I have no motivation to write things over the past year. It's good for everyone to read things.
Basically, CGI scanners (this includes the vast majority of SQL Injection detection tools, background/upload/database scanners)
All of them are determined by judging the HTTP Response Message code, that is, 200,404,400, and I believe I don't need to talk about HTTP here.
When the default browser encounters 40x or 50x, it will give you a default error page, but after "show friendly HTTP Error message" (IE) is canceled, the information in these error messages will be displayed (so there is no difference with the normal page ).
In this way, you can use the PHP header function to perform a trick:
<? Php
Ob_start ();
Header ("HTTP/1.1 404 Not Found ");
?>
<! Doctype html public "-// W3C // dtd html 4.0 Transitional // EN">
<HTML>
<HEAD>
<TITLE> Sample </TITLE>
</HEAD>
<BODY>
This is just a sample, created by fragment er!
</BODY>
</HTML>
<? Php ob_end_flush ();?>
I don't know if anyone has mentioned this before. I think it can be used to hide some background pages or backdoors.
(Remember to cancel "show friendly HTTP Error message", in IE)