search

Ekultek / WhatWaf

Detect and bypass web application firewalls and protection systems
Other
2.63k stars 446 forks source link

Unknown Firewall (92c09beb2) #621

Closed WhatWaf-Firewalls closed 4 years ago

WhatWaf-Firewalls commented 4 years ago

WhatWaf version: 1.6.11 Running context: whatwaf.py -u ************************************************************************************** -p 81*1*1*1*1*1*1* Fingerprint:

<!--
GET http://naturiste.ca HTTP/1.1
Status code: 403
Date: Fri, 29 Nov 2019 06:48:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
CF-Chl-Bypass: 1
Set-Cookie: __cfduid=d10105e217f6915adef9380afd235ebd51575010088; expires=Sun, 29-Dec-19 06:48:08 GMT; path=/; domain=.naturiste.ca; HttpOnly
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 53d2a25a2ea54e3a-DME
Content-Encoding: gzip
-->
<!DOCTYPE html>

<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Attention Required! | Cloudflare</title>
<meta id="captcha-bypass" name="captcha-bypass"/>
<meta charset="utf-8"/>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
<meta content="IE=Edge,chrome=1" http-equiv="X-UA-Compatible"/>
<meta content="noindex, nofollow" name="robots"/>
<meta content="width=device-width,initial-scale=1,maximum-scale=1" name="viewport"/>
<link href="/cdn-cgi/styles/cf.errors.css" id="cf_styles-css" media="screen,projection" rel="stylesheet" type="text/css"/>
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
<style type="text/css">body{margin:0;padding:0}</style>
<!--[if gte IE 10]><!--><script src="/cdn-cgi/scripts/zepto.min.js" type="text/javascript"></script><!--<![endif]-->
<!--[if gte IE 10]><!--><script src="/cdn-cgi/scripts/cf.common.js" type="text/javascript"></script><!--<![endif]-->
</head>
<body>
<div id="cf-wrapper">
<div class="cf-alert cf-alert-error cf-cookie-error" data-translate="enable_cookies" id="cookie-alert">Please enable cookies.</div>
<div class="cf-error-details-wrapper" id="cf-error-details">
<div class="cf-wrapper cf-header cf-error-overview">
<h1 data-translate="challenge_headline">One more step</h1>
<h2 class="cf-subheadline"><span data-translate="complete_sec_check">Please complete the security check to access</span> naturiste.ca</h2>
</div><!-- /.header -->
<div class="cf-section cf-highlight cf-captcha-container">
<div class="cf-wrapper">
<div class="cf-columns two">
<div class="cf-column">
<div class="cf-highlight-inverse cf-form-stacked">
<form action="/fr/catalogsearch/result/?cat=81*1*1*1*1*1*1*&amp;q=barre%20proteinees81*1*1*1*1*1*1*&amp;__cf_chl_captcha_tk__=b5de853ac3247edf70c856c75a52a2fbf0dedb0a-1575010088-0-AXtT79yHwm6z0QWKcWyjndayBhB5ZILIekcbpvp_Iqa0vqXX0qXrTlzJrE4TEv78o-6oh8Nxu8SyBN3FUCte9Stqizy1A5IBBnmml1mPrIlDQQs6VNApxAAfgOqHZs-jpHjbIGpG6hlin_WfbiUcbQZcAbSJSXlVYfkz8ZfrOPtVsT8MWR9j7p1GxY0G61JcBtJmatpB4HtI_5sVG0VeEP0FUWCoLMihuZ8YuADXSKaxQAJICUCoSkjsQTlNCV7vIvt0NgMFiho6V7dTzqnF5UMCYSABXdgSWQg15FY1jxwKwKCdvjFvHNVfOhA8aUcbxgSJP-ZrNm2qI-ntJorWl9SnADUfQK5Fe92FipZjnbAPXdxbvjHvDKdB9Bxb3ZvU-a0zcOB-qJ4VcEAwM85u4-FaqILjSvbagsam94zuWt0-waQXV40BVxeS-F_RGrpBRCVjOON7L30aDYCrW48lWyM" class="challenge-form" enctype="application/x-www-form-urlencoded" id="challenge-form" method="POST">
