Last updated: Sat, 07 Jan 2012
Hiding PHP

In general, security through obscurity is one of the weakest forms of security. However, in some cases even this small measure of security can be useful.

A few simple techniques can help hide PHP, and will make it take longer for an attacker to find the weak points of your system. Setting expose_php to off in php.ini considerably reduces the amount of information exposed to attackers.

Another strategy is to configure web servers such as Apache to treat other file types as PHP, either with an .htaccess directive or in the Apache configuration file. You can then use misleading file extensions.

Example #1 Hiding PHP to look like another language

# Make PHP look like another file type.
AddType application/x-httpd-php .asp .py .pl

Or obscure it completely:

Example #2 Using unknown file types for PHP extensions

# Make PHP look like another, unknown file type.
AddType application/x-httpd-php .bop .foo .133t

Or it can be made to look like HTML, although this may be somewhat worse for performance, since the PHP engine will then parse every HTML document:

Example #3 Using HTML types for PHP extensions

# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html

For this to work effectively, you must rename your PHP files to the extensions above. While this is a form of security through obscurity, it is a simple preventive measure with few drawbacks.
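As an added check (not part of the manual page or its examples), the following Python function inspects one HTTP response of your own server for the PHP fingerprints discussed here and in the notes below: the X-Powered-By header and the PHP token in the Server header (both governed by expose_php and ServerTokens), the default PHPSESSID cookie name, and .php extensions in links. The sample headers and bodies are constructed, not captured from a real server.

```python
import re

# Constructed sample responses (not captured from any real server).
# BEFORE: a default Apache/PHP install with expose_php=On and ServerTokens Full.
HEADERS_BEFORE = {
    "Server": "Apache/2.2.3 (CentOS) PHP/5.1.6",
    "X-Powered-By": "PHP/5.1.6",
    "Set-Cookie": "PHPSESSID=0123456789abcdef; path=/",
}
BODY_BEFORE = '<a href="/forums/post.php?forumid=15">Post</a>'

# AFTER: expose_php=Off, ServerTokens Prod, session.name renamed, .php dropped.
HEADERS_AFTER = {
    "Server": "Apache",
    "Set-Cookie": "id=0123456789abcdef; path=/",
}
BODY_AFTER = '<a href="/forums/post?forumid=15">Post</a>'


def php_fingerprints(headers, body):
    """Return (signal, evidence) pairs that reveal PHP in one HTTP response.
    headers: dict of header name -> value (matched case-insensitively); body: text.
    """
    h = {name.lower(): value for name, value in headers.items()}
    found = []
    # expose_php=On adds an X-Powered-By: PHP/x.y.z header ...
    if "php" in h.get("x-powered-by", "").lower():
        found.append(("X-Powered-By header", h["x-powered-by"]))
    # ... and appends a PHP/x.y.z token to Apache's Server header unless
    # ServerTokens is Prod (or expose_php is Off).
    if re.search(r"\bPHP/", h.get("server", "")):
        found.append(("PHP token in Server header", h["server"]))
    # The default session.name is PHPSESSID; any other name hides the engine.
    if re.search(r"(^|;\s*)PHPSESSID=", h.get("set-cookie", "")):
        found.append(("PHPSESSID session cookie", h["set-cookie"]))
    # Links ending in .php give the extension away even when headers are clean.
    for match in re.finditer(r'href="([^"]*\.php(?:[?#][^"]*)?)"', body):
        found.append((".php extension in link", match.group(1)))
    return found


def is_hidden(headers, body):
    """True when none of the fingerprints above appear in the response."""
    return not php_fingerprints(headers, body)


if __name__ == "__main__":
    print("before:", php_fingerprints(HEADERS_BEFORE, BODY_BEFORE))
    print("after:", php_fingerprints(HEADERS_AFTER, BODY_AFTER))
```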



User Contributed Notes: Hiding PHP
Ryan 30-Oct-2011 12:22
Another way to hide php is by removing the extension completely, like so:

Options +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+)$ /$1.php [L,QSA]

Hope this helps!
CD001 21-Jul-2010 03:03
It's a good idea to "hide" PHP anyway so you can write a RESTful web application.

Using Apache Mod Rewrite:

RewriteEngine On
RewriteRule ^control/([^/]+)/(.*)$ sitecontroller.php?control=$1&query=$2

You then use a function like the following as a way to retrieve data (in a zero indexed fashion) from the $_GET superglobal.

<?php
function myGET() {
    $aGet = array();

    if (isset($_GET['query'])) {
        $aGet = explode('/', $_GET['query']);
    }

    return $aGet;
}
?>

This is only a really basic example of course - you can do a lot with Mod Rewrite and a custom 'GET' function.
altan at javam dot org 18-Nov-2009 02:42
You can use this trick for non-direct used PHP files, eg. setting, class, ajax-related ones.

For abcde.php:

<?php
if ('abcde.php' == basename($_SERVER['SCRIPT_FILENAME'])) die ('What?');
?>
sandaimespaceman at gmail dot com 26-Oct-2008 10:51
Set INI directive "expose_php" to "off" will also help.
You can spoof your PHP to ASP.NET by using:
<?php
error_reporting(0);
header("X-Powered-By: ASP.NET");
?>
Pyornide 10-Oct-2008 11:57
The idea of hiding the X-Powered-By in PHP is a flawed attempt at establishing security. As the manual indicates, obscurity is not security. If I were exploiting a site, I wouldn't check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use [x] language isn't going to prevent me from bypassing poor security.
Raz 23-Sep-2007 09:07
Some servers may not allow you to put this line (i.e. this does not work):

AddType application/x-httpd-php .asp .py .pl
or
DefaultType application/x-httpd-php

so the alternative method, which is really a good one, is:

1- In your .htaccess file write:

RewriteEngine  on
RewriteBase  /dire/ or just /
RewriteRule  securename   yourfile\.php  [T=application/x-httpd-php]

example: all url like
www.example.com/securename  parsed as
www.example.com/yourfile.php

2- but here $_GET does not work, though $_POST does, so for dynamic pages like
www.example.com/yourfile.php?page=1 you use
www.example.com/securename?page=1

now: instead of using $_GET use
<?php
$uri         = $_SERVER['REQUEST_URI'];
$page        = strstr($uri, '=');
$page        = substr($page, 1);
$valid_pages = array('1', '2', '...');
$page        = in_array($page, $valid_pages) ? $page : '1';
//....
?>

and for bad URLs you can add this code to the .htaccess file,
of course below the first code in .htaccess
#--
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ http://www.example.com/securename [L]
prrogers at gmail dot com 13-Sep-2007 02:50
The default session identifier-name PHPSESSID is publicly visible in an HTTP cookie and or URL if sessions are used. It can be changed in the php.ini to something more generic to further obscure PHP.
rustamabd at google mail 26-Jan-2007 05:05
So far I haven't seen a working rewriter of /foo/bar into /foo/bar.php, so I created my own. It does work in the top-level directory AND in subdirectories, and it doesn't need the RewriteBase to be hardcoded.

.htaccess:

RewriteEngine on

# Rewrite /foo/bar to /foo/bar.php
RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]

# Return 404 if original request is /foo/bar.php
RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
RewriteRule .* - [L,R=404]

# NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
# RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]
simon at carbontwelevedesign dot co dot uk 09-Aug-2006 11:31
I use the following in the .htaccess document

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

then the following simple code

<?php

$permalinks = explode("/", $_SERVER['REQUEST_URI']);

$varone = $permalinks[1];
$vartwo = $permalinks[2];

...

?>
marpetr at NOSPAM dot gmail dot com 10-Apr-2006 11:18
I think the best way to hide PHP on Apache and Apache itself is this:

httpd.conf
-------------
# ...
# Minimize 'Server' header information
ServerTokens Prod
# Disable server signature on server generated pages
ServerSignature Off
# ...
# Set default file type to PHP
DefaultType application/x-httpd-php
# ...

php.ini
------------
; ...
expose_php = Off
; ...

Now the URLs will look like this:
http://my.server.com/forums/post?forumid=15

Now a hacker knows only that you are using Apache.
eric at ericwing dot net 20-Jan-2006 02:20
Something that has not been mentioned here is also the PHPSESSION id that will be displayed in the URL when passing it from page to page using GET.  If users have cookies set to off, this will be visible. This can be reset before any session_start() call with ini_set(). Be aware however that this can't be changed in this way if you use auto session start.
user at pampelhuber dot invalid 17-Dec-2005 09:32
It is unnecessary to let every Pampelhuber inspect your 'php.ini' files.
Put the following into the .htaccess of your htdocuments' root:

#Obscure 'php.ini' files (where they exist)
RedirectMatch 404 .*php\.ini$
jtw90210 29-Jun-2005 07:19
In order to get the PATH_INFO to work in order to pass parameters using a hidden program/trailing slash/"pretty url" in more recent versions of PHP you MUST add "AcceptPathInfo On" to your httpd.conf.

AddType application/x-httpd-php .php .html
AcceptPathInfo On

Try it out with your phpinfo page and you'll be able to search for PATH_INFO.

http://example.com/myphpinfo.php/showmetheway

If you want to drop the .php use one or both of these:
DefaultType application/x-httpd-php
ForceType application/x-httpd-php
25-May-2005 07:06
You could also do this in .htaccess when you use Apache and your configuration allows you to override:

<Files test>
    ForceType application/x-httpd-php
</Files>

That way, you can use the URL test?pop=true without having to fake it by using test/index.php.

See the Apache manual for more info: http://httpd.apache.org/docs/mod/mod_mime#forcetype
benjamin at sonntag dot fr 24-May-2005 03:14
In response to the previous messages, for Apache there is an easier way to set files without "." to be executed by PHP; just put this in a ".htaccess" file:

DefaultType  application/x-httpd-php
dimitar at bastun dot net 17-Jan-2005 02:13
In case there is an Internal Server error (error 500) using the old code below in an .htaccess file, you can replace it with the code modification that should solve the problem.

Old code
-----------

<Files ~ "^[^\.]+$">
       ForceType application/x-httpd-php
</Files>

Replacement of the code above(code modification)
------------------------------------------------------------

AddHandler server-parsed .php
<Files ~ "^[^\.]+$">
SetHandler application/x-httpd-php
</Files>

Regards,
Dimitar Tanev
Nikolai-Zujev-(at)-Gmail-dot-Com 22-Sep-2004 06:22
Assign files w/o extension to php interpreter
without using ReWrite module

[clip httpd.conf]

<Files ~ "^[^\.]+$">
        ForceType application/x-httpd-php
</Files>

[/clip]
php at vfmedia dot de 15-Jun-2004 12:21
I've found an easy way to hide PHP code while the URI stays searchable by Google and others... (only for Unix or Linux)

First I have some rules in my hide.conf (I made an extra .conf for it (Apache 2.0))

For example when I want to mask the index.php

<Files index>
    ForceType application/x-httpd-php
</Files>

My problem is, that my code should be readable...

so I made an extra folder for example srv/www/htdocs/static_output

My phpcode is in the includefolder....(for ex. mnt/source/index.php)

Then I made a link in the shell  > ln mnt/source/index.php srv/www/htdocs/static_output/index

So the code is readable (with .php extension) in my include folder and there is only the link in the srv folder without extension (which is called by the browser...).
12-May-2004 02:20
Keep in mind, if you're really freaked out over hiding PHP, GD will expose you.

Go ahead - make an image with GD and open with a text editor.. Somewhere in there you'll see a comment with gd & php all over it.
php at user dot net 10-Apr-2004 12:36
What about this in a .htaccess file :

RewriteEngine on
RewriteRule    ^$    /index.php    [L]
RewriteRule    ^([a-zA-Z0-9\-\_/]*)/$    /$1/index.php    [L]
RewriteRule    ^([a-zA-Z0-9\-\_/]*)\.(html|htm)$    /$1.php    [L]
RewriteRule    ^([a-zA-Z0-9\-\_/]*)$    /$1.php    [L]

Typing "sub.domain.foo/anything" loads "/anything/index.php" if 'anything' is a directory, else it loads "/anything.php".

I'm sure you can find much better, but it works great on my site :)
mmj 13-Mar-2004 10:58
You can see if somebody's using PHP just by adding the following to the end of the URL:
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
If the page is using PHP, this will show the PHP credits.

Setting expose_php to Off in php.ini prevents this.
ldemailly at qualysNOSPAM dot com 27-Oct-2003 01:17
Adding MultiViews to your Apache Options config lets you hide/omit .php in the URL without any rewriting, etc...
l0rdphi1 at liquefyr dot com 20-Jul-2003 10:02
More fun includes files without file extensions.

Simply add that ForceType application/x-httpd-php bit to an Apache .htaccess and you're set.

Oh yea, it gets even better when you play with stuff like the following:

<?php
substr($_SERVER['PATH_INFO'], 1);
?>

e.g. www.example.com/somepage/55

And:

<?php
$param = array();
foreach (explode('/', $_SERVER['PATH_INFO']) as $pair) {
    if ($pair === '' || strpos($pair, '=') === false) {
        continue; // skip the leading empty segment and segments without '='
    }
    list($key, $value) = explode('=', $pair, 2); // split() was removed in PHP 7
    $param[$key] = stripslashes($value);
}
?>

e.g. www.example.com/somepage/param1=value1/param2=value2/etc=etc

Enjoy =)
Bryce Nesbitt at Obviously.COM 27-Mar-2003 01:24
Using the .php extension for all your scripts is not necessary, and in fact can be harmful (by exposing too much information about your server, and by limiting what you can do in the future without breaking links). There are several ways to hide your .php script extension:

(1) Don't hard code file types at all.  Don't specify any dots, and most web servers will automatically find your .php, .html, .pdf, .gif or other matching file. This is called canonical URL format:
    www.xxxxxx.com/page
    www.xxxxxx.com/directory/
This gives you great flexibility to change your mind in the future, and prevents Windows browsers from making improper assumptions about the file type.

(2) In an Apache .htaccess file use:
    RewriteEngine on
    RewriteRule page.html page.php

(3) Force the webserver to interpret ALL .html files as .php:
    AddType application/x-httpd-php .php3 .php .html
bminton at efn dot org 27-Feb-2003 05:05
Another technique is to have every file be named index.php and be in its own directory.  Then instead of using for instance http://example.com/foo.php you could use http://example.com/foo/ where foo is a directory with a file called index.php in it.
29-Jan-2003 03:53
PS. If you want to use pretty URLs (i.e. hide your .php extensions) AND you have safe-mode=on, the previous example (ForceType) won't work for you.  The problem is that safe-mode forces Apache to honor trailing characters in a requested URL.  This means that:

http://www.example.com/home

would still be processed by the home script in our doc root, but for:

http://www.example.com/home/contact_us.html

apache would actually look for the /home/contact_us.html file in our doc root.

The best solution I've found is to set up a virtual host (which I do for everything, even the default doc root) and override the trailing characters handling within the virtual host.  So, for a virtual host listening on port 8080, the apache directives would look like this:

<VirtualHost *:8080>
    DocumentRoot /web/doc_root
    Alias /home "/web/doc_root/home.php"
    AcceptPathInfo On
</VirtualHost>

Some people might question why we are overriding the trailing characters handling (with the AcceptPathInfo directive) instead of just turning safe-mode=off.  The reason is that safe mode sets global limitations on the entire server, which can then be turned on or left off for each specific virtual host.  This is the equivalent of blocking all connections on a firewall, and then opening up only the ones you want, which is a lot safer than leaving everything open globally, and assuming your programmers will never overlook a possible security hole.
Azureash 27-Jan-2003 09:34
Another way to hide your .php extensions is to use the Apache ForceType directive (which is often referred to as pretty URLs.)  Basically you force Apache to parse a file as PHP that matches the trailing directory name in your URL.

For example, place this directive in your Apache httpd.conf file:
<Location /home>
     ForceType application/x-httpd-php
</Location>

and create a php file named "home" in your doc root.  This file should not have a .php extension, and can be a php template file.  Combined with a function to strip out URL parameters, this can create a new templating system, which can effectively hide your file extensions.

In this example,
http://www.example.com/home/bar.html

would actually use the home script we created, and then the "bar.html" could be used to specify content to include.
Kevin Vincent 22-Jan-2003 10:43
Just a thought but if you have changed the extensions that php interprets I would assume you've also changed header.php and footer.php files to the new extension.

EG:

index.php, somefile.php, header.php, footer.php...

Change the Apache directive so PHP interprets .kev files and rename your files:

index.kev, somefile.kev, header.kev, footer.kev

If you leave header and footer as PHP files then it won't understand how to interpret them.
sth at panix dot com 04-Aug-2002 06:45
The flipside to this is, if you're running a version of PHP/Apache which is not known to have exploitable bugs (usually the latest stable version at the time), and an attacker sees this, they may give up before even trying. If they don't, they may continue to attempt their exploit(s).

It really depends on the type of attacker. The educated, security advisory reading attacker vs. script kiddie on the street.

If you're keeping up on patches, version exposition should not be a problem for you.
m1tk4 at hotmail dot com 22-Jul-2002 11:53
I usually do:

RewriteEngine on
RewriteOptions inherit
RewriteRule (.*)\.htm[l]?(.*) $1.php$2 [nocase]

in .htaccess. You'll need mod_rewrite installed for this .
yasuo_ohgaki at yahoo dot com 25-Jan-2002 08:59
To hide PHP, you need the following php.ini settings

expose_php=Off
display_errors=Off

and in httpd.conf

ServerSignature Off
(min works, but I prefer off)
istvan dot takacsNOSPAM at hungax dot com 30-Dec-2001 02:42
And use the
ServerTokens min
directive in your httpd.conf to hide installed PHP modules in apache.
