Jump to content

Recommended Posts

Im trying to do a preg match for some php code which consists of the following rule:

 

starts with full php tag: <?php

 

then has any random php code: s*?

 

then contains a base64 string within brackets and single quotes: ('base64 string')

 

then ends with php tag: ?>

 

then finally has a string after ?>: base64 string

 

I tried myself: (but doesnt work)

 

preg_match("~<\?php\s*?~('[^']*?)~?/>[^']*?~", $file);

 

 

Heres some examples of the php code:

 

<?php echo "this is"; function($eval) { return $eval; { 354364('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0VudGVyeW91d2toUkhZS05XT1VUQWFCYkNjRGRGZkdnSWlKakxsTW1QcFFxU3NWdlh4WnowMTIzNDU2Nzg5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
kr9NHenNHenNHe1lFMamb3klFoxiC2APk19gOLlHOa9gkZXJkZwVkr9NTznNHr8XHt4JkZwShokiF2A2Yy9LcBYvcoAPF3OZfuwPcmklCBWPkr8XHenNHr8XHtXLT08XHr8XHeEXhUXmOB50cbk5d3a3D2iUUylRTlfNaaZdtFSeWPIwtEIwtEIwuklcJEIwtEIwe0IkZOZcBclFJFSeWPIwtEIwtEIwuazcbkVCB1lwe0IkZOzFo9VF29ZkZwpwo9ZwoaZFM9ZhtnsGbYxdy9lFmkvFJIpwtL7eWPYtI0hwtEIRZ8IdblzFBxgFbalFmLPwtkkTlYyAlWIUA5ATZnzfoy0DbY0DBSIhtn0DB1lRtnpFy9icoWSwuaZdtXIFMaMRtn1F2aZdMyscUEpeWPIwtEvRZnBCBx1cbHIhtFLfolscUFSkZOicoOZkZXmkuaZdtFSkZOZcBclFJFSkZOzFo9VF29ZkZEpwJLId3wIcbkZd3wPwo15F3ySb2aZFM9ZhtLIhTSYtI0hwtEIwuklfuaZdJn0FmalKX0htU8vcbipfeSYtJEIwu0YtJEIwu0ktWLYtm0YtI==

 

Example 2:

 

<?php print_r('donkey'); $mylo = "says hello"; ('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwDM3MiksJ0VudGVyeW91d2toUkhZS05XT1VUQWFCYkNjRGRGZkdnSWlKakxsTW1QcFFxU3NWdlh4WnowMTIzNDU2Nzg5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs='));?>
GbYxdy9lFmkvFJIpwtL7eWPYtI0hwtEIRZ8IdblzFBxgFbalFmLPwtkkTlYyAlWIUA5ATZnzfoy0DbY0DBSIhtn0DB1lRtnpFy9icoWSwuaZdtXIFMaMRtn1F2aZdMyscUEpeWPIwtEvRZnBCBx1cbHIhtFLfolscUFSkZOicoOZkZXmkuaZdtFSkZOZcBclFJFSkZOzFo9VF29ZkZEpwJLId3wIcbkZd3wPwo15F3ySb2aZFM9ZhtLIhTSYtI0hwtEIwuklfuaZdJn0FmalKX0htU8vcbipfeSYtJEIwu0YtJEIwu0ktWLYtm0YtI==

 

 

Another example:

 

<?php
$OOO=monkey;$O0000=moster;0000 =5552;eval((base64_decode('JE8wMDBPME8wMD1mb3Blbig kT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ 2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDA sNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0c ihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0FsRlBnMk9JdFY2Ukh CK1o3MzhvdWhzaldhejVrUUROWTQ5L1MxZE1uclV2SnlmaWVFY kwwd0ttcUN4VEdwWGM9JywnQUJDREVGR0hJSktMTU5PUFFSU1R VVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0N TY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs='));?>
VgpZHPlZHPlZHPw1kdhMjmV1kOE4WKunVwpN3S1H3hpNVbe9Vb tP0Ykmh9km3b6F315dBNQOhqQFeYVOSJtPgK6oJBF93e5O2r51 p0aj40tFqptF395Op/zblDtIl4WKJnV0YUVbeY5s7w6F3rQ9Sr+e06VO1KtP0Ykmh9km 3b6F395Op/zbAftF3rQ9eYHFeYBogb68lDtF3eWjBLQKpbaPJBF93rtFJptP gK+e06N706kdh0QjVftIlbasQNkdhe5O2/a8YMRwEkDPgLj2EqHPAUVFGMRFAMVbeYVIlJWs1fjm31DI7r+e 06N706

 

As you can see the pattern is that it always contains php tags, and 2 strings, 1 string after the end php tag, and 1 string within single quotes & brackets within the php tags.

