How I was able to bypass WAF and find the origin IP and a few sensitive files
Hello hunters,
This is Jan Muhammad from team Darkanon.
Today I’ll be demonstrating to you guyz how I was able to bypass WAF and find the origin IP in a jiffy, using shodan.
So let's begin.
I was hunting on a VDP program, let’s call it target.com. During my reconnaissance, it came to my notice that the target is protected by Cloudflare WAF. In order to find the origin IP, I opened my terminal and hit command:
nslookup target.com
But the resolved IPs were generated by Cloudflare with the intention to protect the origin server. Hitting those IP’s in URL were showing “Direct IP Access not allowed”
After referring to multiple articles I found this interesting regex:
Ssl.cert.subject.CN:”target.com” 200
Hitting this regex in Shodan search engine disclosed the origin IP of the server. Now, I was able to communicate with the server directly without going through WAF.
To confirm whether Cloudflare is bypassed or not I used wafw00f:
wafw00f target.com → Protected by Cloudflare
wafw00f origin_ip → No WAF detected
Now, let’s dive deeper.
I fired up the dirbuster and ffuf to Bruteforce the directories. Here I was able to find out multiple hidden files and directories which I was not able to find via the intended URL.
Bounty Awarded: $three_digits
Hit me up on Twitter: https://twitter.com/hasanakajan