<input name="r" type="hidden" value="48335701882f0da59a2d253740dffcb58bf2b500-1575010088-0-Af/rAx/s1K4MAua4iLQjhJdgvaxUtU0zqecCW+o3ElK2LyYbQBNPtaVHqRLYvk2kUSwiNFka/Jkfv/s9M5yqnGGXunKsrnGQQbIsZoFD5v7OfEp8rCnEz0fZPUzPZ5KNOqHh4F1sgMzNKaMHneQHpDv+YuWufz0Ld/T3TV7ZRtkPlw0dLLAS/SalWrfBCU9kJL9GGRWXpKGnRHjjCbUaOFkHUg//GBjQjvPkLpat/WrsmwVT5EuO5KwvkwTejLcp955+6VVKn3VHqP2rb6/8DpoMzd9k1hAUsiQTjlC2r4o4ODp/x2kEXfUgZgl48n/TUiSl4pGJ6tC6ik9i3xMV6HAp0tnkqKrlUMMhqoqfoyCMZK8vsP6D6sk/9zQsXisOF3a9cyIB7aq4Qf5CK7Y5r8FCOyHE2J250I4ugA72A72BKqL7mNNv5hg8SlfNMVIEc3Bt/mu+B/WeSaeN8iVGWyK4IJR5UnZVvR4a25Mz9+/gUiiuCh5zyEWrB74forsSQ9x85JGbextll6WciHfo1/ElL3D2S3gwQ42BwP1H4/Z9Igsmm5I0Z+E6CmcBTsTpJ5oL+BT28iFVSyxN4UMb+/vxRWpKg9H7dOWyweOiMpOLomwx1ti7sx1fsPQWtsBtW5dtGibbd1SO49/5zMTDnakhi23X8rv+RTaWWN9uH4SqwsvbrK1HZC8nmd/p1sSqcgYgdRCzqYPJBfU7213fHZUzgufYa44Aff4KwuvnZRvcNDQm+iCDMp0x6KpWQpnSqUE/OAQrZP2ZzWyovZCPX0MKAUnv8KbLhzAjHSo3omInG1edRWjEimEU3+W3gTd6vGiERGAu3DNIne+JcaXfGdibx7u/kzYFraLGNdCP8CaESqZHPgALXwsv57OWr3tAXaxxeLXejBT6KJhTsC1dcO6uhBxKw8rpB4b55/Xj7BRLi3DZYL6mP9lWY3f1bWoIBJlFJheF+eyHn4dcPRotYRQYQcQ4J+KDKqRx/+NecN1YNIYO4X/BbS4RHzJuM7Lxj4reyTDhaC9LyMc5CdkPk19C6zFMAi9SpVgFlxVnjbasEHbtkM0yu/UuIdZg/GGXSqh13eYrNJkaBB7T7BI+QwME9RGYp/2y/hBdKNyPL/djjHjZWAfSAOZaiVPHbMdB+jtKqMUlH2JSJfA7P4RYjUyZ0np7DFgBVqCzfJ5W9y4qJlmrI8DLF+CN/UGxZJMeuX3Hx7t+2gpeKHg7YMNx41lJKh5mI/iof7HJDItObDmyXbKicOXZn1EvDFZ2mUot+LMOGmUhLid0gxzDSd88EdQ="/>
<script async="" data-ray="53d2a25a2ea54e3a" data-sitekey="6LfBixYUAAAAABhdHynFUIMA_sa4s-XsJvnjtgB0" data-type="normal" src="/cdn-cgi/scripts/cf.challenge.js" type="text/javascript"></script>
<div class="g-recaptcha"></div>
<noscript class="cf-captcha-info" id="cf-captcha-bookmark">
<div><div style="width: 302px">
<div>
<iframe frameborder="0" scrolling="no" src="https://www.google.com/recaptcha/api/fallback?k=6LfBixYUAAAAABhdHynFUIMA_sa4s-XsJvnjtgB0" style="width: 302px; height:422px; border-style: none;"></iframe>
</div>
<div style="width: 300px; border-style: none; bottom: 12px; left: 25px; margin: 0px; padding: 0px; right: 25px; background: #f9f9f9; border: 1px solid #c1c1c1; border-radius: 3px;">
<textarea class="g-recaptcha-response" id="g-recaptcha-response" name="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid #c1c1c1; margin: 10px 25px; padding: 0px; resize: none;"></textarea>
<input type="submit" value="Submit"/>
</div>
</div></div>
</noscript>
</form>
<script type="text/javascript">
  (function(){
    var a = function() {try{return !!window.addEventListener} catch(e) {return !1} },
    b = function(b, c) {a() ? document.addEventListener("DOMContentLoaded", b, c) : document.attachEvent("onreadystatechange", b)};
    b(function(){
      if (!a()) return;

