Category: PHP

Web Shell – WSO – Security – #ImAWhiteHat

So WSO!!!

By attempting any of the things listed in this blog post you accept full responsibility for your actions and I will not be held responsible whatsoever. This tutorial is strictly for penetration testers only. 

Today we are going to talk about a slightly different topic. I’m pretty sure you are going to love it if you are techie like me. This post is strictly dedicated to security personals out there who are white hats(neither black hats nor grey hats). Hacking or in other terms exploiting a vulnerability is an interesting topic that is also a massive area to be studied. The topic comes under computer security. This blog post will focus on controlling a remote server via a small script which is called a web shell. A popular one has a variation and is known as the ‘WSO Web Shell’. Today we’ll see what we can do with it and how.

So a web shell can also be defined as a type of Remote Administration Tool (RAT) or Backdoor. The web shell can be a full featured administrative GUI which has all the features you need to own/run/destroy a server or as simple as a single line of code that simply takes commands through a browser’s URL and execute it in the server. Beauty is web shells can be written in any language that a server supports. As an example WSO, the one we are going to look at today is written in PHP. So let’s assume that you are running Apache with PHP you will be vulnerable for PHP web shells such as this mighty WSO if you don’t have proper security in place. Most dangerous part is when the shell is installed, it will have the same permissions and abilities as the user who put it on the server. Now you know what’s a web shell is. If you are looking for a list of web shells that are being used in the tech world you can find them right here. Also makes sure that you have harden the Apache server as given this this blog post. – Read More –

class diagram

Class Diagram From PHP Code Using phUML

Today we are going to talk about UML Generator called phUML which is written in PHP. phUML is one of the best tools I have encountered to generate a class diagram from the existing PHP code. This is a common need when it comes to agile methodology. At some point we all have to write code 1st then do the documentation such as draw class diagrams for future references which is crucial for project success. There are tons of tools but most of them are paid or else not working properly but this tool is golden. Okay now if you ask me what’s phUML is, the answer is right below.

phUML is fully automatic UML class diagramm generator written PHP. It is capable of parsing any PHP5 object oriented source code and create an appropriate image representation of the oo structure based on the UML specification.

The image below here is the generated class diagram which phUML created when run on a particular codebase.

phuml generated class diagram

phUML generated class diagram

Okay let’s get down to business. – Read More –

Access a Java function from PHP Using PHP/Java Bridge

If you are wondering how to access a Java function from your PHP code, this blog post is just for you. Answer to your problem is PHP/Java Bridge. You can do many more things using PHP/Java Bridge. Without beating around the bush let’s get started(happy-face).

What’s PHP/Java Bridge?

“The PHP/Java Bridge is an implementation of a streaming, XML-based network protocol, which can be used to connect a native script engine, for example PHP, Scheme or Python, with a Java virtual machine. It is up to 50 times faster than local RPC via SOAP, requires less resources on the web-server side. It is faster and more reliable than direct communication via the Java Native Interface, and it requires no additional components to invoke Java procedures from PHP or PHP procedures from Java.”  – Source 

pjb

– Read More –

Where PHP security could fail or be vulnerable PART 2

Hey PHP folks! How are you? Having a bad day? Are you hacked? Are you feeling unsafe from hackers? Don’t worry, I got you. Today are going to continue our PHP security post. Haven’t you read the part 1 of this blog post? If not I would like you to read it. There I have talked about data security, SQL injection, OS injection and code injection. If you are into security you know that these are the type of vulnerabilities that could exist in a PHP application. Are you sure that you are safe from hackers? Not quite sure right? So read the part 1 of this blog post and get to know the vulnerabilities better. Okay just like the last time we’ll focus on the vulnerabilities and the countermeasures for the particular vulnerability. Time for us to dive into PHP security again(happy-face).

5. Information Leakage

Information leakage is a common vulnerability that we see in PHP applications. You might think that it has a low impact but there is nothing called low impact when it comes to PHP security. Being 99% safe is not going to help, you have to make sure that your application is 100% safe. Look at the picture below.

Information Leakage

You see there goes the PHP vulnerability. This tells the attacker where the weak spot is. You don’t want to display this in a production server. How can we stop this?

– Read More –

Where PHP security could fail or be vulnerable

Hellow there PHP lovers or PHP hackers or whoever you are(happy-face). Today we are going to talk about PHP security. Yeah security. Interesting right? I know I know. Some of the stuff I mention below would be specifically applicable to PHP. But I’ll try to generalise as much as possible so you could apply them everywhere.

In this blog post I’ll focus on the vulnerabilities and the countermeasures for the particular vulnerability. Hey I almost forgot to tell you that some of the PHP security pitfalls are mentioned in the php documentation. So make sure you go through them as well. Let’s divine into PHP security now.

– Read More –