Website Vulnerabilities to Fully Hacked Server

Поделиться
HTML-код
  • Опубликовано: 27 ноя 2024

Комментарии • 112

  • @mrblueberry.
    @mrblueberry. Год назад +22

    Everything is temporary but john's "I don't know" is permanent

  • @BigBoyzz2314
    @BigBoyzz2314 Год назад +48

    As a web developer i have never seen someone use GET for file input, we only use POST requests for file input. Having a file input using GET request is a very clear vulnerability.

    • @jmsanchez5631
      @jmsanchez5631 Год назад +6

      The vulnerability here does not really depend on the HTTP method used, but to the fact that user supplied input is being passed to the include() function

    • @nikolas4786
      @nikolas4786 Год назад +4

      Php devs stll think get requests are vulnerabilities 😂

    • @tiranito2834
      @tiranito2834 Год назад +2

      uhh... who's going to tell him? You are aware that GET was the only way to upload files back in the day, right? the vulnerability is not in the GET request itself, it's in passing the input to include, if you do the same with POST, then you still get the exact same vulnerability lol. There are still old HTTP servers in production that only implement GET btw... and those servers are safe, because the request itself is not unsafe, what you do with the data you get is where the vulnerability is located.

    • @dpg6769
      @dpg6769 Год назад

      @@jmsanchez5631 yes but it doesn't happen.. think and let us know if a scenario where this would ever be practically used ?

    • @dpg6769
      @dpg6769 Год назад +2

      It doesn't matter if it's GET or POST but this is not even a vulnerability. It's just PHP performing exactly what it was coded to do..

  • @echologixxx9758
    @echologixxx9758 Год назад +3

    The TLDR here is follow your OWASP basic guidelines around input validation. Never trust user input. You can in theory do this in any language on any web framework. If they are allowed to "get" a file, you'd restrict that to only a certain directory, or hide details around an API once authorization is completed. Also includes, imports, anything involving file operations should never be user driven.

  • @mikaay4269
    @mikaay4269 Год назад +3

    It's so weird seeing the ad with John, then watching john's video and then him mentioning the ad you just watched before the video

  • @geogusdvikois6326
    @geogusdvikois6326 Год назад +100

    Including a file with a path from _GET parameter is not a vulnerability, it's idiocy...sorry for being blunt, but no serious software will have all these problems you are describing in this video...

    • @sangamo38
      @sangamo38 Год назад +10

      True. But none of the softwares on the web are that serious. So we find these issues here and there once in a while. Plus including a file from GET param is a vulnerability if you weren’t expecting them to including random files. it’s not a vulnerability of php. It’s more of a vulnerability of that particular site.

    • @Felttipfuzzywuzzyflyguy
      @Felttipfuzzywuzzyflyguy Год назад +4

      I took it as more of a proof of concept/CTF practice albeit with multiple factors that had to be just right. I'm certainly not an expert on the matter, but I believe he references multiple times that this was only possible on older versions of PHP anyway?

    • @xB-yg2iw
      @xB-yg2iw Год назад +10

      I found an issue exactly like this in a PHP CMS two months ago on a pentest. HTTP parameter passes through ~5 function calls and then concatenated to a file path with a '.php' concatenated on the end, later in the file with some more prerequisites it is passed to include_once(). It was just a matter of using traversal to reach pearcmd and use this trick for RCE. Yeah ofc you won't find this if they use some more modern PHP framework but you are naive if you think there isn't a lot of legacy PHP code with this type of vuln running in production.

    • @geogusdvikois6326
      @geogusdvikois6326 Год назад +5

      @@Felttipfuzzywuzzyflyguy no, including a file from _GET can be done in any PHP: from php3 to php8, and will still be possible decades from today... I dont know what author of video meant when he talked about older version of PHP...

    • @boenrobot
      @boenrobot Год назад

      ​@@geogusdvikois6326pearcmd.php is available until PHP 7.3... That's what was said in the video.
      But you are right. Including raw input into include is possible and wrong in any PHP version.

  • @xB-yg2iw
    @xB-yg2iw Год назад +12

    Id like to point out this ISN'T patched after 7.4, pecl just isn't installed by default anymore. If pecl is installed manually on any newer PHP version then the same RCE can be achieved with a suitable LFI exploit primitive

  • @xunleqitrazer
    @xunleqitrazer Год назад +4

    Just before this vid I saw an ad of you published by snyk and I really thought that this was the beginning until I realized a skip button.