      window.addEventListener("message", handleMessage, false)

      function handleMessage(event) {
        if (event.data && event.data.type === 'results') {
          var f = document.getElementById('challenge-form');

          if (f) {
            addInput(f, 'bf_challenge_id', '3622');
            addInput(f, 'bf_execution_time', event.data.executionTimeMs);
            addInput(f, 'bf_result_hash', event.data.resultHash);
          }

          window.removeEventListener("message", handleMessage, false)
        }
      }

      function addInput(parent, name, value) {
        var input = document.createElement('input');
        input.type = 'hidden';
        input.name = name;
        input.value = value;
        parent.appendChild(input);
      }

      function withIframe(iframeContent) {
        var iframe = document.createElement('iframe');
        iframe.id = 'bf_test_iframe';
        iframe.style.visibility = 'hidden';
        document.body.appendChild(iframe);
        var doc = (iframe.contentWindow || iframe.contentDocument).document;
        doc.write(iframeContent);
        doc.close();
      }

      withIframe("<!DOCTYPE html>\n<meta charset=utf-8>\n\n<title><\/title>\n\n<script src=\"https:\/\/ajax.cloudflare.com\/cdn-cgi\/scripts\/697236fc\/cloudflare-static\/bot-filter.js\"><\/__script__>\n\n\n<style>\n@keyframes anim {\n  from { left: 0px; }\n  to   { left: 100px; }\n}\n<\/style>\n<body>\n<div><\/div>\n\n<\/body>\n<script>\"use strict\";function e(t,n){return r(t,\"div\",n)}function r(t,n,e){e||(e=document);var r=e.createElement(n||\"div\");return e.body.appendChild(r),t.add_cleanup(function(){r.remove()}),r}function t(t){return Number(String(t).match(\/^(-?[\\d.]+)px$\/)[1])}function n(e,r,u,a){function i(t){var n=1-t;return 3*n*n*t*e+3*n*t*t*u+t*t*t}function o(t){var n=1-t;return 3*n*n*t*r+3*n*t*t*a+t*t*t}function c(t){for(var n=0,e=1,r=0;r<30;++r){var u=(n+e)\/2,a;t<i(u)?e=u:n=u}return(n+e)\/2}return function t(n){return 0==n?0:1==n?1:o(c(n))}}test(function(t){var n=e(t);n.style.animation=\"anim 10s frames(2) forwards\",n.style.animationDelay=\"-4999ms\",__c$1(getComputedStyle(n).left),n.style.animationDelay=\"-5000ms\",__c$1(getComputedStyle(n).left)});<\/__script__>".replace(/\/__script__/g, '/script'));

