PHP 8.1.0-dev BACKDOOR Hack (Easy RCE)

Подписаться 1,8 млн

Просмотров 141 тыс.

50% 1

Jump in to the Snyk Capture the Flag 101 Workshop on September 14th at 11:00am ET: jh.live/snykct...
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeac...
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
🐜Zero2Automated ➡ MISP & Malware Sandbox j-h.io/zero2au...
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humbleb...
🐶Snyk ➡ j-h.io/snyk
🤹‍♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsor...
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Опубликовано:

7 сен 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 137

@_JohnHammond 2 года назад

Ps, HUGE THANKS to Snyk for sponsoring this video ! Snyk is putting together their next Capture the Flag 101 workshop! If you are new to CTF challenges and want some extra guidance on how to cut through binary exploitation or web security tasks, jump into their free online session on September 14th at 11am EDT! j-h.io/snyk-ctf101 click the link plz click it CLICK THE LINK j-h.io/snyk-ctf101 click click click

@nighthawk5305 2 года назад

Click a posted link, enter "Name", "Company E-Mail", "Company Name" and "Job Title" to register..... Not comfortable with that.

@link_safe Год назад

@@nighthawk5305 It's designed for businesses and companies.

@Fl0kii_ 2 года назад

I could watch John explaining Python code for the rest of my life!

@caiovinicius8448 2 года назад

It's a good idea.

@nikhilsuryanarayanan2133 2 года назад

😂nice

@Propertymagnet_boy Год назад

why?

@spiegelbestseller9853 Год назад

Me too

@jasonb2221 2 года назад

Thanks John, your way of teaching, explaining while you're working on the fly is awesome! Really teaches us how to think and react while troubleshooting.

@zanidd 2 года назад

Thank you -John- Kevin!

@Scorpion_Yug Месяц назад

Zanidd ❤

@ponan0053 2 года назад

Could you do a video on how you make these challenges? like the thought process and steps behind it? I think thatd be awesome

@daleryanaldover6545 2 года назад

I just remembered when I first CTF like experience with Kirshbaum. They have a challenge for job applicants and successfully doing the challenge grants them a chance for an interview. I failed the interview tho but it was a fun experience nonetheless.

@bs12wrblimitedsti38 2 года назад

I just got my A+, Net+, Sec+ and man there’s SOOO much more to learn haha maybe I’ll under more with time but 80% of the video I know. Just now I have to figure out how to implement everything I learned. Hands on is WAY better for me! Thank you for what you do hopefully one day I will be kind of close to on your level of knowledge.

@flaviomoreira01 2 года назад

The more you know the more there is to know. Do you think it is good idea to get CEH cert has my first cert?

@johnpathe 2 года назад

@@flaviomoreira01 yes

@Smithy957 2 года назад

@@flaviomoreira01 the OSCP is so much better than the CEH

@flaviomoreira01 2 года назад

@@Smithy957 I have heard that it is harder to get it, but what is the requirement?

@flaviomoreira01 2 года назад

@@zebbybobebby But in terms of reputation, would you agree that CEH is more advanced?

@mohammedbahamid8759 Год назад

It would really be awesome if you could make a video on how to create a CTF challenge based on the vulnerabilities on Exploit DB. The way to navigate through exploit DB, the thinking process, etc...

@khaleedmayas Год назад

@michaelwerkov3438 2 года назад

Its fun how i know nothing about hacking but when he explains things it makes perfect sense

@dayanjihuzefa1827 2 года назад

Your channel is best source to learn Cybr security 👍

@cnfreitas 2 года назад

Look, I'm not into security but I could not pass this video. Very interesting and made easy to understand some Linux command lines and strategies to find problems. Thanks!

@jimo8486 2 года назад

this is the only ad sponsor i would watch

@badbgp 2 года назад

Zerodium ~ Zero Diem ~ Zero Day

@JoakimKanon 2 года назад

May I suggest backing off from the mic, or getting a pop filter? Your P’s are pretty brutal on headphones. Great video, anyways. 😍

@gabe_owner 2 года назад

I thought all the comments here were from bots at first, since the sponsorship happened right out of the gate and they were all so positive. Entertaining and engaging video, though. I might try some CTF myself, since I’ve never done anything related to cybersecurity.

@mrobvious6112 2 года назад

Its crazy how simple it is to understand python ven though I barely learned python Not really as simple but getting use to how it works makes it simple enough to understand...

