As a web developer i have never seen someone use GET for file input, we only use POST requests for file input. Having a file input using GET request is a very clear vulnerability.
The vulnerability here does not really depend on the HTTP method used, but to the fact that user supplied input is being passed to the include() function
uhh... who's going to tell him? You are aware that GET was the only way to upload files back in the day, right? the vulnerability is not in the GET request itself, it's in passing the input to include, if you do the same with POST, then you still get the exact same vulnerability lol. There are still old HTTP servers in production that only implement GET btw... and those servers are safe, because the request itself is not unsafe, what you do with the data you get is where the vulnerability is located.
The TLDR here is follow your OWASP basic guidelines around input validation. Never trust user input. You can in theory do this in any language on any web framework. If they are allowed to "get" a file, you'd restrict that to only a certain directory, or hide details around an API once authorization is completed. Also includes, imports, anything involving file operations should never be user driven.
Including a file with a path from _GET parameter is not a vulnerability, it's idiocy...sorry for being blunt, but no serious software will have all these problems you are describing in this video...
True. But none of the softwares on the web are that serious. So we find these issues here and there once in a while. Plus including a file from GET param is a vulnerability if you weren’t expecting them to including random files. it’s not a vulnerability of php. It’s more of a vulnerability of that particular site.
I took it as more of a proof of concept/CTF practice albeit with multiple factors that had to be just right. I'm certainly not an expert on the matter, but I believe he references multiple times that this was only possible on older versions of PHP anyway?
I found an issue exactly like this in a PHP CMS two months ago on a pentest. HTTP parameter passes through ~5 function calls and then concatenated to a file path with a '.php' concatenated on the end, later in the file with some more prerequisites it is passed to include_once(). It was just a matter of using traversal to reach pearcmd and use this trick for RCE. Yeah ofc you won't find this if they use some more modern PHP framework but you are naive if you think there isn't a lot of legacy PHP code with this type of vuln running in production.
@@Felttipfuzzywuzzyflyguy no, including a file from _GET can be done in any PHP: from php3 to php8, and will still be possible decades from today... I dont know what author of video meant when he talked about older version of PHP...
@@geogusdvikois6326pearcmd.php is available until PHP 7.3... That's what was said in the video. But you are right. Including raw input into include is possible and wrong in any PHP version.
Id like to point out this ISN'T patched after 7.4, pecl just isn't installed by default anymore. If pecl is installed manually on any newer PHP version then the same RCE can be achieved with a suitable LFI exploit primitive
Actually, large number of the websites on the web STILL run PHP 7.3 and older, probably at least 30-40% of the PHP web applications run on 7.3 or older. Partially this is due to the fact that WordPress powers a lot of websites today and many WordPress core, plugin and theme versions are outdated, due to the fact people are afraid of updates or they no longer have paid subscription for specific plugin or theme and they do not get updates. Of course, many, many other PHP web applications run 5.6, because they were developed manually or with some awful old PHP framework, which does not tolerate upgrades.
Did you check if pecl is installed? That's all that is required to be vulnerable newer versions don't have it by default but not sure if it would persist through upgrades. And if you use docker, new versions will have it too!
So basically someone wrote an entire pointless blog article to tell exactly what is written in PHP documentation. That's definitely must be a vulnerability. :|
Minute 14:47 The Problem is, this all only works because YOU created the index.php with LFI. But what if there is no LFI and only the server[argv]? No link to original Post in Description!
@_johnHammond, I expected more of you: 5:30 But, who in their right mind would use include together with an input variable?? o.O That in itself has always been and still is a major vulnerability. That doesn't require any special settings in PHP to do that. Any PHP version has that "vulnerability". It is stupid in the same way as outputting the source code or your passwords for the database. If one does not use include together with an input variable, then this whole "vulnerability" is moot and will not work.
@hvidstue I thintk the point of the video is not to explain LFI, but rather to show how to escalate from LFI to RCE without log poisoning. Of course including user provided data is a vulnerability, and most web apps nowadays won't do that, but it is still possible to find a page that has LFI and can be exploited using that.
