8000 update file `php-function-names-933150.data` · Issue #2684 · coreruleset/coreruleset · GitHub
Closed
Tracked by #2621
fzipi opened this issue Jul 10, 2022 · 24 comments
Comments

fzipi (Member) commented Jul 10, 2022

These must be addressed as a group:

Rule 933150

~40 words highly common to PHP injection payloads and extremely rare in natural language or other contexts.

Examples: 'base64_decode', 'file_get_contents'.

These words are detected as a match directly using @pmFromFile.
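To make the matching behaviour of the rule concrete, here is an added Python model of how a `@pmFromFile` word list is applied to request arguments. It is not code from the CRS project: it assumes the ModSecurity file format (one phrase per line, blank lines and `#` comments ignored) and the case-insensitive substring semantics of `@pm`/`@pmFromFile`, and the word list and request arguments are constructed for the demo. It also shows why the words have to be rare in natural language: "eval" fires on "retrieval" and "system" on "ecosystem" because the operator is a substring match, not a word match.

```python
"""Added example: model of how CRS rule 933150 applies its word list.

Assumptions (not taken from the issue): the data file uses ModSecurity's
@pmFromFile format ('#' comments and blank lines ignored) and the operator
is a case-insensitive substring match over each inspected variable. The
word list and requests below are constructed, not the project's real data.
"""
from typing import Dict, List, Tuple

# Constructed stand-in for php-function-names-933150.data (not the real file).
SAMPLE_DATA_FILE = """\
# constructed sample: high-risk PHP function names
base64_decode
file_get_contents
passthru
shell_exec
eval

system
"""


def load_pm_file(text: str) -> List[str]:
    """Parse a @pmFromFile-style list: drop blank lines and '#' comments,
    lower-case every phrase so matching is case-insensitive."""
    phrases = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        phrases.append(line.lower())
    return phrases


def pm_match(phrases: List[str], value: str) -> List[str]:
    """Case-insensitive substring match, the semantics of @pm/@pmFromFile.
    Returns every phrase found in value (empty list means no match)."""
    haystack = value.lower()
    return [p for p in phrases if p in haystack]


def inspect_request(phrases: List[str], args: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Apply the list to both argument names (ARGS_NAMES) and values (ARGS),
    returning (variable, inspected text, matched phrase) triples."""
    hits = []
    for name, value in args.items():
        for m in pm_match(phrases, name):
            hits.append((f"ARGS_NAMES:{name}", name, m))
        for m in pm_match(phrases, value):
            hits.append((f"ARGS:{name}", value, m))
    return hits


PHRASES = load_pm_file(SAMPLE_DATA_FILE)

# Constructed requests: one injection attempt, one obfuscated attempt,
# one benign sentence that collides with a short phrase.
SAMPLE_REQUESTS = {
    "injection": {"cmd": "system($_GET['c']);", "page": "about"},
    "mixed_case": {"x": "EvAl(base64_decode('cGhwaW5mbygpOw=='))"},
    "benign": {"q": "the retrieval of medieval texts"},
}


def run_samples() -> Dict[str, List[Tuple[str, str, str]]]:
    """Return the hits for every constructed request, keyed by request label."""
    return {label: inspect_request(PHRASES, args) for label, args in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(label, "->", hits or "no match")
```

The "benign" request is the point of the "extremely rare in natural language" requirement: a short phrase such as `eval` is matched inside ordinary words, so every candidate for the list needs checking against real traffic, not only against payloads.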

github-actions bot (Contributor) commented Nov 8, 2022

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

@azurit azurit removed the Stale issue label Nov 8, 2022
@fzipi fzipi added this to the CRS v4.0.0 milestone Nov 21, 2022
@fzipi fzipi self-assigned this Dec 28, 2022
fzipi (Member, Author) commented Dec 28, 2022

@theMiddleBlue @lifeforms Where do you think we can get such a list of "common PHP functions used in injections"? Is there some heuristic we can use?

theMiddleBlue (Contributor) commented

Let's say we can't get a "common function used in injections" list from a public source; what we can do is think about what is needed for a code injection exploit:

source: https://www.php.net/manual/en/refs.basic.php.php

I didn't include "fetching from remote" via PHP wrappers because we already block them with other rules.

I think that if we manage to select functions that can fit in one or more of the above categories, we can have a good "common function used in injection" list.

azurit (Member) commented Jan 28, 2023

I would choose these from Misc. Functions:

eval
get_browser
pack
php_strip_whitespace
sapi_windows_cp_conv
sleep
time_nanosleep
time_sleep_until
unpack
usleep

azurit (Member) commented Jan 28, 2023

URL Functions:

base64_decode
base64_encode
get_headers
urldecode
rawurldecode

azurit (Member) commented Jan 28, 2023

Process Control Extensions:

eio_busy
eio_chmod
eio_chown
eio_custom
eio_fchmod
eio_fchown
eio_futime
eio_link
eio_mkdir
eio_mknod
eio_rename
eio_symlink
eio_utime

Ev::sleep

expect_popen

pcntl_exec
pcntl_fork
pcntl_rfork
pcntl_signal
pcntl_sigtimedwait

posix_getcwd
posix_getegid
posix_geteuid
posix_getgid
posix_getgrgid
posix_getgrnam
posix_getgroups
posix_getlogin
posix_getpgid
posix_getpgrp
posix_getpwnam
posix_getpwuid
posix_initgroups
posix_kill
posix_mkfifo
posix_mknod
posix_setegid
posix_seteuid
posix_setgid
posix_setpgid
posix_setuid
posix_uname

exec
passthru
proc_open
shell_exec
system

Runtime::run 

Threaded::run
Threaded::wait
Thread::start
Pool::submit
Pool::submitTo

SyncMutex::lock
SyncSemaphore::lock
SyncEvent::wait
SyncReaderWriter::readlock
SyncReaderWriter::writelock

azurit (Member) commented Jan 28, 2023

File System Related Extensions:

dio_open
dio_write

chdir
dir
getcwd
readdir
scandir

finfo_file
finfo_open

chgrp
chmod
chown
copy
file_exists
file_get_contents
file_put_contents
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
fopen
fputs
fread
fstat
fwrite
lchgrp
lchown
link
linkinfo
lstat
mkdir
popen
readfile
rename
stat
symlink
tempnam
tmpfile
touch

xattr_get
xattr_list
xattr_remove
xattr_set

xdiff_file_bdiff
xdiff_file_bpatch
xdiff_file_diff_binary
xdiff_file_diff
xdiff_file_merge3
xdiff_file_patch_binary
xdiff_file_patch
xdiff_file_rabdiff
xdiff_string_bdiff
xdiff_string_bpatch
xdiff_string_diff_binary
xdiff_string_diff
xdiff_string_merge3
xdiff_string_patch_binary
xdiff_string_patch
xdiff_string_rabdiff

azurit (Member) commented Jan 28, 2023

Affecting PHP's Behaviour:

apcu_cache_info
apcu_fetch
apcu_key_info
apcu_store
APCUIterator::current

debug_backtrace
debug_print_backtrace
error_get_last
error_log
set_error_handler
set_exception_handler
trigger_error
user_error

opcache_get_status

ob_get_clean
ob_get_contents
ob_get_flush
ob_gzhandler

cli_get_process_title
cli_set_process_title
dl
get_current_user
get_defined_constants
get_included_files
get_required_files
getenv
getmygid
getmyuid
ini_alter
ini_set
php_ini_loaded_file
php_ini_scanned_files
php_uname
phpversion
putenv
set_include_path
sys_get_temp_dir
zend_version

phpdbg_break_file
phpdbg_break_function
phpdbg_break_method
phpdbg_break_next

runkit7_constant_add
runkit7_constant_redefine
runkit7_function_add
runkit7_function_copy
runkit7_function_redefine
runkit7_function_rename
runkit7_import
runkit7_method_add
runkit7_method_copy
runkit7_method_redefine
runkit7_method_rename
runkit7_zval_inspect

uopz_add_function
uopz_compose
uopz_copy
uopz_extend
uopz_flags
uopz_function
uopz_implement
uopz_overload
uopz_redefine
uopz_rename
uopz_set_hook
uopz_set_property
uopz_set_static

wincache_fcache_fileinfo
wincache_fcache_meminfo
wincache_ocache_fileinfo
wincache_rplist_fileinfo
wincache_scache_info
wincache_ucache_add
wincache_ucache_cas
wincache_ucache_get
wincache_ucache_info
wincache_ucache_set

Yac::add
Yac::dump
Yac::get
Yac::info
Yac::set

azurit (Member) commented Jan 28, 2023

BTW, why not add all function names?

fzipi (Member, Author) commented Jan 28, 2023

I don't know 😄 Can you take over and push this one to the finish line?


azurit (Member) commented Jan 28, 2023

> Can you take over and push this one to the finish line?

Do you mean taking the functions which I chose and updating the list?

fzipi (Member, Author) commented Jan 28, 2023

Yes, exactly that. This list, and all depending ones in the group. Please.

azurit (Member) commented Jan 28, 2023

OK, a few questions:

  1. You wrote that function names must be extremely rare in natural language or other contexts. Should I remove functions like touch, stat, system and so on from the list?
  2. What do you suggest we do with functions like Yac::add? They can be called in two ways:
  • as a static function: Yac::add(...
  • as an object method: $anything_here = Yac::new(); .....; $anything_here->add(...
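Both questions above can be answered empirically rather than by intuition. The following is an added Python example, not tooling from the CRS project: it screens a candidate list against a constructed set of benign request values to see which words collide with everyday text (the "rare in natural language" bar from the issue description), and it checks how a single phrase such as `Yac::add` behaves under substring matching against the static-call and method-call forms. The candidate list, the benign values and the PHP snippets are all constructed for the demo.

```python
"""Added example: screening candidates for the 933150 word list.

Not the project's own tooling. The candidate words, the benign sample
values and the PHP call samples below are constructed for the demo; the
matching is the case-insensitive substring semantics of @pmFromFile.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed candidate list: a few clearly PHP-only names plus the short
# English words the question is about.
CANDIDATES = [
    "base64_decode", "file_get_contents", "shell_exec", "passthru",
    "touch", "stat", "system", "dir", "copy", "link", "pack",
]

# Constructed benign values of the kind a WAF sees in ARGS every day.
BENIGN_VALUES = [
    "Please don't touch the thermostat",
    "Our ecosystem is growing; see the statistics page",
    "copy of the invoice attached",
    "https://example.com/link?dir=asc",
    "I'll unpack after the trip",
    "estate agent in Dublin",
    "first name: Bartholomew",
]

# Constructed PHP snippets for the static-call vs. method-call question.
YAC_CALLS = [
    "Yac::add('k', 'v')",
    "$y = new Yac(); $y->add('k', 'v');",
]


def false_positive_report(candidates: List[str], benign: List[str]) -> Dict[str, List[str]]:
    """Map each candidate to the benign values it would fire on.
    Candidates with no hits are absent from the result."""
    report = defaultdict(list)
    for cand in candidates:
        needle = cand.lower()
        for value in benign:
            if needle in value.lower():
                report[cand].append(value)
    return dict(report)


def rank_for_removal(candidates: List[str], benign: List[str]) -> List[str]:
    """Candidates ordered by number of benign hits, worst first (ties
    alphabetical). Zero-hit candidates are omitted: they pass the bar."""
    report = false_positive_report(candidates, benign)
    return sorted(report, key=lambda c: (-len(report[c]), c))


def static_vs_method(phrase: str, samples: List[str]) -> Dict[str, bool]:
    """Whether one pm phrase matches each PHP call sample. A phrase written
    as 'Class::method' only covers the static form; the method form exposes
    just '->add(' to the matcher, which a class-qualified phrase never sees."""
    return {s: phrase.lower() in s.lower() for s in samples}


if __name__ == "__main__":
    for cand, hits in false_positive_report(CANDIDATES, BENIGN_VALUES).items():
        print(f"{cand}: {len(hits)} benign hit(s), e.g. {hits[0]!r}")
    print("remove first:", rank_for_removal(CANDIDATES, BENIGN_VALUES))
    print(static_vs_method("Yac::add", YAC_CALLS))
```

Note that `stat` is the worst offender in this sample not because "stat" appears as a word, but because it is a substring of "thermostat", "statistics" and "estate"; the four PHP-only names hit nothing. For the `Yac::add` case the report shows that a phrase containing the class name covers only the static form, so the method form would need a separate decision (a bare `->add(` is far too generic for this list).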

@azurit azurit assigned azurit and unassigned fzipi Mar 20, 2023
Xhoenix (Member) commented Mar 20, 2023

What about PHP deserialization functions? We need to add those too.

azurit (Member) commented Mar 20, 2023

@GenialHacker Feel free to add them here in the comments.

Xhoenix (Member) commented Mar 20, 2023

The PHP gadget chain tool phpggc can be used to create test payloads which call different framework-specific functions. Gadgets can be specific to a webapp or even a framework, but you can use phpggc to get some common gadgets.

azurit (Member) commented Mar 21, 2023

@GenialHacker Can you be more specific and suggest function names which you consider dangerous? Thanks.

Xhoenix (Member) commented Mar 21, 2023

I meant that, to exploit PHP deserialization, certain classes from different PHP frameworks can be used in a payload. The phpggc binary gives the names of some common classes. But as this is about functions, I'm not sure where those will fit.

Xhoenix (Member) commented Mar 21, 2023

Never mind, the idea just came suddenly when I took a look at this issue, and I hadn't thought the implementation would be this complicated. :)

fzipi (Member, Author) commented Jun 10, 2023

While I think the chosen functions make sense, is there any way to automate this? I'm worried that every time we need to add one new function we need to redo all the reasoning here... and the future versions of us will hate us for this decision.

dune73 (Member) commented Jun 16, 2023

Hey @M4tteoP, did you get to look into this during the week?

M4tteoP (Member) commented Jun 16, 2023

@dune73 Nope :( It's planned for the weekend.

dune73 (Member) commented Jun 16, 2023

Good. Please keep us posted on this.

M4tteoP (Member) commented Sep 19, 2023

Closing as completed via #3273

@M4tteoP M4tteoP closed this as completed Sep 19, 2023
6 participants