Uncovering CloudFlare
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Common techniques to uncover Cloudflare
- Use a service that gives you the historical DNS records of the domain. The web page may still be running on an IP address that was exposed before the domain was moved behind Cloudflare.
- The same can be achieved by checking historical SSL certificates (certificate transparency logs), which may have been issued for the origin IP address or for a hostname that resolves to it.
- Also check the DNS records of other subdomains that point directly to IPs: other subdomains often point to the same server (for example to offer FTP, mail or any other service that cannot be proxied through Cloudflare).
- If you find an SSRF inside the web application you can abuse it to obtain the IP address of the server (the origin will connect out from its real address).
- Search for a unique string of the web page in search engines such as Shodan (and maybe Google and similar). You may find an IP address serving that same content directly.
- In a similar way, instead of looking for a unique string you can search for the favicon icon with a tool such as https://github.com/karma9874/CloudFlare-IP or https://github.com/pielco11/fav-up
- This won't work very often, because the server must send the same response when it is accessed by IP address (and many origins serve a default vhost in that case), but you never know.
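Whatever source the records come from (historical DNS, subdomain enumeration, certificate transparency), the first triage step is the same: discard every address that belongs to Cloudflare's edge and keep the rest as candidate origins. The following script is an added example, not code from the original page or from any of the tools above. The range list is a snapshot of https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 typed in so the script runs offline (refresh it from those URLs before relying on it), and the DNS records at the bottom are constructed sample data, not a real target.

```python
"""
Triage DNS records for a Cloudflare-fronted target: any A/AAAA record whose
address is NOT inside Cloudflare's published ranges is a candidate origin.
Added example; the range list is a snapshot (assumption: current at time of
writing) and the sample records are constructed, not real.
"""
import ipaddress
from collections import defaultdict

# Snapshot of Cloudflare's anycast edge ranges (refresh from cloudflare.com/ips-v4 and /ips-v6).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare(ip: str) -> bool:
    """True if `ip` falls inside one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    # `in` returns False for a mismatched IP version, so v4 and v6 can share one list.
    return any(addr in net for net in CLOUDFLARE_RANGES)


def origin_candidates(records):
    """
    records: iterable of (name, ip) pairs gathered from historical DNS,
    subdomain enumeration, certificate transparency, etc.
    Returns {ip: sorted names} for every address outside Cloudflare, i.e. the
    hosts worth probing with a Host-header check (hakoriginfinder, httpx).
    """
    by_ip = defaultdict(set)
    for name, ip in records:
        try:
            if not is_cloudflare(ip):
                by_ip[ip].add(name)
        except ValueError:
            continue  # malformed address in the input: skip it rather than abort the triage
    return {ip: sorted(names) for ip, names in by_ip.items()}


# Constructed sample records (not real data): the apex and www sit behind
# Cloudflare, while mail/ftp/dev were pointed straight at the origin.
SAMPLE_RECORDS = [
    ("example.com", "104.16.132.229"),
    ("www.example.com", "2606:4700::6810:84e5"),
    ("mail.example.com", "203.0.113.10"),
    ("ftp.example.com", "203.0.113.10"),
    ("dev.example.com", "203.0.113.25"),
    ("broken.example.com", "not-an-ip"),
]

if __name__ == "__main__":
    for ip, names in origin_candidates(SAMPLE_RECORDS).items():
        print(f"{ip}\t{', '.join(names)}")
```

Grouping by IP matters: an address shared by mail, ftp and a dev vhost is far more likely to be the real web origin than a one-off record, so probe those first.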
Tools to uncover Cloudflare
- Search the domain inside http://www.crimeflare.org:82/cfs.html or https://crimeflare.herokuapp.com. Or use the tool CloudPeler (which queries that API).
- Search the domain in https://leaked.site/index.php?resolver/cloudflare.0/
- CF-Hero is a comprehensive reconnaissance tool built to discover the real IP addresses of web applications protected by Cloudflare. It gathers information from multiple sources using several of the techniques above.
- CloudFlair is a tool that queries Censys for certificates containing the domain name, extracts the IPv4 addresses found in those certificates and finally tries to reach the web page on each of those IPs.
- CloakQuest3r: a Python tool built to uncover the true IP address of websites protected by Cloudflare (and similar services). Its main goal is to identify the real IP address of web servers hidden behind Cloudflare's protection.
- Censys
- Shodan
- Bypass-firewalls-by-DNS-history
- If you have a set of candidate IPs where the web page might be hosted you can use https://github.com/hakluke/hakoriginfinder, which requests each IP with the target Host header and compares the response to the real page.
# You can check that the tool is working with (1.1.1.1 should be reported as a match)
prips 1.0.0.0/30 | hakoriginfinder -h one.one.one.one

# If you know the company is using AWS you can use the same tool to search for the
# web page inside the EC2 ranges of a region (here every region starting with "us")
DOMAIN=something.com
WIDE_REGION=us
for ir in $(curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r --arg r "^$WIDE_REGION" '.prefixes[] | select(.service=="EC2") | select(.region|test($r)) | .ip_prefix'); do
echo "Checking $ir"
prips "$ir" | hakoriginfinder -h "$DOMAIN"
done
Uncovering Cloudflare from cloud infrastructure
Note that even though this was done for AWS machines, the same approach works for any other cloud provider that publishes its IP ranges.
For a more detailed description of this process check:
# Find open ports (masscan needs root; all EC2 prefixes are passed as targets)
sudo masscan --max-rate 10000 -p80,443 $(curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="EC2") | .ip_prefix' | tr '\n' ' ') | grep "open" > all_open.txt
# Format results as ip:port
cat all_open.txt | sed 's,.*port \(.*\)/tcp on \(.*\),\2:\1,' | tr -d " " > all_open_formated.txt
# Search for actual web pages
httpx -silent -threads 200 -l all_open_formated.txt -random-agent -follow-redirects -json -no-color -o webs.json
# Format web results and drop endless redirect chains
cat webs.json | jq -r "select((.failed==false) and (.chain_status_codes | length) < 9) | .url" | sort -u > aws_webs.json
# Search via Host header: a server that answers the target's vhost directly is the origin
httpx -json -no-color -list aws_webs.json -header "Host: cloudflare.malwareworld.com" -threads 250 -random-agent -follow-redirects -o web_checks.json
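The last step of the pipeline (and what hakoriginfinder automates) is a Host-header probe: request each candidate directly, send the target's hostname in the Host header, and keep the candidates whose response resembles the page served through Cloudflare. The script below is an added example reimplementing that check so the matching logic is visible; it is not code from the original page, from hakoriginfinder or from httpx. The fetcher, the 0.9 similarity threshold, the "Direct IP access not allowed" marker handling and the sample responses are all choices made for this example, and the responses are constructed so the scoring can be exercised offline.

```python
"""
Host-header origin probe with response similarity scoring.
Added example (not from the original page or the tools it lists).
`fetch` is injectable so the scoring can run offline against constructed data.
"""
import difflib
import re
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Cloudflare's edge answers a bare-IP request with error 1003 and this text;
# a candidate that returns it is another Cloudflare address, not the origin.
_CF_DIRECT_IP_MARKER = "Direct IP access not allowed"

# The origin's certificate will not match a bare IP, so verification is
# deliberately disabled for probing only (never for production clients).
_INSECURE_CTX = ssl._create_unverified_context()


def http_fetch(url: str, host: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Real fetcher (assumed helper): GET `url` with the target's Host header."""
    req = urllib.request.Request(url, headers={"Host": host, "User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=_INSECURE_CTX) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx bodies are still useful for comparison
        return e.code, e.read(65536).decode("utf-8", "replace")


def normalize(body: str) -> str:
    """Collapse whitespace and case so cosmetic differences don't sink the score."""
    return re.sub(r"\s+", " ", body).strip().lower()


def similarity(a: str, b: str) -> float:
    """0.0..1.0 ratio between two response bodies (difflib, like a cheap Levenshtein)."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def find_origin(host: str, candidates: Iterable[str], reference_body: str,
                fetch: Callable[[str, str], Tuple[int, str]] = http_fetch,
                threshold: float = 0.9) -> Dict[str, float]:
    """
    Probe each candidate (ip or ip:port) over https then http with `Host: host`
    and return {candidate: score} for those resembling `reference_body`
    (the page as fetched through Cloudflare).
    """
    hits: Dict[str, float] = {}
    for cand in candidates:
        for scheme in ("https", "http"):
            try:
                _status, body = fetch(f"{scheme}://{cand}/", host)
            except Exception:
                continue  # closed port, timeout, TLS failure: try the next scheme
            if _CF_DIRECT_IP_MARKER in body:
                break  # this IP is a Cloudflare edge, skip it entirely
            score = similarity(reference_body, body)
            if score >= threshold:
                hits[cand] = round(score, 3)
                break
    return hits


# Constructed sample data (not captured from any real host).
REFERENCE = ("<html><head><title>Example Shop</title></head><body>"
             "<h1>Welcome</h1><p>Shop dog food</p></body></html>")
SAMPLE_RESPONSES = {
    "203.0.113.10": (200, "<html><head><title>Example Shop</title></head><body>\n"
                          "<h1>Welcome</h1>\n<p>Shop dog food</p></body></html>"),
    "203.0.113.25": (200, "<html><body><h1>It works!</h1></body></html>"),  # default vhost
    "104.16.132.229": (403, "<html><body>error code: 1003<br>Direct IP access not allowed</body></html>"),
    "198.51.100.7": None,  # nothing listening
}


def fake_fetch(url: str, host: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch that serves the constructed responses."""
    ip = url.split("//", 1)[1].rstrip("/")
    resp = SAMPLE_RESPONSES.get(ip)
    if resp is None:
        raise ConnectionError(url)
    return resp


if __name__ == "__main__":
    print(find_origin("www.example.com", SAMPLE_RESPONSES, REFERENCE, fetch=fake_fetch))
```

Against live candidates call `find_origin(target_host, candidates, reference)` with the default fetcher, where `reference` is the body you fetched normally through Cloudflare. The 1003 marker check is what keeps a scan of a whole cloud range from reporting Cloudflare's own edges as hits.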
Bypassing Cloudflare through Cloudflare
Authenticated Origin Pulls
This mechanism relies on client SSL certificates to authenticate the connections between Cloudflare's reverse-proxy servers and the origin server, i.e. mTLS.
Instead of configuring their own certificate, customers can simply trust Cloudflare's shared certificate, which allows any connection coming from Cloudflare regardless of the tenant that triggered it.
Caution
Therefore, an attacker can set up their own domain in Cloudflare using Cloudflare's certificate and point it at the victim's origin IP address. Since the attacker's zone has no WAF rules or other protections enabled, Cloudflare will relay the attacker's requests to the victim's origin untouched.
More info here.
Allowlist Cloudflare IP Addresses
This rejects connections that do not originate from Cloudflare's IP address ranges. It is bypassed by the same setup as above: the attacker points their own Cloudflare-proxied domain at the victim's IP address, so the requests still arrive from Cloudflare's ranges and pass the allowlist.
More info here.
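Both weaknesses come down to the origin authenticating "Cloudflare" rather than "my Cloudflare zone". The nginx fragment below is an added example (not from the original page or from Cloudflare's documentation) showing the weak Authenticated Origin Pulls setting beside the hardened one; the hostname, file paths and the client certificate subject are placeholders and assume you have uploaded your own client certificate to your zone in Cloudflare so that the edge presents it instead of the shared one.

```nginx
server {
    listen 443 ssl;
    server_name www.example.com;   # placeholder for the protected origin vhost

    ssl_certificate     /etc/nginx/certs/origin.pem;    # placeholder paths
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # WEAK: trusting Cloudflare's shared origin-pull CA accepts a client
    # certificate that every Cloudflare tenant can present, including an
    # attacker whose own zone points at this IP.
    # ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
    # ssl_verify_client on;

    # HARDENED: trust only the CA that issued the client certificate you
    # uploaded to your own zone/hostname; other tenants cannot present it.
    ssl_client_certificate /etc/nginx/certs/my-origin-pull-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    # Additionally pin the expected client certificate subject (placeholder CN),
    # so a certificate from the same CA with a different subject is rejected.
    if ($ssl_client_s_dn != "CN=cf-pull.example.com") {
        return 403;
    }

    # An "allow <cloudflare range>; deny all;" block is still worth keeping to
    # stop direct hits on the IP, but as explained above it does not, by itself,
    # stop requests relayed through an attacker's own Cloudflare zone.

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
```

To verify the hardening, connect to the origin IP with `openssl s_client` and no client certificate (or with the shared Cloudflare origin-pull certificate): the handshake must fail, and only your uploaded certificate should be accepted.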
Bypassing Cloudflare for scraping
Cache
Sometimes you just want to bypass Cloudflare to scrape the web page. There are some options for this:
- Use Google cache: https://webcache.googleusercontent.com/search?q=cache:https://www.petsathome.com/shop/en/pets/dog (note that Google has since retired the cache: view, so this rarely returns anything any more)
- Use other cache services such as https://archive.org/web/
Tools
Some tools like the following can bypass (or could bypass at some point) Cloudflare's anti-scraping protection:
Cloudflare Solvers
A number of Cloudflare solvers have been developed:
- FlareSolverr
- cloudscraper (guide here)
- cloudflare-scrape
- CloudflareSolverRe
- Cloudflare-IUAM-Solver
- cloudflare-bypass [Archived]
Fortified Headless Browsers
Use a headless browser that is not detected as an automated browser (you may need to customize it for this). Some options are:
- Puppeteer: the stealth plugin for puppeteer.
- Playwright: the stealth plugin is coming to Playwright soon. Follow developments here and here.
- Selenium: SeleniumBase is a modern browser automation framework with built-in stealth capabilities. It offers two modes: UC Mode, an enhanced patch of Selenium ChromeDriver based on undetected-chromedriver, and CDP Mode, which can bypass bot detection, solve CAPTCHAs, and uses Chrome DevTools Protocol techniques.
Smart Proxy With Cloudflare Built-In Bypass
Smart proxies are continuously updated by specialized companies whose business is precisely to get past Cloudflare's security measures.
Some of them are:
- ScraperAPI
- Scrapingbee
- Oxylabs
- Smartproxy
These are noted for their proprietary Cloudflare bypass mechanisms.
For those looking for a more optimized solution, the ScrapeOps Proxy Aggregator stands out. This service integrates over 20 proxy providers into a single API and automatically selects the best and most cost-effective proxy for your target domains, which makes it a convenient option for getting around Cloudflare's defenses.
Reverse Engineer Cloudflare Anti-Bot Protection
Reverse engineering Cloudflare's anti-bot measures is the tactic used by smart proxy providers; it suits large-scale scraping because it avoids the high cost of running many headless browsers.
Advantages: this method allows the creation of a highly efficient bypass that specifically targets Cloudflare's checks, ideal for large-scale operations.
Disadvantages: the downside is the complexity of understanding and deceiving Cloudflare's deliberately obfuscated anti-bot system, which requires continuous effort to test different strategies and to update the bypass as Cloudflare improves its protections.
Find more information about how to do this in the original article.