GitBook: [master] 2 pages modified

This commit is contained in:
CPol 2020-08-25 08:38:04 +00:00 committed by gitbook-bot
parent 00d5d2495a
commit 1e39766c50
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 7 additions and 1 deletions

View file

@ -4,7 +4,7 @@
1. Try to upload a file with a **double extension** \(ex: _file.png.php_ or _file.png.php5_\).
* PHP extensions: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, ._phps_, ._pht_, _.phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc_
* ASP extensions: _.asp, .aspx, .config_
* ASP extensions: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .asp, .cer, .shtml_
2. Try to **uppercase some letter\(s\)** of the extension. Like: _.pHp, .pHP5, .PhAr ..._
3. Try to upload some **double \(or more\) extension** \(useful to bypass misconfigured checks that test if a specific extension is just present\):
1. _file.png.php_

View file

@ -250,6 +250,12 @@ In several occasions you will need to **understand regular expressions** used, t
* Try using **different verbs** to access the file: _GET, POST, INVENTED_
* If _/path_ is blocked, try using _**/**_**%2e/**path __\(if the access is blocked by a proxy, this could bypass the protection\). Try also _/**%252e**/path_ \(double URL encode\)
* Try Unicode bypass: _/**%ef%bc%8f**path_ \(The URL encoded chars are like "/"\) so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
* **Other path bypasses**:
* site.com/secret > HTTP 403 Forbidden
* site.com/secret/ > HTTP 200 OK
* site.com/secret/. > HTTP 200 OK
* site.com//secret// > HTTP 200 OK
* site.com/./secret/.. > HTTP 200 OK
* Go to [https://archive.org/web/](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.
* **Fuzz the page**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force \(with a few combinations only\) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).
* `X-Originating-IP: 127.0.0.1`