# sp.sloppy_comparison.enable();

# use SameSite on session cookie
# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
sp.cookie.name("PHPSESSID").samesite("lax");

# Harden the `chmod` function
sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();

# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();

# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()

# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()

# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
sp.disable_function.function("extract").param("var_array").value_r("^_").drop()
sp.disable_function.function("extract").param("extract_type").value("0").drop()

# This is also burned:
# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
# Since we have no way of matching on two parameters at the same time, we're
# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
# Moreover, there are non-public bypasses that are also using this vector ;)
sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()

##Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require_once").drop()
sp.disable_function.function("include_once").drop()
sp.disable_function.function("require").drop()
sp.disable_function.function("include").drop()

# Prevent `system`-related injections
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();

# Prevent runtime modification of interesting things
sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop();
sp.disable_function.function("ini_set").param("varname").value("include_path").drop();
sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();

# Detect some backdoors via environnement recon
sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
sp.disable_function.function("function_exists").param("function_name").value("eval").drop();
sp.disable_function.function("function_exists").param("function_name").value("exec").drop();
sp.disable_function.function("function_exists").param("function_name").value("system").drop();
sp.disable_function.function("function_exists").param("function_name").value("shell_exec").drop();
sp.disable_function.function("function_exists").param("function_name").value("proc_open").drop();
sp.disable_function.function("function_exists").param("function_name").value("passthru").drop();
sp.disable_function.function("is_callable").param("var").value("eval").drop();
sp.disable_function.function("is_callable").param("var").value("exec").drop();
sp.disable_function.function("is_callable").param("var").value("system").drop();
sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
sp.disable_function.function("is_callable").param("var").value("passthru").drop();

# Commenting sqli related stuff to improve performance.
# TODO figure out why these functions can't be hooked at startup
# Ghetto sqli hardening
# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();

# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();

# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();

# Ghetto sqli detection
# sp.disable_function.function("mysql_query").ret("FALSE").drop();
# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
# sp.disable_function.function("PDO::query").ret("FALSE").drop();

# Ensure that certificates are properly verified
sp.disable_function.function("curl_setopt").param("value").value("1").allow();
sp.disable_function.function("curl_setopt").param("value").value("2").allow();
# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");

#File upload
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();

# Logging lockdown
sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()
Attached Images
File Type: jpg Screenshot_2021-02-22 PHP 7 4 14 - phpinfo().jpg (12.9 KB, 5 views)
Attached Files
File Type: zip snuffleupagus.zip (250.9 KB, 0 views)
File Type: zip php8.0.1snuffleupagus.zip (250.9 KB, 0 views)
Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -6. The time now is 06:16 PM.


Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
Copyright ©2020 - 2021, Runner
Ad Management plugin by RedTyger