  • @ITSecSteveRogers
    @ITSecSteveRogers Год назад +6

    Hi John, just wanted to thank you for your videos. They are super helpful and I learn new things I can use at work every day!

  • @MP-wm9gb
    @MP-wm9gb Год назад +2

    Actually, large number of the websites on the web STILL run PHP 7.3 and older, probably at least 30-40% of the PHP web applications run on 7.3 or older.
    Partially this is due to the fact that WordPress powers a lot of websites today and many WordPress core, plugin and theme versions are outdated, due to the fact people are afraid of updates or they no longer have paid subscription for specific plugin or theme and they do not get updates.
    Of course, many, many other PHP web applications run 5.6, because they were developed manually or with some awful old PHP framework, which does not tolerate upgrades.

    • @cruzergo
      @cruzergo 4 месяца назад

      😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊

  • @seb_gibbs
    @seb_gibbs Год назад +4

    5:30 Seriously though. What idiot would have a query control which include file to load. There's the security issue right there.

    • @xB-yg2iw
      @xB-yg2iw Год назад +1

      Yes obviously, it's just for the sake of demonstration. Typically a tainted value would pass through many functions to reach a sink like this.

    • @dytra_io
      @dytra_io Год назад

      for the sake of ctf players ✌

  • @paul.phillips
    @paul.phillips Год назад +4

    Glad I upgraded my PHP.

    • @xB-yg2iw
      @xB-yg2iw Год назад +1

      Did you check if pecl is installed? That's all that is required to be vulnerable newer versions don't have it by default but not sure if it would persist through upgrades. And if you use docker, new versions will have it too!

  • @dpg6769
    @dpg6769 Год назад

    So basically someone wrote an entire pointless blog article to tell exactly what is written in PHP documentation.
    That's definitely must be a vulnerability. :|

  • @Maik.iptoux
    @Maik.iptoux Год назад +2

    Minute 14:47 The Problem is, this all only works because YOU created the index.php with LFI. But what if there is no LFI and only the server[argv]? No link to original Post in Description!

  • @Lampe2020
    @Lampe2020 Год назад +5

    Wow, I appreciate that you're so dedicated that you record a video at 23:30 in the night, but please don't overwork yourself!

  • @mikkolukas
    @mikkolukas Год назад +10

    @_johnHammond, I expected more of you:
    5:30 But, who in their right mind would use include together with an input variable?? o.O
    That in itself has always been and still is a major vulnerability. That doesn't require any special settings in PHP to do that. Any PHP version has that "vulnerability".
    It is stupid in the same way as outputting the source code or your passwords for the database.
    If one does not use include together with an input variable, then this whole "vulnerability" is moot and will not work.

    • @NicholasFerreira7359
      @NicholasFerreira7359 Год назад +2

      @hvidstue I thintk the point of the video is not to explain LFI, but rather to show how to escalate from LFI to RCE without log poisoning. Of course including user provided data is a vulnerability, and most web apps nowadays won't do that, but it is still possible to find a page that has LFI and can be exploited using that.

  • @digitalcynicism
    @digitalcynicism Год назад +2

    Include from a GET?! I haven't coded php since 2006 and I still know this is the dumbest thing ever.

  • @helbertgascon
    @helbertgascon 2 месяца назад +1

    Just want to know who does this? Why would a dev code something that gives direct access to a PHP file? If you want to call php files thru a get request then why not use a variable and hard code the file to be included in an if/case statement?
    If there are developers still doing this to this day just quit already.

  • @ReligionAndMaterialismDebunked
    @ReligionAndMaterialismDebunked Год назад +2

    Early crew. :3

  • @CottonInDerTube
    @CottonInDerTube Год назад +2

    What are you trying to show? That its not a good idea to include USER INPUT (at any language)?
    Because that would and should be less than 1 min.

    • @xB-yg2iw
      @xB-yg2iw Год назад +1

      What? That is just to get an LFI primitive to demonstrate the real issue, the pearcmd RCE technique. In reality you would have a legitimate LFI primitive and substitute it with what is demonstrated

    • @CottonInDerTube
      @CottonInDerTube Год назад

      @@xB-yg2iw LFI (local file inclusion) by directly using user input? Yeah, no. Thats like demonstrating "the real issue" at breaking into a house with a no locked door, where the "technique" is like "open the door from the inside" or so.

    • @xB-yg2iw
      @xB-yg2iw Год назад

      @@CottonInDerTube If you are clueless enough to not see that the LFI primitive used is irrelevant I don't know what else to say to you.

