Abusing PHP's Easter Eggs: Revealing PHP Versions

1:09 PM

PHP Comes with some easter eggs for fun. today, I will try to share the way I use to identify the PHP version of a website as an alternative way. This way is useful for information gathering when the traditional nmap scanning & X-Powered-By headers get filtered.

If you add the value "?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"  to the end of any URL that is a PHP page, you will see a funny picture on *most* servers. Note this trick does not work on big sites like Facebook.

There is a hidden function in PHP, which is NOT documented in php.net online manual. php_egg_logo_guid().
The function is defined as a macro preprocessor in php-src/ext/standard/info.h around line 54,

 


The easter egg on april 1 (april fool's) will replace the PHP logo on any phpinfo() page. If the php directive expose _php is set to "off" in php.ini, then the PHP eggs will not show. it is "on" by default. 3 of the web hosting servers I have tried, all of them, did not change it.


?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 is interesting. Below are 6 different images that will be displayed depending on the PHP version.


If the first brown dog appeared, PHP Version 4.3.0 - 4.3.10
If the black dog appeared, PHP Version is PHP Versions 4.3.11 - 4.4.6; and 5.0.4 - 5.1.2
If colored php logo, PHP Version 5.1.3 - 5.2.13
The guy with breadsticks means, PHP Version 4.0.0 - 4.2.3
If the bunny appeared, PHP Version 5.0.0 - 5.0.3
Or else, if the elephant appeared, PHP Version 5.3.0 - current

And easy as that, we have our PHP version range.
the easter eggs also contain, ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 for PHP credits.
which is almost very similar interface of the phpinfo() page.
Also?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 to identify the zend engine php uses, which is an alternative way of version identification depending on the logo.




Out of Topic, People need to listen to this amazing song. I loved it.

Happy Hacking :)

You Might Also Like

2 comments