Hacking PHP Mail
This shows in detail how hackers inject PHP mailer scripts
Channel: Howto & Style
Uploaded: October 26, 2006 at 8:18 pm
Author: djshaunp
Length: 00:22:54
Rating: 3.61
Views: 79654
Tags: Hack Hacking PHP Hacks
Video Comments:
tronza87 (December 1, 2008 at 10:28 am)
What this has to do with "hacking"?
suttercain (November 28, 2008 at 11:08 pm)
This is so bad. You assume the "hacker" already has access to the FTP site to obtain the PHP file. If that's the case the rest of your script is poor at best.
AssShow (October 7, 2008 at 9:33 am)
html+php ownz
gamingmaster14 (October 7, 2008 at 7:55 pm)
LOL! those are the most newbest ways to hack.
ZeroMOA4 (November 19, 2008 at 4:52 pm)
I have to agree, php is a server-side language, so hacking with it is not very practical. I prefer Javascript and Perl for hacking.
StrikeMike2k (October 3, 2008 at 10:00 am)
This guy is funny... Did he say "input type=dropdown" at 12:51? HAHA funny. select tag would be a better way of saying it.
magnum789 (October 7, 2008 at 12:52 pm)
lol yeah:p
pimpjongen (September 30, 2008 at 11:23 am)
This works because of 2 bad-practice loops:
while(list($key, $val) = each($_GET)) { $GLOBALS[$key] = $val; }
same with $_POST;
Both the variables in GET and POST are written into the GLOBAL scope, thus overwriting the initialized $MailToAddress and $MailSubject.
So for this exploit POST/GET doesn't matter. PHP5 is vulnerable as well. Even register_globals off won't help.
Script google: PHP formmail + "asking for a name"
Now why didn't the hacker explain that? I'm just a developer...
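The overwrite described in the comment above, shown beside an allowlisted form of the same import, as an added example that is not part of the original comments or of the script in the video. It uses foreach because each() no longer exists in PHP 8. Apart from $MailToAddress and $MailSubject, the function names, field names and addresses are constructed for illustration.

```php
<?php
// Added example: everything except the names MailToAddress and MailSubject
// is an assumption made for illustration.

// Constructed request, standing in for $_GET or $_POST.
$request = [
    'name'          => 'Alice',
    'message'       => 'Hello',
    'MailToAddress' => 'someone-else@example.net', // not a form field
];

// Pattern from the comment: every request key becomes a variable,
// so a key named like a config variable replaces its value.
function importAll(array $config, array $request): array
{
    foreach ($request as $key => $val) {
        $config[$key] = $val; // same effect as $GLOBALS[$key] = $val
    }
    return $config;
}

// Hardened: only allowlisted form fields are read, into a separate array,
// so request data can never reach the mail configuration.
function importAllowed(array $request, array $allowed): array
{
    $fields = [];
    foreach ($allowed as $name) {
        $value = $request[$name] ?? '';
        $fields[$name] = is_string($value) ? $value : '';
    }
    return $fields;
}

$config = [
    'MailToAddress' => 'owner@example.com',
    'MailSubject'   => 'Contact form',
];

$vulnerable = importAll($config, $request);
$fields     = importAllowed($request, ['name', 'message']);
// Keys the client sent that the form does not define: worth logging.
$unexpected = array_diff(array_keys($request), ['name', 'message']);

echo "vulnerable recipient: {$vulnerable['MailToAddress']}\n";
echo "hardened recipient:   {$config['MailToAddress']}\n";
echo "rejected keys:        " . implode(', ', $unexpected) . "\n";
```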
jessehanson1981 (September 23, 2008 at 3:48 pm)
"we can spoof the subject of the email", "inject into the web page" classic .. is this video directed towards noobs or programmers? you realize the web page is your browser don't you..
djshaunp (August 20, 2008 at 11:15 am)
You sir are a uber dip shit deluxe. Plenty of people use or used this script, that's why it had a large rating on hotscripts[dot]com. Next time, save yourself from looking like a total retard, and do your research before you open your man hole.