Go4Expert

Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   Obfuscating PHP (http://www.go4expert.com/articles/obfuscating-php-t26851/)

lionaneesh 5Oct2011 09:08

Obfuscating PHP
 
I must say that hiding or obfuscating is not the most effective ways of security but it’s still effective to keep a Script Kiddy confused about what actually you are using in your server.

As an example - Server may use vulnerable version of PHP, with a public exploit released at some underground markets, Most of the time a simple automated exploit is released to help the “Point-Click-Hackers” (Script Kiddies). Now all they have to find is which Version of PHP you are using and if it is vulnerable, Point the exploit, launch it and own your system. In these cases obfuscating can really help you a lot.

By PHP obfuscation you can hide PHP, Which means you can stop or slow down a hacker attacking your machine.

In this tutorial, we’ll be looking at some of the most popular methods used by Site Administrators to Hide PHP , So let’s get started.

Editing php.ini file



PHP as a default exposes the fact that if it is installed on a server or not, by adding its signature to the Web server header which can really be lethal in some cases.

To set this off , Simply go to your php installation directory under “conf_files” , you can find your standard PHP Configuration file named “php.ini”

Now under this file , go to the “Miscellaneous” section and simply turn expose_php to Off.

Spoofing



By adding a simple line of code you can actually fool an attacker about what service are you using.

Spoof.php
Code: php

<?php
error_reporting(0);
header("X-Powered-By: My Programming Language");
?>

Note: The header call should be made before you send any data to the client.

Using Some Basic Apache Rules



Most Web servers like Apache etc. Can be configured to use some basic rules that would allow to parse different file-types with PHP.

EG:-

A file like index.php, gives a straight clue to the attacker that the server is using php. But if we can use some basic server configuration to actually allow a extension like “.mpl” etc to parse PHP code. The attacker will certainly have no clue about the file extension.

For the Scope of this tutorial I’ll only be covering some Apache Rules/Configurations, but if you need help with some other servers, feel free to comment or PM me.

The configurations can be added either using the .htaccess directive or directly through the Apache Configurations file. Just add the following set of rules

Syntax :-
Code:

AddType application/x-httpd-php .extenstion
Example :-
Code:

AddType application/x-httpd-php .mpl .mp3 .py .asp
Note : Only use those extensions which are normally not used by the server , for example don’t use .txt extension as the server will interpret .txt as PHP code and if it contains some php , it will be executed.

Conclusion



Obfuscation is not the most effective way of security and at most of the times, it doesn’t help, as a professional hacker would already know these modifications and can easily make out what you are trying to hide. But obfuscation would really slow down the attacker and will keep away some script kiddies. It is better to obfuscate than rather telling him what he wants.

lionaneesh 5Oct2011 12:28

Re: Obfuscating PHP
 
Thanks for Adding! Will try to be more regular now! :)

Alex.Gabriel 25Oct2011 23:57

Re: Obfuscating PHP
 
To be more precise peoples can make a php file with
Code:

phpinfo();
Then see what php.ini file is loaded for that site. Remember that many hosts using cpanel or other automation system have php.ini files for each website stored on server . Anyway , good article


All times are GMT +5.5. The time now is 04:24.