Skip to content

Commit

Permalink
refactor: simplify logic
Browse files Browse the repository at this point in the history
  • Loading branch information
@glaubersilva
glaubersilva committed Jan 7, 2025
1 parent 999058d commit 51ae9a5
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 66 deletions.
43 changes: 1 addition & 42 deletions src/Helpers/Utils.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -139,47 +139,6 @@ public static function recursiveUrlDecode($data)
return $decoded === $data ? $data : self::recursiveUrlDecode($decoded);
}

/**
* @unreleased
*/
public static function recursiveBase64Decode($data)
{
$decodedData = base64_decode($data);
if ($decodedData !== false && base64_encode($decodedData) === $data) {
// If the decoded string is a valid Base64 string, decode again
return self::recursiveBase64Decode($decodedData);
}

return $data;
}

/**
* @unreleased
*/
public static function recursiveHexDecode($data)
{
$decodedData = hex2bin($data);
if ($decodedData !== false && bin2hex($decodedData) === $data) {
// If the decoded string is a valid Hex string, decode again
return self::recursiveHexDecode($decodedData);
}

return $data;
}

/**
* @unreleased
*/
public static function decodeString(string $data): string
{
$data = self::recursiveBase64Decode($data);
$data = self::recursiveHexDecode($data);
$data = self::recursiveUrlDecode($data);

return $data;
}


/**
* The regular expression attempts to capture the basic structure of all data types that can be serialized by PHP.
*
Expand All @@ -193,7 +152,7 @@ public static function containsSerializedDataRegex($data): bool
return false;
}

$data = self::decodeString($data);
$data = self::recursiveUrlDecode($data);

/**
* This regular expression removes any special character that is not:
Expand Down
26 changes: 2 additions & 24 deletions tests/Unit/Helpers/UtilsTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ public function serializedDataProvider(): array
'O :8:"stdClass":1:{s :4:"name";s :5:"James";}',
true,
],
// BYPASS WITH SIMPLE METHODS
// Bypass with simple methods
[
// backslash
'\\' . serialize('backslash-bypass'),
Expand All @@ -124,7 +124,7 @@ public function serializedDataProvider(): array
'\\\\' . serialize('double-backslash-bypass'),
true,
],
// BYPASS WITH ENCODING STRING METHOD #1 - URL-encoded
// Bypass with encoding string method - URL-encoded
[
// Single encode for O:8:"stdClass":1:{s:4:"name";s:5:"James";}
'O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22James%22%3B%7D',
Expand All @@ -135,28 +135,6 @@ public function serializedDataProvider(): array
'O%253A8%253A%2522stdClass%2522%253A1%253A%257Bs%253A4%253A%2522name%2522%253Bs%253A5%253A%2522James%2522%253B%257D',
true,
],
// BYPASS WITH ENCODING STRING METHOD #2 - Base64
[
// Single encode for O:8:"stdClass":1:{s:4:"name";s:5:"James";}
'Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJuYW1lIjtzOjU6IkphbWVzIjt9',
true,
],
[
// Double encode for O:8:"stdClass":1:{s:4:"name";s:5:"James";}
'VHp6MDpPOmp6I3N0ZENsYXNzIjoxOntzOjQ6Im5hbWUiO3M6NToiSmFtZXMiO31z',
true,
],
// BYPASS WITH ENCODING STRING METHOD #3 - Hex-encoded
[
// Single encode for O:8:"stdClass":1:{s:4:"name";s:5:"James";}
'4f3a383a22737464436c617373223a313a7b733a343a226e616d65223b733a353a224a616d6573223b7d',
true,
],
[
// Double encode for O:8:"stdClass":1:{s:4:"name";s:5:"James";}
'346633613833613a323237333634343336643661373332223a313a376233343a313a3763363a373233333634353a343a66337a343a323233643634663a373236333a666537333a393a6666372e7a3a313b',
true,
],
// Real-world samples using multiple obfuscation techniques together
[
// Double URL-encoded for O😼:5:"TCPDF":2:{s😼:12:" * imagekeys";a😼:1:{i😼:0;s😼:34:"/tmp/../var/www/html/wp-config.php";}s😼:10:" * file_id";s😼:32:"202cb962ac59075b964b07152d234b70";}
Expand Down

0 comments on commit 51ae9a5

Please sign in to comment.