devploit/nomore403 devploit/nomore403

  • Stars
    star
    1,091
  • Rank 42,463 (Top 0.9 %)
  • Language
    Go
  • License
    MIT License
  • Created over 3 years ago
  • Updated 5 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
devploit/nomore403
github

devploit

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Tool to bypass 403/40X response codes.

contributions welcome

dontgo403 is a tool to bypass 40X errors.

Installation

Grab the latest release for your OS from RELEASES

Or compile by your own:

git clone https://github.com/devploit/dontgo403; cd dontgo403; go get; go build

Customization

If you want to edit or add new bypasses, you can add it directly to the specific file in payloads folder and the tool will use it.

Options

./dontgo403 -h

Command line application that automates different ways to bypass 40X codes.

Usage:
  dontgo403 [flags]

Flags:
  -i, --bypassIp string       Try bypass tests with a specific IP address (or hostname). i.e.: 'X-Forwarded-For: 192.168.0.1' instead of 'X-Forwarded-For: 127.0.0.1'
  -d, --delay int             Set a delay (in ms) between each request (default 0ms)
  -f, --folder string         Define payloads folder (if it's not in the same path as binary)
  -H, --header strings        Add a custom header to the requests (can be specified multiple times)
  -h, --help                  help for dontgo403
      --http                  Set HTTP schema for request-file requests (default HTTPS)
  -t, --httpMethod string     HTTP method to use (default 'GET')
  -m, --max_goroutines int    Set the max number of goroutines working at same time (default 50)
      --nobanner              Set nobanner ON (default OFF)
  -p, --proxy string          Proxy URL. For example: http://127.0.0.1:8080
  -r, --request-file string   Path to request file to load flags from
  -u, --uri string            Target URL
  -a, --useragent string      Set the User-Agent string (default 'dontgo403')
  -v, --verbose               Set verbose mode ON (default OFF)

Usage

Output example:

                                                                                       .#%%:  -#%%%*.  +#%%#+.
                                                                                      =@*#@: =@+  .%%.:+-  =@*
         :::.                             ...                                       .#@= *@: *@:   *@:  :##%@-
         :::.                             :::.             ..    -:..-.    ..   ::  =%%%%@@%:=@*. :%% =*-  :@%
 .::::::::::.   .::::::.   .:::::::::.  ::::::::.  .:::::::::.  .=::..:==-=+++:.         +#.  -*#%#+.  =*###+.
.:::....::::. .:::....:::. .::::...:::. ..::::..  ::::....:::   --::..-=+*=:.
:::.     :::. :::.    .::: .:::    .:::   :::.   ::::     .:::  -=::-*#+=:
::::    .:::. ::::    :::: .:::    .:::   :::.   .:::.    :::.  +-:::=::.
 :::::.:::::.  ::::..::::  .:::    .:::   .:::.:. .:::::::::.  .+=:::::.
  ..::::.:::    ..::::..   .:::     :::    ..:::.   .....::::.   -=:.::
                                                 .:::     ::::
                                                  :::::..::::.
	
Target: 		        https://domain.com/admin
Headers: 		        false
User Agent: 		        dontgo403
Proxy: 			        false
Method: 		        GET
Payloads folder:                payloads
Custom bypass IP:               false
Verbose: 		        false
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” DEFAULT REQUEST โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
403 	  429 bytes https://domain.com/admin

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” VERB TAMPERING โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” HEADERS โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” CUSTOM PATHS โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
200 	 2047 bytes https://domain.com/;///..admin

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” CASE SWITCHING โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”
200 	 2047 bytes https://domain.com/%61dmin

Basic usage:

./dontgo403 -u https://domain.com/admin

Verbose mode + proxy enabled:

./dontgo403 -u https://domain.com/admin -p http://127.0.0.1:8080 -v

Parse request from Burp:

./dontgo403 -r request.txt

Use custom header + specific IP address for bypasses:

./dontgo403 -u https://domain.com/admin -H "Environment: Staging" -b 8.8.8.8

Set new max of goroutines + add delay between requests:

./dontgo403 -u https://domain.com/admin -m 10 -d 200

Contact

Twitter: devploit

More Repositories

1

awesome-ctf-resources

A list of Capture The Flag (CTF) frameworks, libraries, resources and software for started/experienced CTF players ๐Ÿšฉ
431
star
2

XORpass

Encoder to bypass WAF filters using XOR operations.
Python
250
star
3

debugHunter

Discover hidden debugging parameters and uncover web application secrets
JavaScript
228
star
4

CTF_OnlineTools

Repository to index useful online tools for CTF
147
star
5

put2win

Script to automate PUT HTTP method exploitation to get shell
Shell
124
star
6

unaalmes-writeups

Repository to save all write-ups from UAM challenges
Python
29
star
7

pwny.cc

Repository of useful payloads and tips for pentesting/bug bounty.
24
star
8

pentesting-wiki

I am tired of cherrytree and I think that having useful information online to consult comfortably can be a good option. Feel free to send corrections / extra tips.
4
star
9

pwnygames_2021

TODO
1
star
10

blog

Shell
1
star
11

devploit

1
star
12

ctf-writeups

Repository to store public writeups from some CTFs.
1
star