This is a discussion on "Question on viewing code" within the alt.comp.lang.php forums, part of the PHP Programming Forums category: Is there a way I can look at the PHP code that is running a site, without any kind of ...
Alan Larsson wrote:
> Is there a way I can look at the PHP code that is running a site, without any
> kind of admin access to the server?

Unless there is a horrible server misconfiguration or the site has a serious scripting vulnerability, no.

--
Curtis, http://dyersweb.com

On 23 Feb, 01:12, Curtis <zer0d...@verizon.net> wrote:
> Alan Larsson wrote:
> > Is there a way I can look at the PHP code that is running a site, without any
> > kind of admin access to the server?
>
> Unless there is a horrible server misconfiguration or the site has a
> serious scripting vulnerability, no.
>
> --
> Curtis, http://dyersweb.com

Yes, probably, but not for someone who provides no specifics and at least attempts to justify it. Do no evil. And you have to pay school fees by learning more about things before you ask this kind of question, or you won't be respected enough to get given the answers.

Message-ID: <45de37b2$0$4891$4c368faf@roadrunner.com> from Alan Larsson
contained the following:

> Is there a way I can look at the PHP code that is running a site, without any
> kind of admin access to the server?

No.

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

"shimmyshack" <matt.farey@gmail.com> wrote in message news:1172193670.840327.125390@v33g2000cwv.googlegr oups.com... > On 23 Feb, 01:12, Curtis <zer0d...@verizon.net> wrote: >> Alan Larsson wrote: >> > Is there a way i can look at the php code that is runnig a site, >> > without any >> > ind of admin access to the server? >> >> Unless there is a horrible server misconfiguration or the site has a >> serious scripting vulnerability, no. >> >> -- >> Curtis,http://dyersweb.com > > yes, probably but not for someone who provides no specifics and at > least attempts to justify it. > do no evil. > and you have to pay school fees by learning more about things before > you ask this kind of question, or you wont be respected enough to get > given the answers > actually, I am being accused of stealing PHP code from a site.. and I did not think it was possible, so I asked the experts here. |
On 23 Feb, 02:23, "Alan Larsson" <newsgr...@alstown.com> wrote:
> "shimmyshack" <matt.fa...@gmail.com> wrote in message
> news:1172193670.840327.125390@v33g2000cwv.googlegroups.com...
> > On 23 Feb, 01:12, Curtis <zer0d...@verizon.net> wrote:
> >> Alan Larsson wrote:
> >> > Is there a way I can look at the PHP code that is running a site,
> >> > without any
> >> > kind of admin access to the server?
> >>
> >> Unless there is a horrible server misconfiguration or the site has a
> >> serious scripting vulnerability, no.
> >>
> >> --
> >> Curtis, http://dyersweb.com
> >
> > yes, probably but not for someone who provides no specifics and at
> > least attempts to justify it.
> > do no evil.
> > and you have to pay school fees by learning more about things before
> > you ask this kind of question, or you won't be respected enough to get
> > given the answers
>
> actually, I am being accused of stealing PHP code from a site.. and I did
> not think it was possible, so I asked the experts here.

Ah, I see. Well, it didn't sound to me that you knew enough to do it, so that's your strongest card. Don't start getting interested in this area just for the sake of showing you can't, because it's a huge area and the answer to this question is always YES, probably (even the ones with "hacker safe" symbols).

Basically, PHP code is designed never to be released to the end user: any file on the server should be executed and only the results of the PHP code sent to your browser. However, there are times when people make mistakes and the code can be downloaded. The only way you could have accidentally stolen code via a browser is by accidentally finding a publicly available piece of code, which is NOT your fault. Even if you did find this, it would be quite improbable that the site in question could tell if you had (unless they use some kind of complex outgoing filter that records but does not stop outgoing code release, whereas filters of this kind are usually set up to stop code release).

I would say you are on balance very unlikely to be accused for very long:
a) it shows a lack of professionalism on their part to be releasing code which they later regret.
b) whereas, however, they are saying "they know" you did it, which shows a degree of skill they probably don't have, as (a) shows.

Just ask for evidence. But don't claim it "isn't possible", because it usually is possible to launch an attack; there are so many ways to do it. For more advice and info ask "OWASP or web app sec"; they have to deal with these kinds of complaints and threats on a regular basis when they reveal vulnerabilities on sites. In general, if you see something wrong the advice is don't report it, unless you have reason to believe you will escape subsequent action.

