
Hiding PHP

In general, security through obscurity is considered of little value. In some situations, though, every additional bit of security is worth having.

A few simple techniques help hide PHP and so raise the effort an attacker must spend to find weak points in the system. Setting expose_php = off in php.ini reduces the useful information they can obtain (PHP then no longer advertises itself in an X-Powered-By response header).

Another tactic is to have the web server parse different file extensions as PHP. Whether through an .htaccess file or in Apache's configuration file, you can map extensions that mislead an attacker:

Example #1 Hiding PHP as another language

# Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl

Or hide it completely:

Example #2 Using unknown types for PHP extensions

# Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t

Or hide it as HTML, which means every HTML file is passed through the PHP engine and adds a little load to the server:

Example #3 Using HTML types for PHP extensions

# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html

For this to work, the PHP files must be renamed to use those extensions. This is security through obscurity: the protection it adds is weak and it has drawbacks. Two are worth spelling out. After Example #3 every .htm/.html file under the document root is executed as PHP code, so any directory where users can upload or edit HTML must be kept out of the mapping. And an AddType for application/x-httpd-php only takes effect where mod_php handles the request; with PHP-FPM the extension-to-interpreter mapping is made in the handler configuration for the FastCGI proxy instead.
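The page lists the settings that hide PHP but not how to verify, from the outside, what a client still sees. The script below is an added example (not code from the PHP manual) that parses two constructed HTTP responses, a default mod_php host and the same page after the settings above were applied, and reports each PHP-revealing indicator together with the countermeasure this page or its comments describe. The REMEDIATION mapping and the sample responses are assumptions made for the example; the header and error-output patterns are the ones PHP and mod_php actually emit.

```python
"""Offline check for the signals that tell a client "this is PHP".

Added example, not code from the PHP manual. The two responses at the bottom
are constructed samples; feed fingerprint_php() responses captured by your own
client to audit a real host.
"""
import re

# Indicator -> countermeasure named on this page (assumed mapping, for reporting only).
REMEDIATION = {
    "x-powered-by": "php.ini: expose_php = Off",
    "server-header": "httpd.conf: ServerTokens Prod and ServerSignature Off",
    "php-session-cookie": "call session_name('id') before session_start()",
    "php-url-extension": "AddType/ForceType or mod_rewrite so URLs carry no .php",
    "php-error-output": "php.ini: display_errors = Off (keep log_errors = On)",
    "gd-comment": "strip the CREATOR comment GD writes into generated JPEGs",
}

# display_errors output, with or without the <b> tags PHP adds when html_errors is on.
_ERROR_RE = re.compile(
    r"(?:Fatal error|Parse error|Warning|Notice|Deprecated)(?:</b>)?:"
    r".*? in (?:<b>)?\S+\.php(?:</b>)? on line"
)
# href/src/action attributes whose target ends in .php (before any ?query or #fragment).
_PHP_LINK_RE = re.compile(
    r"""(?:href|src|action)=["']?[^"'\s>]*\.php(?=[?#"'\s>]|$)""", re.I
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).

    Header names are lowercased; a plain text parser is enough for this audit.
    """
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def fingerprint_php(raw):
    """Return the sorted indicator names found in one response (empty if none)."""
    _, headers, body = parse_response(raw)
    found = set()
    for name, value in headers:
        low = value.lower()
        if name == "x-powered-by" and "php" in low:        # expose_php = On
            found.add("x-powered-by")
        elif name == "server" and "php/" in low:            # mod_php token, ServerTokens Full
            found.add("server-header")
        elif name == "set-cookie" and value.split("=", 1)[0].strip() == "PHPSESSID":
            found.add("php-session-cookie")                 # default session.name
    if _PHP_LINK_RE.search(body):
        found.add("php-url-extension")
    if _ERROR_RE.search(body):
        found.add("php-error-output")
    if "CREATOR: gd-jpeg" in body:                          # the GD marker comment #15 refers to
        found.add("gd-comment")
    return sorted(found)


def report(raw):
    """One line per indicator, with the countermeasure this page suggests."""
    return ["%s -> %s" % (ind, REMEDIATION[ind]) for ind in fingerprint_php(raw)]


# Constructed sample: a default mod_php host with display_errors on.
LEAKY_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Unix) PHP/7.4.3
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=kqjqper294faui343o98ts8k77; path=/
Content-Type: text/html; charset=UTF-8

<html><body>
<a href="/forums/post.php?id=15">post</a>
<br /><b>Warning</b>:  Undefined variable $x in <b>/var/www/html/post.php</b> on line <b>12</b><br />
</body></html>
"""

# Constructed sample: the same page after applying the settings from this page.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: id=kqjqper294faui343o98ts8k77; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8

<html><body><a href="/forums/post?id=15">post</a></body></html>
"""

if __name__ == "__main__":
    for line in report(LEAKY_RESPONSE) or ["no PHP indicators"]:
        print(line)
```

The check deliberately looks at the response only: the ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 credits probe mentioned in the comments is a request-side test and is covered by the same expose_php setting that removes the X-Powered-By header.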


25 user comments

[#1] ▲-2▼ omolewastephen@gmail.com [42%] (2018-01-04 22:03:53)

I used this on my site and it works great for me:

RewriteEngine on
# Rewrite /foo/bar to /foo/bar.php
RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]
# Return 404 if original request is /foo/bar.php
RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
RewriteRule .* - [L,R=404]
# NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
# RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]

[#2] ▲3▼ info@frinteractives.com [52%] (2015-07-02 10:42:02)

try this:

RewriteEngine On
# Unless directory, remove trailing slash
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)/$ http://example.com/folder/$1 [R=301,L]
# Redirect external .php requests to extensionless url
RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
RewriteRule ^(.+)\.php$ http://example.com/folder/$1 [R=301,L]
# Resolve .php file for extensionless php urls
RewriteRule ^([^/.]+)$ $1.php [L]

[#3] ▲17▼ anon@example.com [57%] (2013-12-23 22:48:25)

The session name defaults to PHPSESSID. This is used as the name of the session cookie that is sent to the user's web browser / client. (Example: PHPSESSID=kqjqper294faui343o98ts8k77). To hide this, call session_name() with the $name parameter set to a generic name, before calling session_start(). Example: session_name("id"); session_start(); Cheers.

[#4] ▲-11▼ ryan [45%] (2011-10-30 18:22:06)

Another way to hide php is by removing the extension completely, like so:

Options +FollowSymlinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+)$ /$1.php [L,QSA]

Hope this helps!

[#5] ▲8▼ cd001 [53%] (2010-07-21 09:03:16)

It's a good idea to "hide" PHP anyway so you can write a RESTful web application. Using Apache Mod Rewrite:

RewriteEngine On
RewriteRule ^control/([^/]+)/(.*)$ sitecontroller.php?control=$1&query=$2

You then use a function like the following as a way to retrieve data (in a zero indexed fashion) from the $_GET superglobal.

<?php
function myGET() {
    $aGet = array();
    if (isset($_GET['query'])) {
        // "a/b/c" from the rewrite above becomes array('a', 'b', 'c')
        $aGet = explode('/', $_GET['query']);
    }
    return $aGet;
}
?>

This is only a really basic example of course - you can do a lot with Mod Rewrite and a custom 'GET' function.

[#6] ▲3▼ sandaimespaceman@gmail.com [53%] (2008-10-26 16:51:37)

Setting the INI directive "expose_php" to "off" will also help. You can spoof your PHP as ASP.NET by using:

<?php
error_reporting(0);
header("X-Powered-By: ASP.NET");
?>

[#7] ▲3▼ pyornide [52%] (2008-10-10 17:57:23)

The idea of hiding the X-Powered-By in PHP is a flawed attempt at establishing security. As the manual indicates, obscurity is not security. If I were exploiting a site, I wouldn't check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use [x] language isn't going to prevent me from bypassing poor security.

[#8] ▲-18▼ raz [35%] (2007-09-24 03:07:31)

Some servers may not allow you to put this line (i.e. it does not work):

AddType application/x-httpd-php .asp .py .pl
or
DefaultType application/x-httpd-php

so the alternative method, which is really a good one, is:

1- In your .htaccess file write:

RewriteEngine on
RewriteBase /dire/  (or just /)
RewriteRule securename yourfile\.php [T=application/x-httpd-php]

example: all URLs like www.example.com/securename are parsed as www.example.com/yourfile.php

2- but here $_GET does not work, but $_POST works, so for dynamic pages like www.example.com/yourfile.php?page=1 you use www.example.com/securename?page=1. Now, instead of using $_GET use:

<?php
$uri         = $_SERVER['REQUEST_URI'];
$page        = strstr($uri, '=');
$page        = substr($page, 1);
$valid_pages = array('1', '2', '...');
$page        = in_array($page, $valid_pages) ? $page : '1';
//....
?>

and for bad URLs you can add this code to the .htaccess file, of course below the first code in .htaccess:

#--
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ http://www.example.com/securename [L]

[#9] ▲31▼ rustamabd@google mail [56%] (2007-01-26 12:05:35)

So far I haven't seen a working rewriter of /foo/bar into /foo/bar.php, so I created my own. It does work in the top-level directory AND subdirectories and it doesn't need hardcoding the RewriteBase.

.htaccess:

RewriteEngine on
# Rewrite /foo/bar to /foo/bar.php
RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]
# Return 404 if original request is /foo/bar.php
RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
RewriteRule .* - [L,R=404]
# NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
# RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]

[#10] ▲-1▼ simon@carbontwelevedesign.co.uk [49%] (2006-08-10 05:31:59)

I use the following in the .htaccess document:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

then the following simple code:

<?php
$permalinks = explode("/", $_SERVER['REQUEST_URI']);

$varone = $permalinks[1];
$vartwo = $permalinks[2];

...

?>

[#11] ▲6▼ marpetr@nospam.gmail.com [51%] (2006-04-11 05:18:00)

I think the best way to hide PHP on Apache, and Apache itself, is this:

httpd.conf
-------------
# ...
# Minimize 'Server' header information
ServerTokens Prod
# Disable server signature on server generated pages
ServerSignature Off
# ...
# Set default file type to PHP
DefaultType application/x-httpd-php
# ...

php.ini
------------
; ...
expose_php = Off
; ...

Now the URLs will look like this: http://my.server.com/forums/post?forumid=15

Now the hacker knows only that you are using Apache.

[#12] ▲-4▼ jtw90210 [45%] (2005-06-30 01:19:00)

In order to get PATH_INFO to work, in order to pass parameters using a hidden program/trailing slash/"pretty url", in more recent versions of PHP you MUST add "AcceptPathInfo On" to your httpd.conf:

AddType application/x-httpd-php .php .html
AcceptPathInfo On

Try it out with your phpinfo page and you'll be able to search for PATH_INFO: http://example.com/myphpinfo.php/showmetheway

If you want to drop the .php use one or both of these:

DefaultType application/x-httpd-php
ForceType application/x-httpd-php

[#13] ▲1▼ benjamin@sonntag.fr [51%] (2005-05-24 09:14:30)

In response to the previous messages, for apache, there is an easier way to set files without "." to be executed by PHP, just put this in a ".htaccess" file:

DefaultType application/x-httpd-php

[#14] ▲-2▼ php@vfmedia.de [48%] (2004-06-15 06:21:22)

[#15] ▲6▼ (2004-05-12 08:20:43)

Keep in mind, if you're really freaked out over hiding PHP, GD will expose you. Go ahead - make an image with GD and open it with a text editor. Somewhere in there you'll see a comment with gd & php all over it.

[#16] ▲-1▼ php@user.net [49%] (2004-04-10 18:36:47)

What about this in a .htaccess file:

RewriteEngine on
RewriteRule ^$ /index.php [L]
RewriteRule ^([a-zA-Z0-9\-\_/]*)/$ /$1/index.php [L]
RewriteRule ^([a-zA-Z0-9\-\_/]*)\.(html|htm)$ /$1.php [L]
RewriteRule ^([a-zA-Z0-9\-\_/]*)$ /$1.php [L]

Typing "sub.domain.foo/anything" loads "/anything/index.php" if 'anything' is a directory, else it loads "/anything.php". I'm sure you can find much better, but it works great on my site :)

[#17] ▲8▼ mmj [53%] (2004-03-14 05:58:22)

You can see if somebody's using PHP just by adding the following to the end of the URL: ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 If the page is using PHP, this will show the PHP credits. Setting expose_php to Off in php.ini prevents this.

[#18] ▲5▼ ldemailly@qualysnospam.com [55%] (2003-10-27 20:17:33)

adding MultiViews to your apache Options config lets you hide/omit .php in the url without any rewriting, etc...

[#19] ▲3▼ l0rdphi1@liquefyr.com [52%] (2003-07-21 04:02:37)

More fun includes files without file extensions. Simply add that ForceType application/x-httpd-php bit to an Apache .htaccess and you're set. Oh yeah, it gets even better when you play with stuff like the following:

<?php
// PATH_INFO is everything after the script name, e.g. "/55"; drop the leading slash
$id = substr($_SERVER['PATH_INFO'], 1);
?>

e.g. www.example.com/somepage/55

And:

<?php
$param = array();
foreach (explode('/', ltrim($_SERVER['PATH_INFO'], '/')) as $pair) {
    // split() was removed in PHP 7; explode() with a limit of 2 does the same job.
    // array_pad() keeps list() from failing on a segment that has no '='.
    list($key, $value) = array_pad(explode('=', $pair, 2), 2, '');
    $param[$key] = stripslashes($value);
}
?>

e.g. www.example.com/somepage/param1=value1/param2=value2/etc=etc

Enjoy =)

[#20] ▲-5▼ bryce nesbitt@obviously.com [42%] (2003-03-27 08:24:53)

Using the .php extension for all your scripts is not necessary, and in fact can be harmful (by exposing too much information about your server, and by limiting what you can do in the future without breaking links). There are several ways to hide your .php script extension:

(1) Don't hard code file types at all. Don't specify any dots, and most web servers will automatically find your .php, .html, .pdf, .gif or other matching file. This is called canonical URL format:
www.xxxxxx.com/page
www.xxxxxx.com/directory/
This gives you great flexibility to change your mind in the future, and prevents Windows browsers from making improper assumptions about the file type.

(2) In an Apache .htaccess file use:
RewriteEngine on
RewriteRule page.html page.php

(3) Force the webserver to interpret ALL .html files as .php:
AddType application/x-httpd-php .php3 .php .html

[#21] ▲3▼ (2003-01-29 10:53:50)

PS. If you want to use pretty URLs (i.e. hide your .php extensions) AND you have safe-mode=on, the previous example (ForceType) won't work for you. The problem is that safe-mode forces Apache to honor trailing characters in a requested URL. This means that:

http://www.example.com/home

would still be processed by the home script in our doc root, but for:

http://www.example.com/home/contact_us.html

apache would actually look for the /home/contact_us.html file in our doc root. The best solution I've found is to set up a virtual host (which I do for everything, even the default doc root) and override the trailing characters handling within the virtual host. So, for a virtual host listening on port 8080, the apache directives would look like this:

<VirtualHost *:8080>
DocumentRoot /web/doc_root
Alias /home "/web/doc_root/home.php"
AcceptPathInfo On
</VirtualHost>

Some people might question why we are overriding the trailing characters handling (with the AcceptPathInfo directive) instead of just turning safe-mode=off. The reason is that safe mode sets global limitations on the entire server, which can then be turned on or left off for each specific virtual host. This is the equivalent of blocking all connections on a firewall, and then opening up only the ones you want, which is a lot safer than leaving everything open globally, and assuming your programmers will never overlook a possible security hole.

[#22] ▲-6▼ sth@panix.com [41%] (2002-08-04 12:45:19)

The flipside to this is, if you're running a version of PHP/Apache which is not known to have exploitable bugs (usually the latest stable version at the time), and an attacker sees this, they may give up before even trying. If they don't, they may continue to attempt their exploit(s). It really depends on the type of attacker. The educated, security advisory reading attacker vs. script kiddie on the street. If you're keeping up on patches, version exposition should not be a problem for you.

[#23] ▲2▼ m1tk4@hotmail.com [51%] (2002-07-22 17:53:14)

I usually do:

RewriteEngine on
RewriteOptions inherit
RewriteRule (.*)\.htm[l]?(.*) $1.php$2 [nocase]

in .htaccess. You'll need mod_rewrite installed for this.

[#24] ▲5▼ yasuo_ohgaki@yahoo.com [55%] (2002-01-26 03:59:28)

To hide PHP, you need the following php.ini settings:

expose_php=Off
display_errors=Off

and in httpd.conf:

ServerSignature Off

(min works, but I prefer off)

[#25] ▲1▼ istvan.takacsnospam@hungax.com [51%] (2001-12-30 09:42:10)

And use the ServerTokens min directive in your httpd.conf to hide installed PHP modules in apache.
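Comments #11, #24 and #25 above each name part of the same configuration: expose_php and display_errors in php.ini, ServerTokens and ServerSignature in httpd.conf, plus the AddType mapping from the page body. The script below is an added example (not code from the PHP manual or the Apache project) that reads both files offline and reports which of those settings still leak PHP. It parses according to the documented file rules (php.ini ignores text after an unquoted ';', httpd.conf treats only lines beginning with '#' as comments, names are case-insensitive, later definitions win); the defaults assumed for absent directives and the two sample configurations are constructed for the example.

```python
"""Offline audit of the php.ini and httpd.conf settings recommended on this page.

Added example, not code from the PHP manual or the Apache project. Defaults
assumed for absent directives: expose_php On, display_errors On (as in
php.ini-development), ServerTokens Full, ServerSignature Off.
"""

# php.ini boolean semantics: these spellings are false, anything else is true.
_INI_FALSE = {"", "0", "off", "false", "no", "none"}


def parse_php_ini(text):
    """Return {key: value} with lowercased keys; the last definition wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # ';' starts a comment
        if not line or line.startswith("["):        # blank line or [section]
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value):
    """Interpret a php.ini value the way PHP does for On/Off directives."""
    return value.strip().lower() not in _INI_FALSE


def parse_httpd_conf(text):
    """Return [(directive, [args])] in file order; container tags are skipped."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(php_ini_text, httpd_conf_text):
    """Return {finding: explanation}; an empty dict means the page's advice is in place."""
    findings = {}
    ini = parse_php_ini(php_ini_text)
    if ini_bool(ini.get("expose_php", "On")):
        findings["expose_php"] = "X-Powered-By header and the PHP credits page are served"
    if ini_bool(ini.get("display_errors", "On")):
        findings["display_errors"] = "error output reveals .php file paths"

    tokens, signature, php_exts = "full", "off", set()
    for name, args in parse_httpd_conf(httpd_conf_text):
        if name == "servertokens" and args:
            tokens = args[0].lower()
        elif name == "serversignature" and args:
            signature = args[0].lower()
        elif name == "addtype" and len(args) > 1 and args[0].lower() == "application/x-httpd-php":
            php_exts.update(ext.lower() for ext in args[1:])
    if tokens == "full":                            # only Full lists modules such as PHP/x.y.z
        findings["servertokens_full"] = "Server header lists loaded modules, e.g. PHP/x.y.z"
    elif tokens not in ("prod", "productonly"):
        findings["servertokens_version"] = "Server header still carries the Apache version (comment #11 uses Prod)"
    if signature != "off":
        findings["serversignature"] = "server-generated pages append a signature line"
    if ".php" in php_exts:
        findings["addtype_php"] = "scripts are still served under the .php extension"
    return findings


# Constructed sample: php.ini-development style values and a verbose Apache.
WEAK_PHP_INI = """
[PHP]
; Development defaults
expose_php = On
display_errors = On
"""
WEAK_HTTPD_CONF = """
ServerTokens Full
ServerSignature On
AddType application/x-httpd-php .php
"""

# Constructed sample: the settings comments #11 and #24 recommend, plus Example #3's mapping.
HARDENED_PHP_INI = """
[PHP]
expose_php = Off       ; no X-Powered-By header
display_errors = Off   ; errors go to the log, not the client
log_errors = On
"""
HARDENED_HTTPD_CONF = """
# Minimize 'Server' header information
ServerTokens Prod
# Disable server signature on server generated pages
ServerSignature Off
AddType application/x-httpd-php .htm .html
"""

if __name__ == "__main__":
    for label, ini, conf in (("weak", WEAK_PHP_INI, WEAK_HTTPD_CONF),
                             ("hardened", HARDENED_PHP_INI, HARDENED_HTTPD_CONF)):
        print(label, audit(ini, conf) or "OK")
```

ServerTokens Min (comment #25) is accepted as hiding the module list, since only Full appends module tokens to the Server header, but it is still reported as leaving the Apache version visible, which is why comment #11 goes one step further with Prod.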