Note: This is a DoS attack not a DDoS attack, upload this on 2 servers and yeet there's your DDoS.
Note: This doesn't work with Under Attack mode. (yet)
Note: You need to pip install cfscrape
Installation:
- Upload & unzip the zipped file to your web server
- Make sure shell_exec is enabled
- Open cfhttp.php and edit
with the IP of whoever is going to be accessing the URL. This will work with CloudFlare on Apache, I customised it specifically. If you use nginx go to troubleshooting. If you have a custom proxy also go to troubleshooting.
- Visit the page on your browser to launch an attack with the following code:
http://your.website/cfhttp.php?key=...arget=cloudflareprotectedwebsite.com&time=300
Customisation:
Change anything between the apostrophes if you want your own password.
Change the 300's to any number you wish (in seconds). If you put a time that's too high good luck with your network usage.
- If you want you can remove the 2nd line completely. (The one containing the eval string, I added it to see if anyone will think this is a virus without trying to decode it LOL, check for yourself here.)
- If you're going to be attacking websites with Russian/Chinese characters etc I suggest you remove
or customise it in a better way.
Troubleshooting:
- I forgot the error, but nginx has an error about not being able to use "HTTP_CF_CONNECTING_IP", in this case read here.
- I typed the right IP but I'm still blacklisted = in this case, check if the IP being printed is your IP. If not, there's some form of proxy going on. DM me personally for help with it.
- STR Replace & Preg Replace errors. IF FOR WHATEVER REASON YOU GET THESE DO NOT DELETE THE LINES. GOOGLE A SOLUTION OR CONTACT A PROFESSIONAL. THE SECURITY CHECK IS CRITICAL. If the security check is removed, anyone has full shell access to your website. An example of this would be the following:
Vulnerable Code:
A way to exploit this would be the following (typed in URL):
http://localhost/cfhttp.php?key=76q...vCgZmDvFjQpupfXJrS8e3kM7gg7&target=google.com || mkdir injectedfolder&time=1
Long story short: don't remove the lines. Google an answer.
- How to prevent VPNS: It literally has an IP whitelist soo..
Note: This doesn't work with Under Attack mode. (yet)
Note: You need to pip install cfscrape
Installation:
- Upload & unzip the zipped file to your web server
- Make sure shell_exec is enabled
- Open cfhttp.php and edit
Code:
$whitelistedips = array('127.0.0.1', '127.0.0.2');
- Visit the page on your browser to launch an attack with the following code:
http://your.website/cfhttp.php?key=...arget=cloudflareprotectedwebsite.com&time=300
Customisation:
Code:
$secret = "76qnXZ33uFTLTvQK6jH3TKj4MdznGumEanRXXvCgZmDvFjQpupfXJrS8e3kM7gg7";
Code:
if (!ctype_digit($time) || $time > 300) die('Time too big. Max time is 300.');
- If you want you can remove the 2nd line completely. (The one containing the eval string, I added it to see if anyone will think this is a virus without trying to decode it LOL, check for yourself here.)
- If you're going to be attacking websites with Russian/Chinese characters etc I suggest you remove
Code:
$target = preg_replace('/[[:^print:]]/', '', $target);
Troubleshooting:
- I forgot the error, but nginx has an error about not being able to use "HTTP_CF_CONNECTING_IP", in this case read here.
- I typed the right IP but I'm still blacklisted = in this case, check if the IP being printed is your IP. If not, there's some form of proxy going on. DM me personally for help with it.
- STR Replace & Preg Replace errors. IF FOR WHATEVER REASON YOU GET THESE DO NOT DELETE THE LINES. GOOGLE A SOLUTION OR CONTACT A PROFESSIONAL. THE SECURITY CHECK IS CRITICAL. If the security check is removed, anyone has full shell access to your website. An example of this would be the following:
Vulnerable Code:
Code:
$whitelistedips = array('6.6.6.6', '127.0.0.2');
$secret = "76qnXZ33uFTLTvQK6jH3TKj4MdznGumEanRXXvCgZmDvFjQpupfXJrS8e3kM7gg7";
$key = $_GET["key"];
$target = htmlspecialchars($_GET["target"]);
$target = preg_replace('/[[:^print:]]/', '', $target);
$target = str_replace(' ', '-', $target);
$target = preg_replace('/[^A-Za-z0-9\-]/', '', $target);
$time = $_GET["time"];
$time = preg_replace('/\D/', '', $time);
$remoteip = $_SERVER["HTTP_CF_CONNECTING_IP"];
http://localhost/cfhttp.php?key=76q...vCgZmDvFjQpupfXJrS8e3kM7gg7&target=google.com || mkdir injectedfolder&time=1
Long story short: don't remove the lines. Google an answer.
- How to prevent VPNS: It literally has an IP whitelist soo..