Hi hackers,
Hope you’re doing well!
What is Shodan?
Shodan is a search engine that indexes Internet-facing hosts by IP address, open ports, service banners and TLS certificates. Bug bounty hunters and penetration testers use it to map a target's exposed services and, crucially, to find the origin server hidden behind a CDN or WAF such as Cloudflare, because Shodan records the certificate and banner that the origin IP serves directly. Its banners also carry software versions, which Shodan maps to potential CVEs (version-based guesses that still need to be verified by hand). This makes Shodan a powerful tool for the reconnaissance process.
Let’s Explain Some Basic Queries:
Query 1: ssl:"Organization Name"
If the target has a large scope, visit the site, inspect its TLS certificate, and copy the "Organization (O)" value from the certificate subject (e.g., "Hilton International Holding LLC"). Searching ssl:"Hilton International Holding LLC" returns every host whose certificate contains that string, and you may discover assets that aren't in the public scope.
Query 2: ssl.cert.subject.cn:"domain.com"
This query returns hosts whose certificate Common Name (CN) matches your target (note that Shodan's filter names are lowercase), which effectively lists subdomains together with the IPs serving them. The CN filter only looks at the Common Name, so a certificate that names the domain only in its Subject Alternative Names won't be returned; the broader free-text filter ssl:"domain.com" catches those. Expect the Cloudflare edges themselves to appear in the results too; the interesting hits are the IPs outside Cloudflare's published ranges.
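The two queries above return the CDN's own edge IPs as well as anything else presenting the target's certificate, so the useful step is filtering the results down to hosts outside Cloudflare's ranges. The script below is an added example written for this post, not the author's tooling: it builds the two query strings with Shodan's lowercase filter names and triages result records that follow the Shodan REST API banner shape (an assumed `ip_str` / `port` / `ssl.cert.subject.CN` layout), dropping every hit inside a snapshot of Cloudflare's published IPv4 ranges. The sample records and the `shodan` package call in the live path are assumptions, not data from the post.

```python
"""Triage Shodan results for a target's origin hosts (those outside the CDN).

Added example written for this post, not the author's tooling. Assumptions:
  * result records use the Shodan REST API banner shape: a dict with "ip_str",
    "port" and a nested "ssl" -> "cert" -> "subject" -> "CN" entry;
  * CLOUDFLARE_IPV4 is a snapshot of the ranges Cloudflare publishes at
    https://www.cloudflare.com/ips-v4 and must be refreshed before real use;
  * the live path at the bottom assumes the `shodan` PyPI package and its
    Shodan(key).search(query) call.
"""
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (refresh from the live list).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def shodan_queries(org, hostname):
    """The two queries from the post; Shodan filter names are lowercase."""
    return {
        "by_org": f'ssl:"{org}"',
        "by_cn": f'ssl.cert.subject.cn:"{hostname}"',
    }


def is_cloudflare_ip(ip):
    """True if ip is inside one of Cloudflare's published ranges (an edge, not an origin)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def cert_covers(match, hostname):
    """True if the banner's certificate CN names hostname, including wildcard CNs."""
    cn = match.get("ssl", {}).get("cert", {}).get("subject", {}).get("CN", "")
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        # *.domain.com covers sub.domain.com but not domain.com or a.b.domain.com
        return hostname.endswith(cn[1:]) and hostname.count(".") == cn.count(".")
    return cn == hostname


def candidate_origins(matches, hostname):
    """(ip, port) pairs presenting a certificate for hostname from outside Cloudflare.

    Every hit inside the CDN's ranges is an edge node fronting the site, so it
    is dropped; what remains are the hosts worth probing directly.
    """
    found = {
        (m["ip_str"], int(m["port"]))
        for m in matches
        if cert_covers(m, hostname) and not is_cloudflare_ip(m["ip_str"])
    }
    return sorted(found)


# Constructed sample in the banner shape above (not real data; RFC 5737 test addresses).
SAMPLE_MATCHES = [
    {"ip_str": "104.16.1.1", "port": 443,                       # Cloudflare edge
     "ssl": {"cert": {"subject": {"CN": "sub.domain.com"}}}},
    {"ip_str": "203.0.113.10", "port": 443,                     # origin candidate
     "ssl": {"cert": {"subject": {"CN": "sub.domain.com"}}}},
    {"ip_str": "203.0.113.10", "port": 8443,                    # same host, wildcard cert
     "ssl": {"cert": {"subject": {"CN": "*.domain.com"}}}},
    {"ip_str": "198.51.100.7", "port": 443,                     # unrelated certificate
     "ssl": {"cert": {"subject": {"CN": "other.example"}}}},
    {"ip_str": "198.51.100.8", "port": 443},                    # no TLS banner at all
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Live use: python3 origin_triage.py <SHODAN_API_KEY> <hostname>
        import shodan  # assumed: pip install shodan
        hostname = sys.argv[2]
        query = shodan_queries("", hostname)["by_cn"]
        matches = shodan.Shodan(sys.argv[1]).search(query)["matches"]
    else:
        hostname, matches = "sub.domain.com", SAMPLE_MATCHES
    for ip, port in candidate_origins(matches, hostname):
        print(f"{ip}:{port}")
```

Run without arguments it triages the constructed sample and prints the two non-Cloudflare `ip:port` pairs; with an API key and hostname it runs the CN query live. Anything it prints is only a candidate until you confirm it answers for the target's hostname, which is the next step in the write-up.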
Now, Let’s Get to the Bug:
After performing my usual subdomain enumeration, I found sub.domain.com, which returned a 403 Forbidden response. I tried content discovery on it but found nothing.
I then shifted to finding the origin IP address using Shodan with the query ssl.cert.subject.cn:"sub.domain.com". I identified the origin server's IP (the result that was not in Cloudflare's IP ranges) and confirmed it was accessible: requesting it directly returned a 200 OK with a default PHP page, completely bypassing Cloudflare.
How I Confirmed the Vulnerability:
- First, I verified the origin server was responding to the correct Host header:

```bash
curl -i -H "Host: sub.domain.com" http://[IP_ADDRESS]
```

Returns:

```http
HTTP/1.1 301 Moved Permanently
Location: https://sub.domain.com/
```

- After some directory fuzzing on the direct IP, I discovered that the /.well-known/acme-challenge/ directory was exposed and listing its contents.
Unfortunately, the test.txt file in that listing did not contain any sensitive information, so I reported it as a low-severity issue.
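The confirmation above has two parts worth automating: proving that a response really came from the origin rather than from a Cloudflare edge, and following the 301 to HTTPS without losing the direct-to-IP connection (what `curl --resolve sub.domain.com:443:[IP_ADDRESS]` does). The script below is an added example written for this post, not the author's commands. It connects to the raw IP but sends the real hostname in the Host header and in TLS SNI, then classifies the response by assumed Cloudflare edge markers (`server: cloudflare`, `cf-ray`) and by whether the body is an Apache/nginx style directory listing. The two sample responses are constructed, not captured from the target.

```python
"""Confirm a suspected origin IP by talking to it directly, bypassing the CDN.

Added example written for this post, not the author's commands. It does what
`curl -H "Host: sub.domain.com" http://IP` and `curl --resolve host:443:IP`
do: connect to the raw IP but send the real hostname in the Host header and
in TLS SNI, so a name-based virtual host answers and the certificate can still
be validated against the hostname. Assumed edge markers: Cloudflare responses
carry `server: cloudflare` and a `cf-ray` header; a direct origin hit does not.
"""
import re
import socket
import ssl

EDGE_HEADERS = ("cf-ray", "cf-cache-status")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, {lowercase header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def served_by_cloudflare(headers):
    """True if the response carries Cloudflare edge markers (so the CDN was NOT bypassed)."""
    if headers.get("server", "").lower() == "cloudflare":
        return True
    return any(h in headers for h in EDGE_HEADERS)


def autoindex_entries(body):
    """File names from an Apache/nginx style directory listing, or [] if it is not one."""
    if not re.search(r"<title>\s*Index of\s", body, re.IGNORECASE):
        return []
    # Skip sort links (?C=N;O=D), absolute "Parent Directory" links and ../
    names = re.findall(r'<a\s+href="([^"?/][^"]*)"', body, re.IGNORECASE)
    return [n for n in names if n != "../"]


def classify(raw):
    """Verdict for one raw response: cdn-edge, origin-directory-listing, or origin-<status>."""
    status, headers, body = parse_response(raw)
    if served_by_cloudflare(headers):
        return "cdn-edge"
    if status == 200 and autoindex_entries(body):
        return "origin-directory-listing"
    return f"origin-{status}"


def probe_origin(ip, hostname, path="/", use_tls=True, verify=True, timeout=5):
    """GET path from ip with Host: hostname (and SNI hostname over TLS); returns the raw response."""
    sock = socket.create_connection((ip, 443 if use_tls else 80), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:
            # Only for a second attempt after CERTIFICATE_VERIFY_FAILED: origins
            # behind Cloudflare often use a Cloudflare Origin CA or self-signed cert.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=hostname)
    request = (f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\n"
               "User-Agent: origin-check\r\nConnection: close\r\n\r\n")
    sock.sendall(request.encode())
    chunks = []
    while True:
        data = sock.recv(65536)
        if not data:
            break
        chunks.append(data)
    sock.close()
    return b"".join(chunks).decode("utf-8", "replace")


# Constructed sample responses (not captured from a real target).
EDGE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 0123456789abcdef-XXX\r\n"
    "Content-Type: text/html\r\n\r\n<html>Access denied</html>"
)
ORIGIN_LISTING = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /.well-known/acme-challenge</title></head><body>"
    '<a href="?C=N;O=D">Name</a> <a href="/.well-known/">Parent Directory</a> '
    '<a href="test.txt">test.txt</a></body></html>'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        # Live use: python3 origin_check.py <IP> <hostname> [path]
        path = sys.argv[3] if len(sys.argv) > 3 else "/"
        print(classify(probe_origin(sys.argv[1], sys.argv[2], path)))
    else:
        for sample in (EDGE_RESPONSE, ORIGIN_LISTING):
            print(classify(sample))
```

A `cdn-edge` verdict means the IP you hit is still fronted by Cloudflare (or is itself an edge) and the bypass claim does not hold; any `origin-*` verdict for the target's hostname is the evidence to put in the report. Keep `verify=True` on the first attempt: a certificate for the target that validates on a non-Cloudflare IP is itself strong proof you found the origin.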
Impact
Cloudflare Bypass: The WAF, rate limiting and the other protections enforced at the edge can be circumvented by sending requests straight to the origin IP with the target's Host header.
Information Disclosure: The directory listing at /.well-known/acme-challenge/ reveals internal paths and could potentially contain leftover files that assist an attacker.
Key Takeaways for Hackers
- 403 ≠ Safe: A 403 Forbidden from the CDN edge doesn't mean the backend is secure; the rule that blocks you may only exist at the edge. Always check the origin IP.
- Shodan is Your Best Friend: For any target behind a CDN, Shodan (and similar tools like Censys or FOFA) should be a mandatory step in your reconnaissance process.
That’s it!! 🚀
Happy Hunting!