On the Concept of cloud WAF bypass such as quickshield

Recently, we have been engaged in some web security issues, but we still have some gains. Actually, I am not a hacker. I am really a white hat. Today, we are going to penetrate a website. We have used several traditional injection methods and found that security Bao's interception information has been popping up all the time. This makes me very uncomfortable. Let's first introduce security Bao. What security treasures

Quickshield is an incubator for innovative workshops and a cloud-based WAF (Web Application Firewall ). There are also some products in China, such as jiasule and July 360. This type of product is actually equivalent to the website's CDN, and all traffic is forwarded through it. However, these services often fail to meet the standard CDN service standards. I have tried jiasule, but actually, it is better to visit our site directly. Besides the CDN acceleration function, another function can hide the actual IP address of the website.

Traditional access:User Access domain name --> resolution IP --> access target host

However, access to CDN is much more troublesome. The simplest mode is as follows:User Access domain name --> CDN forwarding --> real IP --> Target Host. Obviously, the real IP address is protected. In fact, this is only the simplest. In actual use, CDN Forwarding is based on multi-level forwarding, and the fastest node is found to make actual access faster.

Therefore, the cloud Waf actually makes an article in The CDN forwarding process. The rules we use in traditional tests are very weak, and we have bypassed the idea on the Internet. This type of article only adds some characters to the existing rules, thus bypassing these steps. Therefore, if we really want to bypass it, we need to find his real IP address. Then we use the hosts file to forcibly resolve the domain name, and XX Bao will be wiped out. So how to find the real IP address?

Search for real IP addresses

(In this process, I combined the content on wooyun and other websites, and some of my summary, the success rate is still very high)

1. Search for second-level domain names. Generally, many websites of some second-level domain names do not provide CDN services because of the huge CDN traffic fee or the reasons such as content confidentiality. For example, bbs. blog. oa. mail. Through these subdomain names, you can quickly obtain the real IP address.

2. Find some web pages of webmaster tools through the search engine, and record the IP addresses when they do not have CDN. It is likely to be a real address. Is there this lascivious http://webscan.360.cn/index/checkwebsite? Url =

3. ping the root domain name directly. Many websites allow the root domain name to flow freely. Therefore, this method works very well.

4. Find the phpinfo file and use wwwscan. If the dictionary is powerful, you can find the phpinfo file. This file is available on many websites. But you cannot scan it.

5. lustful email: many websites send emails to you during registration. At this time, we can view the source code of the email and find the real IP address.

6. When foreign DNS nslookup is used, some websites only provide CDN services for Chinese users. Therefore, when we access these websites abroad, CDN will automatically return to the source and find the real IP address.

7. Lie to the IP address.

Note that the modified hosts may not take effect on the spot because of the cache. So clear the dns cache, ipconfig/flushdns under cmd.