Thursday, October 13, 2011

Obfuscating PHP

Obfuscation is not the most effective security measure, and most of the time it doesn’t help, as a professional hacker will already know these modifications and can easily make out what you are trying to hide. But obfuscation will slow down an attacker and keep away some script kiddies. It is better to obfuscate than to tell the attacker what he wants to know.

As an example: a server may run a vulnerable version of PHP for which a public exploit has been released on some underground markets. Most of the time a simple automated exploit is released to help the “point-click hackers” (script kiddies). All they have to find out is which version of PHP you are using and, if it is vulnerable, point the exploit, launch it and own your system. In these cases obfuscating can really help you a lot.

With PHP obfuscation you can hide PHP, which means you can stop or slow down a hacker attacking your machine.


In this tutorial, we’ll be looking at some of the most popular methods used by site administrators to hide PHP, so let’s get started.

Editing php.ini file



By default, PHP exposes the fact that it is installed on a server by adding its signature to the web server’s headers, which can really be lethal in some cases.

To turn this off, go to your PHP installation directory; under “conf_files” you will find your standard PHP configuration file, named “php.ini”.

In this file, go to the “Miscellaneous” section and set expose_php to Off.

Spoofing



By adding a simple line of code you can fool an attacker about which service you are using.

Spoof.php


Code:

<?php
error_reporting(0);
header("X-Powered-By: My Programming Language");
?>
Note: The header call should be made before you send any data to the client.

Using Some Basic Apache Rules



Most web servers, such as Apache, can be configured with some basic rules that allow different file types to be parsed as PHP.

E.g.:

A file like index.php gives the attacker a straight clue that the server is using PHP. But if we use some basic server configuration to allow an extension like “.mpl” to be parsed as PHP code, the attacker will have no clue from the file extension.

For the scope of this tutorial I’ll only be covering some Apache rules/configurations, but if you need help with some other servers, feel free to comment or PM me.

The configuration can be added either in a .htaccess file or directly in the Apache configuration file. Just add the following set of rules.

Syntax :-
Code:

AddType application/x-httpd-php .extension
Example :-
Code:

AddType application/x-httpd-php .mpl .mp3 .py .asp
Note: Only use extensions that are not normally used by the server. For example, don’t use the .txt extension, as the server will interpret .txt files as PHP code and, if one contains some PHP, it will be executed.
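
A check for whether the changes above took effect, as an added example that is not part of the original post: it scans a raw response head for the signals this tutorial hides (X-Powered-By, the Server token, the .php extension) and goes one step beyond the tutorial by also flagging PHP's default session cookie name. The function names and both sample responses are constructed for illustration.

```python
import re

# Constructed sample response heads (not captured from any real server).
BEFORE = ("HTTP/1.1 302 Found\r\n"
          "Server: Apache/2.2.0 (Unix) PHP/5.0.0\r\n"
          "X-Powered-By: PHP/5.0.0\r\n"
          "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
          "Location: /login.php\r\n\r\n")
# Same server after expose_php = Off, the Spoof.php header and the .mpl mapping.
AFTER = ("HTTP/1.1 302 Found\r\n"
         "Server: Apache\r\n"
         "X-Powered-By: My Programming Language\r\n"
         "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
         "Location: /login.mpl\r\n\r\n")

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw response head."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # [1:] skips the status line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def php_leaks(raw):
    """List the response headers that still tell a client the site runs PHP."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "x-powered-by" and "php" in value.lower():
            findings.append("X-Powered-By reveals PHP (expose_php is On)")
        elif name == "server" and re.search(r"\bPHP/", value, re.I):
            findings.append("Server header carries a PHP token")
        elif name == "set-cookie" and value.split("=", 1)[0].strip().upper() == "PHPSESSID":
            # PHPSESSID is the default session.name; it can be changed in php.ini.
            findings.append("session cookie uses the default name PHPSESSID")
        elif name == "location" and re.search(r"\.php\d?(\?|$)", value, re.I):
            findings.append("redirect target ends in .php")
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, php_leaks(raw))
```

On the "after" sample the only remaining finding is the session cookie name, which none of the three steps in this tutorial changes.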

