krandor Posted July 11, 2008

> And the POC of worm in PHP it's like a worm virus in computer? I mean how worm in PHP can keep it self run in that computer that have infect?

I'm not sure if PHP itself can be a worm, it's all server side (I could be wrong, I'm fairly new to PHP). Now, with some malicious JavaScript you could probably do something more along the lines of a worm. Still, why would you want to do that? I'm still confused of what your original question was.

Steve8x Posted July 11, 2008

> I'm not sure if PHP itself can be a worm, it's all server side (I could be wrong, I'm fairly new to PHP). Now, with some malicious JavaScript you could probably do something more along the lines of a worm. Still, why would you want to do that? I'm still confused of what your original question was.

Yeah, as krandor said, PHP is a server-sided scripting language... that means that the code is run on the server side! So say you're running Apache on your computer with PHP installed... when someone connects to your website, on a PHP page... your server computer is where the PHP code is executed from... it then spits out the HTML code to be displayed client side (in the person's browser)...

That's what I like about PHP... it enables you to have truly dynamic web pages! Based on certain conditions in your PHP code you can have it generate different HTML code to be displayed...

Let's think of an example. Imagine how tedious making a dictionary website would be if the person making it had to create each HTML page manually!! Yikes! A page for every word would be ridiculous to make... So instead someone puts all the words and definitions in a MySQL database (still I wouldn't want to do that even lol but it's less tedious), then when someone types a word to get the definition of, the PHP code scans the database for the word, and if found creates the HTML code to display the word's definition... So it's only 1 page, but with changing content...

So for your idea of a worm in PHP, you would only be infecting your own computer... If there is a vulnerability in PHP someone could potentially exploit it to run code on your server machine... But even if there is, it would involve your page allowing people to submit data to the site, and as long as you sanitize any input you get (something that should be done anyway for a secure website) you'll be fine...

Look up how to prevent SQL injection, which is what people usually try to do to exploit a web page. Removing the special characters from the posted data should be enough to prevent any kind of code injection, as even assembly has [ and ]... without those brackets it would be difficult if not impossible to do anything, as you wouldn't be able to access memory locations easily...

Anyways, to be able to run code on someone's computer through a web browser, you would have to find some exploit within Firefox, or IE or any sort of browser... maybe a buffer overflow or something ;) Then like krandor said, some specially crafted JavaScript could allow you to run "arbitrary" code, probably to download and execute a worm on their computer without the person even knowing what happened!

I'm pretty sure it's happened to me before, a long time ago when Firefox wasn't out, and I was using IE... Some website was using an exploit to download and execute a virus on the site's visitors... I ended up having to reformat as the virus fucked everything up...

So yeah, anyway, if you do find an exploit, do the right thing and submit it to the browser's developers so they can patch it up, so the exploit can't be used to infect people's computers!

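The dictionary-site lookup from the post above with its input handled defensively, as an added example that is not part of any post in this thread: the search term is shape-checked, passed to the database as a bound parameter, and HTML-encoded on output. The `words` table, the `lookup_definition()` function and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions made for the example.

```php
<?php
// Added example: dictionary lookup with a bound parameter and encoded output.
// Assumptions (not from the thread): table `words`, lookup_definition(),
// and an in-memory SQLite database standing in for the MySQL one.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE words (word TEXT PRIMARY KEY, definition TEXT NOT NULL)');
    // Constructed sample rows; the second definition carries markup on purpose.
    $ins = $pdo->prepare('INSERT INTO words (word, definition) VALUES (?, ?)');
    $ins->execute(['worm', 'Self-propagating malicious program.']);
    $ins->execute(['tag', 'Markup such as <b> & </b>.']);
    return $pdo;
}

function lookup_definition(PDO $pdo, string $word): string
{
    // Validate the shape first: reject rather than silently strip characters.
    if (!preg_match('/\A[\p{L}\' -]{1,64}\z/u', $word)) {
        return '<p>Invalid search term.</p>';
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT definition FROM words WHERE word = :word');
    $stmt->execute([':word' => $word]);
    $definition = $stmt->fetchColumn();

    // Encode on output so stored or reflected text cannot become HTML or script.
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if ($definition === false) {
        return '<p>No entry for ' . $enc($word) . '.</p>';
    }
    return '<h1>' . $enc($word) . '</h1><p>' . $enc((string) $definition) . '</p>';
}

// Constructed inputs: two known words, a name with an apostrophe,
// a classic injection test string, and a script tag.
$pdo = open_demo_db();
foreach (['worm', 'tag', "o'neil", "x' OR '1'='1", '<script>alert(1)</script>'] as $input) {
    echo lookup_definition($pdo, $input), PHP_EOL;
}
```

The apostrophe in `o'neil` reaches the query intact and harmlessly because it is bound, not concatenated, and the markup stored in the `tag` definition is displayed as text instead of being interpreted by the browser.
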
nicatronTg Posted July 12, 2008

As far as being a worm, take the following situation for example. User A infects a site with an XSS-based attack that points to a PHP script. User B visits the site, and then is compromised to the PHP script. User B continues browsing the site, and downloads a file, from the rogue PHP script, generated to fit the user, and send out viruses. User C gets an e-mail from User B pointing to User A's site. User C now does the same.

r4v37t (Author) Posted July 13, 2008

Earlier I got some thinking about how PHP WORM can inject the client computer, and it's like this:

1. WORM_MAKER has infect the site with worm script, where in that page is checks the OS that the client using.
2. Like example if user have used WINDOWS OS, then the script will generate the worm code for WINDOWS OS.
3. Then that page will make that code downloaded silently.

It's possible to do? Absolutely in PHP code?

digip Posted July 13, 2008

> Earlier I got some thinking about how PHP WORM can inject the client computer, and it's like this:
>
> 1. WORM_MAKER has infect the site with worm script, where in that page is checks the OS that the client using.
> 2. Like example if user have used WINDOWS OS, then the script will generate the worm code for WINDOWS OS.
> 3. Then that page will make that code downloaded silently.
>
> It's possible to do? Absolutely in PHP code?

Anything is possible, in any language, but what is your intent? Malicious, or do you actually want to learn something, because it seems the more questions you ask, the more script kiddie you sound. If all you want is exploits and free code, go to milworm or check Google, but please stop asking questions that you don't want answers to, because all you seem to want is the code to do it for you with mal intent.

Deveant Posted July 14, 2008

A virus can easily be made in PHP. You're overlooking the fact that the target does not need to be a user of the website, but the website itself. Let's say a forum, with a lil XSS, mixed in with a custom login page, now every time one of your users logs in, it emails me their user and pass in plain text. Easier than decrypting a database, and admins who don't know what they're doing will never find it.

Sparda Posted July 14, 2008

> Easier than decrypting a database, and admins who don't know what they're doing will never find it.

That's a bit insulting, (as far as I know) VaKo never figured out what happened with the password forwarding thing on this forum. ;)

Deveant Posted July 14, 2008

haha :( my bad, wasn't meant that way though, more as though, it would never be found.

r4v37t (Author) Posted July 14, 2008

> Anything is possible, in any language, but what is your intent? Malicious, or do you actually want to learn something, because it seems the more questions you ask, the more script kiddie you sound. If all you want is exploits and free code, go to milworm or check Google, but please stop asking questions that you don't want answers to, because all you seem to want is the code to do it for you with mal intent.

Be a script kiddie.. I think I'm a newbie, where start to learn to get fun from my digital world. I just want to explore and try to hack the PHP code. And I want to make something different and useful for anyone......

Deveant Posted July 14, 2008

If you want to hack the PHP code, then understanding it is the first step, you need to go learn PHP.

Having fun in the digital world is all good and fun, but the moment you cross from fun to illegal is the point of which you become a tool.

r4v37t (Author) Posted July 15, 2008

Yupz..... I have started to learn that :D

Yeah... I think no one is illegal if it for fun, learn, and help many people

marky-b Posted August 4, 2008

> If you want to hack the PHP code, then understanding it is the first step, you need to go learn PHP.
>
> Having fun in the digital world is all good and fun, but the moment you cross from fun to illegal is the point of which you become a tool.

I agree. I taught myself many of the basics of PHP in less than a week. Began a dynamic website project for a business and now I love it. However, whenever I see people just looking for information on how to break websites/webhosts/clients/etc... all I can think of is how much I want to reach through the internet and poke you in the eye.

Well said, Deveant.