How can I find the version of php that is running on a distinct server with distinct domain name? (like www.abc.com) It is not my server, no ftp access for making a php file with this code:
<?php
echo PHP_VERSION;
?>
Asked
Active
Viewed 1.5e+01k times
30
-
Why you want to do that? – rik Jan 12 '11 at 18:10
11 Answers
70
This works for me:
curl -I http://websitename.com
Which shows results like this or similar including the PHP version:
HTTP/1.1 200 OK
Date: Thu, 13 Feb 2014 03:40:38 GMT
Server: Apache
X-Powered-By: PHP/5.4.19
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: 7b79f6f1623da03a40d003a755f75b3f=87280696a01afebb062b319cacd3a6a9; path=/
Content-Type: text/html; charset=utf-8
Note that if you receive this message:
HTTP/1.1 301 Moved Permanently
You may need to curl the www version of the website instead i.e.:
curl -I http://www.websitename.com
Neil Robertson
- 3,295
- 3
- 28
- 49
-
2Hi @Vivek, I type this command into the command prompt on my Linux laptop. cURL can be enabled on your Windows machine too - see http://stackoverflow.com/q/2710748/1983389 for details – Neil Robertson Aug 09 '15 at 01:11
-
1I just upgraded to php7 and I wanted to see the X-Powered-By in the browser and I get nothing, that entry is missing, do you have any ideas why? @NeilRobertson – santiago arizti Aug 04 '16 at 21:27
-
4Hi @santiagoarizti, servers are often configured to hide this information for security purposes. – Neil Robertson Aug 07 '16 at 00:55
-
Neil is right, what would you do in this case? I use to hide those infos in apache/php and in the cms. I tried on one of the Wordpress sites I administer on one of the LAMP servers I administer, and the only useful thing I could read by both `curl -I` and redbot.org suggested by @neofutur was that: "Server: Apache". No apache, nor PHP's, nor even CMS's versions come out with proper hardening in place. – Marco Oct 12 '17 at 06:06
31
I use redbot, a great tool to see the PHP version, but also many other useful infos like headers, encoding, keepalive and many more.
Try it on
I love it!
I also up vote Neil's answer: curl -I http://websitename.com
17
Sometimes, PHP will emit a X-Powered-By: response header which you can look at e.g. using Firebug.
If this setting (controlled by the ini setting expose_php) is turned off (it often is), there is no way to tell the PHP version used - and rightly so. What PHP version is running is none of the outside world's business, and it's good to obscure this from a security perspective.
Pekka
- 442,112
- 142
- 972
- 1,088
8
There is a surprisingly effective way that consists of using the easter eggs.
They differ from version to version.
Community
- 1
- 1
Jules G.M.
- 3,624
- 1
- 21
- 35
5
By chance: Default error pages often contain detailed information, e.g.
Apache/{Version} ({OS}) {Modules} PHP/{Version} {Modules} Server at {Domain}
Not so easy: Find out which versions of PHP applications run on the server and which version of PHP they require.
Another approach, only mentioned for the sake of completeness; please forget after reading: You could (but you won't!) detect the PHP version by trying known exploits.
rik
- 8,592
- 1
- 26
- 21
-
1You could request a non-existing page to provoke 404. But you could have more luck with not so common errors ... try unsupported HTTP methods. – rik Jan 12 '11 at 18:50
2
I suggest you much easier and platform independent solution to the problem - wappalyzer for Google Chrome:
nyagolova
- 1,731
- 2
- 26
- 42
0
Possibly use something like firefox's tamperdata and look at the header returned (if they have publishing enabled).
