From 6cda2d5448f7387ef8b140dafe7d0ac4a131cb3d Mon Sep 17 00:00:00 2001
From: JGillam
Date: Thu, 2 Nov 2017 01:10:19 -0500
Subject: [PATCH] Add support for PHP serialized object detection and update patch version 1.1.1.
---
 src/com/professionallyevil/bc/ParamAnalyzer.java | 12 ++++++++++++
 src/com/professionallyevil/bc/ParamInstance.java | 3 ++-
 src/com/professionallyevil/bc/Paramalyzer.java | 2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/com/professionallyevil/bc/ParamAnalyzer.java b/src/com/professionallyevil/bc/ParamAnalyzer.java
index 84e2299..8839eb7 100644
--- a/src/com/professionallyevil/bc/ParamAnalyzer.java
+++ b/src/com/professionallyevil/bc/ParamAnalyzer.java
@@ -41,6 +41,8 @@ public class ParamAnalyzer {
 private static Pattern creditcardPattern = Pattern.compile("^[0-9]{14,16}$");
 private static Pattern htmlFragment = Pattern.compile("");
 private static Pattern jsonObjectPattern = Pattern.compile("^\\{(\\w*|\"\\w*\") ?: ?(\\w*|\"\\p{Print}*\")( *, *(\\w*|\"\\w*\") ?: ?(\\w*|\"\\p{Print}*\"))*\\}$");
+ private static Pattern phpSerializedPatternQuick = Pattern.compile("^([si]:\\d+.*;)|(N;)|[oa]:\\d+:.*\\{.*}$");
+ private static Pattern phpSerializedPattern = Pattern.compile("^((s:\\d+:\".*\";)|(i:\\d+;)|(N;)|(a:\\d+:\\{((s:\\d+:\".*?\";)|(i:\\d+;)|(N;)|(o:\\d+:\"[a-z0-9_]+\":\\d+:\\{((s:\\d+:\".*?\";)|(i:\\d+;)|(N;))*}))*})|(o:\\d+:\"[a-z0-9_]+\":\\d+:\\{((s:\\d+:\".*?\";)|(i:\\d+;)|(N;))*}))$");
 private static Base62 base62 = new Base62();
@@ -94,6 +96,9 @@ public static String smartDecode(ParamInstance pi, String input, IBurpExtenderCa
 if (isCreditCard(input)) {
 return input;
 }
+ if(isPHPSerialized(input, true)){
+ return input;
+ }
 if (isURLEncoded(input)) {
 String output = callbacks.getHelpers().urlDecode(input);
 if (!output.equals(input)) {
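Review bot: In the added phpSerializedPatternQuick the `^` and `$` anchors bind only to the first and last alternatives, so with `find()` the middle alternative `(N;)` matches any value that merely contains the substring `N;` and the third matches anywhere that ends in `}`; grouping the whole alternation, `Pattern.compile("^(([si]:\\d+.*;)|(N;)|([oa]:\\d+:.*\\{.*}))$")`, anchors all three. Both added patterns also accept only a lowercase `o` and `[a-z0-9_]` class names, while PHP's serialize() emits `O:` for objects and class names are usually mixed-case (and may contain `\\` for namespaces), so the object case named in the commit subject is unlikely to match real payloads; `[oO]` and `[A-Za-z0-9_\\\\]` in both patterns would cover it. `i:\\d+;` likewise rejects negative integers such as `i:-1;`, and neither pattern knows the `b:` and `d:` scalar types, which deserves a comment on the fields if that narrowing is intentional. These patterns are all that the new isPHPSerialized in the later hunk consults, so that hunk inherits the same gaps.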
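Review bot: The new early return in smartDecode is driven by the quick pattern, which as written can match any value containing `N;`, so such a value is handed back verbatim and never reaches the URL-decoding branch that follows it; if the goal is only to stop decoding once real serialized data is in hand, using the strict form here, `if (isPHPSerialized(input, false)) {`, or running the check after urlDecode, avoids that. A genuine serialized payload arriving in a request parameter is normally percent-encoded (quotes, braces and semicolons), so a check placed before URL decoding is likely to miss it on the first pass; whether the decoded output is fed back through smartDecode cannot be seen from this hunk. smartDecode's body starts before and continues after the hunk.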
@@ -142,6 +147,9 @@ public static String identify(ParamInstance pi, String input) {
 if (isCreditCard(input)) {
 log.append("Looks like a credit card (passed Luhn).");
 pi.setFormat(ParamInstance.Format.CREDITCARD);
+ } else if(isPHPSerialized(input, false)) {
+ log.append("Looks like a PHP serialized data structure.");
+ pi.setFormat(ParamInstance.Format.PHP);
 } else if(isDecimalString(input)) {
 log.append("A ");
 log.append(input.length());
@@ -248,6 +256,10 @@ public static boolean isURLPathString(String input) { return urlPathPattern.matc
 public static boolean isBigIP(String input) {return bigIPPattern.matcher(input).find();}
+ public static boolean isPHPSerialized(String input, boolean quick) {
+ return quick?phpSerializedPatternQuick.matcher(input).find():phpSerializedPattern.matcher(input).find();
+ }
+
 public static boolean isCreditCard(String input) {
 return creditcardPattern.matcher(input).find() && applyLuhnAlgorithm(input);
 }
diff --git a/src/com/professionallyevil/bc/ParamInstance.java b/src/com/professionallyevil/bc/ParamInstance.java
index 0f4850c..12ee26d 100644
--- a/src/com/professionallyevil/bc/ParamInstance.java
+++ b/src/com/professionallyevil/bc/ParamInstance.java
@@ -43,7 +43,8 @@ enum Format {
 CREDITCARD("CC"),
 HTMLFRAG("XML/HTML"),
 EMPTY("Empty"),
- JSON("JSON Object");
+ JSON("JSON Object"),
+ PHP("PHP Serialized");
 private String title;
diff --git a/src/com/professionallyevil/bc/Paramalyzer.java b/src/com/professionallyevil/bc/Paramalyzer.java
index 7f09fb6..c147666 100644
--- a/src/com/professionallyevil/bc/Paramalyzer.java
+++ b/src/com/professionallyevil/bc/Paramalyzer.java
@@ -71,7 +71,7 @@ public class Paramalyzer implements IBurpExtender, ITab, WorkerStatusListener, C
 private IHttpRequestResponse displayedRequest = null;
 private int deepTabCount = 0;
- private static final String VERSION = "1.1.0";
+ private static final String VERSION = "1.1.1";
 private static final String EXTENSION_NAME = "Paramalyzer";
 public Paramalyzer() {
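Review bot: The ternary in isPHPSerialized repeats `.matcher(input).find()` on both sides; selecting the pattern first reads more plainly, `Pattern p = quick ? phpSerializedPatternQuick : phpSerializedPattern; return p.matcher(input).find();`. Since both patterns are written to span the whole value, `p.matcher(input).matches()` would state that intent directly and would not depend on where the `^`/`$` anchors happen to sit inside the alternations. The method also has no Javadoc; a short one saying that `quick` selects the looser screen used by smartDecode while `false` selects the strict form used by identify, with `@param quick` and `@return` lines, would tell callers which to choose.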