Monday, February 9, 2015

Nikto, sqlmap, curl ... + avoiding the CloudFlare challenge on CentOS 6 from the terminal (Solved)

You may find yourself in this situation:
  • No Windows environment
  • Just a text browser
  • You want to run nikto
  • The target host is protected by CloudFlare
Result: every finding is a false positive:

+Server: cloudflare-nginx
+ Uncommon header 'cf-ray' found, with contents: 1aad22aaaaaaa7-MAD
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Cookie __cfduid created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from 'cloudflare-nginx' to '-nginx' which may suggest a WAF, load balancer or proxy is in place
+ "robots.txt" contains 1 entry which should be manually viewed.
+ lines
+ /crossdomain.xml contains 0 line which should be manually viewed for improper domains or wildcards.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 2221478, size: 1150, mtime: 0x4c35de66b2900
+ Uncommon header 'cf-cache-status' found, with contents: HIT
+ /kboard/: KBoard Forum 0.3.0 and prior have a security problem in forum_edit_post.php, forum_post.php and forum_reply.php
+ /lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
.
.
(many more lines)

If you run it again while watching the traffic in a "verbose" way from another window, with:

tcpdump -A -s0 port 80 |grep title

you will see:

 <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>
  <title>Just a moment...</title>


What is happening?

On some sites CloudFlare serves (to protect the site) a challenge page before the real web page. There are two types:

  • Javascript challenge
  • Captcha challenge

The second is the usual one when you visit the site through Tor. There is no good solution for that option.



For the first one, the cloudflare-scrape project is our solution. You can build whatever you want with that Python module.

For our problem, I was on CentOS, and the procedure was:
  1. yum install python-requests #this installs the package dependencies, but the requests library packaged for CentOS is too old; >= 2.x is a MUST
  2. yum install python-pyV8 #see my post about the pyV8 RPM
  3. yum install python-pip #to install the newest requests module
  4. pip install requests --upgrade #this gives the correct module version
  5. yum install ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/halocaridina:/security/CentOS_CentOS-6/noarch/nikto-2.1.5-8.1.noarch.rpm #our nikto on CentOS
Then:

git clone https://github.com/Anorov/cloudflare-scrape

and I made a quick and ugly script (I am not a developer) with the module:

#!/usr/bin/env python
import sys
import requests
import cfscrape

# Solve the CloudFlare JavaScript challenge once with cloudflare-scrape,
# then print the resulting cookies in the format nikto's STATIC-COOKIE expects.
sess = requests.session()
sess.mount("http://", cfscrape.CloudflareAdapter())
sess.get(sys.argv[1])

print("\"cf_clearance\"=\"%s\";\"__cfduid\"=\"%s\"" % (sess.cookies["cf_clearance"], sess.cookies["__cfduid"]))


Now, the sugar: we have to use the same user agent in nikto and in cloudflare-scrape, because the cookie is only accepted together with the user agent it was issued for. Both tools allow the user agent to be changed.

Now we run the script:

python  myscriptcf.py http://www.xxxxxxxxxxx.com/
"cf_clearance"="4960843aaaaaaaaaaaaaaaaa42c4bdb23aaaaaaaaaaa-aaaaaaaaaaa3-1205";"__cfduid"="df59aaaaaaaaaaaaaaaaaaaa53"

This cookie string goes into the STATIC-COOKIE setting in /etc/nikto/config.

And now, retry time: re-run nikto and look at the "verbose" window with the tcpdump output:

<title>HOLAHOLAWEBSITE</title>
<title>HOLAHOLAWEBSITE</title>
<title>404 Not Found</title>
<title>404 Not Found</title>
<title>404 Not Found</title>
<title>404 Not Found</title>
<title>404 Not Found</title>
<title>404 Not Found</title>
<title>404 Not Found</title>
<title>404 Not Found</title>
<title>404 Not Found</title>

Yeah, challenge accepted and it works! ;)
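The two tcpdump views above are the whole story: before the cookie every response is the "Just a moment..." interstitial, afterwards real titles come back. The following is an added example, not code from the post or from the cloudflare-scrape project, that does the same check programmatically so a scan can be flagged as unreliable instead of trusted blindly. It uses the two markers visible on this page (the cf-ray header from the nikto output and the interstitial's title); the response bodies and header values are constructed samples.

```python
"""Added example: decide whether responses captured during a scan are real
pages or CloudFlare "Just a moment..." challenge interstitials.  When most
responses are the interstitial, the scanner never talked to the site and
its findings are false positives."""
import re
from collections import Counter

# Marker seen on the page: the challenge interstitial carries this title.
CHALLENGE_TITLE = "Just a moment..."
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def page_title(html):
    """Return the <title> text of an HTML body, or '' if there is none."""
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""


def is_cloudflare_challenge(headers, html):
    """True when a response looks like the CloudFlare JS challenge page:
    served from behind CloudFlare (cf-ray header, as in the nikto output)
    and titled 'Just a moment...'."""
    behind_cf = any(name.lower() == "cf-ray" for name in headers)
    return behind_cf and page_title(html) == CHALLENGE_TITLE


def scan_verdict(responses, max_challenge_ratio=0.1):
    """Classify a list of (headers, body) pairs from one scan run.
    Returns (reliable, title_counts): reliable is False when more than
    max_challenge_ratio of the responses are challenge pages, or when
    there are no responses at all."""
    titles = Counter()
    challenged = 0
    for headers, body in responses:
        if is_cloudflare_challenge(headers, body):
            challenged += 1
        titles[page_title(body)] += 1
    if not responses:
        return False, titles
    ratio = float(challenged) / len(responses)
    return ratio <= max_challenge_ratio, titles


# Constructed samples (not captured traffic); the cf-ray value is a placeholder.
CF_HEADERS = {"Server": "cloudflare-nginx", "CF-RAY": "constructed-value-MAD"}
CHALLENGE = "<html><head><title>Just a moment...</title></head></html>"
REAL = "<html><head><title>HOLAHOLAWEBSITE</title></head></html>"
NOTFOUND = "<html><head><title>404 Not Found</title></head></html>"

# First run: every response is the interstitial.
BEFORE = [(CF_HEADERS, CHALLENGE)] * 5
# Second run, with the cf_clearance cookie set: real pages come back.
AFTER = [(CF_HEADERS, REAL)] * 2 + [(CF_HEADERS, NOTFOUND)] * 3

if __name__ == "__main__":
    for name, batch in (("before", BEFORE), ("after", AFTER)):
        ok, counts = scan_verdict(batch)
        print(name, "reliable" if ok else "UNRELIABLE", dict(counts))
```

Feeding it the bodies a scanner actually received (from a proxy or a pcap) gives a yes/no answer before anyone reads the findings; the ratio threshold is deliberately low because a handful of interstitials in an otherwise real run still means part of the scan hit the challenge.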

Another example:

SITE=www.sitewithcloudflarechallenge.com; curl -s $SITE -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36' |grep title
 <title>Just a moment...</title>

Script (we need to strip the quotes here; curl wants a different format from the nikto config):

#!/usr/bin/env python
import sys
import requests
import cfscrape

# curl accepts a bare hostname ($SITE), but requests needs a scheme, so add one.
url = sys.argv[1]
if not url.startswith(("http://", "https://")):
    url = "http://" + url

sess = requests.session()
sess.mount("http://", cfscrape.CloudflareAdapter())
sess.get(url)

# Same cookies, in the "name=value;name=value" form that curl --cookie expects.
print("cf_clearance=%s;__cfduid=%s" % (sess.cookies["cf_clearance"], sess.cookies["__cfduid"]))

and...

SITE=www.sitewithcloudflarechallenge.com; curl --cookie `./myscriptcf.py $SITE` -s $SITE -A 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36' |grep title

<title>sitewithcloudflarechallenge</title>

Cool? You're thinking about making a proxy with this now.... yeah! Very coooooool!

