Add support for PHP serialized object detection and update patch vers…

…ion 1.1.1.
JGillam · Nov 2, 2017 · 6cda2d5 · 6cda2d5
1 parent 555a6af
commit 6cda2d5
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/src/com/professionallyevil/bc/ParamAnalyzer.java b/src/com/professionallyevil/bc/ParamAnalyzer.java
@@ -41,6 +41,8 @@ public class ParamAnalyzer {
     private static Pattern creditcardPattern = Pattern.compile("^[0-9]{14,16}$");
     private static Pattern htmlFragment = Pattern.compile("</[a-z]+>");
     private static Pattern jsonObjectPattern = Pattern.compile("^\\{(\\w*|\"\\w*\") ?: ?(\\w*|\"\\p{Print}*\")( *, *(\\w*|\"\\w*\") ?: ?(\\w*|\"\\p{Print}*\"))*\\}$");
+    private static Pattern phpSerializedPatternQuick = Pattern.compile("^([si]:\\d+.*;)|(N;)|[oa]:\\d+:.*\\{.*}$");
+    private static Pattern phpSerializedPattern = Pattern.compile("^((s:\\d+:\".*\";)|(i:\\d+;)|(N;)|(a:\\d+:\\{((s:\\d+:\".*?\";)|(i:\\d+;)|(N;)|(o:\\d+:\"[a-z0-9_]+\":\\d+:\\{((s:\\d+:\".*?\";)|(i:\\d+;)|(N;))*}))*})|(o:\\d+:\"[a-z0-9_]+\":\\d+:\\{((s:\\d+:\".*?\";)|(i:\\d+;)|(N;))*}))$");
 
     private static Base62 base62 = new Base62();
 
@@ -94,6 +96,9 @@ public static String smartDecode(ParamInstance pi, String input, IBurpExtenderCa
         if (isCreditCard(input))  {
             return input;
         }
+        if(isPHPSerialized(input, true)){
+            return input;
+        }
         if (isURLEncoded(input)) {
             String output = callbacks.getHelpers().urlDecode(input);
             if (!output.equals(input)) {
@@ -142,6 +147,9 @@ public static String identify(ParamInstance pi, String input) {
         if (isCreditCard(input)) {
             log.append("Looks like a credit card (passed Luhn).");
             pi.setFormat(ParamInstance.Format.CREDITCARD);
+        } else if(isPHPSerialized(input, false)) {
+            log.append("Looks like a PHP serialized data structure.");
+            pi.setFormat(ParamInstance.Format.PHP);
         } else if(isDecimalString(input)) {
             log.append("A ");
             log.append(input.length());
@@ -248,6 +256,10 @@ public static boolean isURLPathString(String input) { return urlPathPattern.matc
 
     public static boolean isBigIP(String input) {return bigIPPattern.matcher(input).find();}
 
+    public static boolean isPHPSerialized(String input, boolean quick) {
+        return quick?phpSerializedPatternQuick.matcher(input).find():phpSerializedPattern.matcher(input).find();
+    }
+
     public static boolean isCreditCard(String input) {
         return creditcardPattern.matcher(input).find() && applyLuhnAlgorithm(input);
     }

diff --git a/src/com/professionallyevil/bc/ParamInstance.java b/src/com/professionallyevil/bc/ParamInstance.java
@@ -43,7 +43,8 @@ enum Format {
         CREDITCARD("CC"),
         HTMLFRAG("XML/HTML"),
         EMPTY("Empty"),
-        JSON("JSON Object");
+        JSON("JSON Object"),
+        PHP("PHP Serialized");
 
         private String title;
 

diff --git a/src/com/professionallyevil/bc/Paramalyzer.java b/src/com/professionallyevil/bc/Paramalyzer.java
@@ -71,7 +71,7 @@ public class Paramalyzer implements IBurpExtender, ITab, WorkerStatusListener, C
     private IHttpRequestResponse displayedRequest = null;
     private int deepTabCount = 0;
 
-    private static final String VERSION = "1.1.0";
+    private static final String VERSION = "1.1.1";
     private static final String EXTENSION_NAME = "Paramalyzer";
 
     public Paramalyzer() {