Collaborate Disseminate
I’m not sure if this question is within the scope of security.stackexchange or it would be more suitable on stackoverflow. Let me know if needed.
I’m wetting my feet in PHP, and I’ve put together a very simple program that (using JavaScrip… Continue reading Are there risks in user-uploaded .txt files sent as a string to PHP
Asked this question on Bitcoin SE was told to post it here.
I’m developing a custom Bitcoin service. Besides for the core application (which is written in PHP) I’m going to install a blog for updates and news.
Although I would never try to… Continue reading WordPress, a Security Risk for Bitcoin Application?
I have created a small code where I include the user input without validation, so as to know the inner workings of SSTI vulnerability. This is the below code:-
<!DOCTYPE html>
<html>
<head>
<title></title>… Continue reading Parameter allowing untrusted user input in twig templates, but not getting SSTI?
I was wondering what is the solution to remediate this finding?
Listable Directories
/client/
/manual/images/
There is PHP website and IIS web server. The website has unrestricted file upload vulnerability. When I upload a reverse shell to connect back to netcat listener or meterpreter it connects with username iis_met, but when I upload a PHP she… Continue reading IIS Different user with reverse shell
I am trying to figure out what a php malware attack is doing.
It looks like the code got injected into php files throughout the application.
There are multiple files with weird names created.
All index.php files have a .ico file @include w… Continue reading How does this php malware code work? [closed]
I am running a forward proxy filtering outbound requests for the following in order to catch potentially malicious requests from hacked Wordpress sites:
/wp-login.php*
/xmlrpc.php*
Lately this has been preventing the following requests:
h… Continue reading WordPress reauth attacks? How to prevent
I already know how to use password_verify and password_hash functions, but I don’t really understand how they work.
When I use them I do something like that:
$save_hash = password_hash( $password, PASSWORD_DEFAULT );
$check = password_veri… Continue reading How password_hash / password_verify can work with any arguments (PHP)
I’ve had a couple of suspicious looking PHP files appear on our web server, and I’m trying to work out what they do. There’s a big eval block in there, and I’ve tried numerous online tools to decode it, but so far none of them have worked…. Continue reading Best eval decoder tool? [closed]
I’ve found a couple of suspicious-looking PHP files on my webserver obfuscated by a substantial block of eval. Ideally, I’d like to know what they do, but I’m struggling to decrypt them.
Everything else on the server matches my git repo, s… Continue reading If a malicious PHP file never appears in the Apache log is it safe to assume it never executed?