Information Gathering: CDN Bypass & Business Deployment & Vulnerability Callback & Interface Probing & Whole-Network Scan & Reverse Mail

Prerequisite knowledge:

1. Traditional access: user requests the domain name –> DNS resolves it to the server IP –> user reaches the target host
2. Ordinary CDN: user requests the domain name –> CDN node –> real server IP –> target host
3. CDN with WAF: user requests the domain name –> CDN node (with WAF) –> real server IP –> target host

Domestic CDN providers:

Alibaba Cloud, Baidu Cloud, Qiniu Cloud, Tencent Cloud, UCloud, 360, ChinaCache

Foreign CDN providers:

CloudFlare, StackPath, Fastly, Akamai, CloudFront, Edgecast, CDNetworks, Google Cloud CDN, CacheFly, KeyCDN, Udomain, CDN77

CDN configuration:

Configuration 1: Accelerated domain names - the domain names for which acceleration is enabled.
For example, if a.whgojp.top has acceleration enabled but b.whgojp.top does not, then b.whgojp.top resolves to the real IP while a.whgojp.top resolves to a CDN node IP.
Configuration 2: Accelerated regions - the regions in which acceleration is enabled.
When enabling a CDN, the operator chooses a fixed region, domestic-only, or global coverage (pricing differs by acceleration range); requests from outside the covered region may reach the origin directly, so use a foreign super-ping tool to probe from many locations worldwide.
Configuration 3: Accelerated types - the resource types for which acceleration is enabled.
Usually web page content is accelerated, or image and video resources are; the real IP can be found by accessing resource content that is not accelerated.

Reference knowledge:

Super ping: http://www.17ce.com/
Super ping: https://ping.chinaz.com/
Interface query: https://get-site-ip.com/
Interface query: https://fofa.info/extensions/source
Foreign request: https://tools.ipip.net/cdn.php
Foreign request: https://boce.aliyun.com/detect/
IP geolocation library: https://www.cz88.net/geo-public
Full-network scan: https://github.com/Tai7sy/fuckcdn
Full-network scan: https://github.com/boy-hack/w8fuckcdn
Full-network scan: https://github.com/Pluto-123/Bypass_cdn

https://mp.weixin.qq.com/s/zxEH-HMqKukmq7qXfrdnQQ
Common methods:
subdomains, mail system, foreign access, certificate query, APP packet capture, network-space search engines,
vulnerability or leak disclosure, full-network scan, measurement by volume, third-party interface query, etc.

# Pre-/Post-CDN: service identification & Host binding access
Super ping: http://17ce.com/
Super ping: https://ping.chinaz.com/
Ping from many locations: if several different IPs appear, a CDN service is enabled.
Post-CDN step: bind the candidate real IP to the domain name (hosts file) and access it directly to confirm (refer to the basic course on the security impact of CDNs).

whgojp.top: CDN service not enabled

baidu.com: CDN service enabled

An application - CDN bypass - subdomains

In the acceleration configuration, only the main domain name is accelerated and other subdomains are not; a non-accelerated subdomain may resolve to the real IP itself or to an address in the same C segment.
Interface query: https://get-site-ip.com/
Interface query: https://fofa.info/extensions/source
Use network-space search engines and third-party collection interfaces to query and judge.
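The following is an added example (not from the original post) that audits a zone's DNS records for the configuration-1 case: subdomains that are not behind the CDN and resolve straight to an origin address, grouped by /24 so a shared C segment stands out. The records, the CDN CNAME suffixes and the CDN IP range are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders: real CDNs publish their own CNAME targets and IP ranges.
CDN_CNAME_SUFFIXES = (".cdn.example-cdn.net.", ".edge.example-cdn.com.")
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed zone records for an example domain: (name, type, value).
# Only www and img are accelerated; the rest resolve directly.
RECORDS = [
    ("www.example.org.",  "CNAME", "www.example.org.cdn.example-cdn.net."),
    ("example.org.",      "A",     "203.0.113.10"),    # a CDN node IP
    ("dev.example.org.",  "A",     "198.51.100.23"),   # origin, not accelerated
    ("mail.example.org.", "A",     "198.51.100.25"),   # same /24 as the origin
    ("img.example.org.",  "CNAME", "img.example.org.edge.example-cdn.com."),
]


def behind_cdn(rtype, value):
    """True if the record points at the CDN (CNAME to a CDN name or A in a CDN range)."""
    if rtype == "CNAME":
        return value.lower().endswith(CDN_CNAME_SUFFIXES)
    if rtype == "A":
        return any(ipaddress.ip_address(value) in net for net in CDN_RANGES)
    return False


def audit_records(records):
    """Return (exposed, by_net): hosts whose A record bypasses the CDN, and the
    /24 networks those addresses fall in. Several exposed hosts in one /24 is
    the 'same C segment' case: one leaked host reveals the origin's neighbourhood."""
    exposed = {}
    by_net = defaultdict(list)
    for name, rtype, value in records:
        if rtype == "A" and not behind_cdn(rtype, value):
            exposed[name] = value
            net = ipaddress.ip_network(f"{value}/24", strict=False)
            by_net[str(net)].append(name)
    return exposed, dict(by_net)


if __name__ == "__main__":
    exposed, by_net = audit_records(RECORDS)
    for host, ip in exposed.items():
        print(f"NOT behind CDN: {host} -> {ip}")
    for net, hosts in by_net.items():
        print(f"{net}: {len(hosts)} direct host(s)")
```

Feeding it a real zone export shows which forgotten subdomains (dev, mail, staging) undo the CDN for the whole site.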

An application - CDN bypass - active vulnerability & legacy files

1. Vulnerabilities such as SSRF and RCE:
use the vulnerability to make the target's real server actively connect out to a host you control; the source IP of that connection is the real IP.
Start a simple HTTP service on a VPS and, through the SSRF, make the target request that service; the real IP appears in the VPS access log.
Simple demo using an SSRF target in a practice range.

2. Legacy files: phpinfo-like functions
Accessing leftover phpinfo-like pages leaks the server's local address;
the real server IP may be exposed in the phpinfo output.

An application - CDN bypass - mail system

Precondition: the sender address is a mailbox user of the target domain itself.

- Make the target send mail to you:

If the target's own mail server sends mail to external users,
the raw mail headers will contain the real IP address of the mail server.
Common trigger points for such mail are:
1. RSS subscription
2. Mailbox registration and activation
3. Mailbox password retrieval
4. Product update mail pushes
5. Notification mail sent after some business action is executed
6. Forgotten-password entry points of employee mailboxes and mail management platforms

- Send mail to a non-existent mailbox: (requires your own mail server; a third-party mailbox will not do)

Send a message to an address that does not exist at the target domain; delivery fails because the user does not exist,
and the bounce notification you receive contains the real IP of the server that sent it.
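As an added example (not part of the original post), the check below parses the Received chain of a constructed notification mail the way a recipient would, and reports which hop addresses are routable and not one of your known public relays; run it against your own outbound mail to see what the two tricks above reveal. All addresses are from reserved documentation ranges and the relay list is an assumption.

```python
import email
import ipaddress
import re
from email import policy

# Constructed notification mail (documentation-range addresses); Received: headers
# read top-down from the recipient's MX back to the originating host.
RAW_MAIL = b"""\
Received: from mx.example-cdn.net (mx.example-cdn.net [203.0.113.40])
\tby inbound.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <user@recipient.example>; Tue, 1 Jan 2030 10:00:02 +0000
Received: from app01.internal (app01.internal [198.51.100.23])
\tby mx.example-cdn.net (Postfix) with ESMTP id DEF456;
\tTue, 1 Jan 2030 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby app01.internal (Postfix) with ESMTP id GHI789;
\tTue, 1 Jan 2030 10:00:00 +0000
From: noreply@example.org
To: user@recipient.example
Subject: Activate your account

Click the link to activate your account.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Addresses that cannot point a recipient at an internet-facing host.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def received_hops(raw):
    """Bracketed IPv4 address of each Received: header, newest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(str(hdr))
        if match:
            hops.append(match.group(1))
    return hops


def leaked_origin_ips(raw, known_relays):
    """Hops that are routable and not a relay you intend to expose: this is
    what the recipient of a bounce or notification learns about your network."""
    relays = {ipaddress.ip_address(r) for r in known_relays}
    leaked = []
    for ip in received_hops(raw):
        addr = ipaddress.ip_address(ip)
        if addr in relays or any(addr in net for net in NON_ROUTABLE):
            continue
        leaked.append(ip)
    return leaked
```

Here the CDN-fronted relay 203.0.113.40 is expected, but the internal application host 198.51.100.23 is leaked; routing outbound mail through a dedicated relay and stripping internal Received lines there closes the gap.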

An application - CDN bypass - full-network scan

1. Identify the acceleration vendor
2. Filter the address segments from the IP library
3. Scan the configured range
First scan the IP segments for open ports, then request the site from each open IP and match a page keyword; save the matching results.
Vendor query:
https://tools.ipip.net/cdn.php
Tool projects:
https://www.cz88.net/geo-public
https://github.com/Tai7sy/fuckcdn
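An added example (not from the original post and not one of the linked tools) of the defender's side of step 3: run over the origin server's own access log, it lists requests that did not arrive from the CDN's published egress ranges, which is the trace a full-network scan that matches the site by Host header leaves behind. The log lines and the CDN ranges are constructed placeholders; substitute the ranges your vendor publishes.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder for the CDN's published egress ranges.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed origin access-log lines: combined format with the Host header appended.
# 203.0.113.17 is a CDN node; the other sources reached the origin directly.
LOG_LINES = """\
203.0.113.17 - - [01/Jan/2030:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "example.org"
198.51.100.77 - - [01/Jan/2030:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "example.org"
198.51.100.77 - - [01/Jan/2030:10:00:06 +0000] "GET / HTTP/1.1" 200 5120 "198.51.100.23"
192.0.2.9 - - [01/Jan/2030:10:00:09 +0000] "GET /phpinfo.php HTTP/1.1" 404 210 "example.org"
this line is not a log record
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$')


def from_cdn(ip):
    """True if the source address is inside one of the CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def direct_origin_hits(lines):
    """(source ip, Host header, status) for every request that bypassed the CDN.
    A request carrying the site's own Host value from a non-CDN source is the
    signature of a host-bound scan; an IP-literal Host is a blind sweep."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line)
        if match is None or from_cdn(match["ip"]):
            continue  # unparsable line, or legitimate CDN-fronted traffic
        hits.append((match["ip"], match["host"], int(match["status"])))
    return hits


def top_sources(hits):
    """Direct sources ranked by request count, for blocking or alerting."""
    return Counter(ip for ip, _, _ in hits).most_common()
```

Any non-empty result means the origin answers hosts other than the CDN; the fix is to allow only the CDN ranges at the origin firewall, after which this report should stay empty.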

Source: blog.csdn.net/weixin_53009585/article/details/129849977