    • @NicholasFerreira7359
      @NicholasFerreira7359 Год назад

      @@CottonInDerTube The thing is that usually people try to escalate from LFI to RCE using web server log poisoning, and he is showcasing a way to get RCE without log poisoning. And LFI via direct user input is still a thing, it's not hard to find websites with that using some dorks for LFI.

  • @david_santiagoo
    @david_santiagoo Год назад +1

    I mean yeah, but who would program it like this.
    Normally you would make a function that checks if the file is accessible for the user. Which means you write allowed files into an array and if it is not in the array it blocks the request

    • @byailen
      @byailen Год назад

      yup. if it's more than root folder of project, block it.

    • @david_santiagoo
      @david_santiagoo Год назад

      @byailen I mean, not necessarily in some use cases you can do more than that, like giving access to an external data directory, but ofc only in a controlled manner. Nextcloud is a good example, although I don't know how the handle is showing files to the user, but I know that it always displays the file path in the url. I guess it checks the user permissions from the database

  • @LeeZhiWei8219
    @LeeZhiWei8219 Год назад

    Oh this guy is from Singapore.

  • @sonOfLiberty100
    @sonOfLiberty100 Год назад

    Wow great video

  • @illegalsmirf
    @illegalsmirf Год назад +1

    Nobody uses PHP like this any more. You are living in the 90s

    • @damiendye6623
      @damiendye6623 Год назад

      No but the frameworks you use do this for you

    • @illegalsmirf
      @illegalsmirf Год назад

      @@damiendye6623 lol 😂

  • @commonuncommon2486
    @commonuncommon2486 Год назад +6

    love you brother, im at lowest in my life, do you have any courses for free or any guidence, god bless you

    • @commonuncommon2486
      @commonuncommon2486 Год назад

      english is not my first language so i dont know how to exactly say it, if it goes wrong sense, im sorry

    • @MasterCraft_48
      @MasterCraft_48 Год назад

      He showed some "Pay what you can" courses which can give you some free lessons. I can't find it but you might

  • @Esteban-nq9bo
    @Esteban-nq9bo Год назад

    How did you learned this, u went to college? Genious

  • @RandomGeometryDashStuff
    @RandomGeometryDashStuff Год назад +1

    16:08 why do you need to put that in bash -c if you already pipe command into bash?

  • @MK-bs3dq
    @MK-bs3dq Год назад +1

    I hope he would show how to hack a real PHP application and not things like this.
    Hack PHP apps with PSR implemented and we'll see.
    BTW if Laravel would be put into test that's way better.

    • @MaulikParmar210
      @MaulikParmar210 Год назад

      They can't because of tons of best practices followed in Symfony components and it's eco system. Most verns are patched on zero day, and they don't allow stupid things like these.
      Besides, php is usually jailed by basepath so that it only has access to its own directories it's running and also there's blacklisted function list disabling sys, exec and most system funcrions required to exploit it further.
      The pentestors won't show you that as it's part of their job to review if configs are correct or not and have no security holes. Let alone pimut it behind proxy and then let them try to access shell lol :)
      P.S. Typos

    • @amumuisalivedatcom8567
      @amumuisalivedatcom8567 Год назад

      In Laravel everything is encrypted by default, there's also anti-spam and input cleaner (to prevent SQL injection) by default and CSRF token are mandatory for a form to work under Post request.
      There's a way more of things to say but in general, the application is "safe" to a certain extend right when starting a project.
      The #1 source of hacks and stuff are from humans sources not from the code himself.
      I personally don't let the admins i manage choose their personal password and i force the system to change their password each week or month, at least each year.
      A teacher told me one day "you gotta understand that by essence you can hack everything because everything is only 0 & 1 BUT depending on the complexity of those 0 & 1 that will need a more robust machinery, more investment and more important, more time".
      I always try to make things the more difficult for hackers so they give up, the most basic thing when i set up HTTPS on Apache serv is to change the encryption key each day, if possible multiple times each day.
      Btw for the HTTPS i use Win-Acme, it's a great interface, you set it up in like 2mins in a new machine, this already have auto schedule task built-in, you don't even have to ask for it AND this have a custom plugin feature in C# so you can really do great things, i honestly only install Apache24 (apache lounge) servers, with the right config it's solid af.
      Also about Laravel, always do the following at the start of a project:
      - Install IDE Helper
      - Install PHP Stan + Larastan
      - Install Laravel Pint
      I personally have created differents Makefile that i only have to copy into projects, upon them on my Laravel projects i alway have a Makefile that will do all the Laravel feature like clear:view, cache-config, optimize, dump autoload and go on and the ones i've said earlier like Php Stan and stuff just by puting into the console "make all" or if i only want to manage the cache "make all-cache" :)
      If you want the Make config i use for my Laravel 10 projects i'll be glad to share, only @ me ^^
      LAST EDIT: Don't forget the modsecurity of Apache24 it's a must have.