"shimmyshack" <matt.farey@gmail.com> wrote in message news:1172198155.605591.99560@s48g2000cws.googlegro ups.com... | On 23 Feb, 02:23, "Alan Larsson" <newsgr...@alstown.com> wrote: | > "shimmyshack" <matt.fa...@gmail.com> wrote in message | > | > news:1172193670.840327.125390@v33g2000cwv.googlegr oups.com... | > | > | > | > > On 23 Feb, 01:12, Curtis <zer0d...@verizon.net> wrote: | > >> Alan Larsson wrote: | > >> > Is there a way i can look at the php code that is runnig a site, | > >> > without any | > >> > ind of admin access to the server? | > | > >> Unless there is a horrible server misconfiguration or the site has a | > >> serious scripting vulnerability, no. | > | > >> -- | > >> Curtis,http://dyersweb.com | > | > > yes, probably but not for someone who provides no specifics and at | > > least attempts to justify it. | > > do no evil. | > > and you have to pay school fees by learning more about things before | > > you ask this kind of question, or you wont be respected enough to get | > > given the answers | > | > actually, I am being accused of stealing PHP code from a site.. and I did | > not think it was possible, so I asked the experts here. | | Ah I see, well it didn't sound to me that you knew enough to do it, so | that's your strongest card. | Don't start getting interested in this area just for the sake of | showing you can't because it's a huge area and the answer to this | question is always YES probably. (even the ones with "hacker safe" | symbols. | Basically PHP code is designed never to be released to the end user, | any file on the server should be executed and only the results of the | php code sent to your browser, however there are times when people | make mistakes and the code can be downloaded. The only way you could | have accidentally stolen code via a browser is by accidentally finding | a publically available piece of code, which is NOT your fault. 
Even if | you did find this, it would be quite improbable that the site in | question could tell if you had. (Unless they use some kind of complex | outgoing filter that records but does not stop outgoing code release - | whereas filters of this kind are usually set up to stop code release) | | I would say you are on balance very unlikely to be accused for very | long, | a) it shows a lack of professionalism on their part to be releasing | code which they later regret. | b) whereas however they are saying "they know" you did it, which shows | a degree of skill they probably don't have as (a) shows | | Just ask for evidence. But don't claim it "isn't possible" because it | usually is possible to launch an attack, there are so may ways to do | it. For more advice and info ask "OWASP or web app sec" they have to | deal with these kinds of complaints and threats on a regular basis | when they reveal vulnerabilities on sites. In general if you see | something wrong the advice is don't report it, unless you have reason | to believe you will escape subsequent action. which is odd that he'd be asking how to do it...thus giving him the knowlege/means and taking away his best defense. find a server that parses all documents via php instead of by extension, and one that allows uploads. embed php code in an image and upload it. in that code, you should find the document root and then recurse for all dirs from the doc root. output the paths into a file your script creates. access that script. look for interesting names...especially header, security, and config file names. the embedded php code should also output the product of php_info(). any file you want, you can access via this method whether it is in the www root or in some other system directory - which most people here think gives a measure of security. it's not hard to hack any site...it just takes a bit of knowledge and some desire. |
"Geoff Berrow" <blthecat@ckdog.co.uk> wrote in message news:68hst2l9rpl53um7q7q737mbav5aglopk9@4ax.com... | Message-ID: <45de37b2$0$4891$4c368faf@roadrunner.com> from Alan Larsson | contained the following: | | >Is there a way i can look at the php code that is runnig a site, without any | >ind of admin access to the server? | | No. are you trying to be funny, geof? that's about the most uninformed and unimaginatively wrong answer as i've ever seen. i am horrified that it was made by you of all people! |
Steve <no.one@example.com> wrote:
> find a server that parses all documents via php instead of by extension,
> ....
>
> it's not hard to hack any site...it just takes a bit of knowledge and
> some desire.

And in this case, both an insane webserver setting and either no check or a bogus check on files after upload... Usually it would be much, much harder.

--
Rik Wasmus

"Rik" <luiheidsgoeroe@hotmail.com> wrote in message news:op.tn6pvcviqnv3q9@misant... | Steve <no.one@example.com> wrote: | > find a server that parses all documents via php instead of by extension, | > .... | > | > it's not hard to hack any site...it just takes a bit of knowledge and | > some desire. | | And in this case, both an insane webserver setting and a either no or a | bogus check on files after upload... Usually it would be much, much harder. true. however sadly, *most* web servers (apache anyway) out there at least parse all documents through php even if the extension is different...things like .css or .jpg, or what have you. this is the critical part. as long as this is the configuration, you can find *many* ways to get your script onto their server. and you will have enough authorization to access any system directory that php has access to...even those not in the web root. this is not just a php issue, asp and others have the same problem. people are not ever as aware as they should be when it comes to security. myself included. |