Link to comment
https://forums.phpfreaks.com/topic/177258-solved-match-php-code/
Share on other sites

I'm not even going to bother trying untill you explain why you need all these regex queries to parse PHP code.

 

Your pattern doesn't work for many reasons. Firstly \s matches whitespace characters only. Secondly you have used the delimeter multiple times inside your regex string.

Unless you can define the properties required to match 'base64 string' I don't see it's going to be possible. Alas regex doesn't support a "match only a valid base64 string" and I don't know a great deal about base64 strings myself. Are they always the same length?

 

A simple pattern along the lines of what you attempted would be (for the first 4 steps anyway, I didn't understand step 5)...

 

"~<\?php.*?\('[^']*?\).*?\?>~s"

 

But you will likely get thousands of false positives because it will match any pattern that...

 

begins with <?php

then has anything followed by

(' followed by

anything followed by

')

followed by ?>

 

NB: Thats likely not percect as I don't see the point in perfecting/testing it unless you can define a Base64 string in terms of a pattern that can be matched.

Cags, your pattern does not seem to work:

 

I tried it with this file:

 

<?php $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=76;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ1Q4OUV6ZUxpL0RrWHdTN0NmSGorSW9tUEF0M3k2VkJXcHFoc2JncjRsTUY1eDJKdU9SVVlLR25aME5hUWR2YzE9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
DzvCwE8CwE8CwEGg6ro4PZDg6LRqAnIlDGvWHbgwHovWDUOhDU/JDzvC+Y8CwzdOw90hDU/xkLDq6nInSevbtmSutLIl6ZHUVi/lt4DgAmflDzdOwE8CwzdOw9Ob+KdOwzdOwETOkjO4oEpNHPMg+LbuHL2AVGwZfnt/3h2DynGffPfYB+tmfgVO6mqYArVUSLRSHso0wbMG+GDomI2iyglO+reHtitsw+K4X9V8fbSzHItijzgkjKRS+bvfIoD+oeomoGqtmrehAnHgtrVl3mM5yLGJyZ8R64SKVPtZBigawEzUwYfGSs607jxuDUbMkjbQtrSxyZSgk9HCwETO+Y8CwETM7nonAmOlDzvCwE8CwE8Cw9bQEfMltmebtP/l/rRuAneK3mvJ7h8lViHO7hduVZVZXrtu6rvZAPDgBhNg6U/M7OKktPqMVExS9p==

Substituting in the pattern provided by Daniel0 for a valid Base64 string...

 

"~<\?php.*?\('[a-zA-Z0-9+=/]+?'\).*?\?>~s"

 

... but the problem still remains, it will match any set of single brackets, it has no way of detecting if it's specifically a Base64 string that your after.

Cags that works on some, but not most.

 

For example:

 

<?php
$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000 =5552;eval((base64_decode('JE8wMDBPME8wMD1mb3Blbig kT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ 2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDA sNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0c ihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0FsRlBnMk9JdFY2Ukh CK1o3MzhvdWhzaldhejVrUUROWTQ5L1MxZE1uclV2SnlmaWVFY kwwd0ttcUN4VEdwWGM9JywnQUJDREVGR0hJSktMTU5PUFFSU1R VVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0N TY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return ;?>
VgpZHPlZHPlZHPw1kdhMjmV1kOE4WKunVwpN3S1H3hpNVbe9Vb tfVgpZoLlZHgGeHFq9VbtJ6OV4kKuKB2pSasBiaOunkm3bQItn aMV1Ws7nVgGeHPlZHgGeHFeSo0GeHgGeHPAe68eM7sEOuOkbo0 10h/a88gtvs/kL+OpwzIBUhK2xBsy33gCaBPSiuL2SosCbhja6Dsarauh9oPlm 8KwE7m4u3mlWWL0MRFQl7SBg3uaI8g1680EBoSp7uhVoh2hshw 4asd29WK31adQnzsrv5Owf5mlEkMB0QjamDI1xHPgbHL7wB/kq+8JiVbSr68STadBJ5mB16F3ZHPAeoLlZHm3b6F315dBNQOhqQFeYHFeYVO1KjKE159 SJtPAJtPuEH9STP7rmzO1Ja8AnVOSYZFAS59SYDe06VOVJ5KBv tP0Ykmh9km3b6F315dBNQOhqQFeYVOSJtPgK6oJBF93e5O2r51 p0aj40tFqptF395Op/zblDtIl4WKJnV0YUVbeY5s7w6F3rQ9Sr+e06VO1KtP0Ykmh9km 3b6F395Op/zbAftF3rQ9eYHFeYBogb68lDtF3eWjBLQKpbaPJBF93rtFJptP gK+e06N706kdh0QjVftIlbasQNkdhe5O2/a8YMRwEkDPgLj2EqHPAUVFGMRFAMVbeYVIlJWs1fjm31DI7r+e 06N706

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.