[ThrillKill]

i been goiing though afew google websites on PHP exploits and some of the security forums but i havent come across anywhere where it might exploit the thoery behind PHP

not sure but it works in the same matter as SQL injection but i have no idea where to do start or get soild information about PHP so if anyone is willing to explain how PHP new or old exploit work would be nice or provide some useful reading materials

[daTh0r]

wHY should he learn php and mysql?
he only wanted to know how these exploits are working....

@ThrillKill

I think the exploits send some bytes to the php pages or something else which makes an overflow and let the exploit execute the root shell

plz correct me when i am wron

[ThrillKill]

thnkz for the links not a bad idea to learn always good to increase your knowledge its more on the side of trying to get access to the database for websites which use PHP rather then cgi asp etc when you use SQL injection..there is a pretty good tutorials on this board i been reading up on was wondering how you can use them for websites which use PHP

[BSDG33K]

root shell? :huh:
who's the smart that runs php as root?, it is possible run everything, bue in two conditions..

first one: php must have a bug that may be exploitable via overflow, and not DoS lika what appens if you got a loop for example with a bug.. and you only got rootshell if the program is runing as root or suided :)

the snd: you need the shellcode for waht y need to execute, for example, i have found some times ago a little exploit for kernels 2.4.20 that executes a /bin/sh shell
well, interesting, but ive got priveliges on a webserver to run shell commands via http, so i don't need /bin/sh for nothing! i just create my own version (yes some little code ripped :P) to create a user pwned in passwd insted of execute a shell, nice hein? yes i could put a bindshell, but the host is firewalled..i have only sshd and httpd on the target

so to run a shell with php u need:

check if php has a bug or if it is suided
setuid (0);
to get root if is suided
sexec /bin/sh
to execute the shell

and voil�.. well just overwritte the index pointer to point to the shellcode in the memory ;)

"smash the stack for fun and proof it" google it :)

[m0n]

BSDG33K, Can you explain that in English please?

[thatsmej]

BSDG33K, on Dec 26 2003, 12:27 AM, said:

"smash the stack for fun and proof it" google it :)

Smashing The Stack For Fun And Profit