Brad Christie
- 100,477
- 16
- 156
- 200
-
a php forum asks this question for checking the ability of his users and he want us to find out his php version and when u get it he gives you some points... / so 100% there is a way for finding it out... / i test many versions and i figured out it's ver is 5.3.1 / but i am looking for the correct way for getting that...firebug and page soure not helped -> i searched 5.3.1 without any resault – LostLord Jan 12 '11 at 18:15
-
try using "site:website.com php version" in a google query and seing if any page on the site has it displayed. otherwise, people can (and do) go to the trouble of hiding their engine (and more specifically version) due to how easy it can be when version "x.x.x" has a new security threat, you could search for every website running that version and exploit it. – Brad Christie Jan 12 '11 at 18:23
-
i do your way (mean googled it) and i figure out the NMAP is the answer(from that forum)... an open source Program... – LostLord Jan 12 '11 at 18:46
0
There is a possibility to find the PHP version of other domain by checking "X-Powered-By" response header in the browser through developer tools as other already mentioned it. If it is not exposed through the php.ini configuration there is no way you can get it unless you have access to the server.
Kalyan Chakravarthi V
- 137
- 2
- 11
0
As this questions was asked with PHP implied as the tool to use to extract the PHP version information for any website, I felt that the code provides a working solution to the question.
The class below is used to extract the headers given a set of cURL parameters ($opts).
class get_site_php_info {
public $headers;
public function __construct() {
$this->headers = array();
}
public function fetch_headers($opts){
$opts[CURLOPT_HEADERFUNCTION] = array($this, '_setHeader');
$ch = curl_init();
curl_setopt_array($ch, $opts);
return curl_exec($ch);
}
private function _setHeader($ch, $header) {
$this->headers[] = $header;
return strlen($header);
}
}
This class is called when a URL is submitted in the form specified in the code below.
echo "<h1>Get Site Header Information</h1>";
echo "<h3>Domain input form</h3>";
echo "<form action='" . $_SERVER['PHP_SELF'] . "' method='post' enctype=''>" .
"<table>" .
"<tr><td>Enter URL: </td>" .
"<td><input type='text' name='url' value='' size='40' maxlength='128' placeholder='your domain here' /></td>" .
"</tr>" .
"<tr><td colspan='2'><input type='hidden' name='action' value='submitted' />" .
"<input type='submit' name='submit' value='Submit' /> " .
"<input type='reset' value='Reset' /></td></tr>" .
"</table>" .
"</form>";
if (isset($_POST['action']) && $_POST['action'] == "submitted") {
echo "<h4>Output</h4>";
if ($_POST['url']) {
$url = substr($_POST['url'], 0, 4) == 'http'? $_POST['url']: 'http://' . $_POST['url'];
echo "<h3>General [" . $url . "]</h3>";
$opts = array(
CURLOPT_URL => $url, // set the URL
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CONNECTTIMEOUT => 120,
CURLOPT_TIMEOUT => 120,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_MAXREDIRS => 3,
);
$info = new get_site_php_info;
$data = $info->fetch_headers($opts);
echo "<h3>Headers</h3><pre>" . var_export($info->headers, true) . "</pre>";
} else {
echo "<p>The field is not set!!</p>";
}
echo "<p><a href='" . $_SERVER['PHP_SELF'] . "'>Try again</a></p>";
}
I am sure that the code and cURL options can be improved but this provides a working PHP code for extracting the headers that allow the PHP version and other information to be extracted. Helow is a sample output:
I hope that this code is useful to someone and saves a bit of time.
Clinton
- 1,111
- 1
- 14
- 21
-2
You can’t. One reason is that not every web site uses PHP. And another reason is: Even if there are some signs that PHP might be used (e.g. .php file name extension, some “PHPSESSID” parameter, X-Powered-By header field containing “PHP”, etc.) those information might be spoofed to let you think PHP is used.
Gumbo
- 643,351
- 109
- 780
- 844
-
You're right that you can't be sure, but generally speaking X-Powered-By is correct. – Paul Feakins Jul 05 '21 at 15:09
-7
THE ANSWER IS : NMAP PROGRAM
THANKS FOR YOUR ATTENTIONS ...
another way is getting HTTP Headers by this site (http://web-sniffer.net/) or firefox add-on for getting HTTP Headers...
Best Regards
LostLord
- 2,279
- 10
- 32
- 32