  • @jw27
    @jw27 Год назад

    if i force user/password to be only a-zA-z0-9 no other chars, on the server side, if i find single quote/double quote or any char not in a-zA-z0-9, i treat it like sql injection, can i be safe from sql injection?

    • @txts-to-be
      @txts-to-be Год назад +2

      use parametrised queries for values that you need to pass to the query

  • @m8_981
    @m8_981 Год назад

    why do you build a full image for this? just use docker run?

  • @IDK_911
    @IDK_911 Год назад

    So it won't work without LFI !!😅

  • @ohadzr
    @ohadzr Год назад

    Amazing! Can you please share the code you showed?

  • @seansean7653
    @seansean7653 Год назад +2

    That's all patched

    • @yramagicman675
      @yramagicman675 Год назад +5

      Bold of you to assume that people keep their php apps up-to-date 😄. I just finished a contract that involved updating php 5 and php 7 apps to php 8. Most organizations just set up Wordpress and never do anything to manage the underlying infrastructure, or even Wordpress itself. In a perfect world, this wouldn't be an issue because everyone would be on current versions of things, but that's not the case.

    • @seansean7653
      @seansean7653 Год назад

      @@yramagicman675 you never did some penetrations testing in real time right!?

  • @adamolecky6296
    @adamolecky6296 Год назад

    Pure gold.

  • @0xbr0d
    @0xbr0d 8 месяцев назад

    so hows the argv used?

  • @justinst2587
    @justinst2587 Год назад

    Seth?

  • @rodricbr
    @rodricbr Год назад

    awesome. I always wondered how to do something like this

  • @katherinefiori
    @katherinefiori Год назад

    Is there any way I can see my gmail password whilst I am logged in? I don't remember the password and it is not saved in password manager. Please help 🙏🥺🥺

    • @david_santiagoo
      @david_santiagoo Год назад +1

      No, not even gmail itself has your password in plain text

    • @katherinefiori
      @katherinefiori Год назад

      @@david_santiagoo 😯😯

  • @mbithi_ke
    @mbithi_ke 2 месяца назад

    it has to be windows?

  • @Free.Education786
    @Free.Education786 Год назад

    Please mention Twitter X link of trycos or phithon etc...

  • @tfsunit
    @tfsunit Год назад +1

    Pretty fancy exploit

  • @alvesbruno4900
    @alvesbruno4900 Год назад +3

    You're the best hacker in the world. You can even hack a human brain😅

  • @domdirector
    @domdirector Год назад

    php what is this 2005 ?

  • @ryonagana
    @ryonagana Год назад

    shit. still using php 7.3.33 at work..

  • @sand3epyadav
    @sand3epyadav Год назад

  • @zaphhood4745
    @zaphhood4745 Год назад

    Cool

  • @elmatheotheo4583
    @elmatheotheo4583 Год назад

    I like it ;-)

  • @nitinshinde642
    @nitinshinde642 Год назад

    Pin📌?

  • @KumbaIvor
    @KumbaIvor Год назад

    This is bad. Yo!

  • @margarita8442
    @margarita8442 Год назад +5

    Interesting script kiddie

    • @kiyu3229
      @kiyu3229 Год назад +1

      tf you talking about ?

    • @margarita8442
      @margarita8442 Год назад

      y u say dis GUI boy ? @@kiyu3229

    • @kiyu3229
      @kiyu3229 Год назад

      @@margarita8442 i am just asking what the fuck you are talking about

    • @sangamo38
      @sangamo38 Год назад

      Everyone is a script kiddy in the beginning. That’s where you start.

    • @xB-yg2iw
      @xB-yg2iw Год назад

      🤡

  • @pmcforever9686
    @pmcforever9686 Год назад +1

    first

  • @CaptainMC554
    @CaptainMC554 Год назад

    20th comment

  • @ric8961
    @ric8961 Год назад

    Nice

  • @gurucode.studio
    @gurucode.studio Год назад +1

    So it won't work without LFI !! thanks for the video

  • @christiancepeda5457
    @christiancepeda5457 Год назад

    php in 2023....