During one of my projects I observed that the application was
sending the query string (with dynamic values) in Base-64 encoded format, and that subsequent
pages were loaded based on the parameter values in this query string.
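Many applications use some encryption/decryption technique to protect data that is sent and received over the network.
Base-64 encoding is one of the ways applications transform data on the network: the plain text is encoded to Base-64 by the sender and decoded back to plain text by the receiver. Note that Base-64 is a keyless, reversible encoding, not encryption: as step 1 below shows, anyone who captures the value can decode it, so it does not keep the data confidential by itself. That has to come from TLS or real encryption.
Base-64 encoding converts plain text into Base-64 data, for example: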
//Plain Text
action=INIT&state=Bank_Transfer&RefNumber=198518Routing_Numberr=172118
//Base-64 encoded data
YWN0aW9uPUlOSVQmc3RhdGU9QmFua19UcmFuc2ZlciZSZWZOdW1iZXI9MTk4NTE4Um91dG
luZ19OdW1iZXJyPTE3MjExOA==
luZ19OdW1iZXJyPTE3MjExOA==
In the script you will see the data going in the request in encoded form, but this data cannot be found in the responses of the previous steps.
From the generation log we can figure out that the data is being converted to Base-64 by some technique or function.
The request below shows the data (highlighted in red) going in encoded form:
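// Recorded request. The "params" item carries the whole query string as a
// single Base-64 value. Base-64 is only an encoding, and the recorded Action
// URL is plain http://, so the reference and routing numbers inside the value
// are readable by anyone who can observe the request.
// The Value literal is kept on one line: a C string literal cannot contain a
// raw line break, and the repeated argument tail that followed the call in
// the listing was not valid C.
web_submit_data("saveParams.jsp",
    "Action=http://www.WebServer.com/saveParams.jsp",
    "Method=POST",
    "TargetFrame=",
    "RecContentType=text/html",
    "Referer=http://www.WebServer.com/Example.do",
    "Snapshot=t24.inf",
    "Mode=HTML",
    ITEMDATA,
    "Name=params", "Value=YWN0aW9uPUlOSVQmc3RhdGU9QmFua19UcmFuc2ZlciZSZWZOdW1iZXI9MTk4NTE4Um91dGluZ19OdW1iZXJyPTE3MjExOA==", ENDITEM,
    LAST);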
Use the following steps to get this dynamic data
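1. Decode this data and see exactly what plain text is being sent to the server.
For decoding you can use http://www.rbl.jp/base64.php. If the captured value contains real application data (account, reference or routing numbers), decode it with a local tool instead, so the values are not submitted to a third-party site.
In my example I decoded my encoded string and got the plain text below: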
action=INIT&state=Bank_Transfer&RefNumber=198518&Routing_Numberr=172118
2. Based on this we can build the query string ourselves and pass it to a Base-64 converter function to get the encoded string.
Place the below functions in globals.h
#ifndef _GLOBALS_H
#define _GLOBALS_H
//--------------------------------------------------------------------
// Include Files
#include "lrun.h"
#include "web_api.h"
#include "lrw_custom_body.h"
//--------------------------------------------------------------------
// Global Variables
#define _GLOBALS_H
//--------------------------------------------------------------------
// Include Files
#include "lrun.h"
#include "web_api.h"
#include "lrw_custom_body.h"
//--------------------------------------------------------------------
// Global Variables
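// Forward declaration: base64encode() is defined after convert(), and calling
// it undeclared would give it an implicit int return type that conflicts with
// its void definition.
void base64encode(char *src, char *dest, int len);

// Returns a newly allocated, NUL-terminated Base-64 encoding of the C string
// src, or NULL if src is NULL or the allocation fails.
//
// Ownership: the buffer comes from malloc() and belongs to the caller, who
// must free() it once the value has been copied elsewhere. A script that
// calls this every iteration without freeing grows the load generator's
// memory for the whole run.
//
// Base-64 is an encoding, not encryption: the result can be decoded by anyone.
char *convert( char *src)
{
    int dest_size;
    char *deststr;

    if (!src)
        return NULL;

    // 4 output characters per 3 input bytes (rounded up), plus the terminator.
    dest_size = 1 + ((strlen(src)+2)/3*4);

    deststr = (char *)malloc(dest_size);
    if (!deststr)
        return NULL;            // previously memset() ran on a NULL pointer here

    memset(deststr,0,dest_size);
    base64encode(src, deststr, dest_size);
    return deststr;
}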
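// Encodes the NUL-terminated string src as Base-64 into dest.
//
// src  - input C string; encoding stops at its terminator.
// dest - output buffer; always NUL-terminated when len > 0.
// len  - capacity of dest in bytes, terminator included. The only caller
//        visible here, convert(), passes the size of the destination buffer.
//
// The previous loop compared the *source* index with len, so a dest buffer
// smaller than 4 * ceil(strlen(src) / 3) + 1 bytes was written past its end.
// Output is now produced only while a whole 4-character group plus the
// terminator still fits; input that does not fit is silently dropped.
void base64encode(char *src, char *dest, int len)
{
    static const char lut[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    int slen;
    int room;
    int i;

    if (!dest || len <= 0)
        return;                 // nowhere to write, not even a terminator
    if (!src) {
        *dest = '\0';
        return;
    }

    slen = (int)strlen(src);
    room = len - 1;             // keep one byte for the terminator

    for (i = 0; i < slen && room >= 4; i += 3, room -= 4)
    {
        // Read through unsigned char so bytes >= 0x80 do not sign-extend;
        // missing trailing bytes count as zero bits.
        unsigned char b0 = (unsigned char)src[i];
        unsigned char b1 = (i + 1 < slen) ? (unsigned char)src[i + 1] : 0;
        unsigned char b2 = (i + 2 < slen) ? (unsigned char)src[i + 2] : 0;

        *(dest++) = lut[b0 >> 2];
        *(dest++) = lut[((b0 & 0x3) << 4) | (b1 >> 4)];
        *(dest++) = (i + 1 < slen) ? lut[((b1 & 0xF) << 2) | (b2 >> 6)] : '=';
        *(dest++) = (i + 2 < slen) ? lut[b2 & 0x3F] : '=';
    }
    *dest = '\0';               // Append terminator
}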
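// Builds the query string
//     <str>&RefNumber=<param1>&Routing_Numberr=<param2>
// and returns its Base-64 encoding as produced by convert().
//
// str    - fixed leading part, e.g. "action=INIT&state=Bank_Transfer"
// param1 - value for RefNumber
// param2 - value for Routing_Numberr (key spelled as in the decoded sample)
//
// Returns NULL if an argument is NULL, if the assembled string would not fit
// the 2000-byte work buffer, or if convert() returns NULL. The returned
// buffer is allocated by convert(); the caller must free() it.
//
// Changes from the listing: the values were appended in the wrong order and
// twice, which did not reproduce the decoded plain text; the strcpy/strcat
// chain had no length check, so long parameter values overflowed the stack
// buffer; and a stray duplicate of the function tail followed the closing
// brace.
//
// The values are appended as-is. A value containing '&' or '=' would change
// the structure of the query string, so URL-encode the values first if the
// test data can contain such characters.
char *getParam(char *str, char *param1, char *param2)
{
    char param[2000];
    unsigned long room;
    unsigned long n;

    if (!str || !param1 || !param2)
        return NULL;

    // Space left for the three variable parts once the two fixed keys and
    // the terminator are accounted for. Each part is checked on its own so
    // the running total cannot wrap.
    room = sizeof(param) - 1 - strlen("&RefNumber=") - strlen("&Routing_Numberr=");

    n = strlen(str);
    if (n > room)
        return NULL;
    room -= n;

    n = strlen(param1);
    if (n > room)
        return NULL;
    room -= n;

    n = strlen(param2);
    if (n > room)
        return NULL;

    strcpy(param, str);
    strcat(param, "&RefNumber=");
    strcat(param, param1);
    strcat(param, "&Routing_Numberr=");
    strcat(param, param2);

    return convert(param);
}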
Call the function in the script as shown below. This prepares the query string and converts it to Base-64.
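{
    // getParam() hands back a malloc'd buffer. lr_save_string() copies the
    // text into the {param} parameter, so the buffer is released right after;
    // passing the call result straight to lr_save_string() leaked one buffer
    // per iteration.
    char *encoded = getParam("action=INIT&state=Bank_Transfer",
        lr_eval_string("{Ref_Number_Val}"),
        lr_eval_string("{Routing_Number_Val}"));

    if (encoded != NULL) {
        lr_save_string(encoded, "param");
        free(encoded);
    } else {
        lr_error_message("getParam() could not build the Base-64 params value");
    }
}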
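// Same request as recorded, with the Base-64 value taken from the {param}
// parameter that was saved just before this call. The repeated argument tail
// that followed the call in the listing was not valid C and is dropped.
web_submit_data("saveParams.jsp",
    "Action=http://www.WebServer.com/saveParams.jsp",
    "Method=POST",
    "TargetFrame=",
    "RecContentType=text/html",
    "Referer=http://www.WebServer.com/Example.do",
    "Snapshot=t24.inf",
    "Mode=HTML",
    ITEMDATA,
    "Name=params", "Value={param}", ENDITEM,
    LAST);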
// Note: Values for Ref_Number_Val and Routing_Number_Val will vary in each iteration and with the data.