Sunday, 22 February 2015 22:23

PHP Easter Eggs - Worked Example


The following is the research I did to show which Easter eggs PHP had that could be accessed, and then how to prevent them from being accessed by using .htaccess.


Using htaccess to deny access to PHP Easter Eggs

This is a worked example of rewrite rules, with special focus on what happens when the = or ? of a query appears in a URL. mod_rewrite's %{REQUEST_URI} holds only the path and %{QUERY_STRING} only what follows the first ?, so a URL such as /turnip.php=PHPE... has no query string at all and the =PHPE... part can only be matched in the path. Two caveats before relying on rewrite rules for this: PHP only serves an Easter egg when expose_php is On in php.ini and the whole query string is exactly =PHPE9568F36-D428-11d2-A769-00AA001ACF42 (or one of the other logo/credits GUIDs), so setting expose_php = Off is the primary fix and the rules below are a second layer for hosts where php.ini cannot be changed; and the Easter eggs were removed entirely in PHP 5.5, so the rules only matter on older versions.

Below are some example URLs to test the htaccess file with. Pay special attention to the = and ?: some of these URLs will not be recognised as having a query string.

In front of each line of htaccess code below is a marker listing the numbers of the example URLs for which that condition successfully triggered the rewrite (#none# where no URL did). Note that several of the REQUEST_URI lines have [NC] written directly against the pattern with no separating space. Apache splits directive arguments on whitespace, so in those lines [NC] is not the case-insensitive flag at all but part of the regex, a character class matching N or C; that is why they behave differently from the otherwise similar lines that do have a space before [NC].

URL Examples:

1 - http://localhost/turnip.php?tool=PHPE9568F36-D428-11d2-A769-00AA001ACF42  (the form common exploit attempts hit first)
2 - http://localhost/turnip.php=PHPE9568F36-D428-11d2-A769-00AA001ACF42       (this has no query string)
3 - http://localhost/turnip.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
4 - http://localhost/=PHPE9568F36-D428-11d2-A769-00AA001ACF42
5 - http://localhost/tmp/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

htaccess code

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information

These success codes were observed on XAMPP only.

#135#  RewriteCond %{QUERY_STRING} ^(.)*PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)* [NC]
#135#  RewriteCond %{QUERY_STRING} .*PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#135#  RewriteCond %{QUERY_STRING} .*=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#135#  RewriteCond %{QUERY_STRING} (?=PHP).* 		[NC]	"# PHP Version Probing"
#135#  RewriteCond %{QUERY_STRING} .*(?=PHP).* [NC]
#35#   RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#35#   RewriteCond %{QUERY_STRING} (&|^){1,1}=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#2#    RewriteCond %{QUERY_STRING} ^(.)+PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)+ [NC]
#none# RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#none# RewriteCond %{QUERY_STRING} ^(.*)\?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]

#24#   RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} .*(?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} ^(?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (.*)(?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (^(.*)?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (.*)(=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (^(.*)=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (PHP).*[NC]
#none# RewriteCond %{REQUEST_URI} ^(=PHP).*[NC]
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} (?=PHP).* 	[NC]	
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} ^.*(?=PHP).*[NC]

#RewriteRule ^(.*)$ extra/joomla-fingerprinting.php [L]
#RewriteRule ^(.*)$ extra/joomla-fingerprinting.html [L]

These success codes were observed on my web server, which has extra security hardening including Suhosin.

#  RewriteCond %{QUERY_STRING} ^(.)*PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)* [NC]
#  RewriteCond %{QUERY_STRING} .*PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#  RewriteCond %{QUERY_STRING} .*=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#  RewriteCond %{QUERY_STRING} (?=PHP).* 		[NC]	"# PHP Version Probing"
#  RewriteCond %{QUERY_STRING} .*(?=PHP).* [NC]
#none#  RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#none#  RewriteCond %{QUERY_STRING} (&|^){1,1}=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#  RewriteCond %{QUERY_STRING} ^(.)+PHPE9568F36-D428-11d2-A769-00AA001ACF42(.)+ [NC]
#  RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]
#  RewriteCond %{QUERY_STRING} ^(.*)\?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]

#24#   RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} .*(?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} ^(?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (.*)(?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (^(.*)?=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (.*)(=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (^(.*)=PHP).*[NC]
#24#   RewriteCond %{REQUEST_URI} (PHP).*[NC]
#none# RewriteCond %{REQUEST_URI} ^(=PHP).*[NC]
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} (?=PHP).* 	[NC]	
#Rewrite rule forced on# RewriteCond %{REQUEST_URI} ^.*(?=PHP).*[NC]

#RewriteRule ^(.*)$ extra/joomla-fingerprinting.php [L]
#RewriteRule ^(.*)$ extra/joomla-fingerprinting.html [L]

Selected code for PHP Easter Egg Protection

These rules work on my XAMPP:

Database Version: 5.1.33-community 
Database Collation: utf8_general_ci 
PHP Version: 5.2.9 
Web Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 
Web Server to PHP interface: apache2handler 

The rules:

# Also PHP Version Probing
RewriteCond %{QUERY_STRING} (?=PHP).*	[NC]
RewriteCond %{REQUEST_URI} .*(=PHP).*	[NC]
RewriteRule ^(.*)$ extra/joomla-fingerprinting.php [L]

Two points to check before copying this. Apache does not support a comment after a directive on the same line, so the "# Also PHP Version Probing" note belongs on its own line as shown. More importantly, consecutive RewriteCond lines are ANDed unless a line carries the [OR] flag, so as written the RewriteRule only fires when both the query string and the path contain the pattern; a request like example 3 (pattern only in the query string) or example 2 (pattern only in the path) satisfies one condition but not the other. To block either form, give the first condition [NC,OR]. Also note that (?=PHP).* with [NC] matches any query string containing "php" anywhere, for example ?lang=php, so the narrower ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 pattern tried above is the safer choice for the query-string condition.

The following occurs on my live server with those rules:

Database Version: 5.1.50 
Database Collation: utf8_general_ci 
PHP Version: 5.3.2 
Web Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

Results for the five example URLs:

1. 404
2. 403
3. shows elephant
4. 403
5. shows elephant
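To make the behaviour behind the result markers and the selected rules reproducible offline, here is an added Python simulation (example code written for this page, not part of the original article or of Apache). It splits each of the five example URLs into REQUEST_URI and QUERY_STRING the way mod_rewrite exposes them, parses the page's RewriteCond lines, treats a [NC] written directly against the pattern as part of the regex (as Apache does, since arguments are whitespace-separated), and applies the AND/[OR] chaining. The names EXAMPLE_URLS, split_request, parse_cond, conditions_pass and matching_urls are the example's own, and the SELECTED_WITH_OR variant is an assumed correction to the selected rules rather than something the page gives. It uses Python's re module rather than PCRE; the patterns involved behave the same in both.

```python
"""Offline simulation of how mod_rewrite evaluates this page's RewriteCond
lines against the five example URLs (example code for this page, not Apache's).
Uses Python's re module; the patterns involved behave the same under PCRE.
"""
import re
from urllib.parse import urlsplit

# Constructed inputs: the same five request forms as the article's examples.
EXAMPLE_URLS = [
    "http://localhost/turnip.php?tool=PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "http://localhost/turnip.php=PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "http://localhost/turnip.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "http://localhost/=PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "http://localhost/tmp/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42",
]

# Directive arguments are whitespace-separated, so the pattern is \S+ and a
# '[NC]' glued to it stays inside the pattern instead of becoming a flag.
COND_RE = re.compile(
    r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([A-Za-z,]+)\])?\s*$")


def split_request(url):
    """REQUEST_URI is the path only; QUERY_STRING is what follows the first '?'.
    Example URLs 2 and 4 therefore have an empty QUERY_STRING."""
    parts = urlsplit(url)
    return parts.path, parts.query


def parse_cond(line):
    """Return (variable name, compiled regex, set of flags) for one RewriteCond."""
    m = COND_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported RewriteCond syntax: %r" % line)
    var, pattern, flag_text = m.group(1), m.group(2), m.group(3) or ""
    flags = {f.upper() for f in flag_text.split(",") if f}
    regex = re.compile(pattern, re.IGNORECASE if "NC" in flags else 0)
    return var, regex, flags


def conditions_pass(cond_lines, request_uri, query_string):
    """Evaluate a RewriteCond chain as mod_rewrite does: conditions are ANDed,
    except that a condition carrying [OR] is ORed with the one that follows."""
    env = {"REQUEST_URI": request_uri, "QUERY_STRING": query_string}
    groups, current = [], []
    for line in cond_lines:
        var, regex, flags = parse_cond(line)
        current.append((var, regex))
        if "OR" not in flags:       # no [OR]: this closes an AND-ed group
            groups.append(current)
            current = []
    if current:                     # trailing [OR] with nothing after it
        groups.append(current)
    return all(any(rx.search(env[var]) for var, rx in grp) for grp in groups)


def matching_urls(cond_lines, urls=EXAMPLE_URLS):
    """1-based numbers of the URLs whose request reaches the RewriteRule,
    i.e. the same numbers the article records in its #135#-style markers."""
    return [i for i, url in enumerate(urls, 1)
            if conditions_pass(cond_lines, *split_request(url))]


# The page's selected pair exactly as written: no [OR], so both must match.
SELECTED_AS_WRITTEN = [
    "RewriteCond %{QUERY_STRING} (?=PHP).* [NC]",
    "RewriteCond %{REQUEST_URI} .*(=PHP).* [NC]",
]
# Assumed correction (not from the page): [OR] so that either form is caught.
SELECTED_WITH_OR = [
    "RewriteCond %{QUERY_STRING} (?=PHP).* [NC,OR]",
    "RewriteCond %{REQUEST_URI} .*(=PHP).* [NC]",
]
# A REQUEST_URI line from the experiments with '[NC]' glued to the pattern:
# parsed as a character class, so it is case-sensitive and also needs an
# 'N' or 'C' somewhere after '=PHP' (the GUID's 'ACF42' supplies one).
GLUED_NC = ["RewriteCond %{REQUEST_URI} .*(=PHP).*[NC]"]
# The same idea with the flag separated: now case-insensitive, so the 'php'
# in 'turnip.php' matches as well and only the /tmp/ request escapes.
SEPARATED_NC = ["RewriteCond %{REQUEST_URI} (?=PHP).* [NC]"]
# The narrowest query rule on the page: anchored at the start of the query
# string PHP's Easter egg needs, so an ordinary ?lang=php parameter is unaffected.
EXACT_EGG = [
    "RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC]",
]

if __name__ == "__main__":
    for name, conds in [("selected, as written", SELECTED_AS_WRITTEN),
                        ("selected, with [OR]", SELECTED_WITH_OR),
                        ("glued [NC]", GLUED_NC),
                        ("separated [NC]", SEPARATED_NC),
                        ("exact Easter egg query", EXACT_EGG)]:
        print("%-24s -> %s" % (name, matching_urls(conds)))
```

Running it shows the selected pair as written matching none of the five URLs (each URL satisfies at most one of the two ANDed conditions), the [OR] variant matching all five, the glued-[NC] condition matching 2 and 4 (the page's #24#), the separated-[NC] condition matching everything whose path contains "php", and the anchored =PHPE... query rule matching 3 and 5 (the page's #35#).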

 

Last modified on Sunday, 22 February 2015 22:39