@caiovinicius8448 2 года назад

Very interesting.

@analyzec137 2 года назад

Glad to hear about the snyk ctf webinar John.... can’t wait XD

@renatofreirefilho 2 года назад

Obrigado, sempre ótimos conteúdos!

@danielghani3903 2 года назад

Thank you for the video suggestions .I will go through one by one

@vipanchika5059 24 дня назад

Thank you sir you would have been intresting to me to become a good business man

@huzifaahmed1426 2 года назад

I learn alot from you man 💚

@Zerback 2 года назад

Great content John! Thanks for all your shared knowledge as usual!

@NicolaCalore Год назад

Thanks John for teaching me 👾

@joaoverde7742 Год назад

I loved the office reference :D

@christophermarshall8712 Год назад

This is why I never upgrade to a version of PHP when it first comes out. I always stay one or two behind if I can to make sure if any severe vulnerabilities like this come out they are fixed before they can affect me.

@anthonylamoreaux1282 Год назад

Love your videos! Thank you for all that you do.

@kaas12 2 года назад

You never disappoint, thanks John!

@sdafasfF 2 года назад

Real cool man! Although I completed the box within 3 minutes X3

@branisgreat 2 года назад

The hair in front of his face the entire time man lmao

@Freeak6 Год назад

One thing I don't understand is why root user in container has root privileges in host filesystem? These shouldn't be treated as different users? To me, users in containers shouldn't 'communicate' with users in host. Why is it the case? Thanks :)

@frosecold 2 года назад

Hey John, I've been using rustscan lately and i really like it, is. Slot faster and can be complemented with nmap for full scans but is much faster. I wonder why you don't use it?

@themasterofdisastr1226 2 года назад

Last year, this exploit was featured in HackTheBox when it was quite new. You had to understand a chinese Blog post to get the shell back then

@moustafakashen3610 2 года назад

Love your content Mr. Hammond

@0xm3m 2 года назад

Can you make a video on Creating vulnerable machines for hacking platforms in depth, and that can be in series?

@cartoonchannel5584 Год назад

You are best ;) Thank You !!!!!!!!!!!!!!!!

@GeorgeWulfers_88 2 года назад

Awesome! :) Great video as always.

@DEADCODE_ 2 года назад

you know what john i love you

@djones0105 2 года назад

thanks, John!

@huzifaahmed1426 2 года назад

The Greatest man in this feild ❤❤❤

@TheHaircutFish 2 года назад

Awesome vid John!!!

@MrsCyImsofly 2 года назад

Thank you John

2 года назад

What I'm really struck by is that it was _planted_, by a security firm that sells exploits no less... wow

@elisansabimana6200 2 года назад

Thanks for the video.

@ALD7MI2011 2 года назад

I learned alot thanks

@animesubber7136 2 года назад

Whats with the thumbnail lol John Hammond Breaking bad XD

@aquaforgegames6207 2 года назад

I've always wanted to get into whitehat hacking and this is the best video I've seen so far about it. You're amazing

@CageTheTurtle 2 года назад

what up KEVIN!!

@nelaina 2 года назад

Thank you John. Do you think the snyk ctf webinar is good for an absolute beginner? No ctf experience (aside from your channel), and just starting to learn python, cybersec, etc...thanks.

@WanderlustVisual5 2 года назад

Good stuff

@brian.-_393i3.-_ 2 года назад

Thanks!

@wcrb15 2 года назад

Whoa that seems really bad. Gonna have to go do some more research on that user agentt situation

@Terszel 2 года назад

Think I remember when this backdoor went up, wasn't it a big thing?

@guilherme5094 2 года назад

Thanks.

@kekeke7815 2 года назад

Hey, I just wanted to check briesofty if there is a way for to import a new soft into the program, for example softs or sotNice tutorialng that

@12346798Mann 2 года назад

The webpage looks like an appseed template

@gauthamgamer1214 2 года назад

nice one

@jaume748 2 года назад

Why I got rickrolled ?¿? I only wanted to do the workshop

@diegocracker 2 года назад

Show thanks obrigado

@Rantofthings. 8 дней назад

I’m guessing I need to know PHP.

@fdgmedd 2 года назад

Gj :)

@onen0zednine753 2 года назад

so who caught the 'Kevin/ Office' refence at the beginning?

