1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Obfuscating PHP

Discussion in 'Ethical hacking Tips' started by lionaneesh, Oct 5, 2011.

  1. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    I must say that hiding or obfuscating is not the most effective ways of security but it’s still effective to keep a Script Kiddy confused about what actually you are using in your server.

    As an example - Server may use vulnerable version of PHP, with a public exploit released at some underground markets, Most of the time a simple automated exploit is released to help the “Point-Click-Hackers” (Script Kiddies). Now all they have to find is which Version of PHP you are using and if it is vulnerable, Point the exploit, launch it and own your system. In these cases obfuscating can really help you a lot.

    By PHP obfuscation you can hide PHP, Which means you can stop or slow down a hacker attacking your machine.

    In this tutorial, we’ll be looking at some of the most popular methods used by Site Administrators to Hide PHP , So let’s get started.

    Editing php.ini file



    PHP as a default exposes the fact that if it is installed on a server or not, by adding its signature to the Web server header which can really be lethal in some cases.

    To set this off , Simply go to your php installation directory under “conf_files” , you can find your standard PHP Configuration file named “php.ini”

    Now under this file , go to the “Miscellaneous” section and simply turn expose_php to Off.

    Spoofing



    By adding a simple line of code you can actually fool an attacker about what service are you using.

    Spoof.php
    PHP:
    <?php
    error_reporting
    (0);
    header("X-Powered-By: My Programming Language");
    ?>
    Note: The header call should be made before you send any data to the client.

    Using Some Basic Apache Rules



    Most Web servers like Apache etc. Can be configured to use some basic rules that would allow to parse different file-types with PHP.

    EG:-

    A file like index.php, gives a straight clue to the attacker that the server is using php. But if we can use some basic server configuration to actually allow a extension like “.mpl” etc to parse PHP code. The attacker will certainly have no clue about the file extension.

    For the Scope of this tutorial I’ll only be covering some Apache Rules/Configurations, but if you need help with some other servers, feel free to comment or PM me.

    The configurations can be added either using the .htaccess directive or directly through the Apache Configurations file. Just add the following set of rules

    Syntax :-
    Code:
    AddType application/x-httpd-php .extenstion 
    
    Example :-
    Code:
    AddType application/x-httpd-php .mpl .mp3 .py .asp 
    
    Note : Only use those extensions which are normally not used by the server , for example don’t use .txt extension as the server will interpret .txt as PHP code and if it contains some php , it will be executed.

    Conclusion



    Obfuscation is not the most effective way of security and at most of the times, it doesn’t help, as a professional hacker would already know these modifications and can easily make out what you are trying to hide. But obfuscation would really slow down the attacker and will keep away some script kiddies. It is better to obfuscate than rather telling him what he wants.
     
  2. lionaneesh

    lionaneesh Active Member

    Joined:
    Mar 21, 2010
    Messages:
    848
    Likes Received:
    224
    Trophy Points:
    43
    Occupation:
    Student
    Location:
    India
    Thanks for Adding! Will try to be more regular now! :)
     
  3. Alex.Gabriel

    Alex.Gabriel New Member

    Joined:
    Oct 23, 2011
    Messages:
    86
    Likes Received:
    7
    Trophy Points:
    0
    Occupation:
    Linux system administrator
    Location:
    Italy
    Home Page:
    To be more precise peoples can make a php file with
    Code:
    phpinfo();
    Then see what php.ini file is loaded for that site. Remember that many hosts using cpanel or other automation system have php.ini files for each website stored on server . Anyway , good article
     

Share This Page