    }, false);
  })();
  </script>
</div>
</div>
<div class="cf-column">
<div class="cf-screenshot-container">
<span class="cf-no-screenshot"></span>
</div>
</div>
</div><!-- /.columns -->
</div>
</div><!-- /.captcha-container -->
<div class="cf-section cf-wrapper">
<div class="cf-columns two">
<div class="cf-column">
<h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2>
<p data-translate="why_captcha_detail">Completing the CAPTCHA proves you are a human and gives you temporary access to the web property.</p>
</div>
<div class="cf-column">
<h2 data-translate="resolve_captcha_headline">What can I do to prevent this in the future?</h2>
<p data-translate="resolve_captcha_antivirus">If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware.</p>
<p data-translate="resolve_captcha_network">If you are at an office or shared network, you can ask the network administrator to run a scan across the network looking for misconfigured or infected devices.</p>
</div>
</div>
</div><!-- /.section -->
<a href="https://tempestsw.com/nightingalesguilt.php?entry_id=0" style="display: none;">table</a>
<div class="cf-error-footer cf-wrapper">
<p>
<span class="cf-footer-item">Cloudflare Ray ID: <strong>53d2a25a2ea54e3a</strong></span>
<span class="cf-footer-separator">•</span>
<span class="cf-footer-item"><span>Your IP</span>: 94.41.36.53</span>
<span class="cf-footer-separator">•</span>
<span class="cf-footer-item"><span>Performance &amp; security by</span> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="_blank">Cloudflare</a></span>
</p>
</div><!-- /.error-footer -->
</div><!-- /#cf-error-details -->
</div><!-- /#cf-wrapper -->
<script type="text/javascript">
  window._cf_translation = {};

</script>
<script src="https://ajax.cloudflare.com/cdn-cgi/scripts/f8ce4a63/cloudflare-static/pic-chl.js"></script>
<script type="text/javascript">
  (function(){
    var a = function() {try{return !!window.addEventListener} catch(e) {return !1} },
    b = function(b, c) {a() ? document.addEventListener("DOMContentLoaded", b, c) : document.attachEvent("onreadystatechange", b)};
    b(function(){
      var f = document.getElementById('challenge-form');
      if (f) {
        var input = document.createElement('input');
        input.type = 'hidden';
        input.name = 'cv_chal_result';
        input.value = window.__CF$cv$chal([0xc7875b4fe8,0xfc36266da3]);
        f.appendChild(input);
        try {
           if (window.__CF$cv$fp) {
              var input = document.createElement('input');
              input.type = 'hidden';
              input.name = 'cv_chal_fp';
              input.value = window.__CF$cv$fp();
              f.appendChild(input);
           }
        } catch (e) { }
      }
    }, false);
  })();
</script>
</body>
</html>
Ekultek commented 4 years ago 
python whatwaf.py -u "http://naturiste.ca" -p 81*1*1*1*1*1*1* --tor

                              ,------.  
                             '  .--.  ' 
    ,--.   .--.   ,--.   .--.|  |  |  | 
    |  |   |  |   |  |   |  |'--'  |  | 
    |  |   |  |   |  |   |  |    __.  | 
    |  |.'.|  |   |  |.'.|  |   |   .'  
    |         |   |         |   |___|   
    |   ,'.   |hat|   ,'.   |af .---.   
    '--'   '--'   '--'   '--'   '---'  
%00/><script>alert("WhatWaf?<|>v1.6.11($dev)");</script>

[20:01:09][INFO] checking for updates
[20:01:09][INFO] running behind proxy 'socks5://127.0.0.1:9050'
[20:01:09][INFO] using User-Agent 'whatwaf/1.6.11 (Language=2.7.15rc1; Platform=Linux)'
[20:01:09][INFO] using provided payloads
[20:01:09][INFO] testing connection to target URL before starting attack (Tor is initialized which may increase latency)
[20:01:11][SUCCESS] connection succeeded, continuing
[20:01:11][INFO] running single web application 'http://naturiste.ca'
[20:01:11][WARN] URL does not appear to have a query (parameter), this may interfere with the detection results
[20:01:11][INFO] request type: GET
[20:01:11][INFO] gathering HTTP responses
[20:01:13][INFO] gathering normal response to compare against
[20:01:13][INFO] loading firewall detection scripts
[20:01:13][INFO] running firewall detection checks
[20:01:20][FIREWALL] detected website protection identified as 'CloudFlare Web Application Firewall (CloudFlare)'
[20:01:20][INFO] starting bypass analysis
[20:01:20][INFO] loading payload tampering scripts
[20:01:20][INFO] running tampering bypass checks
^C[20:01:22][FATAL] user aborted scanning

can't reproduce, email me the actual link and lemme know when its done