Saturday, November 10, 2018

Bypass Cloudflare To Get Real IP Address

What is CloudFlare

CloudFlare is one of the fastest growing CDN providers, with free and premium services to accelerate, optimize and secure websites. More than 2,000,000 web properties are powered by CloudFlare, and I use their service too. If you already use CloudFlare, you may have noticed that a DNS lookup for your domain returns a CloudFlare IP address.

How this script works

This script is designed to discover the origin IP of a server that is behind Cloudflare. It works by scanning the NS hostnames of a domain, so it only works for domains whose name server hostnames belong to the original server. The tool tries the default private name server hostnames, and if they exist, they reveal the original server IP.

Example NS


"ns1","ns2","ns3","ns4","primary","host1","host2","masterdns","slavedns",
"dns1","dns2","master","slave","node1","node2"

Ping Test
A ping of the domain shows the Cloudflare IP instead of the real one:

C:\Users\root>ping cafeigapp.com

Pinging cafeigapp.com [172.64.197.10] with 32 bytes of data:
Reply from 172.64.197.10: bytes=32 time=153ms TTL=60
Reply from 172.64.197.10: bytes=32 time=150ms TTL=60
Reply from 172.64.197.10: bytes=32 time=149ms TTL=60
Reply from 172.64.197.10: bytes=32 time=155ms TTL=60

Ping statistics for 172.64.197.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 149ms, Maximum = 155ms, Average = 151ms

CloudFlare Bypasser script result

The script detected the original IP by scanning the name server hostnames on ports 80 and 53. The real IP is 144.76.174.208.


Enter your domain: cafeigapp.com
Starting...

[+] Open        ns1.cafeigapp.com                                 53    144.76.174.208
[+] Open        ns1.cafeigapp.com                                 80    144.76.174.208
[+] Open        ns2.cafeigapp.com                                 53    144.76.174.208
[+] Open        ns2.cafeigapp.com                                 80    144.76.174.208
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.
[-] Hostname could not be resolved.

[*] Finished!

Cloudflare Bypasser Script:

Download script 


'''
    File name: Bypass Cloudflare To Get Real IP Address
    Author: Dariush Nasirpour (Net.Edit0r)
    Date created: 11/10/2018
    Web: http://nasirpour.info
    Special Thanks to Ehsan Nezami
'''

import socket

socket.setdefaulttimeout(1)

domain = raw_input("Enter your domain: ")

try:
    print "Starting...\n\r"
    dns = ["ns1.", "ns2.", "ns3.", "ns4.", "primary.", "host1.", "host2.", "masterdns.", "slavedns.", "dns1.", "dns2.",
           "master.", "slave.", "node1.", "node2."]
    for dns_name in dns:
        remoteServerIP = dns_name + domain
        for port in [53, 80]:
            try:
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                IP = socket.gethostbyname(remoteServerIP)
                result = sock.connect_ex((remoteServerIP, port))
                if result == 0:
                    print "[+] Open\t{:<50}{:<3}\t{}".format(remoteServerIP, port, IP)
                sock.close()
            except socket.gaierror:
                print "[-] Hostname could not be resolved."
                pass
            except socket.error:
                print "[-] Couldn't connect to server"
                pass
    print "\n[*] Finished!"
except KeyboardInterrupt:
    print "You pressed Ctrl+C"
    pass

Friday, November 9, 2018

PHP Decoder "Encoding by TeleAgent.IR - ResellerCenter.IR"

This script helps you decode files encoded with "Encoding by TeleAgent.IR - ResellerCenter.IR".
For more detail, look here:


<?php //MS4w
/* ---------------------------------------------------------------------------------
-  PHP Encoding by TeleAgent.IR - ResellerCenter.IR  -
-  PHP Encoder Version      : 1.0                                                  -
-  This code was created on : 2018/10/01 at 13:00                                  -
-  Checksum                 : 6fj65a682a445d8cb5734720ed67dae2                     -
---------------------------------------------------------------------------------- */
$_CLHHKEE=__FILE__;$_NQRSZPKB=__LINE__;$_CHDAOJMPYXT=__DIR__ ;$_FNMHVDO=__FUNCTION__;
function I1IIIIIII11I1II() {return __CLASS__;}function I1IIIIIII() {return __LINE__;}
$_CSYPWGZ=__CLASS__;$_TTBLNSD=__TRAIT__ ;$_MDGRSQS=__METHOD__ ;$_NEVYW=__NAMESPACE__;
function I1IIIIIII1II() {return __FUNCTION__;}function I1I1IIII() {return __TRAIT__;}
function I1IIIIIII11I11II() {return __FILE__;}function I1III1IIII() {return __DIR__;}
function I1III11I1I() {return __METHOD__;}function I1II1III() {return __NAMESPACE__;}
$_QXXCZD="\142\141\163\x65\x36\64\137\144\145\x63\157\x64\145";@echo("?>".$_QXXCZD("PD9waHAgJF9.

Download script 
To use this script, just run it and give it the path to your PHP files.
Enjoy.
'''
    File name: PHP Decoder "Encoding by TeleAgent.IR - ResellerCenter.IR".py
    Author: Ehsan Nezami
    Date created: 19/11/2018
    Web: http://nezami.me/
    Python Version: 2.7
'''

import os
import re
import base64
import zlib

def listFiles(path, extension):
    return [f for f in os.listdir(path) if f.endswith(extension)]

path_name = raw_input("What is your path of php files? \n Example : C:\\files\\ \n ")
for files in listFiles(path_name, '.php'):
    print files
        
    start = '$_QXXCZD("'
    end = '"));'
    
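    # Open the file inside the chosen directory, not the current working directory
    f=open(os.path.join(path_name, files),'r')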
    for input in f.readlines():
        data= re.findall(re.escape(start)+"(.*)"+re.escape(end),input)
        for x in data:
            x=base64.b64decode(x)
    
            start1 = '.$_ZUI("'
            end1 = '"));'
            data1= re.findall(re.escape(start1)+"(.*)"+re.escape(end1),x)
            for x1 in data1:
                x1=base64.b64decode(x1)
                start2 = '$_IRRGRHMF("'
                end2 = '"));'
                data2= re.findall(re.escape(start2)+"(.*)"+re.escape(end2),x1)
    
                for x2 in data2:
                    x2=base64.b64decode(x2)
                    start3 = '$_EFTYPYA("'
                    end3 = '"));'
                    data3= re.findall(re.escape(start3)+"(.*)"+re.escape(end3),x2)
    
                    for x3 in data3:
                        x3=base64.b64decode(x3)
                        start4 = '$_AOKDOJCRH("'
                        end4 = '"));'
                        data4= re.findall(re.escape(start4)+"(.*)"+re.escape(end4),x3)
    
                        for x4 in data4:
                            x4=base64.b64decode(x4)
    
                            start5 = '$_NZHLDCOUMASYWHUKYETFVEDDJELK("'
                            end5 = '")));'
                            data5= re.findall(re.escape(start5)+"(.*)"+re.escape(end5),x4)
                            for x5 in data5:
                                compressed = base64.b64decode(x5)
                                decoded=zlib.decompress(compressed, -15)
                                print decoded
                                output=file('dec-'+files,'a')
                                output.write(decoded)
                                output.close()

Wednesday, November 7, 2018

Random Session (Sqlmap Tamper)


sqlmap is an automatic SQL injection and database takeover tool.
This tamper script can be used to bypass some web application firewalls by sending a random session.

Download script


#!/usr/bin/env python
"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
author: 3H34N(nezami.me)
"""
import string
import random
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def randomsession():
    length = 32
    chars = string.ascii_letters.lower() + string.digits
    password = ''.join(random.choice(chars) for i in range(length))
    return "PHPSESSID="+password

def tamper(payload, **kwargs):
    """
    Append a random session HTTP header 'PHPSESSID' to bypass
    WAF (usually application based) protection
    """
    headers = kwargs.get("headers", {})
    headers["Cookie"] = randomsession()
    return payload
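
On the detection side, a client that sends a fresh PHPSESSID with every request stands out against normal browsers, which keep one ID for the whole visit. This added example in Python 3 (not part of the tamper script or of sqlmap) flags such clients in request logs; the log line format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical log format: <client ip> "<request line>" "<Cookie header>"
LINE_RE = re.compile(r'^(\S+) "[^"]*" "([^"]*)"$')
SESSION_RE = re.compile(r'(?:^|;\s*)PHPSESSID=([^;\s]+)')

# Constructed sample: one client rotates its session ID on every request,
# the other keeps a single ID like a normal browser.
SAMPLE_LOG = (
    ['198.51.100.23 "GET /item.php?id=1" "PHPSESSID=%032x"' % (n * 7919)
     for n in range(1, 7)]
    + ['203.0.113.7 "GET /item.php?id=%d" "PHPSESSID=%s"' % (n, "a1b2c3d4" * 4)
       for n in range(1, 7)]
)


def rotating_clients(lines, min_requests=5, max_ratio=0.5):
    """Return {ip: (requests, distinct_ids)} for clients whose share of
    distinct PHPSESSID values per request exceeds max_ratio."""
    requests = defaultdict(int)
    session_ids = defaultdict(set)
    for line in lines:
        parsed = LINE_RE.match(line.strip())
        if parsed is None:
            continue  # not in the expected format
        ip, cookie = parsed.groups()
        found = SESSION_RE.search(cookie)
        if found is None:
            continue  # request carried no PHPSESSID
        requests[ip] += 1
        session_ids[ip].add(found.group(1))
    flagged = {}
    for ip, count in requests.items():
        distinct = len(session_ids[ip])
        if count >= min_requests and distinct / count > max_ratio:
            flagged[ip] = (count, distinct)
    return flagged


if __name__ == "__main__":
    for ip, (count, distinct) in rotating_clients(SAMPLE_LOG).items():
        print("%s sent %d requests with %d different session IDs"
              % (ip, count, distinct))
```

Many users behind one shared NAT address also produce many session IDs, so in production key the counters on more than the IP (for example IP plus user agent) and tune the thresholds against normal traffic.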