Assalamualaikum,
This write-up is about bypassing Cloudflare and getting origin servers.
Description:
Cloudflare is a security layer that protects a website. It works as a middleman between a server and its users. It protects against web-based attacks such as XSS and SQL injection, buffer overflows and, most significantly, DDoS attacks. In general, an attacker can't reach the origin server directly if Cloudflare is enabled, so it is difficult to deploy such attacks. That is enough basic information about Cloudflare security. Let's move on to the bypassing part.
Fingerprinting:
First let's see whether the server is behind a Web Application Firewall (WAF) or not. To determine this, simply visit the IP of the target. From the "A" records we can get the server IP. Use dig or https://toolbox.googleapps.com/apps/dig/#A/ to get the "A" records.
Eternyle$ dig redacted.com
;; ANSWER SECTION:
redacted.com. 299 IN A 1337.10.11.21
redacted.com. 299 IN A 1337.10.12.21
Let's visit one of these IPs to check whether a WAF is in place or we can access the server directly.
It says "Direct IP Access not allowed" and "IP address that is part of the Cloudflare network", which means the server is behind Cloudflare. So we need to bypass it and get the origin IP.
Alternatively we can use Shodan, or Censys as below, to check whether the server is behind Cloudflare or not.
https://censys.io/certificates?q=parsed.names%3A+redacted.com
Dork: parsed.names: redacted.com
Bypass:
There may be several ways to bypass Cloudflare or find the origin server, but Censys is the best option for getting the origin servers. By using Censys we can get many IPs. The question is: which one is the origin server?
The IPs we get from Censys may belong to Cloudflare ranges, but we need the IPs that serve HTML content identical to the main domain.
We will use a tool called CloudFlair written by Christophe. That tool helps us find the origin server: it checks which candidate IPs serve HTML identical to the main domain's and reports those as the origin IP.
Eternyle$ python cloudflair.py redacted.com
[*] some outputs.....
[*] some outputs.....
[*] Found 2 likely origin servers of redacted.com!
- 132.102.12.193 (HTML content identical to redacted.com)
- 132.102.12.194 (HTML content identical to redacted.com)
So we get two origin servers. I think that is enough to submit a report.
Network Mapping:
Let's do a simple scan.
Eternlye$ nmap 132.102.12.193
Not shown: 979 filtered ports
PORT STATE SERVICE
25/tcp open smtp
43/tcp open whois
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
700/tcp open epp
993/tcp open imaps
995/tcp open pop3s
2000/tcp closed cisco-sccp
3389/tcp open ms-wbt-server
5222/tcp open xmpp-client
5432/tcp open postgresql
5900/tcp open vnc
5901/tcp open vnc-1
8080/tcp open http-proxy
8085/tcp open unknown
8099/tcp open unknown
9200/tcp open wap-wsp
The nmap scan shows many open ports. With these open ports, further attacks become possible.
So, we have successfully bypassed Cloudflare and found the open ports.
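The fingerprinting step above asks whether an IP is "part of the Cloudflare network", and the fix for what this write-up demonstrates is the mirror image: the origin should only accept traffic from Cloudflare's published ranges, and any other source IP in the origin's access log is a direct hit that bypassed Cloudflare. This is an added example, not code from the post or from CloudFlair; it assumes the range list below is a snapshot of Cloudflare's published IPv4 ranges (the current list lives at https://www.cloudflare.com/ips/) and the log lines are constructed in combined log format.

```python
import ipaddress
from typing import Iterable, List

# Assumption: snapshot of Cloudflare's published IPv4 ranges. Refresh from
# https://www.cloudflare.com/ips/ before relying on it in a firewall allowlist.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]


def is_cloudflare_ip(ip: str) -> bool:
    """The fingerprinting check: does this IP fall inside a Cloudflare range?
    Invalid addresses (e.g. a redacted '1337.x.x.x') count as not Cloudflare."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)


def direct_origin_hits(log_lines: Iterable[str]) -> List[str]:
    """Origin-side detection: return the unique source IPs in combined-format
    access-log lines that did NOT arrive via a Cloudflare edge. On a correctly
    locked-down origin this list is empty; each entry is a Cloudflare bypass."""
    offenders = set()
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        src = fields[0]  # client IP is the first field in combined log format
        if not is_cloudflare_ip(src):
            offenders.add(src)
    return sorted(offenders)


# Constructed sample log: two requests via Cloudflare edges, two direct hits
# from documentation ranges (203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = """\
104.16.132.229 - - [10/May/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 5123
172.69.33.10 - - [10/May/2020:12:00:02 +0000] "GET /login HTTP/1.1" 200 2210
203.0.113.7 - - [10/May/2020:12:00:03 +0000] "GET / HTTP/1.1" 200 5123
198.51.100.22 - - [10/May/2020:12:00:04 +0000] "POST /login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    print(direct_origin_hits(SAMPLE_LOG.splitlines()))
```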
I have reported this vulnerability to a program and got a $250 bounty on @Federecy.
References:
Find me on @Twitter
Have a good day! Ramadaan Mubarak. <3