As a PHP dev, every time I see you upload something with PHP, NGINX, etc., I get excited and scared about having to go potentially update all of my apps lol
I love you
I have a framework, I'm sweating bullets
Does php devs have good pay scale ?
My absolute favorite thing about this video is you showing the mistakes/issues (like missing the *) and troubleshooting those with print/console.log. Those "failures" are the natural progression of building attacks (and detecting them) - freaking dig it! As always - so much love for your content!
One of the first videos I think I watched that was lightweight complex, but I actually understood everything within.. = growth through progression. good stuff.
Best Tech channel on TH-cam right here
his python sword is an actual Bankai ... never fail to amaze 🤩... thank you for the demo sensei !
With a quick modification to the code, you could brute-force check every character to print a list of all file names. Add in the ability to jump up and down directories (if known), you could even build an entire file tree.
I love the way John explains Web Vulnerabilities for CTF Challenges
The base64 shown at 7:25 that was suggested by autocomplete seems to be encoded PHP source code. Didn't bother decoding the whole thing manually, plus some of it is obscured, but the first part is definitely
JH: *PHP is a weird programming language*
JS: 👀
I enjoyed the quick throwing together of the python code. Very cool. Thanks!
Thanks John ! Here is my TH-cam algorithm thing !
Jeez dude! 🤯
I just grabbed the fundamentals of PHP and started my backend journey. I have learned more in this one video than whole Udemy courses combined.
At this point I really needed to see how devs in the game think and process all of these. Thank you so much! Subscribed and total support! 🙌🏻
Great Video John H. !
John - thank you for that video. I will definitely make sure that in all of my projects this method will be unavailable. Thank you!
There are 1,152,921,504,606,846,976 possible combinations of 15 letters of 16 possibilities each. That collapses real quick as each character is found. Another example of why you always validate user input before doing anything with it. I learned that years ago when I built a quick little file browser in PHP and a more senior dev suggested I try something and it hosed the entire project as it overwrote files. Removing any periods at the start of the input and in this case, removing any colons from the input, would break this sort of attack.
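An added offline stand-in, not code from the video or from the challenge, for the two sides of the argument above: a vulnerable handler that hands the raw parameter to a glob-style match, the hardened handler with the colon/leading-dot check the comment recommends, and a counter showing the per-character oracle costs at most 16 calls per position against the former and recovers nothing against the latter. The directory listing, the flag name and both handler functions are constructed for this example.

```python
import fnmatch
import string

# Constructed stand-in for the video's /tmp/challenge directory; the flag name
# is made up for this example, not taken from the real challenge.
CHALLENGE_DIR = "/tmp/challenge/"
FILES = ["index.php", "flag_3fa9c1b7d02e4a5.txt"]
HEX = string.hexdigits[:16]           # "0123456789abcdef" (as suggested in the thread)


def vulnerable_handler(user_path: str) -> bool:
    """Hypothetical PHP-like endpoint that hands the raw parameter to a file
    function. A 'glob://' prefix turns the parameter into a pattern, and the
    caller can tell from the response whether the pattern matched anything."""
    if user_path.startswith("glob://"):
        pattern = user_path[len("glob://"):]
        if pattern.startswith(CHALLENGE_DIR):
            name_pattern = pattern[len(CHALLENGE_DIR):]
            return any(fnmatch.fnmatchcase(f, name_pattern) for f in FILES)
        return False
    if user_path.startswith(CHALLENGE_DIR):
        return user_path[len(CHALLENGE_DIR):] in FILES
    return False


def hardened_handler(user_name: str) -> bool:
    """Same endpoint with the checks the thread recommends: the parameter is a
    bare file name inside the fixed directory; a colon (which every PHP stream
    wrapper such as glob:// needs), a leading dot or a slash fails closed.
    Returning False rather than raising gives the caller no extra hint."""
    if ":" in user_name or user_name.startswith(".") or "/" in user_name:
        return False
    return user_name in FILES


def oracle_leak(handler, prefix: str, length: int):
    """Recover a hex name one character at a time through a yes/no oracle,
    counting handler calls. This is the thread's cost argument in code: at
    most 16 guesses per position instead of 16**length overall."""
    leaked, calls = "", 0
    for _ in range(length):
        for ch in HEX:
            calls += 1
            if handler("glob://" + CHALLENGE_DIR + prefix + leaked + ch + "*"):
                leaked += ch
                break
        else:                 # no character matched: the oracle is closed
            break
    return leaked, calls


if __name__ == "__main__":
    print(oracle_leak(vulnerable_handler, "flag_", 15))  # ('3fa9c1b7d02e4a5', 131)
    print(oracle_leak(hardened_handler, "flag_", 15))    # ('', 16)
    print(16 ** 15)                                       # 1152921504606846976
```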
This was amazing! New perspective for me in tackling issues/problems as a junior PHP/Laravel dev. Thank you. I immediately subscribed before you ended the Python script, cause I know I could learn a lot from your content
Enjoyed.
Loved it
Need more videos like this.
You have a way of sharing knowledge that I haven't seen before. This is great! Thanks
I'll have to remember these nonstandard schemes - PHP is so odd. Thanks!
Very cool, definitely do more stuff like this, creating Python scripts to take advantage of something, love it!
hey John, your content is always spectacular, keep on doin' this
agree
Thank you for putting all this effort.
Awesome John!
This is good considering PHP is making a comeback..
Hey! Thanks so much for this video!
God tier stuff ❤️
Hammond looks like he was reverse shelled by Santa Claus but he stopped halfway through 😂
😊 Very Useful Video Sir......
Love the content.
I can't wait for this year's hack advent calendar!!!
Really love this sort of content
What a fantastic video and content
love the process
Great video john! 🔥🔥
As usual...another amazing video! Tks
Thank you John, this was awesome!
PHP as a language being insecure is a myth. The JavaScript ecosystem is far more insecure. 99.9% of developers don't know what's inside their node_modules directory. And even if you know, a single package update could bring an unexpected surprise. The colors package is the most well-known example. One dev was able to bring down thousands of applications with one malicious update. Currently PHP is far more mature and stable. JavaScript has far more WTFs right now but somehow PHP is still a laughing stock. Probably no one will write code like this in a real application to allow looping over the whole file system. The most likely scenario will be to loop over a specific folder, and all $_GET parameters should be sanitized before using. With all that said, I find this content very valuable; it shows what to look out for, especially when it's not so well known and obvious.
great job bro👍👍👍👍👍👍
Thank you, I need this to get in front of the identity thieves who think they can use my identity
.. how
Fascinating. Thank you :-)
20:30 you don't need str() to separate them... just separate them, just make sure the indentation is even.. or use f""
I personally really like using join() in such cases. The TH-cam comment formatting will probably mangle the indentation, but I think everybody will get the point:
send = "".join([
    "glob:///tmp/challenge/",
    "".join(leaked_so_far),
    each_character,
    "*",
])
Here. Clean, simple, and readable.
@@Jiube000 damn, that's actually really elegant, I might implement it into my version
Beautiful
what's the shortcut that you used to install the "Build view" in sublime text ?
update your chrome John!! love the vid btw
I wonder if you could reduce the number of calls to be more stealth by sending sub patterns 🤔
PHP, the write-only language
Hi, loving your content ❤ even if I am not a Penetration tester.
I am a full-stack web dev working with PHP. I think PHP is widely used so it needs someone who raises awareness of its flaws. What about making more penetration testing on PHP to have some kind of playlist on the topic? I think web developers must know these potential flaws while using this (so widespread) language. I am going to check if this could lead to some vulnerabilities on the website that I am making right now 😂.
I think that AJAX and PHP can be very easy to exploit so this could be a starting point, but maybe I am wrong
The biggest thing I see with PHP, sanitize your input! Never trust user input, and especially not from a web request.
I really hoped for you to move the "learn python" courses towards learning flask and making your own website with Python. Not having just a super duper short intro one can read up on for 3 minutes xD But hey.. Nice way to spark curiosity i guess ^^
Sounds like I should get back on this ;)
@@_JohnHammond eyy, John! I watch each and every video you make! My boss showed me your channel 2 years ago (webapp pentester company) and since then I've not missed a video. Got me surprised to get a reply from you. Have a lovely day ^^
Nice.
Very nice video 🙂
Does this also go for Laravel?
The dub dub dub has become a trend
Private GitHub repositories return 404 instead of access denied or something like that if you don't have access to them. I reckon it is protection against something like this, someone just going through each possible repository name for some user to leak the names of the private ones. Not sure how useful that information would be though.
really insightful John. Requesting to have a tutorial on creating our own CTF using any platform(easy-to-setup) or anything you would prefer/recommend to your fans. Thanks a lot
PHP didn't have follow link set in the config file.
What DE/WM/Compositor are you using and do you have the configs?
Give me some of your valuable words to manage my degree program preparation and self-paced cybersecurity learning. My degree is all about programming and I'm stuck doing both at the same time. Do I want to give up one thing?
PHP is one of the most vulnerable things on earth
All languages have vulnerabilities, even Golang, C++, especially the ones that deal with memory management.
You only see those when hell breaks loose and suddenly people lose millions
hey john , can u make python tutorial for us ?
It's just like doing a blind SQL injection.
Make a 1 hour video of one nice tuto from google
This is great, but anyone who programs a script accepting user-arguments for directories to examine is certifiably insane.
If you trust a user input without validation, you deserve what you get
concurrently :D
Interesting exploit but as a PHP web services developer, I can tell you that we don't do stupid things like this. Unchecked input on a service that accesses the filesystem? This would never pass my code review. We appreciate that glob can leak filenames in seconds, even when you don't know the prefix, in an attack scenario. You have to be extremely careful when pulling files off the system in all programming languages, and I can see buggy code written in many languages that use globbing. The bad code and potential exploit is not language specific.
I began as a full LAMP Stack Developer and eventually crossed over to Full Microsoft Stack. And with .Net Core I can run C# Apps in Linux lol. And my C# apps even run on my Raspberry Pi.
I'd compare PHP a lot to JavaScript, which you also have Node.js for these days too. But I find a more type-strict language to be more secure out of the bag. In non-type-strict languages you typically have the triple = (===) operator which performs a type-strict value comparison. Because in certain conditions double = (==) will evaluate TRUE when triple = (===) would evaluate FALSE, and that has led to many security vulnerabilities/exploits.
Just a heads up, peace!
c^n suddenly is c·n, ups
if php is a weird language, javascript is a mindfuck oh boi
Hey John, I have this problem that I find it hard to learn hacking without spending money, and the things that you can learn for free most of the time are too advanced, so I would like to see where people like me could go to where we can learn hacking like a team with other people on the same level or a little higher level.
Thanks a lot for your wonderful videos and for making me want to learn more and more, keep up the excellent job
ps. sorry for any spelling errors :D
For someone who doesn't php...
Looks breezy to me
500th like
Come on man. I am tired of youtubers saying "parenthesee" [sic]. It ends with "sis" if it is singular.
You could also use string.hexdigits as your pool of characters instead of typing them all out
ew chrome and sublime wtf
why ask questions on a video when no one replies? you're wasting time!
Hmm, this is some stupid shit.. this is not even specific to PHP. you can expose this nonsense in any language reading the filesystem from user provided input :D . Anyways, I guess John enjoyed himself.
dude, i have to turn you waaaaay down to even watch your video without getting a major headache... turn your fucking mic down!!!
7:24
trance. Dude made a month worth of s before actually realizing what a plug-in is.