
Why it's encoding??

Open Boopath1 opened this issue 3 years ago • 6 comments

[screenshot]

Normally the payload `' OR 1=1--` works for me. I checked whether the tool finds the same thing or not, so I tested that domain again, but the payload doesn't work because of the encoding of the payloads. I added this payload in "src.py".

[screenshot]

And one more thing: why was the payload tested on the username only? Testing both params, username and password, means it will be okay!!

Boopath1 avatar Aug 09 '22 05:08 Boopath1

In logsensor itself there is absolutely no encoding of payloads. This happens when you send HTTP/S requests, even through the Burp proxy: the data entered by the user is URL-encoded if it contains invalid characters, symbols or spaces, so as not to make the request invalid, but when the web server receives your request it understands it with its original value.

  • Why was the payload tested on the username only, not the password?
  • For example, if a potential hacker were to try something like `String'); DROP TABLE USERS; --` in the password input, that would still be entered as a hash into the database, so I think it would be useless.

Mr-Robert0 avatar Aug 09 '22 11:08 Mr-Robert0

Thanks for the detailed explanation but, what is the solution?

Boopath1 avatar Aug 09 '22 12:08 Boopath1

There is no problem here. Generally, this is normal behavior in any HTTP/S request you send. Special characters and spaces are URL-encoded to make the request valid. As I mentioned, when the server receives your request, it decodes it and understands it as you sent it. If you inject `'or 1=1 --` it will be URL-encoded as `+'or+1%3d1+--`, but when the server receives it, it will be the same as you sent: `'or 1=1 --`,
and the attack will work normally.

Mr-Robert0 avatar Aug 09 '22 12:08 Mr-Robert0
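The two replies above describe what happens to a payload between the client and the server: the client URL-encodes the form fields, the server-side framework decodes them, and the application sees the original text. The following added example (not logsensor's code, and not from anyone in this thread) reproduces that round trip with Python's standard library, and also shows the one way a user can break it: pre-encoding the payload themselves, which gets double-encoded and reaches the application as a literal `%27...` string. The `build_login_query` function is a constructed, deliberately vulnerable concatenation used only to show where the decoded value lands.

```python
from urllib.parse import urlencode, parse_qs, quote_plus

# The payload discussed in the thread.
PAYLOAD = "' OR 1=1--"


def encode_form(fields: dict) -> str:
    """Build the application/x-www-form-urlencoded body that a browser,
    a Python HTTP client, or Burp sends. Spaces become '+', quotes '%27',
    '=' becomes '%3D'. This is the encoding the reporter saw in the proxy."""
    return urlencode(fields)


def decode_form(body: str) -> dict:
    """What the server-side framework does before handing values to the app:
    the percent-escapes and '+' are reversed, restoring the original text."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_login_query(username: str, password: str) -> str:
    """Constructed, deliberately vulnerable string-concatenated query.
    It exists only to show that the decoded value, not the encoded one,
    is what ends up inside the SQL statement."""
    return (
        "SELECT * FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def round_trip(username: str, password: str) -> tuple:
    """Encode like a client, decode like a server, return (wire body, decoded
    fields, resulting query)."""
    body = encode_form({"username": username, "password": password})
    decoded = decode_form(body)
    query = build_login_query(decoded["username"], decoded["password"])
    return body, decoded, query


def double_encoded_round_trip(username: str, password: str) -> tuple:
    """Caveat: if the payload placed in a scanner's payload list is ALREADY
    URL-encoded, the client encodes it a second time ('%27' -> '%2527') and
    the server decodes only one layer, so the application sees the encoded
    text and the injection does nothing."""
    pre_encoded = quote_plus(username)
    body = encode_form({"username": pre_encoded, "password": password})
    decoded = decode_form(body)
    return body, decoded


if __name__ == "__main__":
    body, decoded, query = round_trip(PAYLOAD, "x")
    print("on the wire :", body)
    print("app sees    :", decoded["username"])
    print("query       :", query)
    body2, decoded2 = double_encoded_round_trip(PAYLOAD, "x")
    print("double-encoded wire:", body2)
    print("app sees           :", decoded2["username"])
```

The practical check, if a payload seems to "stop working" inside a tool, is to compare the decoded value the application receives (second line printed above) against the raw payload: they must be identical. If the application instead sees `%27+OR+1%3D1--`, the payload was encoded before the tool encoded it again.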

I didn't get any data as you mentioned in your screenshot. While manually entering the payload, it bypasses the admin login, but in the tool it shows the content length only.

[screenshot]

Boopath1 avatar Aug 10 '22 01:08 Boopath1

The reason for making the tool show content-length is so that the user will notice the difference between requests sent with different payloads. If he notices a difference when injecting a payload and no error message appears but the content-length is different, the user checks the response through the proxy, or manually, for an admin page bypass or whatever. For the tool it's difficult to discover that; it will only show you content-length, because if this feature existed in the tool there would be a lot of false positives. So far the tool detects SQL errors, and it is under development now, checking the delay for time-based blind SQLi.

Mr-Robert0 avatar Aug 10 '22 02:08 Mr-Robert0
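The maintainer's reply describes a three-signal triage: a known SQL error string in the response, a content-length that differs from the baseline (which the user then verifies by hand, since the tool cannot tell a login bypass from any other page change), and, in development, a time delay for blind injection. The added example below (my own illustration, not logsensor's code) implements that triage over constructed sample responses. The error-pattern list, the `DELAY_THRESHOLD` value and the sample bodies are assumptions chosen for the demonstration.

```python
import re

# Constructed list of DBMS error signatures; not logsensor's own list.
SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"Warning: mysql_",
    r"unclosed quotation mark after the character string",
    r"ORA-\d{5}",
    r"pg_query\(\): Query failed",
]
_ERROR_RE = re.compile("|".join(SQL_ERROR_PATTERNS), re.IGNORECASE)

# Assumed threshold for a SLEEP(5)-style time-based probe, in seconds.
DELAY_THRESHOLD = 5.0


def classify(baseline: dict, response: dict) -> dict:
    """Compare one payload response against the baseline (a normal failed login).

    Verdicts, in priority order:
      sql-error   : a known DBMS error string appeared (high confidence)
      time-delay  : the response took DELAY_THRESHOLD s longer than baseline
      length-diff : body length changed but no error; needs manual review,
                    because a bypass, a WAF block page and a CSRF rejection
                    all look the same to a length check
      no-change   : nothing observable
    """
    body = response["body"]
    result = {
        "payload": response["payload"],
        "content_length": len(body),
        "baseline_length": len(baseline["body"]),
        "verdict": "no-change",
    }
    match = _ERROR_RE.search(body)
    if match:
        result["verdict"] = "sql-error"
        result["evidence"] = match.group(0)
    elif response.get("elapsed", 0.0) - baseline.get("elapsed", 0.0) >= DELAY_THRESHOLD:
        result["verdict"] = "time-delay"
    elif len(body) != len(baseline["body"]):
        result["verdict"] = "length-diff"
    return result


def triage(baseline: dict, responses: list) -> list:
    """Classify every payload response against the same baseline."""
    return [classify(baseline, r) for r in responses]


# Constructed sample responses standing in for captured HTTP bodies.
BASELINE = {
    "payload": "wronguser",
    "body": "<html><body>Invalid username or password.</body></html>",
    "elapsed": 0.2,
}
RESPONSES = [
    {   # login bypass: different page, no DB error, so only the length changes
        "payload": "' OR 1=1--",
        "body": "<html><body>Welcome, admin! <a href='/admin'>Dashboard</a></body></html>",
        "elapsed": 0.2,
    },
    {   # verbose error leaks a MySQL message
        "payload": "'",
        "body": "<html><body>You have an error in your SQL syntax; check the manual</body></html>",
        "elapsed": 0.2,
    },
    {   # blind: identical body, but the response was delayed
        "payload": "' AND SLEEP(5)--",
        "body": BASELINE["body"],
        "elapsed": 5.4,
    },
    {   # harmless input, identical to baseline
        "payload": "admin",
        "body": BASELINE["body"],
        "elapsed": 0.2,
    },
]


if __name__ == "__main__":
    for r in triage(BASELINE, RESPONSES):
        print("%-20s len=%-4d baseline=%-4d %s" % (
            r["payload"], r["content_length"], r["baseline_length"], r["verdict"]))
```

Note that the first sample, the actual bypass, is only ever reported as `length-diff`: that is exactly the case the maintainer says the tool cannot confirm on its own, and why the reporter saw a content-length line rather than a "bypass" message.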

Okay, thanks for the update. ✌️

Boopath1 avatar Aug 10 '22 06:08 Boopath1