Just want to know who does this? Why would a dev code something that gives direct access to a PHP file? If you want to call php files thru a get request then why not use a variable and hard code the file to be included in an if/case statement? If there are developers still doing this to this day just quit already.
What? That is just to get an LFI primitive to demonstrate the real issue, the pearcmd RCE technique. In reality you would have a legitimate LFI primitive and substitute it with what is demonstrated
@@xB-yg2iw LFI (local file inclusion) by directly using user input? Yeah, no. Thats like demonstrating "the real issue" at breaking into a house with a no locked door, where the "technique" is like "open the door from the inside" or so.
@@CottonInDerTube The thing is that usually people try to escalate from LFI to RCE using web server log poisoning, and he is showcasing a way to get RCE without log poisoning. And LFI via direct user input is still a thing, it's not hard to find websites with that using some dorks for LFI.
I mean yeah, but who would program it like this. Normally you would make a function that checks if the file is accessible for the user. Which means you write allowed files into an array and if it is not in the array it blocks the request
@byailen I mean, not necessarily in some use cases you can do more than that, like giving access to an external data directory, but ofc only in a controlled manner. Nextcloud is a good example, although I don't know how the handle is showing files to the user, but I know that it always displays the file path in the url. I guess it checks the user permissions from the database
I hope he would show how to hack a real PHP application and not things like this. Hack PHP apps with PSR implemented and we'll see. BTW if Laravel would be put into test that's way better.
They can't because of tons of best practices followed in Symfony components and it's eco system. Most verns are patched on zero day, and they don't allow stupid things like these. Besides, php is usually jailed by basepath so that it only has access to its own directories it's running and also there's blacklisted function list disabling sys, exec and most system funcrions required to exploit it further. The pentestors won't show you that as it's part of their job to review if configs are correct or not and have no security holes. Let alone pimut it behind proxy and then let them try to access shell lol :) P.S. Typos
In Laravel everything is encrypted by default, there's also anti-spam and input cleaner (to prevent SQL injection) by default and CSRF token are mandatory for a form to work under Post request. There's a way more of things to say but in general, the application is "safe" to a certain extend right when starting a project. The #1 source of hacks and stuff are from humans sources not from the code himself. I personally don't let the admins i manage choose their personal password and i force the system to change their password each week or month, at least each year. A teacher told me one day "you gotta understand that by essence you can hack everything because everything is only 0 & 1 BUT depending on the complexity of those 0 & 1 that will need a more robust machinery, more investment and more important, more time". I always try to make things the more difficult for hackers so they give up, the most basic thing when i set up HTTPS on Apache serv is to change the encryption key each day, if possible multiple times each day. Btw for the HTTPS i use Win-Acme, it's a great interface, you set it up in like 2mins in a new machine, this already have auto schedule task built-in, you don't even have to ask for it AND this have a custom plugin feature in C# so you can really do great things, i honestly only install Apache24 (apache lounge) servers, with the right config it's solid af. Also about Laravel, always do the following at the start of a project: - Install IDE Helper - Install PHP Stan + Larastan - Install Laravel Pint I personally have created differents Makefile that i only have to copy into projects, upon them on my Laravel projects i alway have a Makefile that will do all the Laravel feature like clear:view, cache-config, optimize, dump autoload and go on and the ones i've said earlier like Php Stan and stuff just by puting into the console "make all" or if i only want to manage the cache "make all-cache" :) If you want the Make config i use for my Laravel 10 projects i'll be glad to share, only @ me ^^ LAST EDIT: Don't forget the modsecurity of Apache24 it's a must have.
if i force user/password to be only a-zA-z0-9 no other chars, on the server side, if i find single quote/double quote or any char not in a-zA-z0-9, i treat it like sql injection, can i be safe from sql injection?
