How I was able to pwn an application by bypassing the Cloudflare WAF
Hello Guys !!
I was working on a private program (ex: xyz.com). As per my methodology, I did recon to collect all subdomains from dnsdumpster, VirusTotal, aquatone, Sublist3r, findsubdomains.com etc., and among them I found one subdomain running WordPress. So I checked the basic stuff, such as whether an older version was in use that might be vulnerable to XSS.
After running a script to enumerate WordPress directories, I saw x.xyz.com/wp-login.php?action=register, and when I opened it I saw this:
Looks like it's blocked by Cloudflare. Yeah, I was like, huh :(:(
So what if we could bypass their WAF by getting the origin IP? Yeah.
Basics about cloudflare :
Cloudflare allows websites to protect against all sorts of attacks. It can also act as a Web Application Firewall (WAF) to block the exploitation of web-based vulnerabilities.
I used the CFBYPASS tool, and after running it I got their origin IP. There is a good write-up on the underlying technique at https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/
There are multiple ways to get that origin IP. #Bugbountytip
Next I tried the same path directly against the origin IP, x.x.x.x/wp-login.php?action=register. Because the request went straight to the origin server and never passed through Cloudflare, the WAF rule did not apply: the signup page loaded, I could register with my email, and I pwned their system.
Thanks for reading, guys. I always believed that sharing is caring. Hope you liked this finding. Many more are coming. Stay tuned. Feel free to comment if you have any questions, or shoot me a DM on Twitter (twitter.com/vis_hacker).
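The root cause above is that the origin server answered requests from anyone, not just from Cloudflare, so the WAF could be stepped around entirely. The fix on the origin side is to accept HTTP traffic only from Cloudflare's published edge ranges and to treat everything else as a bypass attempt worth logging. The following Python is an added example written for this post, not code from the author or from Cloudflare; the `CLOUDFLARE_RANGES` list is a small constructed snapshot of a few published IPv4 ranges and in production must be fetched from https://www.cloudflare.com/ips-v4 (and ips-v6) and refreshed regularly. The `handle_request` function stands in for whatever request hook your web server or framework exposes.

```python
import ipaddress

# Constructed snapshot of a few Cloudflare IPv4 ranges for illustration only.
# Always load the current list from https://www.cloudflare.com/ips-v4 instead.
CLOUDFLARE_RANGES = [ipaddress.ip_network(r) for r in [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
]]


def is_cloudflare_peer(peer_ip: str, ranges=CLOUDFLARE_RANGES) -> bool:
    """True if the TCP peer that connected to the origin is a Cloudflare edge."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Trust CF-Connecting-IP only when the peer really is Cloudflare.

    Anyone hitting the origin directly can set that header to whatever they
    like, so it must never be honoured for a non-Cloudflare peer.
    """
    if is_cloudflare_peer(peer_ip):
        return headers.get("CF-Connecting-IP", peer_ip)
    return peer_ip


def handle_request(peer_ip: str, headers: dict, path: str) -> tuple:
    """Hypothetical request hook: returns (status, log_line).

    Direct-to-origin requests are refused with 403 and logged so that a
    bypass attempt like the one in the post shows up in the origin's logs
    instead of silently succeeding.
    """
    if not is_cloudflare_peer(peer_ip):
        return 403, f"origin-bypass attempt peer={peer_ip} path={path}"
    client = real_client_ip(peer_ip, headers)
    return 200, f"ok client={client} path={path}"


if __name__ == "__main__":
    # Constructed sample traffic: one request via Cloudflare, one straight to the origin.
    for peer, hdrs, path in [
        ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.5"}, "/"),
        ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}, "/wp-login.php?action=register"),
    ]:
        print(handle_request(peer, hdrs, path))
```

The allowlist belongs as close to the network edge as possible (a firewall or security group rule admitting only Cloudflare ranges on 80/443 is stronger than an application-level check), but the application-level version is still useful as defence in depth and because it produces a log line you can alert on. Note the second function: restoring the visitor's address from `CF-Connecting-IP` is only safe once the peer has been verified, otherwise the same direct-to-origin request can also spoof its source.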