Hack Websites with PHP!
HTML-код
- Опубликовано: 30 сен 2024
- Hack Websites with PHP!
~Links~
Stuck with Ethical Hacking?: www.udemy.com/...
My socials: gr1ff1nsec.car...
My Other Tech Channel: @JohnDoeTech
Github: github.com/4R1...
--IGNORE
kali linux,hacker,learn to code,oscp,owasp,parrot os,nmap,bash aliases,htb,como instalar kali linux,vmware,digital forensics,windows subsystem for linux,cyber security,sql injection,linux,comptia linux+ exam
-IGNORE-
You just didn't shown me how to crack a php site. Also you helped me to save my php sites from this.
(Solution: just make an shell script or java app or python script or whatever, that will keep continuously checking my /img/avatars/ folder & just erase instantly if any non png/jpg/jpeg file found. )
Thanks for it. ❤
Just don’t accept files that aren’t images in first place
@@pklvo it doesn't work like that, since we can bypass that too!
Run Nuclei or Burp Scanner on your website and it should show you some basic vulnerabilities that your website may have.
It can save you from script-kiddies breaking your website!
@@JohnDoeSec Im pretty sure correct me if im wrong that this only bypasses content-type headers, but if the server itself checks for what they file itself is rather than the HTTP headers it wont be the case.
@@jotunnpy If the website checks, even before it allows you to upload a file then HTTP Headers bypass won't work. Because you won't even get a response to try to manipulate it.
But you can always try different ways, extension bypass, changing hex values in the files itself.
watch wordpress cry
lol
Will this still work if the image folder only has read but not execute permission?
It has to execute.
So upload a dummy image, if it shows, that means a payload will work too.
@@JohnDoeSec It's cool that YT recommended your video to me.
I happen to be working on a PHP based website with an image upload feature.
I guess the algorithm includes my recent search history.
My website isn't done yet but I'll see if I can figure out a way to avoid this PHP vulnerability.
I'll try posing the link to my work in progress in a reply to this comment.
If YT really doesn't allow links I'll see if I can message it to you more directly.
No worries if you don't have time to look at it, but thanks if you do.
Wow! YT really doesn't like links in the comments.
I would think Google would be less of a sledge hammer with spam detection.
Anyway, you will need to just figure out where the . and the com go in this, my 6th attempt:
political-streamers /RegisterStreamer
I guess I'm a little autistic or something.
I've been trying to post this reply for 35 minutes.
Now, I'm just curious if anything will work.
I should probably give up eventually.
You will need to figure out the missing parts yourself:
political-streamers slash RegisterStreamer
This is my 7th attempt.
I've been trying to post reply this for 40 minutes.
I'm pretty sure I've tripped something.
This is my 8th attempt.
I may give up eventually.
My target still doesn't allow php file upload. How do I upload php file as png or jpg
So what you can try to do is
-Bypass HTTP Client Side Verification with Burpsuite
-Run through Blacklist/Whitelist
-Double extensions
And much more, I can recommend checking out OWASP for more Info
@@JohnDoeSec I wish you could refer me to a video
@@skeeterstudies8109 ruclips.net/video/ZWG1nNdUnBc/видео.html
First one here
is there a better alternative for burp suite?
Burpsuite Pro : D
But to be honest, a lot of people use Caido, ZAP. It's personal preference in my opinion.
But Burpsuite Pro has some functions that are worth buying.
second!!!!!
Third maybe!?