Page 1 of 1
Php Exploit
#1
Posted 25 December 2003 - 01:21 PM
I have been going through a few Google websites on PHP exploits and some of the security forums, but I haven't come across anywhere where it might exploit the theory behind PHP.
Not sure, but it works in the same manner as SQL injection, but I have no idea where to start or get solid information about PHP, so if anyone is willing to explain how new or old PHP exploits work, that would be nice, or provide some useful reading materials.
#2 Guest_nulladd_*
Posted 25 December 2003 - 01:59 PM
learn php
http://au3.php.net/manual/en/index.php
mysql
http://www.mysql.com...n/Tutorial.html
then play
#3
Posted 25 December 2003 - 02:03 PM
Why should he learn PHP and MySQL?
He only wanted to know how these exploits work....
@ThrillKill
I think the exploits send some bytes to the PHP pages or something else, which makes an overflow and lets the exploit execute the root shell.
Plz correct me when I am wrong.
#6
Posted 25 December 2003 - 10:15 PM
Thanks for the links. Not a bad idea to learn; always good to increase your knowledge. It's more on the side of trying to get access to the database for websites which use PHP rather than CGI, ASP etc. when you use SQL injection.. There are some pretty good tutorials on this board I have been reading up on; was wondering how you can use them for websites which use PHP.
#7
Posted 26 December 2003 - 12:27 AM
root shell? :huh:
Who's the smart one that runs PHP as root? It is possible to run everything, but on two conditions..
First one: PHP must have a bug that may be exploitable via overflow, and not a DoS like what happens if you've got a loop, for example, with a bug.. and you only get a root shell if the program is running as root or suided :)
The second: you need the shellcode for what you need to execute. For example, I found some time ago a little exploit for 2.4.20 kernels that executes a /bin/sh shell.
Well, interesting, but I've got privileges on a webserver to run shell commands via HTTP, so I don't need /bin/sh for anything! I just created my own version (yes, some little code ripped :P ) to create a user pwned in passwd instead of executing a shell, nice, hein? Yes, I could put a bindshell, but the host is firewalled.. I have only sshd and httpd on the target.
So to run a shell with PHP you need:
check if PHP has a bug or if it is suided
setuid (0);
to get root if it is suided
sexec /bin/sh
to execute the shell
and voilà.. well, just overwrite the index pointer to point to the shellcode in memory ;)
"smash the stack for fun and profit" google it :)
#10 Guest_ThinIce_*
Posted 01 January 2004 - 06:40 AM
You'll never get something deemed as high as root- period. The only thing one can do is defacement through circumventing crappy code with something simple. The prog itself takes things quite verbatim; you can do defacement / mysql db compromisation and that's about it-- I may stand corrected but I have yet to hear of something as drastic as shell / account compromisation with PHP.