PHP Data Exfiltration - Leaking Sensitive Filenames

  • Published: 6 Oct 2024

Comments • 95

  • @wcrb15
    @wcrb15 2 years ago +165

    As a PHP dev every time I see you upload something with PHP, NGINX, etc I get excited and scared about having to go potentially update all of my apps lol

  • @AlexChaveriat
    @AlexChaveriat 2 years ago +41

    My absolute favorite thing about this video is you showing the mistakes/issues (like missing the *) and troubleshooting those with print/console.log. Those "failures" are the natural progression of building attacks (and detecting them) - freaking dig it! As always - so much love for your content!

  • @onen0zednine753
    @onen0zednine753 2 years ago +2

    One of the first videos I think I watched that was lightweight complex, but I actually understood everything within.. = growth through progression. good stuff.

  • @Coolioflip666
    @Coolioflip666 2 years ago +7

    With a quick modification to the code, you could brute-force check every character to print a list of all file names. Add in the ability to jump up and down directories (if known), you could even build an entire file tree.

  • @mohinparamasivam5189
    @mohinparamasivam5189 2 years ago +3

    I love the way John explains Web Vulnerabilities for CTF Challenges

  • @lumosyob
    @lumosyob 2 years ago +3

    his python sword is an actual Bankai ... never fail to amaze 🤩... thank you for the demo sensei !

  • @kiwiwelch3620
    @kiwiwelch3620 2 years ago +1

    Best Tech channel on RUclips right here

  • @tandoku9133
    @tandoku9133 2 years ago

    This was amazing! New perspective for me in tackling issues/problems as a junior PHP/Laravel dev. Thank you. I immediately subscribed before you ended the Python script, cause I know I could learn a lot from your content

  • @manbearwall
    @manbearwall 2 years ago +1

    I enjoyed the quick throwing together of the python code. Very cool. Thanks!

  • @ripplesr5655
    @ripplesr5655 1 year ago

    Jeez dude! 🤯
    I just grabbed the fundamentals of PHP and started my backend journey. I have learned so much in this one video than whole Udemy courses combined.
    At this point I really needed to see how devs in the game think and process all of these. Thank you so much! Subscribed and total support! 🙌🏻

  • @V1N_574
    @V1N_574 2 years ago

    You have a way of sharing knowledge that I haven't seen before. This is great! Thanks

  • @svilenSt.
    @svilenSt. 2 years ago

    John - thank you for that video. I will definitely make sure that in all of my projects this method will be unavailable. Thank you!

  • @thatlamp
    @thatlamp 2 years ago +2

    The base64 shown at 7:25 that was suggested by autocomplete seems to be encoded PHP source code. Didn't bother decoding the whole thing manually, plus some of it is obscured, but the first part is definitely

  • @logiciananimal
    @logiciananimal 2 years ago +1

    I'll have to remember these nonstandard schemes - PHP is so odd. Thanks!

  • @TheH2OWeb
    @TheH2OWeb 2 years ago

    Thanks John ! Here is my RUclips algorithm thing !

  • @bkucenski
    @bkucenski 2 years ago

    There are 1,152,921,504,606,846,976 possible combinations of 15 letters of 16 possibilities each. That collapses real quick as each character is found. Another example of why you always validate user input before doing anything with it. I learned that years ago when I built a quick little file browser in PHP and a more senior dev suggested I try something and it hosed the entire project as it overwrote files. Removing any periods at the start of the input and in this case, removing any colons from the input, would break this sort of attack.
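    An added defensive example in PHP (not code from the video or from anyone in this thread) of the validation the comment above describes: a colon is refused outright, because it is what lets a stream-wrapper scheme such as glob:// reach the filesystem layer, and leading dots, path separators and glob metacharacters are refused before any filesystem call is made. The base directory and the sample inputs are constructed; PHP 8 is assumed for str_contains/str_starts_with.

```php
<?php
declare(strict_types=1);

// Added example, not code from the video or the comments.
// Assumes PHP 8 (str_contains / str_starts_with). BASE_DIR is a constructed path.
const BASE_DIR = '/var/www/app/files';

/**
 * Return the resolved path of $userInput inside $baseDir, or null to reject it.
 * Every check is purely syntactic until the value has been accepted; only then
 * does realpath() touch the filesystem.
 */
function safeFilePath(string $userInput, string $baseDir = BASE_DIR): ?string
{
    // A colon lets "glob://", "php://", "data://" etc. reach PHP's
    // stream-wrapper layer, which is exactly what leaks filenames here.
    if (str_contains($userInput, ':')) {
        return null;
    }
    // Only a plain file name: no leading dot (no "..", no dotfiles),
    // no "/" or "\", and no glob metacharacters such as "*", "?" or "[".
    if (preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/D', $userInput) !== 1) {
        return null;
    }
    // Resolve both sides and confirm the target really lives under the base
    // directory (guards against a symlink pointing somewhere else).
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userInput);
    if ($base === false || $full === false
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

// Constructed inputs; the last three are refused before any filesystem access.
$inputs = ['report.txt', 'glob:///tmp/challenge/*', '../etc/passwd', 'a*'];
foreach ($inputs as $in) {
    printf("%-26s %s\n", $in, safeFilePath($in) === null ? 'rejected' : 'accepted');
}
```

    The first input is accepted only if the file actually exists under the base directory, since realpath() returns false otherwise.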

  • @RX_100.0
    @RX_100.0 2 years ago +1

    Enjoyed.
    Loved it
    Need more videos like this.

  • @0xbitbybit
    @0xbitbybit 2 years ago +2

    Very cool, definitely do more stuff like this, creating Python scripts to take advantage of something, love it!

  • @darkdagger032
    @darkdagger032 2 years ago +2

    Thank you for putting all this effort.

  • @alialavizadeh2775
    @alialavizadeh2775 2 years ago +3

    hey John, your content is always spectacular, keep on doin' this

  • @EDAbrh
    @EDAbrh 2 years ago +2

    JH: *PHP is a weird programming language*
    JS: 👀

  • @anythingbutASIC
    @anythingbutASIC 2 years ago

    This is good considering PHP is making a comeback..

  • @bartech101
    @bartech101 1 year ago

    PHP as a language being insecure is a myth. The JavaScript ecosystem is far more insecure. 99.9% of developers don't know what's inside their node_modules directory. And even if you know, a single package update could bring an unexpected surprise. The colors package is the best-known example. One dev was able to bring down thousands of applications with one malicious update. Currently PHP is far more mature and stable. JavaScript has far more WTFs right now but somehow PHP is still the laughing stock. Probably no one will write code like this in a real application to allow looping over the whole file system. The most likely scenario will be to loop over a specific folder, and all $_GET parameters should be sanitized before use. With all that said, I find this content very valuable; it shows what to look out for, especially when it's not so well known and obvious.

  • @CASPYBXL
    @CASPYBXL 2 years ago

    Great Video John H. !

  • @FilippoVicari
    @FilippoVicari 2 years ago +4

    Hi, loving your content ❤ even if I am not a penetration tester.
    I am a full-stack web dev working with PHP. I think PHP is widely used so it needs someone to raise awareness of its flaws. What about doing more penetration testing on PHP to have some kind of playlist on the topic? I think web developers must know these potential flaws while using this (so widespread) language. I am going to check right now whether this could lead to some vulnerabilities on the website that I made 😂.
    I think that AJAX and PHP can be very easy to exploit so this could be a starting point, but maybe I am wrong

    • @javabeanz8549
      @javabeanz8549 2 years ago +1

      The biggest thing I see with PHP, sanitize your input! Never trust user input, and especially not from a web request.

  • @0xr1kk07
    @0xr1kk07 2 years ago +1

    really insightful John. Requesting to have a tutorial on creating our own CTF using any platform(easy-to-setup) or anything you would prefer/recommend to your fans. Thanks a lot

  • @panjiwirasaputra2634
    @panjiwirasaputra2634 2 years ago

    Hey! Thanks so much for this video!

  • @RnVjayBZb3V0dWJl
    @RnVjayBZb3V0dWJl 2 years ago +6

    I really hoped for you to move the "learn python" courses towards learning flask and making your own website with Python. Not having just a super duper short intro one can read up on for 3 minutes xD But hey.. Nice way to spark curiosity i guess ^^

    • @_JohnHammond
      @_JohnHammond 2 years ago +6

      Sounds like I should get back on this ;)

    • @RnVjayBZb3V0dWJl
      @RnVjayBZb3V0dWJl 2 years ago +1

      @@_JohnHammond eyy, John! I watch each and every video you make! My boss showed me your channel 2 years ago (webapp pentester company) and since then I've not missed a video. Got me surprised to get a reply from you. Have a lovely day ^^

  • @brunomotta4756
    @brunomotta4756 2 years ago

    As usual...another amazing video! Tks

  • @peterarnell8112
    @peterarnell8112 2 years ago

    Really love this sort of content

  • @surkewrasoul4711
    @surkewrasoul4711 1 year ago

    Hammond looks like he was reverse shelled by Santa Claus but he stopped halfway through 😂

  • @wrench2474
    @wrench2474 2 years ago

    love the process

  • @WanderlustVisual5
    @WanderlustVisual5 2 years ago

    Awesome John!

  • @neilthomas5026
    @neilthomas5026 2 years ago

    God tier stuff ❤️

  • @se_mat
    @se_mat 2 years ago

    Thank you John, this was awesome!

  • @kiwiwelch3620
    @kiwiwelch3620 2 years ago

    I can't wait for this year's hack advent calendar!!!

  • @Maihoe1
    @Maihoe1 2 years ago

    Love the content.

  • @sandra8139
    @sandra8139 2 years ago

    Thank you, I need this to get in front of the identity thieves who think they can use my identity

  • @_techwaves
    @_techwaves 2 years ago

    Great video john! 🔥🔥

  • @bug_artist4736
    @bug_artist4736 2 years ago +1

    😊Very Useful Video Sir......

  • @ShinigamiAnger
    @ShinigamiAnger 2 years ago

    Beautiful

  • @jtw-r
    @jtw-r 2 years ago

    update your chrome John!! love the vid btw

  • @marckortenhorst
    @marckortenhorst 2 years ago

    Fascinating. Thank you :-)

  • @JohnGotts
    @JohnGotts 2 years ago +7

    Interesting exploit but as a PHP web services developer, I can tell you that we don't do stupid things like this. Unchecked input on a service that accesses the filesystem? This would never pass my code review. We appreciate that glob can leak filenames in seconds, even when you don't know the prefix, in an attack scenario. You have to be extremely careful when pulling files off the system in all programming languages, and I can see buggy code written in many languages that use globbing. The bad code and potential exploit are not language specific.

  • @guilherme5094
    @guilherme5094 2 years ago

    Nice.

  • @scorpion_lux
    @scorpion_lux 2 years ago

    What a fantastic video and content

  • @alpha0618
    @alpha0618 2 years ago

    great job bro👍👍👍👍👍👍

  • @josedavidmoya344
    @josedavidmoya344 2 years ago

    Nice tutorial, I have a problem wNice tutorialle using soft soft .

  • @slinkychungus2044
    @slinkychungus2044 2 years ago

    PHP, the write-only language

  • @cirklare
    @cirklare 2 years ago +5

    PHP is one of the most vulnerable things on earth

    • @Tux0xFF
      @Tux0xFF 2 years ago +2

      All languages have vulnerabilities, even Golang, C++, especially the ones that deal with memory management.
      You only see those when hell breaks loose and suddenly people lose millions

  • @CopiousAmountsOfDerp
    @CopiousAmountsOfDerp 2 years ago

    I began as a full LAMP Stack Developer and eventually crossed over to Full Microsoft Stack. And with .Net Core I can run C# Apps in Linux lol. And my C# apps even run on my Raspberry Pi.
    I'd compare PHP a lot to JavaScript, which you also have Node.js these days too. But I find a more Type Strict language to be more secure out of the bag. In non-Type Strict languages you typically have the triple = (===) operator which performs a Type Strict value comparison. Because in certain conditions double = (==) will evaluate TRUE when triple = (===) would evaluate FALSE, and that has led to many security vulnerabilities/exploits.
    Just a heads up, peace!

  • @ElectricPhase
    @ElectricPhase 2 years ago +1

    This is great, but anyone who programs a script accepting user-arguments for directories to examine is certifiably insane.

  • @LexiLominite
    @LexiLominite 2 years ago

    Very nice video 🙂

  • @thehonestabe
    @thehonestabe 2 years ago

    If you trust a user input without validation, you deserve what you get

  • @alimustafa2682
    @alimustafa2682 2 years ago +1

    The dub dub dub has become a trend

  • @m4rt_
    @m4rt_ 2 years ago

    20:30 you don't need str() to separate them... just separate them, just make sure the indentation is even.. or use f""

    • @Jiube000
      @Jiube000 2 years ago

      I personally really like using join() in such cases. The RUclips comment formatting will probably mangle the indentation, but I think everybody will get the point:
      send = "".join([
          "glob:///tmp/challenge/",
          "".join(leaked_so_far),
          each_character,
          "*",
      ])
      Here. Clean, simple, and readable.

    • @m4rt_
      @m4rt_ 2 years ago

      @@Jiube000 damn, that's actually really elegant, I might implement it into my version

  • @Joel-gf4zl
    @Joel-gf4zl 2 years ago

    It's just like doing a blind SQL injection.

  • @C901-p8i
    @C901-p8i 2 years ago

    Make a 1 hour video of one nice tuto from google

  • @void_p
    @void_p 2 years ago

    Private GitHub repositories return 404 instead of access denied or something like that if you don't have access to them. I reckon it is protection against something like this, someone just going through each possible repository name for some user to leak the names of the private ones. Not sure how useful that information would be though.

  • @motbus3
    @motbus3 2 years ago

    I wonder if you could reduce the number of calls to be more stealth by sending sub patterns 🤔

  • @moonshadow6224
    @moonshadow6224 2 years ago

    Hey John, I have this problem that I find it hard to learn hacking without spending money, and the things that you can learn for free most of the time are too advanced, so I would like to see where people like me could go where we can learn hacking like a team with other people on the same level or a little higher level.
    Thanks a lot for your wonderful videos and for making me want to learn more and more, keep up the excellent job
    ps. sorry for any spelling errors :D

  • @dimitriostsobanopoulos7
    @dimitriostsobanopoulos7 2 years ago

    concurrently :D

  • @AHMADHASAN-ko8zt
    @AHMADHASAN-ko8zt 1 year ago

    what's the shortcut that you used to install the "Build view" in sublime text ?

  • @zukxxxx0
    @zukxxxx0 2 years ago

    Give me some of your valuable words to manage my degree program preparation and self-paced cybersecurity learning. My degree is all about programming and I'm stuck doing both at the same time. Do I want to give up one thing?

  • @douggale5962
    @douggale5962 2 years ago +2

    Come on man. I am tired of youtubers saying "parenthesee" [sic]. It ends with "sis" if it is singular.

  • @RepublikSivizien
    @RepublikSivizien 2 years ago +1

    c^n suddenly is c·n, oops

  • @enpassant7358
    @enpassant7358 2 years ago

    PHP didn't have follow link set in the config file.

  • @andersodgaard6699
    @andersodgaard6699 2 years ago

    does this also goes for Laravel ?

  • @everything-om3zx
    @everything-om3zx 2 years ago

    hey john , can u make python tutorial for us ?

  • @Narblo
    @Narblo 2 years ago

    What DE/WM/Compositor are you using and do you have the configs?

  • @aronpop1447
    @aronpop1447 2 years ago

    if php is a weird language, javascript is a mindfuck oh boi

  • @jacobelliott2420
    @jacobelliott2420 2 years ago

    You could also use string.hexdigits as your pool of characters instead of typing them all out

  • @bigappleplug6021
    @bigappleplug6021 2 years ago

    For someone who doesn't php...
    Looks breezy to me

  • @wisnuwibissono5330
    @wisnuwibissono5330 2 years ago

    Sae

  • @RageGamer15
    @RageGamer15 2 years ago

    500th like

  • @ireneditrani6203
    @ireneditrani6203 2 years ago

    sa

  • @gg-gn3re
    @gg-gn3re 2 years ago

    ew chrome and sublime wtf

  • @xtobsscire4760
    @xtobsscire4760 2 years ago

    Hmm, this is some stupid shit.. this is not even specific to PHP. you can expose this nonsense in any language reading the filesystem from user provided input :D . Anyways, I guess John enjoyed himself.

  • @JNET_Reloaded
    @JNET_Reloaded 2 years ago

    why ask questions on a video when no one replies? you're wasting time!

  • @roslinked
    @roslinked 2 years ago

    dude, i have to turn you waaaaay down to even watch your video without getting a major headache... turn your fucking mic down!!!

  • @puceno
    @puceno 2 years ago

    7:24

  • @holyciwa
    @holyciwa 2 years ago

    trance. Dude made a month worth of s before actually realizing what a plug-in is.