How i was able to pwned application by Bypassing Cloudflare WAF

Hello Guys !!

I was working with one of private program(ex: xyz.com) . so as per my methodology i did recon to get all subdomain from dnsdumpster , virustotal , aquatone , sublister , findsubdomains.com etc. and out of that i got one subdomain which is running over wordpress. so , i checked for basic stuffs to get xss if they are using older version.

After running script to check wp directory i saw that x.xyz.com/wp-login.php ?action=register and i saw this

Looks like its blocked by cloudflare , yeah i was like Huh :(:(

what if we can bypass their WAF and get Origin IP yeah,

Basics about cloudflare :

Cloudflare allows websites to protect against all sorts of attacks. It can also act as a Web Application Firewall (WAF) to block the exploitation of web-based vulnerabilities.

I used CFBYPASS tool , after running this , i got their Origin IP . cool write-up at https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/

There are multiple ways to get that Origin IP #Bugbountytip

Next i tried that origin IP , x.x.x.x/wp-login.php?action=register and i was able to see signup page and can signup there using my email and pwned their system

Thanks for reading guys , I always believed that sharing is caring. Hope You liked this finding. Many more are coming. Stay tuned. feel free to comment if you have any question , or shoot me DM in twitter (twitter.com/vis_hacker )