2

I'm building an Excel script that will bypass a form on a website, and parse the request directly in a URL to generate the desired output (then pull that data into Excel).

I have everything working, but part of the solution is to include a parameter value that seems to be a combination of fixed and variable characters. The website is using a .do Java serverlet file for server side requests. The script apparently decodes this, and looks for something before executing. If any value is different in the generated codes, it will not execute.

Here are three examples. Each work successfullly. How can I go about decoding this, so that I may create a dynamic code of my own vs. re-using the same ID over and over?

My guess is that this would need to be some base conversion? Not sure if it's possible, but there's certainly a pattern in the codes, at least for the first and last few characters:

1: H4sIAAAAAAAAAL2QTU_DMAyGf824VKrsdKvKwYeqHQIJbTAGO0wcQhq2SN1aJRkfUn48brsDMMQNbm9iW378BAQgERCQ8MxalStvmv1C2WoNjxS66p2WVm2jwhqvrZF976t-km3rRMwjsddv0sWb5mWU5BlwXdBIXExXOceki67Vyjwbda2l07cHbd-HNXHVcMuYdtpvm2rZFLKu-WNCh_1xRFf8zghO0Naup8rtxsWttHL3IOuDZmJBgCEhAQLCuMuTIac0Dxl9IQnn1Nqmyve82su6NK7lbTRcAFlPLwDTcRAMWRnnrVH-GwoeLZXHMjuI-tk_lzQY4JiSq2_kRttPJn7Uhv-uLaHZfLG8jIr5qpzOovvZ1fJ3mevTUzrBhEyIwITY4TEdMhrCB5_buH2_AgAA

2: H4sIAAAAAAAAALWQTU8CMRCGfw1eNjZtF8hymEOziycjKERjiIfaHaHJwjZt8SPpj3d24aCinvT2ttPpPPMkwTnIJLgAcea9USbadndjfL3iD5C66gK1N5us9Dait7p_-4KP2rkgGbWwiK86sHX7PMhVwakuYSAvpneKYt7F4NDYJ2suUQe83qN_O4xhdUtPhrDFuGnrZVvqpqGLEex3xxas6VwAP0FbhZ5K-XVgTnu9vdXNHolYAhcpB8nFJA27PKIseRrDLBXwiSRNwPm2VjsaHXVT2eBoGhw24EVPT_-MZZIEWdsQvTXxC4o4WqqOZXKQ9b3_LulggOIYQjPXa_QfTHyrTfyVNnLhKozaNuFHYzncq2p2NZBlVrJszs4XS7Wc_q5ydbpIpxcE8QlOfCLv6Do4IhP8Hb4znrK-AgAA

3: H4sIAAAAAAAAAG2PS2vDMBCEf016KYiV7AT3sAeRNqdA6YP2EHpQpU0icCyxkvsA_fjKdi-F3mZ3ZplviwRAWSRIhCtmq232YXi07A7whmVyn8iwPV9v2Wdib-bsJ72bGJMS9URk-jJJnMLHqtEdVF_hSu3uXnWVzSRTJOuP3u7JJHoYib-XGuFCjbR4oXwO7jlsTd_XxRrH4feEXJ27f9AOaabSfEoiGjaXF9OPVIkVgiwNKlBQ2kmvF73B-9LhH5Jyg5GD00Otzqa_9SnWNlw-gG6mVyA3bVEV0vmU2dv8A8nXYOAyAQAA

like2think
  • 142
  • 2
  • 15

1 Answers1

4

Does this:

|100=1|101=0&rrcActionRcrd[0]=|100=Search+Criteria|101=webapps2.rrc.texas.gov%3A80|102=%2FEWA|103=%2FspecificLeaseQueryAction.do|104=methodToCall|105=unspecified|108=0&rrcActionRcrd[0][searchArgs.paramValue]=|2=01|3=2020|4=01|5=2020|6=O|8=specificLease|9=prodAndTotalDisp|10=0|102=08|103=20164|204=district

make sense for your third example?