Bold of you to assume that people keep their php apps up-to-date 😄. I just finished a contract that involved updating php 5 and php 7 apps to php 8. Most organizations just set up Wordpress and never do anything to manage the underlying infrastructure, or even Wordpress itself. In a perfect world, this wouldn't be an issue because everyone would be on current versions of things, but that's not the case.
Is there any way I can see my gmail password whilst I am logged in? I don't remember the password and it is not saved in password manager. Please help 🙏🥺🥺
Everything is temporary but john's "I don't know" is permanent
Permanent*
As a web developer i have never seen someone use GET for file input, we only use POST requests for file input. Having a file input using GET request is a very clear vulnerability.
The vulnerability here does not really depend on the HTTP method used, but to the fact that user supplied input is being passed to the include() function
Php devs stll think get requests are vulnerabilities 😂
uhh... who's going to tell him? You are aware that GET was the only way to upload files back in the day, right? the vulnerability is not in the GET request itself, it's in passing the input to include, if you do the same with POST, then you still get the exact same vulnerability lol. There are still old HTTP servers in production that only implement GET btw... and those servers are safe, because the request itself is not unsafe, what you do with the data you get is where the vulnerability is located.
@@jmsanchez5631 yes but it doesn't happen.. think and let us know if a scenario where this would ever be practically used ?
It doesn't matter if it's GET or POST but this is not even a vulnerability. It's just PHP performing exactly what it was coded to do..
The TLDR here is follow your OWASP basic guidelines around input validation. Never trust user input. You can in theory do this in any language on any web framework. If they are allowed to "get" a file, you'd restrict that to only a certain directory, or hide details around an API once authorization is completed. Also includes, imports, anything involving file operations should never be user driven.
It's so weird seeing the ad with John, then watching john's video and then him mentioning the ad you just watched before the video
Including a file with a path from _GET parameter is not a vulnerability, it's idiocy...sorry for being blunt, but no serious software will have all these problems you are describing in this video...
True. But none of the softwares on the web are that serious. So we find these issues here and there once in a while. Plus including a file from GET param is a vulnerability if you weren’t expecting them to including random files. it’s not a vulnerability of php. It’s more of a vulnerability of that particular site.
I took it as more of a proof of concept/CTF practice albeit with multiple factors that had to be just right. I'm certainly not an expert on the matter, but I believe he references multiple times that this was only possible on older versions of PHP anyway?
I found an issue exactly like this in a PHP CMS two months ago on a pentest. HTTP parameter passes through ~5 function calls and then concatenated to a file path with a '.php' concatenated on the end, later in the file with some more prerequisites it is passed to include_once(). It was just a matter of using traversal to reach pearcmd and use this trick for RCE. Yeah ofc you won't find this if they use some more modern PHP framework but you are naive if you think there isn't a lot of legacy PHP code with this type of vuln running in production.
@@Felttipfuzzywuzzyflyguy no, including a file from _GET can be done in any PHP: from php3 to php8, and will still be possible decades from today... I dont know what author of video meant when he talked about older version of PHP...
@@geogusdvikois6326pearcmd.php is available until PHP 7.3... That's what was said in the video.
But you are right. Including raw input into include is possible and wrong in any PHP version.
Id like to point out this ISN'T patched after 7.4, pecl just isn't installed by default anymore. If pecl is installed manually on any newer PHP version then the same RCE can be achieved with a suitable LFI exploit primitive
Just before this vid I saw an ad of you published by snyk and I really thought that this was the beginning until I realized a skip button.
Hi John, just wanted to thank you for your videos. They are super helpful and I learn new things I can use at work every day!
Actually, large number of the websites on the web STILL run PHP 7.3 and older, probably at least 30-40% of the PHP web applications run on 7.3 or older.
Partially this is due to the fact that WordPress powers a lot of websites today and many WordPress core, plugin and theme versions are outdated, due to the fact people are afraid of updates or they no longer have paid subscription for specific plugin or theme and they do not get updates.
