0

A PHP based website returns me a base64 encoded string which is base64 encoding of serialized data. When I manually base64 encode the decoded string, I get a different result.

So, I looked into it further and realised that the serialized data contains null bytes.

Base64 encoded string:

TzoxMDoiRXhwcmVzc2lvbiI6Mzp7czoxNDoiAEV4cHJlc3Npb24Ab3AiO3M6MzoiZGl2IjtzOjE4OiIARXhwcmVzc2lvbgBwYXJhbXMiO2E6Mjp7aTowO2Q6ODtpOjE7ZDoyO31zOjk6InN0cmluZ2lmeSI7czo1OiI4IC8gMiI7fQ==

Below is the hexdump of the base64 decoded string:

$ echo "TzoxMDoiRXhwcmVzc2lvbiI6Mzp7czoxNDoiAEV4cHJlc3Npb24Ab3AiO3M6MzoiZGl2IjtzOjE4OiIARXhwcmVzc2lvbgBwYXJhbXMiO2E6Mjp7aTowO2Q6ODtpOjE7ZDoyO31zOjk6InN0cmluZ2lmeSI7czo1OiI4IC8gMiI7fQ==" | base64 -D | hexdump -C
00000000  4f 3a 31 30 3a 22 45 78  70 72 65 73 73 69 6f 6e  |O:10:"Expression|
00000010  22 3a 33 3a 7b 73 3a 31  34 3a 22 00 45 78 70 72  |":3:{s:14:".Expr|
00000020  65 73 73 69 6f 6e 00 6f  70 22 3b 73 3a 33 3a 22  |ession.op";s:3:"|
00000030  64 69 76 22 3b 73 3a 31  38 3a 22 00 45 78 70 72  |div";s:18:".Expr|
00000040  65 73 73 69 6f 6e 00 70  61 72 61 6d 73 22 3b 61  |ession.params";a|
00000050  3a 32 3a 7b 69 3a 30 3b  64 3a 38 3b 69 3a 31 3b  |:2:{i:0;d:8;i:1;|
00000060  64 3a 32 3b 7d 73 3a 39  3a 22 73 74 72 69 6e 67  |d:2;}s:9:"string|
00000070  69 66 79 22 3b 73 3a 35  3a 22 38 20 2f 20 32 22  |ify";s:5:"8 / 2"|
00000080  3b 7d                                             |;}|

As you can see, it contains null bytes.

So, how can I base64 encode a string like this if it contains null bytes?

I would like to make some modifications to the serialized data and then base64 encode it again.

How can I include null bytes in a string before encoding it?

Because strings are terminated at null bytes in PHP and Python per my understanding.

If I represent the string as shown below in PHP and base64 encode it, I get incorrect results.

$t = "O:10:"Expression":3:{s:14:"\0Expression\0op";s:3:"div";s:18:"\0Expression\0params";a:2:{i:0;d:8;i:1;d:2;}s:9:"stringify";s:5:"8 / 2";}"

I am using \0 to represent null bytes but looks like that is not the correct representation of null bytes.

A solution in PHP or Python would be great.

Thanks.

Neon Flash
  • 3,113
  • 12
  • 58
  • 96
  • What actual problem are you trying to solve here? serialized PHP contains null bytes, and stripping them out is just going to mean the serialized string is no longer the same (or even valid). If you've resorted to a hex editor, you've probably gone a step further than you need to. – iainn Nov 23 '18 at 15:44
  • _“If I represent the string as shown below in PHP and base64 encode it, I get incorrect results.”_ - but why would you do that in the first place? If you want to modify something about the serialized object you got there, then unserialize it first, use the proper methods to change whatever has to change about this object - and then serialize and base64 encode it back …? (PHP itself introduces those NUL bytes, https://stackoverflow.com/q/45756514/10283047. but that is probably not something you should try and emulate yourself.) – misorude Nov 23 '18 at 15:44
  • _“I am using \0 to represent null bytes but looks like that is not the correct representation of null bytes.”_ - only in a double-quote string, not in a single-quoted one. FYI, `chr(0)` also exist. But again, that is probably not what you should be doing here in the first place … – misorude Nov 23 '18 at 15:48
  • Python does _not_ use null-terminated strings; it has no problem working with strings containing null bytes. – PM 2Ring Nov 23 '18 at 17:19

0 Answers0