Here is the second one:

|100=2|101=1&rrcActionRcrd[0]=|100=Search+Criteria|101=webapps2.rrc.texas.gov%3A80|102=%2FEWA|103=%2FspecificLeaseQueryAction.do|104=methodToCall|105=unspecified|108=0&rrcActionRcrd[0][searchArgs.paramValue]=|2=01|3=2019|4=01|5=2020|6=O|8=specificLease|9=prodAndTotalDisp|10=0|102=08|103=20162|204=district&rrcActionRcrd[1]=|100=District%3A+08|101=webapps2.rrc.texas.gov%3A80|102=%2FEWA|103=%2FspecificLeaseQueryAction.do|104=methodToCall|105=search|106=slPager.paramValue|108=0&rrcActionRcrd[1][searchArgs.paramValue]=|2=01|3=2019|4=01|5=2020|6=O|8=specificLease|9=dispDetails|10=0|102=08|103=20162|203=YADON%2C+C.+P.-STATE|204=district&rrcActionRcrd[1][slPager.paramValue]=|1=1|2=10|3=13|4=0|5=2|6=10

and the first one:

|100=2|101=1&rrcActionRcrd[0]=|100=Search+Criteria|101=webapps2.rrc.texas.gov%3A80|102=%2FEWA|103=%2FspecificLeaseQueryAction.do|104=methodToCall|105=unspecified|108=0&rrcActionRcrd[0][searchArgs.paramValue]=|2=01|3=2020|4=01|5=2020|6=O|8=specificLease|9=prodAndTotalDisp|10=0|102=08|103=20164|204=district&rrcActionRcrd[1]=|100=District%3A+08|101=webapps2.rrc.texas.gov%3A80|102=%2FEWA|103=%2FspecificLeaseQueryAction.do|104=methodToCall|105=search|106=slPager.paramValue|108=0&rrcActionRcrd[1][searchArgs.paramValue]=|2=01|3=2020|4=01|5=2020|6=O|8=specificLease|9=prodAndTotalDisp|10=0|102=08|103=20164|203=NORTH+COWDEN+UNIT|204=district&rrcActionRcrd[1][slPager.paramValue]=|1=1|2=10|3=1|4=0|5=1|6=10

What you have here is a Base64 encoded gzip stream. So to decoded you need to Base64 decoded it into a .gz and then unzip it. That's what I did and this is how I did it:

I took your first encoded block and saved it to a file. I did the same thing with the other two blocks. Went to https://www.base64decode.org/ and loaded the first file; downloaded the converted version and saved it with a .gz extension. Did the same thing with the other two files. Then I gunziped them and got the decoded results. I did have some problems with the first and second blocks, but it was related to the way it was showing in the page. Once I took a look at source code of the page and copied it from there I did not have a problem.

You will have to generate the proper format, that should be easy, then you need to gzip it and then encoded it. It will work.

Dan M
  • 4,340
  • 8
  • 20
  • I see, this is a duplication of the query string. I suppose I need to read up on Base64 decoding into .gz. Are you familiar enough with this methodology? What might the purpose be here, to use base converted values? Since I'm in Excel, can I use VBA to decode this? Or, rather, generate my own, now that we can see what it's doing? Do you have a link for an example of actually doing what you did to decode it? – like2think Jul 02 '20 at 00:54
  • 2
    Here is very important to mention, that this is not the standard Base64 encoding, but the URL safe one: + and / are substituted by - and _. You can use https://gchq.github.io/CyberChef/ anyway to encode those string: use the RECIPE: From Base64 with "A-Za-z0-9-_=" and as second Gunzip. Then paste your input into INPUT. Voila! – Janos Vinceller Jul 02 '20 at 09:21
  • I'm not having success using CyberChef to take the query string and apply gzip + Base64 to generate a key that's similar to the patterns I'm seeing above. Your example works decoding, but what step am I missing for encoding (to replicate / generate my own after altering the query string as needed)? I'd also like to do this in VBA- researching, but nothing quite yet. – like2think Jul 03 '20 at 19:29
  • http://www.vbforums.com/showthread.php?379072-VB-Fast-Base64-Encoding-and-Decoding and also https://stackoverflow.com/questions/58026702/how-to-decompress-http-responses-in-vba-excel – Dan M Jul 03 '20 at 21:27