mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [master] 2 pages modified
This commit is contained in:
parent
00d5d2495a
commit
1e39766c50
2 changed files with 7 additions and 1 deletions
|
@ -4,7 +4,7 @@
|
|||
|
||||
1. Try to upload a file with a **double extension** \(ex: _file.png.php_ or _file.png.php5_\).
|
||||
* PHP extensions: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, ._phps_, ._pht_, _.phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc_
|
||||
* ASP extensions: _.asp, .aspx, .config_
|
||||
* ASP extensions: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .asp, .cer, .shtml_
|
||||
2. Try to **uppercase some letter\(s\)** of the extension. Like: _.pHp, .pHP5, .PhAr ..._
|
||||
3. Try to upload some **double \(or more\) extension** \(useful to bypass misconfigured checks that test if a specific extension is just present\):
|
||||
1. _file.png.php_
|
||||
|
|
|
@ -250,6 +250,12 @@ In several occasions you will need to **understand regular expressions** used, t
|
|||
* Try using **different verbs** to access the file: _GET, POST, INVENTED_
|
||||
* If _/path_ is blocked, try using _**/**_**%2e/**path __\(if the access is blocked by a proxy, this could bypass the protection\). Try also _/**%252e**/path_ \(double URL encode\)
|
||||
* Try Unicode bypass: _/**%ef%bc%8f**path_ \(The URL encoded chars are like "/"\) so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
|
||||
* **Other path bypasses**:
|
||||
* site.com/secret –> HTTP 403 Forbidden
|
||||
* site.com/secret/ –> HTTP 200 OK
|
||||
* site.com/secret/. –> HTTP 200 OK
|
||||
* site.com//secret// –> HTTP 200 OK
|
||||
* site.com/./secret/.. –> HTTP 200 OK
|
||||
* Go to [https://archive.org/web/](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.
|
||||
* **Fuzz the page**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force \(with a few combinations only\) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).
|
||||
* `X-Originating-IP: 127.0.0.1`
|
||||
|
|
Loading…
Reference in a new issue