具体原理可以查看原作者的文章,以及翻译版本

本文讲讲如何安装使用这个工具.恩。。貌似telegram上某bot的查询cf源站功能就是使用的这个脚本。
我也接了个到自己的bot,方便调用,python中直接os.popen调用了,也懒得去改。

CloudFlair 开源地址:https://github.com/christophetd/CloudFlair
这个工具是用pytohn编写的,兼容 python2.7 和 3.5

配置

  1. https://censys.io/register 注册一个账号(免费)

  2. 访问https://censys.io/account/api 页面,获取账号的 API IDAPI secret,并设置到环境变量中

1
2
$ export CENSYS_API_ID='<here-is-your-api-id>'
$ export CENSYS_API_SECRET='<here-is-your-api-secret>'
  1. 克隆这个仓库
1
$ git clone https://github.com/christophetd/cloudflair.git
  1. 安装程序运行所需依赖
1
2
$ cd cloudflair
$ pip install -r requirements.txt
  1. 运行 CloudFlair 
1
$ python cloudflair.py myvulnerable.site

用法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ python cloudflair.py --help

usage: cloudflair.py [-h] [-o OUTPUT_FILE] [--censys-api-id CENSYS_API_ID]
                     [--censys-api-secret CENSYS_API_SECRET]
                     domain

positional arguments:
  domain                The domain to scan

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        A file to output likely origin servers to (default:
                        None)
  --censys-api-id CENSYS_API_ID
                        Censys API ID. Can also be defined using the
                        CENSYS_API_ID environment variable (default: None)
  --censys-api-secret CENSYS_API_SECRET
                        Censys API secret. Can also be defined using the
                        CENSYS_API_SECRET environment variable (default: None)

python cloudflair.py 后面跟上需要查找的域名即可

一些可选参数解释:

1
2
3
4
5
6
7
-h, --help  查看帮助  
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        输出可能的源站服务器地址到文件中  
  --censys-api-id CENSYS_API_ID
                        手动指定Censys API ID  
  --censys-api-secret CENSYS_API_SECRET
                        手动指定Censys API secret

参数很少也很简单

运行示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
$ python cloudflair.py myvulnerable.site

[*] The target appears to be behind CloudFlare.
[*] Looking for certificates matching "myvulnerable.site" using Censys
[*] 75 certificates matching "myvulnerable.site" found.
[*] Looking for IPv4 hosts presenting these certificates...
[*] 10 IPv4 hosts presenting a certificate issued to "myvulnerable.site" were found.
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24
  - 127.200.220.231
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83

[*] Retrieving target homepage at https://myvulnerable.site

[*] Testing candidate origin servers
  - 51.194.77.1
  - 223.172.21.75
  - 18.136.111.24
        responded with an unexpected HTTP status code 404
  - 127.200.220.231
        timed out after 3 seconds
  - 177.67.208.72
  - 137.67.239.174
  - 182.102.141.194
  - 8.154.231.164
  - 37.184.84.44
  - 78.25.205.83

[*] Found 2 likely origin servers of myvulnerable.site!
  - 177.67.208.72 (HTML content identical to myvulnerable.site)
  - 182.102.141.194 (HTML content identical to myvulnerable.site)