PHP Data Exfiltration - Leaking Sensitive Filenames

John Hammond
Comments: 95
@wcrb15 2 years ago
As a PHP dev every time I see you upload something with PHP, NGINX, etc I get excited and scared about having to go potentially update all of my apps lol
@tonyvelasquez6776 2 years ago
I love you
@rogercruz1547 2 years ago
I have a framework, I'm sweating bullets
@R_Y_Z_E_N 1 year ago
Do PHP devs have a good pay scale?
@AlexChaveriat 2 years ago
My absolute favorite thing about this video is you showing the mistakes/issues (like missing the *) and troubleshooting those with print/console.log. Those "failures" are the natural progression of building attacks (and detecting them) - freaking dig it! As always - so much love for your content!
@onen0zednine753 2 years ago
One of the first videos I think I watched that was lightweight complex, but I actually understood everything within.. = growth through progression. good stuff.
@kiwiwelch3620 2 years ago
Best Tech channel on YouTube right here
@lumosyob 2 years ago
his python sword is an actual Bankai ... never fail to amaze 🤩... thank you for the demo sensei !
@Coolioflip666 2 years ago
With a quick modification to the code, you could brute-force check every character to print a list of all file names. Add in the ability to jump up and down directories (if known), you could even build an entire file tree.
@mohinparamasivam5189 2 years ago
I love the way John explains Web Vulnerabilities for CTF Challenges
@thatlamp 2 years ago
The base64 shown at 7:25 that was suggested by autocomplete seems to be encoded PHP source code. Didn't bother decoding the whole thing manually, plus some of it is obscured, but the first part is definitely
@EDAbrh 2 years ago
JH: *PHP is a weird programming language* JS: 👀
@manbearwall 2 years ago
I enjoyed the quick throwing together of the python code. Very cool. Thanks!
@TheH2OWeb 2 years ago
Thanks John ! Here is my YouTube algorithm thing !
@ripplesr5655 1 year ago
Jeez dude! 🤯 I just grabbed the fundamentals of PHP and started my backend journey. I have learned so much in this one video than a whole Udemy courses combined. At this point I really needed to see how devs in the game think and process all of these. Thank you so much! Subscribed and total support! 🙌🏻
@CASPYBXL 2 years ago
Great Video John H. !
@svilenSt. 2 years ago
John - thank you for that video. I will definitely make sure that in all of my projects this method will be unavailable. Thank you!
@bkucenski 2 years ago
There are 1,152,921,504,606,846,976 possible combinations of 15 letters of 16 possibilities each. That collapses real quick as each character is found. Another example of why you always validate user input before doing anything with it. I learned that years ago when I built a quick little file browser in PHP and a more senior dev suggested I try something and it hosed the entire project as it overwrote files. Removing any periods at the start of the input and in this case, removing any colons from the input, would break this sort of attack.
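Added example (not part of the comment above or of the video): one way to apply the validation that comment describes, in PHP. It goes further than stripping characters: any input containing a colon, NUL or glob metacharacter is refused, and the canonical path must stay under an allowed base directory. `resolveListingDir()`, its parameters and the scratch directory names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied directory name to a canonical path inside $base.
 * Returns null when the input must be rejected.
 * Function and parameter names are hypothetical (not from the video).
 */
function resolveListingDir(string $input, string $base): ?string
{
    // Every stream wrapper (glob://, php://, file://) needs a colon,
    // so refusing it outright removes the wrapper route. NUL is refused too.
    if ($input === '' || strpos($input, ':') !== false || strpos($input, "\0") !== false) {
        return null;
    }
    // Refuse glob metacharacters so the value can never act as a pattern.
    if (strpbrk($input, '*?[]{}') !== false) {
        return null;
    }
    // realpath() collapses ../ and symlinks and returns false if nothing exists there.
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $input);
    if ($baseReal === false || $real === false || !is_dir($real)) {
        return null;
    }
    // The canonical result must be the base itself or a path strictly below it.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $baseReal && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs; the base is a scratch directory under the system temp dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'listing-base';
@mkdir($base . DIRECTORY_SEPARATOR . 'public', 0700, true);

$samples = ['public', 'glob:///tmp/challenge/a*', '../', 'public/../..', '.hidden*'];
foreach ($samples as $sample) {
    $result = resolveListingDir($sample, $base);
    printf("%-28s => %s\n", $sample, $result ?? 'REJECTED');
}
```

Rejecting the request is safer than deleting the offending characters, because a cleaned-up value can still resolve to a path the caller never intended.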
@tandoku9133 2 years ago
This was amazing! New perspective for me in tackling issues/problems as a junior PHP/Laravel dev. Thank you. I immediately subscribed before you ended the Python script, because I know I could learn a lot from your content
@RX_100.0 2 years ago
Enjoyed. Loved it Need more videos like this.
@V1N_574 2 years ago
You have a way of sharing knowledge that I haven't seen before. This is great! Thanks
@logiciananimal 2 years ago
I'll have to remember these nonstandard schemes - PHP is so odd. Thanks!
@0xbitbybit 2 years ago
Very cool, definitely do more stuff like this, creating Python scripts to take advantage of something, love it!
@alialavizadeh2775 2 years ago
hey John, your content is always spectacular, keep on doin' this
@кардер 2 years ago
agree
@darkdagger032 2 years ago
Thank you for putting all this effort.
@WanderlustVisual5 2 years ago
Awesome John!
@anythingbutASIC 2 years ago
This is good considering PHP is making a comeback..
@panjiwirasaputra2634 2 years ago
Hey! Thanks so much for this video!
@neilthomas5026 2 years ago
God tier stuff ❤️
@surkewrasoul4711 2 years ago
Hammond looks like he was reverse shelled by Santa Claus but he stopped halfway through 😂
@VulnVentures 2 years ago
😊Very Useful Video Sir......
@Maihoe1 2 years ago
Love the content.
@kiwiwelch3620 2 years ago
I can't wait for this year's hack advent calendar!!!
@peterarnell8112 2 years ago
Really love this sort of content
@scorpion_lux 2 years ago
What a fantastic video and content
@wrench2474 2 years ago
love the process
@_techwaves 2 years ago
Great video john! 🔥🔥
@brunomotta4756 2 years ago
As usual...another amazing video! Tks
@se_mat 2 years ago
Thank you John, this was awesome!
@bartech101 2 years ago
PHP as a language being insecure is a myth. The JavaScript ecosystem is far more insecure. 99.9% of developers don't know what's inside their node_modules directory. And even if you know, a single package update could bring an unexpected surprise. The Colors package is the prime, most known example. One dev was able to bring down thousands of applications with one malicious update. Currently PHP is far more mature and stable. JavaScript has far more WTFs right now but somehow PHP is still the laughing stock. Probably no one will write code like this in a real application to allow looping over the whole file system. The most likely scenario will be to loop over a specific folder, and all $_GET parameters should be sanitized before using. With all that said, I find this content very valuable; it shows what to look out for, especially when it's not so well known and obvious.
@alpha0618 2 years ago
great job bro👍👍👍👍👍👍
@sandra8139 2 years ago
Thank you I need this to get in front of the identity thefts that thinks they can use my identity
@michaelwerkov3438 2 years ago
.. how
@marckortenhorst 2 years ago
Fascinating. Thank you :-)
@m4rt_ 2 years ago
20:30 you don't need str() to separate them... just separate the, just make sure the indentation is even.. or use f""
@Jiube000 2 years ago
I personally really like using join() in such cases. The YouTube comment formatting will probably mangle the indentation, but I think everybody will get the point:

    send = "".join([
        "glob:///tmp/challenge/",
        "".join(leaked_so_far),
        each_character,
        "*",
    ])

Here. Clean, simple, and readable.
@m4rt_ 2 years ago
@@Jiube000 damn, that's actually really elegant, I might implement it into my version
@ShinigamiGrin 2 years ago
Beautiful
@josedavidmoya344 2 years ago
Nice tutorial, I have a problem wNice tutorialle using soft soft .
@AHMADHASAN-ko8zt 1 year ago
what's the shortcut that you used to install the "Build view" in sublime text ?
@jtw-r 2 years ago
update your chrome John!! love the vid btw
@motbus3 2 years ago
I wonder if you could reduce the number of calls to be more stealth by sending sub patterns 🤔
@slinkychungus2044 2 years ago
PHP, the write-only language
@FilippoVicari 2 years ago
Hi, loving your content ❤ even if I am not a penetration tester. I am a full-stack web dev working with PHP. I think PHP is widely used so it needs someone that raises awareness of its flaws. What about making more penetration testing on PHP to have some kind of playlist on the topic? I think web developers must know these potential flaws while using this (so widespread) language. I am going to check if this could lead to some vulnerabilities on the website that I made right now 😂. I think that AJAX and PHP can be very easy to exploit so this could be a starting point, but maybe I am wrong
@javabeanz8549 2 years ago
The biggest thing I see with PHP, sanitize your input! Never trust user input, and especially not from a web request.
@RnVjayBZb3V0dWJl 2 years ago
I really hoped for you to move the "learn python" courses towards learning flask and making your own website with Python. Not having just a super duper short intro one can read up on for 3 minutes xD But hey.. Nice way to spark curiosity i guess ^^
@_JohnHammond 2 years ago
Sounds like I should get back on this ;)
@RnVjayBZb3V0dWJl 2 years ago
@@_JohnHammond eyy, John! I watch each and every video you make! My boss showed me your channel 2 years ago (webapp pentester company) and since then I've not missed a video. Got me surprised to get a reply from you. Have a lovely day ^^
@guilherme5094 2 years ago
Nice.
@LexiLominite 2 years ago
Very nice video 🙂
@andersodgaard6699 2 years ago
Does this also go for Laravel?
@alimustafa2682 2 years ago
The dub dub dub has become a trend
@void_p 2 years ago
private github repositories return 404 instead of access denied or something like that if you don't have access to them. I reckon it is protection against something like this, someone just going through each possible repository name for some user to leak the names of the private ones. not sure how useful that information would be though.
@0xr1kk07 2 years ago
really insightful John. Requesting to have a tutorial on creating our own CTF using any platform(easy-to-setup) or anything you would prefer/recommend to your fans. Thanks a lot
@enpassant7358 2 years ago
PHP didn't have follow link set in the config file.
@Narblo 2 years ago
What DE/WM/Compositor are you using and do you have the configs?
@zukxxxx0 2 years ago
Give me some of your valuable words to manage my degree program preparation and self paced cybersecurity learning. My degree is all about programming and I stuck to do both at the same time. Do I do want to give up one thing?
@cirklare 2 years ago
PHP is one of the most vulnerable things on earth
@Tux0xFF 2 years ago
All languages have vulnerabilities, even golang, c++, especially the ones that deal with memory management. You only see those when hell breaks loose and suddenly people lose millions
@everything-om3zx 2 years ago
hey john , can u make python tutorial for us ?
@Joel-gf4zl 2 years ago
It's just like doing a blind SQL injection.
@C901-p8i 2 years ago
Make a 1 hour video of one nice tuto from google
@ElectricPhase 2 years ago
This is great, but anyone who programs a script accepting user-arguments for directories to examine is certifiably insane.
@thehonestabe 2 years ago
If you trust a user input without validation, you deserve what you get
@dimitriostsobanopoulos7 2 years ago
concurrently :D
@JohnGotts 2 years ago
Interesting exploit but as a PHP web services developer, I can tell you that we don't do stupid things like this. Unchecked input on a service that accesses the filesystem? This would never pass my code review. We appreciate that glob can leak filenames in seconds, even when you don't know the prefix, in an attack scenario. You have to be extremely careful when pulling files off the system in all programming languages, and I can see buggy code written in many languages that use globbing. The bad code and potential exploit is not language specific.
@CopiousAmountsOfDerp 2 years ago
I began as a full LAMP Stack Developer and eventually crossed over to Full Microsoft Stack. And with .Net Core I can run C# Apps in Linux lol. And my C# apps even run on my Raspberry Pi. I'd compare PHP a lot to JavaScript, which you also have Node.js these days too. But I find a more Type Strict language to be more secure out of the bag. In non-Type Strict languages you typically have the triple = (===) operator which performs a Type Strict value comparison. Because in certain conditions double = (==) will evaluate TRUE when triple = (===) would evaluate FALSE, and that has led to many security vulnerabilities/exploits. Just a heads up, peace!
@RepublikSivizien 2 years ago
c^n suddenly is c·n, ups
@aronpop1447 2 years ago
if php is a weird language, javascript is a mindfuck oh boi
@moonshadow6224 2 years ago
Hey John I have this problem that I find it hard to learn hacking without spending money and the things that you can learn for free most of the time are too advanced so I would like to see where people like me could go to where we can learn hacking like a team with other people on the same lvl or a little higher lvl. Thanks a lot for your wonderful videos and for making me want to learn more and more, keep up the excellent job ps. sorry for any spelling errors :D
@bigappleplug6021 2 years ago
For someone who doesn't php... Looks breezy to me
@RageGamer15 2 years ago
500th like
@douggale5962 2 years ago
Come on man. I am tired of youtubers saying "parenthesee" [sic]. It ends with "sis" if it is singular.
@jacobelliott2420 2 years ago
You could also use string.hexdigits as your pool of characters instead of typing them all out
@ireneditrani6203 2 years ago
sa
@wisnuwibissono5330 2 years ago
Sae
@gg-gn3re 2 years ago
ew chrome and sublime wtf
@JNET_Reloaded 2 years ago
why ask questions on a video for no1 replies you're wasting time!
@xtobsscire4760 2 years ago
Hmm, this is some stupid shit.. this is not even specific to PHP. you can expose this nonsense in any language reading the filesystem from user provided input :D . Anyways, I guess John enjoyed himself.
@roslinked 2 years ago
dude, i have to turn you waaaaay down to even watch your video without getting a major headache... turn your fucking mic down!!!
@puceno 2 years ago
7:24
@holyciwa 2 years ago
trance. Dude made a month worth of s before actually realizing what a plug-in is.