JavaScript Scanning and expose_php=On

Friday, December 1. 2006

The good thing about images is that JavaScript can check if they are loaded and what size they are. With this ability it is trivial to detect if PHP is running on an URL if expose_php=On.

Here is the little proof of concept:

<html><head><title>Detect PHP Version by JavaScript</title>
<script>
  function fail()
  {
    alert("URL is not powered by PHP or expose_php=off");
  }
  function detect()
  {
    if (xxx.width == 100 && xxx.height==58) {
      alert("URL is powered by PHP 4");
    } else if (xxx.width == 113 && xxx.height==72) {
      alert("URL is powered by PHP 5");
    } else {
      alert("No PHP or unknown PHP version");
    }
  }
</script></head>
<body>
<img 
src="http://URL/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"
onerror="fail()" name=xxx onload="detect()">
</body>
</html>

Update: I changed the example because it actually did not work. I had rewritten it in the blog to get around displaying problems. Therefore the previous example simply did not work.

Update-2: In one of the comments I was advised to simply use telnet and check the HTTP headers for the PHP version instead of JavaScript. The problem is that the poster misunderstood that all these JavaScript scanning tricks are things a malicious piece of JavaScript forces YOUR browser to do. This means YOUR browser executes the scan for PHP in your internal company network and sends information back to MY website. And after that I will know how YOUR internal company network is structured and if YOUR internal servers are running PHP or not.

Posted by Stefan Esser in Security, PHP at 10:00

Comments (5)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Jakub Vrána wrote (Link) ()

Better coding style would be:

detect(xxx)
img onload="detect(this)"

(no name needed).

I respect it's just a proof of concept.

posted on Friday, December 1. 2006

#2 Pento wrote (Link) ()

It's better to use telnet client for this purpose.
So you can see also version of PHP, not only 5 or 4.
Example
$ telnet php.net 80
Trying 66.163.161.117...
Connected to php.net.
Escape character is '^]'.
GET /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/ 1.1/
Host: php.net

HTTP/1.0 200 OK
Date: Sat, 02 Dec 2006 06:59:25 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0-dev
X-Powered-By: PHP/5.2.0-dev
Content-Type: image/gif
X-Cache: MISS from academ.org
Connection: close

posted on Saturday, December 2. 2006

#2.1 Stefan Esser wrote (Link) ()

Sorry but you misunderstand the whole idea of JavaScript portscanning.

The idea is that you are visiting a page that contains JavaScript, which requests lots of stuff within your private IP area. The idea is to let your browser scan your internal company network.

With the trick mentioned in this post it is possible to detect servers in your internal company network that run PHP from any page on the internet that you visit (with JavaScript activated).

If I can simply telnet in your internal company network from the outside you have of course bigger problems.

posted on Saturday, December 2. 2006

#2.1.1 Pento wrote (Link) ()

Thanks, Stefan! Now I understood.

But what we can do, if, for example, will know if some host in local network has installed PHP and it's version?

posted on Monday, December 4. 2006

#2.1.1.1 Stefan Esser wrote (Link) ()

Hi Pento,

determining the PHP major version was just a demo. Well actually this information could be quite useful if you have URLs that exploit some PHP script differently for PHP 4 and 5.

The blog posting was mostly meant as basis for http://blog.php-security.org/archives/56-Bruteforcing-HTTP-Auth-in-Firefox-with-JavaScript.html when you combine both techniques you could f.e. request...

http://user:pass@192.168.1.1/?=LOGO_UID

And when you actually get the picture you know 2 things: The PHP major version that runs on the server and that you bruteforced the password.

posted on Monday, December 4. 2006

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:
Standard emoticons like :-) and ;-) are converted to images.

Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.

Calendar