Of course, many, many other PHP web applications run 5.6, because they were developed manually or with some awful old PHP framework, which does not tolerate upgrades.
😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊
5:30 Seriously though. What idiot would have a query control which include file to load. There's the security issue right there.
Yes obviously, it's just for the sake of demonstration. Typically a tainted value would pass through many functions to reach a sink like this.
for the sake of ctf players ✌
Glad I upgraded my PHP.
Did you check if pecl is installed? That's all that is required to be vulnerable newer versions don't have it by default but not sure if it would persist through upgrades. And if you use docker, new versions will have it too!
So basically someone wrote an entire pointless blog article to tell exactly what is written in PHP documentation.
That's definitely must be a vulnerability. :|
Minute 14:47 The Problem is, this all only works because YOU created the index.php with LFI. But what if there is no LFI and only the server[argv]? No link to original Post in Description!
Wow, I appreciate that you're so dedicated that you record a video at 23:30 in the night, but please don't overwork yourself!
@_johnHammond, I expected more of you:
5:30 But, who in their right mind would use include together with an input variable?? o.O
That in itself has always been and still is a major vulnerability. That doesn't require any special settings in PHP to do that. Any PHP version has that "vulnerability".
It is stupid in the same way as outputting the source code or your passwords for the database.
If one does not use include together with an input variable, then this whole "vulnerability" is moot and will not work.
@hvidstue I thintk the point of the video is not to explain LFI, but rather to show how to escalate from LFI to RCE without log poisoning. Of course including user provided data is a vulnerability, and most web apps nowadays won't do that, but it is still possible to find a page that has LFI and can be exploited using that.
Include from a GET?! I haven't coded php since 2006 and I still know this is the dumbest thing ever.
Just want to know who does this? Why would a dev code something that gives direct access to a PHP file? If you want to call php files thru a get request then why not use a variable and hard code the file to be included in an if/case statement?
If there are developers still doing this to this day just quit already.
Early crew. :3
What are you trying to show? That its not a good idea to include USER INPUT (at any language)?
Because that would and should be less than 1 min.
What? That is just to get an LFI primitive to demonstrate the real issue, the pearcmd RCE technique. In reality you would have a legitimate LFI primitive and substitute it with what is demonstrated
@@xB-yg2iw LFI (local file inclusion) by directly using user input? Yeah, no. Thats like demonstrating "the real issue" at breaking into a house with a no locked door, where the "technique" is like "open the door from the inside" or so.
@@CottonInDerTube If you are clueless enough to not see that the LFI primitive used is irrelevant I don't know what else to say to you.
@@CottonInDerTube The thing is that usually people try to escalate from LFI to RCE using web server log poisoning, and he is showcasing a way to get RCE without log poisoning. And LFI via direct user input is still a thing, it's not hard to find websites with that using some dorks for LFI.
I mean yeah, but who would program it like this.
Normally you would make a function that checks if the file is accessible for the user. Which means you write allowed files into an array and if it is not in the array it blocks the request
yup. if it's more than root folder of project, block it.
@byailen I mean, not necessarily in some use cases you can do more than that, like giving access to an external data directory, but ofc only in a controlled manner. Nextcloud is a good example, although I don't know how the handle is showing files to the user, but I know that it always displays the file path in the url. I guess it checks the user permissions from the database
Oh this guy is from Singapore.
Wow great video
Nobody uses PHP like this any more. You are living in the 90s
No but the frameworks you use do this for you
@@damiendye6623 lol 😂
love you brother, im at lowest in my life, do you have any courses for free or any guidence, god bless you
english is not my first language so i dont know how to exactly say it, if it goes wrong sense, im sorry
He showed some "Pay what you can" courses which can give you some free lessons. I can't find it but you might
How did you learned this, u went to college? Genious
16:08 why do you need to put that in bash -c if you already pipe command into bash?
I hope he would show how to hack a real PHP application and not things like this.
Hack PHP apps with PSR implemented and we'll see.
