Added: 5 years ago
From: djshaunp
Views: 96,922

All Comments (122)

  • i watched it all god damn. i've lost 22mins from my life

  • can u post a video on step by step method of making and using a php mailer

  • its totally wrong

  • fu ck ooof

  • :D that is just normal GET injection.

    1. most servers have php set to block get variables that aren't requested in the script

    2. u should consider this when writing a script

    3. I write scripts with IP blocking (you can send stuff to max 15 people daily, max 3 messages [1 msg goes to 5 people max] )

    4. use vars from POST!!! (get is really vulnerable)

    5. My messages have a predefined format that cannot be altered so u can't change headers, to, from or anything just the text inside(html excluded)

  • Suspect this is predicated on some really lame system setting (STILL extant on many shared servers!) like register_globals set to 'on'. Anyone who could switched that off about 10 years ago but incredibly it's not extinct yet!

  • can you mail me that script in a plain text file?

  • maybe i misunderstood this, i skipped the occasional bit but php uses $_POST to get values from a form and $_GET to get values from a URL, so this might not work on most email forms...

  • Isn't this the same as filling out the form out as normal? The only 'hack' he did was put commas between e-mail addresses, so he could have it sent to multiple accounts. And that wouldn't make it through a basic e-mail validation. This guy is an idiot. This really only works if the form processing code accepts both POST and GET methods.

  • how does one get the php code in the first place?

  • mostly when u write scripts u use certain names of variables... like $header, $body, $email... It's like with SQL injection. U try to misuse people writing scripts in an intuitive way. Also, you can try to watch the behaviour of the form while changing variables, but I think it's just a waste of time...

    U won't manage anything especially with what he did.

  • wow it's too complicated man i use free script to send plain text or html you can download free inbox php mailer here w w w . i n b o x p h p m a i l e r . 9 h z . c o m

  • thank you i downloaded inbox mass mailer from w w w . i n b o x p h p m a i l e r . 9 h z . c o m but where to upload pls tell me

  • the php code is not shown when it is on the web while coding in php it hides all the scripts so this would rarely work

  • What this has to do with "hacking"?

  • This is so bad. You assume the "hacker" already has access to the FTP site to obtain the PHP file. If that's the case the rest of your script is poor at best.

  • I have to agree, php is a server-side language, so hacking with it is not very practical. I prefer Javascript and Perl for hacking.

  • This guy is funny... Did he say "input type=dropdown" at 12:51? HAHA funny. select tag would be a better way of saying it.

  • lol yeah:p

  • This works because of 2 bad-practice loops:

    while (list($key, $val) = each($_GET)) { $GLOBALS[$key] = $val; }

    same with $_POST;

    Both the variables in GET and POST are written into the GLOBAL scope, thus overwriting the initialized $MailToAddress and $MailSubject.

    So for this exploit POST/GET doesn't matter. PHP5 is vulnerable as well. Even register_globals off won't help.

    Script google: PHP formmail + "asking for a name"

    Now why didn't the hacker explain that? I'm just a developer...

  • "we can spoof the subject of the email", "inject into the web page" classic .. is this video directed towards noobs or programmers? you realize the web page is your browser don't you..

  • Just because it was some mail example doesn't mean people are actually using or advertising that they're using it. Fucking moron.

  • You sir are a uber dip shit deluxe. Plenty of people use or used this script, that's why it had a large rating on hotscripts[dot]com. Next time, save yourself from looking like a total retard, and do your research before you open your man hole.

  • Are you all retarded? The script that was exploited by yours truly is an Open Source mail form script. You can download the source code anywhere. Google PHP formmail, ugh. Instead of hating, do your research and stfu.

  • hacking is me laughing so hard that I start coughing

  • Do you even know what you're talking about? or are you just making it up as you go along, just like those other idiots on youtube, who think they can hack!

  • ha ha ha, if you have the script , ha ha .idiot

  • I don't think this is the right way to hack any php mailer cuz the server doesn't give you the source code, of course if u know the source code as someone said you can do all sorts of things. fails....

  • Noob

  • This is proof only of the concept that there are a few stupid PHP programmers out there. This method fails on 99.44% of all mailer scripts...

  • Yeah ok I agree you can do just about anything if you know the source code of the php file but you skipped a bit, how do you get the php script from the server? You can't just magically get the php script from the server.... When you make a request to the web server it will load the php interpreter and serve the output from that, it will not serve you the contents of the php script itself. Secondly the way you do this is flawed... You cannot overwrite the php scripts ...to be continued...

  • This fails from the start!

    Exclamation marks aren't syntactically correct and will cause a parse error if used in a variable name.

  • i always expect to hear music like "prodigy" or "ramstein" in hacker videos, along with a picture of them covering half their face with a scarf, or gas mask, like the feds might come get them, or they just got back from tagging up the subway station. so typical.

  • ridiculous

  • Well sure, if you can see the script then there's a ton of stuff you can do. Spoofing the email is actually pretty tame. No site with any security should be giving you that script though, and he skipped right over it here.

  • LOL "Server not found"... so noooooob...

  • nice man!

  • wow awesome, a 13year old H4cKz0r is hacking his own script. Give me back my 5 minutes (not like I'd watch all this crap)

  • yeah this is weak! besides with the new version of php you can't do that anymore. If the page requests $_POST["email"] injecting stuff on the url doesn't do anything.

  • No way, It's the same as $_GET['email'], you should just send the same string but with the POST method ( telnet, custom form html, etc ... )

  • Pretty interesting. I'd have sought out an ajax site, as active GET methods are much more flawed than $_post methods. Considering this is just having the actual script, this isn't that deep. Dumping global vars or showing a remote include method would have been nice. I only watched the first bit though after the word "download".

  • chepalle22:

    you are a stupid kid -.- this is a shit -.- n00bz

    if everyone is so nooby why are you watching this video tutorial?

  • Actually, you can do it this way. It is a simple exploit and you have to know the variables (which you normally don't know unless they are using a commercial PHP script).

  • YOU B***H you copied my F***ing name!

  • note this message was to jonnyhackercake

  • Lol, it would've been just jonnycake, but it was already in use :P.

  • you are a stupid kid -.- this is a shit -.- n00bz

  • This is amazing! A simple generalization of AfterBurn's method allows one to inject arbitrary code at ANY point in the file.

    1. Obtain the PHP file (just ask the admin for root access - he's a nice guy).

    2. Open it.

    3. Inject code at will.

    4. Save it.

    5. Replace the original file with your 733t haxx0red version.

  • Yeah this is pretty lame. Show us how to obtain the php script and that may be useful.

    The reason it's called "server side scripting" is because it's processed on the server before it's sent to the client.

    If this was even remotely possible with this method then you would see a lot more hacked websites...

  • totally useless stuff, why don't you talk about how to obtain the php file, this is the key of your hacking method

  • ok trying to figure it out... is this a joke? I assume you don't see this video as valid anymore... at least since PHP5. But what I would like to know is how do you get a php file off a server??? Honestly I do not believe this is possible.

  • Exactly. This is like a car thief saying "It's easy to steal a car. First find an unlocked car with the keys in the ignition."

    It'd be easy to "hack" a PHP script if you could simply download it from the server. Yet nowhere in this video is the method to accomplish this shown.

  • i know tht you can d/l a php(raw) file using ssh and wget tht is the cleanest way i think unless u inject into there cpanel or brute there ftp

  • stupid gimp

  • gimx2006. Do a little more research please...

  • mmm...

  • mmm....

  • Unless I missed a huge part of your process, this would simply not work. The action page sets $emailaddress to a value, it isn't assigned in the form.

    Besides that, in the current versions of PHP register_globals defaults to off. It's also off on many "better" web sites.

    Long story short, this is a huge waste of 23 minutes. LAME.

  • be nice about a kid that has a crappy handle which is a rip off hackers the movie "afterburn - acidburn" QQ what whats this lame -=+ crap...lol

    Hacking isn't cracking get ya facts str8, hacking is programming so please tell me you know at least C or C++ or hmm ASM?

  • you're lame dude..have you tried backtrack..and half your stuff you have is already made by groups. Your dns vid was posted by a security group not you and was the same host.

    I bet you don't know how to inject strings into a dns host to obtain remote access to the server...GO Learn lamer

  • I was reading the comments on here and some of you need to chill the hell out, stop barking like a bipolar dog at the poster like he is unintelligent...My 2¢

  • if the method is POST and you do it as you are saying, it will not work since u r sending them via GET and php with register_globals = Off ( standard since php 5 ).

    also I agree with galenjr, "i was able to obtain the script" doesn't make any sense.

  • can anyone do something for me? I need an email extractor,if you can make it and know how to make $ let me know

  • I guess none of you have heard of site leechers that will download the entire site and all of its files and folders? mmkay. Not all of your average everyday "skiddie" leechers will work. You have to trick the webserver into making you download the script.

  • Perhaps by using a browser object that doesn't have options for viewing php, flooding the web server's php "GET or POST" thus tricking php into just offering the script for download to your machine, instead of in the browser server side. There are many types of ways this can be done, You just have to know WTF you are doing, which apparently is not the case with some of you who say it's "Impossible"

  • "tricking the server", i see......

    This was ONLY possible due to bad code.

  • hahahahahahahahaha..........

  • "i was able to obtain the script"

    this video is stupid

  • hahahha

  • yeah you can't view server side scripts, you only get the output

  • -- DONT WASTE YOUR TIME WATCHING THIS CRAP -- AND THERES 5 MINUTES MUSIC AT THE END LMFAO --

    since when can you download SERVER SIDE scripts, when they are not viewable to the user. oh "i just managed to download config.php and see all of the mysql data"

    thats not hacking, its looking at open source scripts, probably not made by you!

    NOONE CAN look at .php files, you will get the output in view source.

    -- DONT WASTE YOUR TIME WATCHING THIS CRAP -- AND THERES 5 MINUTES MUSIC AT THE END LOL --

  • tell me this what ever php was there in the "action" part of the form that u called directly .. what if we simply put a check in that which says "If the Submit button was pressed only then it will send mail" or u can pass submit variable too in that script

  • or simply look for posted values instead of get or request values

  • And if you really love this kind of stuff then you have a need for knowledge and if you talk to any hacker (Not a Fu$#^ng script kitty or a cracker) You look for information on just about everything because you don't know when something will come in handy from time to time.

  • This is a form of hacking like Deusasd said it's any form of using something to your advantage. And this is a good way if someone does anything with programming because it really hits around the line of cross site script injection.

  • how tha fuck did he download the script? what a dick head!

    hacking my ass

  • Sometimes new programmers in php will add the .phps somewhere on their sites. Just do a file scan on the root directory of the site and most of the time you can find it (if it's there) and there are other ways but those go into ftp or telnet. Another way is the site is a tutorial on PHP :) most of the time they will use the code they used to make the site..heh

  • Hacking can mean anything that involves using, manipulating etc. a system another way than it's meant to be used, manipulated etc. So those saying this isn't hacking are wrong. Hacking larger databases and corporations holds same kind of basic procedures inside as hacking a web mail or such.

  • indeed, this using-a-downloaded-script thing so many dumb script-kiddies are using nowadays is not hacking in any way or form. Boring.

    Trying to get more change from a coke machine is far more to the spirit of hacking than using a script to deface a NASA website.

  • True, but noobs always saying that other people are noobs, so don't respond to those comments anymore :P

    Also, to all those people who are shouting something I can't even read: Learn English, or go find yourself a decent keyboard or whatever your excuse is for typing like that.

  • Yeh you're a genius, you're just amazing i mean using the get method. you're so clever. I mean as if ! as if

    anyone would use a captcha or the post method or maybe even SSL server, at the most extreme could they ? would they ? maybe they would actually check and validate their input.

    dork !

  • Cool.

    One question though: how do you download the PHP script of the contact page that sends the email. I didn't realize it was possible, and I have been programming in PHP for years.

  • He says he was able to obtain the script not telling how.

    Which basically means, it should "not be possible" to download the script at all...but he got it anyway in one way or another (for instance, knowing the FTP credentials, but that is also very unlikely)

  • you're right, it's not possible

  • Hmm, nothing special.

    This is not hacking at all, just lame coding! :)

  • not lame coding, its not coding at all, nor can you do that

  • Only idiots would use an insecure mail script with register_globals and no captcha.

  • worked with register_globals, right?

    never heard of super globals?

    PHP5 standardly deactivate that ^^

  • useful, i knew most of the stuff on here already but it helped me out in a few ways, thanks.

    to everyone, yah its blurry, its youTube FFS, they compress it like crazy when u upload a video.

  • method=POST

    LOL! W3c error n.1

    Ampersand after the question mark? The variables start from ?, not &.

    Is that INCREDIMAIL ?

    damn spyware sh*t !

    REGISTER_GLOBALS must be on and the vars mustn't be declared yet.

    Sorry but i don't think this is a good tutorial; very blurry.

  • Dude, dun con people with that bullcrap. you are not the only one who uses this fake email method to con people into giving their password to you. And if you really are a leet hacker, you don't tell everyone that you are one.

  • Wait, you're not the same afterburn from information leak

    are you. If so, you and halla do some good work.

  • Yes i am also the AfterBurn from Information Leak, and thanks! I have a lot of affiliates i code, write for.

  • i cant see the effing text is blurry

  • n00b stuffs, but good video for beginners. Works with register_global on and only if in the scripts vars are invoked with REQUEST (btw, who uses REQUEST array?!?).

    Also, very simple, if you cycle all the POST vars and use htmlentities() on them, in the worst case the script crashes, in the better case you send a mail with the code injected without parsing it...

  • this is rubbish, you simply set the headers for cc and bcc fields and hey ho.

    As a developer, i protect by reading the headers and check to see if bcc / cc are present.

    btw sorry to say but this is quite boring as well as weak in security and over complicated and unclear.

  • wow not your best video by far bro

  • Well, This hasn't really taught me much. Thanks for it anyway but I mean how are you going to download the php file. It is always parsed on the site so unless you are a better hacker than I think who would watch this it is not function-able. Also, most people put their message above the mail so it would be overwritten by the email. Good luck with trying to do it on a proper site but there is not much chance with such simple techniques.

  • Sending the variables as POST sometimes isn't enough.

    You can make your own html form, set the "action" attribute to "(world wide web).../process.php" and run it locally. If the server accepts requests from the exterior then the script can be hacked.

    The right thing to do is put all the processing scripts inside a folder and protect that folder so that no other can run those scripts except the local server, i.e., using and configuring "mod_access" for Apache.

  • haha.. why bother and lose time with this newbie stuff... just hack into the server, root it and have fun.

  • The Problem is the Formmail PHP Scripts.

    It is injectable because of the "REQUEST" instead of POST.

    The "REQUEST" receives either POST or GET.

    In some ways, Hacking can be prevented if the Formmail Scripts uses POST only.

    Additional protection is by adding Sessions with CAPTCHA script.

  • register_globals should be off. This spammers won't be able to exploit your scripts even if you have register globals on, unless they know your variable names.

  • I think it's nice you gave an idea of the basic concept but like the other people mentioned there are a lot of solutions to this and the script is really written to get hacked. Why use _GET i.s.o. _POST? U can use regexp and u can limit the number of input addresses at a time and per IP.

  • Let me add that I am not playing down the need for security... but please specify that the script is crap and this is not possible for any and every PHP-based form mailer on the web.

    - use _POST info

    - check ALL client-based input (ie: RegEx)

    - bingo, you're safe
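
Several comments above point at the same root cause (request parameters copied into global scope, or read through `$_REQUEST`) and at the same fixes: POST only, a fixed recipient and subject, validated input, no injected Cc/Bcc headers. A handler built that way follows, as an added example that is not code from the video or from the formmail script under discussion; every name and address in it is a hypothetical placeholder, and it assumes PHP 7.2 or later for the array form of the `mail()` headers argument.

```php
<?php
// Added example (not the formmail script from the video). All names and
// addresses are hypothetical placeholders.
const MAIL_TO      = 'webmaster@example.org';  // fixed by the site owner
const MAIL_FROM    = 'noreply@example.org';
const MAIL_SUBJECT = 'Contact form message';

// Read one expected field. Arrays (e.g. email[]=...) count as missing.
function field(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
}

// Returns [fields, errors]. Only the three named keys are read; request
// data is never copied into variables or $GLOBALS, so MAIL_TO and
// MAIL_SUBJECT cannot be overwritten by a parameter of the same name.
function validate_contact_form(array $post): array
{
    $f = [
        'name'    => field($post, 'name'),
        'email'   => field($post, 'email'),
        'message' => field($post, 'message'),
    ];
    $errors = [];
    // Single-line fields must not contain CR or LF: inside a header value
    // a line break starts a new header line (Cc:, Bcc:, ...).
    foreach (['name', 'email'] as $key) {
        if (preg_match('/[\r\n]/', $f[$key])) { $errors[] = "$key contains a line break"; }
    }
    $f['name'] = trim($f['name']);
    if ($f['name'] === '' || strlen($f['name']) > 100) {
        $errors[] = 'name is missing or too long';
    }
    // One syntactically valid address only; "a@x, b@y" fails this check.
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a single valid address';
    }
    if (trim($f['message']) === '' || strlen($f['message']) > 5000) {
        $errors[] = 'message is empty or too long';
    }
    return [$f, $errors];
}

// Returns [httpStatus, errors]. GET parameters are never consulted.
function handle_contact_request(string $method, array $post): array
{
    if ($method !== 'POST') {
        return [405, ['POST only']];
    }
    [$f, $errors] = validate_contact_form($post);
    if ($errors) {
        return [400, $errors];
    }
    // The visitor's address goes in Reply-To only; To, From and Subject are constants.
    $headers = ['From' => MAIL_FROM, 'Reply-To' => $f['email'], 'Content-Type' => 'text/plain; charset=UTF-8'];
    $body = "Name: {$f['name']}\n\n{$f['message']}";
    return mail(MAIL_TO, MAIL_SUBJECT, $body, $headers) ? [200, []] : [500, ['mail() failed']];
}

if (PHP_SAPI !== 'cli') {  // web entry point
    [$status, $errors] = handle_contact_request($_SERVER['REQUEST_METHOD'] ?? '', $_POST);
    http_response_code($status);
    echo $status === 200 ? 'Message sent.' : htmlspecialchars(implode('; ', $errors));
}
```

The per-IP sending limits and CAPTCHA that other comments suggest would sit in front of this handler and are not shown.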

  • Bah, simple stuff, script either uses _GET or server has register_globals off, both are obviously insecure. Simple regular expressions can also check variable inputs and block unwanted info. Overall, the script is extremely poorly written. I believe you'll be giving new PHP users the wrong idea.

    This is all routine stuff to block and really not worth a 23 minute video. This could be likened to the security vulnerabilities of a saran wrap door. :)

  • Oops, register_globals *on*...

  • Yup

  • There are EASY ways around this... Simplest I know of, build the form in Flash... SWF's can be locked and all your variables, including the PHP file's URL are safely tucked away inside. The same thing can be done with JS.

    Why show this if you have no solution?

    PS: %20 = url encoding... All punctuation is usually URL encoded, not just spaces.

  • This can be stopped by adding an image based validation, or modifying the script to include some sort of validation. Also as far as i know %20 is used just for spaces.

  • Image verification won't work.

    Just generate an image code from their captcha and include that value in your URL and thats it. Just generate submit, generate submit.

    Obviously you don't know how captcha works.

  • And obviously you don't know how javascript works my fellow friend. Because you can get easily any hidden data which is user-only... because js is clientsided ;)

  • You need a lot of learning to do kid. Obviously you don't know what you are talking about. Flash is not safe at all, Flash just pass the form to a php handler script just like when you do it normally. I can just do sniffing or decompile the swf to get the posting URL and the variable names and you have what you need.

    Only noobish have this trouble with a simple contact form. This is very simple to get around with.

  • Thanks a lot!

  • I so respect you. man

  • Hey, Thanks a lot!

  • Excellent explanation, thanks, looking forward to future tutorials.
