
Triple base64encode

Open M-Tofla opened this issue 1 year ago • 0 comments

Hi @stamparm

Sorry for bothering you.

I found that vuln on JSON param1, but it's triple-encoded base64.

Example :

GET /list?id=WlhsS2QxbFlTbWhpVkVWcFQybEplazFUU1hOSmJrSm9ZMjFHZEUxcFNUWkpibEpzWXpOUmFVeERTbmRaV0Vwb1lsUk5hVTlwU2pCYVdFNHdTVzR3UFE9PQ==

When I decode it 3x:

GET /list?id={"param1":"31","param2":"test","param3":"test"}

Then I saw this post, where you suggest a modification: https://github.com/sqlmapproject/sqlmap/issues/2594

0# You should provide that same parameter value in (triple-)unencoded form (e.g. if original was ...&foo=V1cxR2VRPT0= then provide it like &foo=bar).

and modify: base64.b64encode(base64.b64encode(base64.b64encode(payload.encode(UNICODE_ENCODING))))

After that I injected again using -u /list?id={"param1":"31","param2":"test","param3":"test" --tamper=triplebase64

it appears that provided value for GET parameter 'id' is JSON deserializable. Do you want to inject inside? [y/N] y

sqlmap didn't detect the vuln, so I checked using -v 6; sqlmap only triple-encodes the payload on JSON param1

GET /list?id={"param1":"31VFhwRmJrc3dSazlTUTNONlQxUkJNRkJVVlRGTlZHZDBURk4wYzJWWFJrND0=","param2":"test","param3":"test"}

not the whole id parameter.

Is there any suggestion for modifying this?

Sorry if I confused you. Thank you.

Regards, Tofla

M-Tofla, Apr 27 '24 07:04
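An added example, not part of the original issue and not sqlmap code: a small Python check that peels nested base64 layers off a parameter value until a JSON object appears, which shows why the request seen in the `-v 6` output is not what an endpoint expecting three layers receives. `wrap`, `peel` and `mixed` are hypothetical helper names, and the sample values are constructed from the decoded JSON shown in the issue.

```python
import base64
import json

# Constructed sample: the decoded JSON shown in the issue.
PLAIN = '{"param1":"31","param2":"test","param3":"test"}'


def wrap(value: str, layers: int = 3) -> str:
    """Base64-encode the whole parameter value `layers` times."""
    data = value.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def peel(value: str, max_layers: int = 5):
    """Strip base64 layers until the text parses as a JSON object.

    Returns (layers_removed, parsed_object). Raises ValueError when a layer
    is not valid base64 text or no JSON object appears within max_layers.
    """
    text = value
    for depth in range(max_layers + 1):
        try:
            obj = json.loads(text)
            if isinstance(obj, dict):
                return depth, obj
        except ValueError:
            pass  # not JSON yet, try to remove another layer
        if depth == max_layers:
            break
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        text = base64.b64decode(text, validate=True).decode("utf-8")
    raise ValueError("no JSON object within max_layers")


def mixed(suffix: str) -> str:
    """Shape seen in the verbose output: only the text appended to param1
    is triple-encoded, the JSON around it stays plain."""
    obj = json.loads(PLAIN)
    obj["param1"] += wrap(suffix)
    return json.dumps(obj)


if __name__ == "__main__":
    print(peel(wrap(PLAIN)))             # 3 layers, then the JSON object
    print(peel(mixed("PLACEHOLDER"))[0])  # 0 layers: value is already plain JSON
```

A value wrapped as a unit reports three layers, while the mixed form reports zero, so a server that decodes the `id` value three times before parsing never sees the JSON in the second case.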