• Resolved medard22

    (@medard22)


    Hello, first of all thank you for the great plugin. I noticed that lately NinjaFirewall reports many BASE64-encoded injection attempts like this one.

    51.255.43.153 POST /index.php – BASE64-encoded injection – [POST:d = JGQgPSBnZXRfY3VycmVudF9maWxlX3VybCgpOwoKZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly8xOTguMjQuMTY2LjIyMi9ydC5waHA/Zj1kb21zc3M1NSZkPSIuJGQpOwp2YXJfZHVtcChiYXNlNjRfZGVjb2RlKCJkMlZ5ZVhWNWFXdG5hbWhtZW1abmF…]

    Is it possible to recover the complete payload from the logs? I would like to investigate it further. Thank you.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    The firewall only logs the first 200 characters.
    If you want to log the full $_POST['d'] payload, you can use the .htninja script and add your own code to do it.

    You probably were aware, but the fragment from the log file can be decoded at https://www.base64decode.org
    It will lead you to (one of) the source(s) of the hack source code…

    Thread Starter medard22

    (@medard22)

    Thanks for all the answers. I am no programmer though. Can I use this code snippet in the .htninja script to log the POST payload?

    file_put_contents("post.log", print_r($_POST, true));

    Plugin Author nintechnet

    (@nintechnet)

    @gwdlarry : you can decode a base64 string, even a partial one. You can use a command line:
    $ echo -e BASE64-ENCODE-STRING | base64 -d

    But that is unlikely your issue. Hackers try to inject the same code using many different vulnerabilities. This one is blocked by the firewall.

    @medard22 : you can use this code:

    if ( ! empty( $_POST ) ) {
       // FILE_APPEND keeps earlier requests; without it each POST overwrites the log.
       file_put_contents( __DIR__ . '/post.log', print_r( $_POST, true ), FILE_APPEND );
    }

    Be careful: when you log in to your admin dashboard, the user password will be written to the log!
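    The following is an added example; it is not code from this thread and not part of NinjaFirewall itself. It is a .htninja snippet that does what the reply above suggests but masks password fields before anything is written (addressing the warning about the admin login), appends instead of overwriting, writes to a path outside the web root, and also decodes the truncated base64 fragment the way the first reply describes, for any such fragment and not just the one in the opening post. The log path, the list of masked field names, and the use of the 'd' parameter name are assumptions made for this example; NinjaFirewall including .htninja as PHP with $_POST already populated is also assumed.

```php
<?php
// Added example for a .htninja file; not from the thread or from NinjaFirewall.
// Assumptions: the firewall includes this file as PHP before filtering, so
// $_POST is populated; LOG_FILE, REDACTED_FIELDS and the 'd' field name are
// assumed values for this example.

const LOG_FILE = '/var/log/ninjafirewall/post.log';   // assumed path outside the web root
const REDACTED_FIELDS = ['pwd', 'pass', 'password', 'pass1', 'pass2', 'user_pass']; // assumed list

// Return a copy of the POST array with credential-like values masked, so a
// login through wp-login.php ('pwd') does not write the password to disk.
function redact_post(array $post, array $deny = REDACTED_FIELDS): array
{
    foreach ($post as $key => $value) {
        if (is_array($value)) {
            $post[$key] = redact_post($value, $deny);
        } elseif (in_array(strtolower((string) $key), $deny, true)) {
            $post[$key] = '[REDACTED]';
        }
    }
    return $post;
}

// Decode a base64 fragment that may be truncated, as the 200-character
// firewall log entry is: keep only base64 alphabet characters (this also
// drops a trailing "…" and any padding), discard a dangling single character
// that cannot form a byte, re-pad, and decode strictly. A truncated fragment
// yields a truncated but readable prefix of the original payload.
function decode_base64_fragment(string $fragment): string
{
    $clean = preg_replace('/[^A-Za-z0-9+\/]/', '', $fragment);
    if (strlen($clean) % 4 === 1) {
        $clean = substr($clean, 0, -1);
    }
    $padded  = str_pad($clean, (int) ceil(strlen($clean) / 4) * 4, '=');
    $decoded = base64_decode($padded, true);
    return $decoded === false ? '' : $decoded;
}

if (!empty($_POST)) {
    $entry = sprintf(
        "[%s] %s %s\n%s",
        date('c'),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        print_r(redact_post($_POST), true)
    );
    // The 'd' field carried the encoded payload in the log line quoted in the
    // thread; store its decoded form next to the raw (masked) copy.
    if (isset($_POST['d']) && is_string($_POST['d'])) {
        $entry .= "decoded d:\n" . decode_base64_fragment($_POST['d']) . "\n";
    }
    // Append and lock so concurrent requests do not interleave or overwrite.
    file_put_contents(LOG_FILE, $entry . "\n", FILE_APPEND | LOCK_EX);
}
```

    The log directory must be writable by the web server user, and keeping it outside the document root matters because a file named post.log inside the plugin directory can be fetched over HTTP. decode_base64_fragment() can also be pasted into a one-off PHP script to decode a fragment copied from the firewall log, which is the same operation as the base64 -d command in the reply above.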

  • The topic ‘Repeated BASE64 encode injection – possible to recover payload?’ is closed to new replies.