Mr-Robert0/Logsensor

Why is it encoding??

Boopath1 opened this issue · 6 comments


Normally the payload "' OR 1=1--" works for me. I checked whether the tool finds the same thing or not, so I tested that domain again, but the payload doesn't work because of the encoding of the payloads,
and I added this payload in "src.py".


And one more thing: why was the payload tested on the username only? Username and password, both params, would be okay!!

In logsensor itself, there is absolutely no encoding of payloads.
This happens when you send HTTP/S requests, even through the Burp proxy: it URL-encodes the data entered by the user if it contains invalid characters, symbols or spaces, so as not to make the request invalid, but when the web server receives your request, it understands it with its original value.

  • Why was the payload tested on the username only, not the password?
  • For example, if a potential hacker were to try something like String'); DROP TABLE USERS; -- in the password input, that would still be entered into the database as a hash,
    so I think it will be useless.

Thanks for the detailed explanation, but what is the solution?

There is no problem here. Generally, this is normal behavior in any HTTP/S request you send. Special characters and spaces are encoded (URL encoding) to make the request valid. As I mentioned, when the server receives your request, it decodes it and understands it as you sent it. If you inject 'or 1=1 -- it will be URL-encoded as +'or+1%3d1+--, but when the server receives it, it will be the same as you sent: 'or 1=1 --
and the attack will work normally.
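The round trip the maintainer describes, as an added example that is not part of this issue thread and not Logsensor's own code: the client form-encodes the payload, the server-side framework decodes it back, and only then is it concatenated into the query. The in-memory SQLite table, the `admin`/`letmein` credentials and the two login handlers are constructed for the demonstration; `raw_login` concatenates both fields, `hashed_login` hashes the password first, which is the situation the maintainer refers to when saying a password-field payload ends up as a hash.

```python
import hashlib
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed sample payload, the same one discussed in the issue.
PAYLOAD = "' OR 1=1--"


def encode_form(fields: dict) -> str:
    """Body of an application/x-www-form-urlencoded POST, exactly as an HTTP
    client library, a browser or Burp would send it (quote_plus rules)."""
    return urlencode(fields)


def decode_form(body: str) -> dict:
    """What a server-side framework does with that body before the
    application ever sees the values: it reverses the encoding."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; 'admin' has password 'letmein'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"letmein").hexdigest()),
    )
    return conn


def raw_login(conn, username: str, password: str):
    """Intentionally vulnerable: both decoded values are concatenated into SQL.
    Returns the matched username or None."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password)
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def hashed_login(conn, username: str, password: str):
    """Still vulnerable in the username, but the password is hashed before it
    reaches the query, so anything injected there becomes a hex digest."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, digest)
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def post_login(login_fn, conn, username: str, password: str):
    """Round-trip a form through client-side encoding and server-side decoding,
    then hand the decoded fields to the login handler. Returns (wire body, result)."""
    wire = encode_form({"username": username, "password": password})
    fields = decode_form(wire)
    return wire, login_fn(conn, fields["username"], fields["password"])


if __name__ == "__main__":
    conn = make_db()
    for fn in (raw_login, hashed_login):
        for user, pw in [("admin", "letmein"), (PAYLOAD, "x"), ("admin", PAYLOAD)]:
            wire, who = post_login(fn, conn, user, pw)
            print(f"{fn.__name__:13} {wire!r:45} -> {who}")
```

The wire body shows `%27+OR+1%3D1--`, yet both handlers receive the literal `' OR 1=1--`; the username injection succeeds against both, and the password injection succeeds only where the password is concatenated raw.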

I didn't get any data as you mentioned in your screenshot. While manually entering the payload it bypasses the admin login, but in the tool it shows the content length only.


The reason for making the tool show the content-length is so that the user will notice the difference between requests sent with different payloads. If he notices a difference when injecting a payload, and no error message appears but the content-length is different, the user checks the response through the proxy, or manually, to see if there is an admin page bypass or whatever. For the tool it's difficult to discover that; it will only show you the content-length, because if this feature existed in the tool there would be a lot of false positives. So far the tool detects SQL errors, and it is under development now, checking the delay for time-based blind SQLi.
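The triage the maintainer describes, written out as an added example (not Logsensor's code): a DBMS error string in the body is a confirmed finding, a large delay relative to the baseline is a probable time-based finding, and a status or content-length change with no error is only a lead to verify by hand in a proxy. The error signatures, the tolerance of 5 % on length, the 5-second delay threshold and the sample responses are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed error signatures; extend with the DBMS strings you care about.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax"
    r"|Warning: mysqli?_"
    r"|Unclosed quotation mark after the character string"
    r"|ORA-\d{5}"
    r"|pg_query\(\)|PG::SyntaxError"
    r"|sqlite3\.OperationalError|SQLite3::SQLException",
    re.IGNORECASE,
)


@dataclass
class Probe:
    payload: str
    status: int
    body: str
    elapsed: float  # seconds the request took


def sql_error(body: str):
    """Return the matched DBMS error fragment, or None."""
    m = SQL_ERROR_RE.search(body)
    return m.group(0) if m else None


def length_changed(baseline_len: int, body_len: int, tolerance: float = 0.05) -> bool:
    """True when the response size moved more than `tolerance` from baseline.
    A small tolerance absorbs CSRF tokens, timestamps and the echoed payload."""
    if baseline_len == 0:
        return body_len != 0
    return abs(body_len - baseline_len) / baseline_len > tolerance


def triage(baseline: Probe, probes, time_threshold: float = 5.0):
    """Rank each probe: confirmed error-based, probable time-based, or a
    content-length/status change that still needs manual (proxy) verification."""
    results = []
    for p in probes:
        err = sql_error(p.body)
        delay = p.elapsed - baseline.elapsed
        if err:
            verdict, reason = "error-based", f"DBMS error: {err}"
        elif delay >= time_threshold:
            verdict, reason = "time-based (probable)", f"delay {delay:.1f}s over baseline"
        elif p.status != baseline.status or length_changed(len(baseline.body), len(p.body)):
            verdict, reason = "verify manually", (
                f"status {baseline.status}->{p.status}, length {len(baseline.body)}->{len(p.body)}"
            )
        else:
            verdict, reason = "no change", "same status and similar length"
        results.append({"payload": p.payload, "content_length": len(p.body),
                        "verdict": verdict, "reason": reason})
    return results


# Constructed sample responses standing in for a real login endpoint.
LOGIN_PAGE = "<html><body><form>Invalid username or password</form>" + "." * 1150 + "</body></html>"
BASELINE = Probe("admin", 200, LOGIN_PAGE, 0.21)
SAMPLE_PROBES = [
    Probe("'", 500, "<pre>You have an error in your SQL syntax; check the manual</pre>", 0.22),
    Probe("' OR 1=1--", 302, "<html><body>Welcome admin <a href='/logout'>logout</a></body></html>", 0.20),
    Probe("' AND SLEEP(5)--", 200, LOGIN_PAGE, 5.41),
    Probe("admin'", 200, LOGIN_PAGE.replace("Invalid", "Invalid "), 0.21),
]

if __name__ == "__main__":
    for r in triage(BASELINE, SAMPLE_PROBES):
        print(f"{r['verdict']:22} len={r['content_length']:5}  {r['payload']!r:20} {r['reason']}")
```

The second probe is the admin bypass from the screenshot: no error string appears, so all the tool can honestly report is the status and length change, and the bypass itself is confirmed by looking at the response in the proxy.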

okay, thanks for the update.✌️