
CloudFlare Bypass // How to find the IP behind CloudFlare and other WAFs and CDNs

@ d3xNorth
(c) taken from exploit

Cloudflare WAF Bypass Using Payload Size Limit – Read the Docs, Break the Wall

You're in the middle of an engagement. You find a juicy SQL Injection on a login form.
You test the usual:
Code:
password=admin' OR 1=1--
But instead of the sweet taste of unauthorized access, you get slapped with:
Code:
“Attention Required | Cloudflare”
WAF detected your attack and locked you out.

You start hunting for the real IP of the server:
Shodan, Censys, subdomain brute-forcing... nothing.
Cloudflare’s doing a damn good job.

But what if I told you... there’s a way around this?
And the answer comes from Cloudflare’s own documentation.

The Trick: Exploit Cloudflare’s Request Body Size Limit

Cloudflare only scans the request body up to a certain size:

Enterprise plans: ~128 KB
Free/Pro/Business: even less

When a request body exceeds this limit, Cloudflare WAF skips inspecting the rest. That’s your opening.

The Bypass: How to Do It

Craft a POST request with a body that looks like this:
Code:
junk=AAAAAAA...[repeat until close to 128 KB]...
&password=admin' OR 1=1--
You’re flooding the top of the body with garbage.
Your payload is hidden far below, beyond the WAF inspection zone.

Send it using Burp Suite, curl, or your tool of choice.

Result?
Code:
200 OK – No CAPTCHA
No WAF challenge
SQLi payload reaches origin untouched

Why This Works

Because WAFs trade depth for performance.
Cloudflare's WAF simply stops parsing the body after the scan limit is reached.
So if your payload lives beyond that limit – it becomes invisible.

No need to deobfuscate IPs.
No need to burn hours scanning ranges.
Just prepend noise and push through.
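The flip side of the post, for anyone defending an origin behind a WAF: if the edge only inspects the first N KB of a body, the origin has to treat everything larger than N KB as unscanned. The following is an added example (not Cloudflare's code and not the post author's), an origin-side check that rejects bodies larger than the assumed inspection window and flags the "padding first, sensitive field last" shape that the post describes. WAF_INSPECT_LIMIT, SENSITIVE_FIELDS and the 8 KB padding threshold are assumptions for illustration; set them from your plan's documented limit and your own form layout.

```python
"""Origin-side guard against oversized-body WAF evasion.

Constructed example for illustration; not Cloudflare's or the forum author's code.
"""
from urllib.parse import parse_qs

# Assumption: mirrors the documented body inspection limit of the edge WAF.
# Replace with the real value for your plan.
WAF_INSPECT_LIMIT = 128 * 1024  # bytes

# Assumption: form fields whose position in the body we care about.
SENSITIVE_FIELDS = {"username", "password", "q"}

# Assumption: sensitive fields normally appear within the first few KB of a form body.
PADDING_THRESHOLD = 8 * 1024  # bytes


def assess_body(body: bytes, limit: int = WAF_INSPECT_LIMIT) -> dict:
    """Classify a form-encoded POST body before the application parses it.

    Verdicts:
      'reject'     - body exceeds the WAF inspection window, so part of it was
                     never scanned upstream; refuse it at the origin.
      'suspicious' - body fits, but a sensitive field sits after a large run of
                     padding (the shape of the bypass payload); log it.
      'ok'         - nothing notable.
    """
    size = len(body)
    if size > limit:
        return {"verdict": "reject",
                "reason": "body exceeds WAF inspection window",
                "size": size}

    # Byte offset of each sensitive field in the raw body. A padding-first
    # payload pushes these offsets far into the body.
    offsets = {}
    for name in SENSITIVE_FIELDS:
        key = name.encode()
        if body.startswith(key + b"="):
            offsets[name] = 0
            continue
        idx = body.find(b"&" + key + b"=")
        if idx != -1:
            offsets[name] = idx + 1  # skip the '&'

    late = {n: o for n, o in offsets.items() if o > PADDING_THRESHOLD}
    if late:
        return {"verdict": "suspicious",
                "reason": "sensitive field after large padding",
                "offsets": late,
                "size": size}

    fields = sorted(parse_qs(body.decode("utf-8", errors="replace")).keys())
    return {"verdict": "ok", "size": size, "fields": fields}


def build_sample(padding_len: int) -> bytes:
    """Constructed body in the shape the post describes: junk first, payload last."""
    return b"junk=" + b"A" * padding_len + b"&password=PAYLOAD_PLACEHOLDER"


if __name__ == "__main__":
    for name, body in [("normal", b"username=bob&password=hunter2"),
                       ("padded", build_sample(20 * 1024)),
                       ("oversized", build_sample(130 * 1024))]:
        print(name, assess_body(body))
```

Two design points. First, the size check should be enforced as early as possible, ideally in the reverse proxy in front of the app (for example nginx's client_max_body_size) so the app never sees a body the edge did not fully inspect. Second, the offset heuristic is only a detection signal for logging; the real fix for the login form in the post is parameterized queries at the origin, so that a payload arriving past the WAF still does nothing.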