BTW if Laravel would be put into test that's way better.
They can't because of tons of best practices followed in Symfony components and it's eco system. Most verns are patched on zero day, and they don't allow stupid things like these.
Besides, php is usually jailed by basepath so that it only has access to its own directories it's running and also there's blacklisted function list disabling sys, exec and most system funcrions required to exploit it further.
The pentestors won't show you that as it's part of their job to review if configs are correct or not and have no security holes. Let alone pimut it behind proxy and then let them try to access shell lol :)
P.S. Typos
In Laravel everything is encrypted by default, there's also anti-spam and input cleaner (to prevent SQL injection) by default and CSRF token are mandatory for a form to work under Post request.
There's a way more of things to say but in general, the application is "safe" to a certain extend right when starting a project.
The #1 source of hacks and stuff are from humans sources not from the code himself.
I personally don't let the admins i manage choose their personal password and i force the system to change their password each week or month, at least each year.
A teacher told me one day "you gotta understand that by essence you can hack everything because everything is only 0 & 1 BUT depending on the complexity of those 0 & 1 that will need a more robust machinery, more investment and more important, more time".
I always try to make things the more difficult for hackers so they give up, the most basic thing when i set up HTTPS on Apache serv is to change the encryption key each day, if possible multiple times each day.
Btw for the HTTPS i use Win-Acme, it's a great interface, you set it up in like 2mins in a new machine, this already have auto schedule task built-in, you don't even have to ask for it AND this have a custom plugin feature in C# so you can really do great things, i honestly only install Apache24 (apache lounge) servers, with the right config it's solid af.
Also about Laravel, always do the following at the start of a project:
- Install IDE Helper
- Install PHP Stan + Larastan
- Install Laravel Pint
I personally have created differents Makefile that i only have to copy into projects, upon them on my Laravel projects i alway have a Makefile that will do all the Laravel feature like clear:view, cache-config, optimize, dump autoload and go on and the ones i've said earlier like Php Stan and stuff just by puting into the console "make all" or if i only want to manage the cache "make all-cache" :)
If you want the Make config i use for my Laravel 10 projects i'll be glad to share, only @ me ^^
LAST EDIT: Don't forget the modsecurity of Apache24 it's a must have.
if i force user/password to be only a-zA-z0-9 no other chars, on the server side, if i find single quote/double quote or any char not in a-zA-z0-9, i treat it like sql injection, can i be safe from sql injection?
use parametrised queries for values that you need to pass to the query
why do you build a full image for this? just use docker run?
So it won't work without LFI !!😅
Amazing! Can you please share the code you showed?
That's all patched
Bold of you to assume that people keep their php apps up-to-date 😄. I just finished a contract that involved updating php 5 and php 7 apps to php 8. Most organizations just set up Wordpress and never do anything to manage the underlying infrastructure, or even Wordpress itself. In a perfect world, this wouldn't be an issue because everyone would be on current versions of things, but that's not the case.
@@yramagicman675 you never did some penetrations testing in real time right!?
Pure gold.
so hows the argv used?
Seth?
awesome. I always wondered how to do something like this
Is there any way I can see my gmail password whilst I am logged in? I don't remember the password and it is not saved in password manager. Please help 🙏🥺🥺
No, not even gmail itself has your password in plain text
@@david_santiagoo 😯😯
it has to be windows?
Please mention Twitter X link of trycos or phithon etc...
Pretty fancy exploit
You're the best hacker in the world. You can even hack a human brain😅
php what is this 2005 ?
shit. still using php 7.3.33 at work..
❤
Cool
I like it ;-)
Pin📌?
This is bad. Yo!
Interesting script kiddie
tf you talking about ?
y u say dis GUI boy ? @@kiyu3229
@@margarita8442 i am just asking what the fuck you are talking about
Everyone is a script kiddy in the beginning. That’s where you start.
🤡
first
nope, too late brother
20th comment
Nice
So it won't work without LFI !! thanks for the video
php in 2023....