@BuddyWazzup Год назад

yeah!!! "Why use more words when less do trick?" 🤣🤣🤣🤣🤣🤣

@onen0zednine753 Год назад

@@BuddyWazzup

@plooshdev 2 года назад

nice

@0xmkay 2 года назад

Pls was the workshop session recorded cos I missed it

@FidelEmilioSusanaJimenez 2 года назад

👽😍😍😍

@chris7010_1 4 месяца назад

Astra Linux users can take the hack me challenge.

@mathesonstep 2 года назад

Can you do a video on setting up a VM for doing these challenges, I have wanted to do these challenges for a while but want to ensure I am being as safe as possible as I have heard you are all connecting to the same VPN network I want to ensure my vm is as isolated as possible, I was thinking putting my vm behind a virtualized pfSense and blocking access to my network from that pfSense firewall. Am I overthinking this or should I really dedicate one vm and virtual network setup to just CTF challenges?

@eandudley8415 2 года назад

Just throw up a kali machine on VMware.

@georgehammond867 2 года назад

what is proc in Linux directories? and why does its size be 140 TB ,, which system uses that huge amount of memory in the tera bytes?

@azatecas 2 года назад

to all php devs, jump ship while you still can

@khaleedmayas Год назад

anyone tried to get rev shell on the machine or could ?

@ihsankurniawan3591 2 года назад

how do you know what to search? what if i cannot tell if PHP 8.1.0-dev is the keyword?

@soniablanche5672 Год назад

I don't get it, why would you intentionally add a backdoor to php.

@Freeak6 Год назад

It was made by an attacker who compromised git php's servers. So the attacker will have a backdoor on all servers that run this version of php (so possibly millions of servers if the attack had not been detected).

@learnfirst-1 Год назад

Apache tomcat 8.5.58 vuln ??

@judylyons177 2 года назад

Sorry, not on this subject. Any advice of how to get rid of Instant Memo? It is messing my tablet up. Tried numerous ways to uninstall, can't. Force stop, clear cache doesn't even slow it down. I can't find any info on it.

@InsaneRecords997 Год назад

Watching on sep 27 lol

@michaelwerkov3438 2 года назад

What is verbosity in this context?

@LiEnby 2 года назад

LOL'd at this ahaha if you dont provide the "zerodium" at the start of the string it just says "REMOVETHIS: Sold to zerodium in 2017"

@sdafasfF 2 года назад

Every happened to the Ubuntu install?

@dopy8418 2 года назад

What's with the marvin villain thumbnail ?

@aqsajimmy2803 2 года назад

did u already create an exploite sir ?

@juneilquilana5159 2 года назад

❤️❤️❤️👏👏👍

@omari4m 2 года назад

as a php programmer , feeling so sad

@kevinwong_2016 2 года назад

Look for mobile malware please

@pathfinder750 2 года назад

Agent-T

@SB-qm5wg 2 года назад

php had a backdoor built in. WTF!?

@Freeak6 Год назад

It was a dev version, and from what they showed, it has been caught before going into production.

@hanomedia 2 года назад

*I feel pity for Php Evangelists*

@rebelsdeveloper367 2 года назад

hmm..

@unknown_3293 2 года назад

mp4 mp3 files backdoor

@masdadmin 2 года назад

Please laugh a bit so I can see if you sound like Seth Rogen.

@thispacifist9004 2 года назад

John your having a laugh arent you with this? I like watching your videos because you are informative. You said at the beginning this was an easy challenge, yet you copy and pasted someone else's code.

@MrGeekGamer 2 года назад

I dropped PHP 19 years ago, because I was awful then and it's still awful now. Stop using PHP.

@tutorialsacc7314 Год назад

no its not

@MrGeekGamer Год назад

@@tutorialsacc7314 I won't argue with you, because you're clearly an idiot if you're simping for PHP in 2022.

@abhishek24506 2 года назад

Php is still important??

@sipintarpatrick 2 года назад

why not

@HTWwpzIuqaObMt 2 года назад

Trying to be funny?

@JustinMylo 2 года назад

@@HTWwpzIuqaObMt it is funny

@henrym5034 2 года назад

Wordpress.

@_Omni 2 года назад

Yes it is

@cirklare 2 года назад

I told you PHP is very vulnerable language Also php 5.3 has RCE exploit Another php vulnerability PHP CGI argument injection

@toifel 2 года назад

PHP 5.3 is older than RU-vid and this backdoor is using a "-dev" build which no sane person would ever use in production. I'm not even using PHP, but you obviously don't have any clue what you're even talking about.