Nov 21, 2019

[ DNS Takeover ] Potential Takeover of All Subdomains That Use Campaign Monitor Newsletter Services

Takeover of all subdomains that use Campaign Monitor newsletter services


Recently, I found that all Campaign Monitor newsletter services are vulnerable to a potential takeover. I reported it 2 months ago and got no reply because I was banned from Bugcrowd, so I will share this takeover here.

Explanation of my finding:
Many companies use Campaign Monitor as their email service, so they must create a subdomain for it, for example:
newsletter.domain.com
which must have a CNAME to
cname.createsend.com
createsend.com belongs to Campaign Monitor.

All subdomains connected to this CNAME
can read all campaigns of other users,
so any attacker can create a new campaign
and connect it to the main subdomain.


PoC example:
I attached my campaign to a vulnerable subdomain;
you will see it redirect to my DNS and my fake campaign.



********************************************************


Nov 20, 2019

Subdomain Takeover via Campaignmonitor.com

Subdomain Takeover via Campaignmonitor.com
This was in a private program on Bugcrowd.

What is createsend.com DNS?
It is a DNS service belonging to campaignmonitor.com.
If you create an account on Campaign Monitor,
it gives you a subdomain on createsend.com.

Companies rely on Campaign Monitor for email campaigns,
so Campaign Monitor is only for emails.

*****************************************************************
Steps of the subdomain takeover (example)
*****************************************************************
When I went to
example.site.com
I found the site looked like this picture:


I noticed that the subdomain
example.site.com
is an alias of
testexample.createsend.com


This means the domain plan has expired on Campaign Monitor
and is ready to be reactivated under another email.

1) So I created an account on campaignmonitor.com
and chose any name;
by name here I mean example.createsend.com

2) After this you only need to add the subdomain to take over
by going to
example.createsend.com/account
then
example.createsend.com/account/customize

Then just choose a custom domain:

example.createsend.com/account/customize/customdomain/manage

3) Add your vulnerable subdomain example.site.com,
then click Next,
wait one minute and the setup will be verified.

Congrats 😉
4) Now when you go to example.site.com
it will show your example.createsend.com

The takeover steps are now finished.
****************************************************************
Now when anyone goes to example.site.com
it asks them to log in to Campaign Monitor;
yes, as I said at first, Campaign Monitor is only for managing emails and subscribers.

Now if you need to create a small page to show,
you can only create a subscribe page.

Go to this path

https://example.site.com/templates/create

You can upload your subscribe page or choose from the templates on the site.

An example like mine:



***********************************************************************
Reward was $900
fixed 10 minutes after the report
*****************************************************

Sep 20, 2019

How I Was Able to Take Over 10 Subdomains in a Private Program

Program : Private Program
Vulnerability : Subdomain Takeover
Subdomains : 10 subdomains
Bounty : $500
______________________________________________________________

How I was able to take over 10 subdomains in a private program


I was able to take over 10 subdomains via the Fastly service because the domain was not used on any Fastly account.

When I tried to visit some subdomains,
they showed me this message:



This message means it is possible to
take over the domain via Fastly.

So I tried to add the domain to my Fastly account and it was allowed to be added,
so this means I had taken over the domain, and every subdomain showing the message above is taken over too.

10 subdomains showed the same message!
So this is what I did.


You can see my blog post about
how to take over via Fastly to know what I mean.




_______________________________________________




Sep 5, 2019

DOM-Based XSS in a Private Program



--------------------------------------------------------------------------

Domain : redacted.com
Target : blog.redacted.com
Program : Private on HackerOne
Bounty : 500$

--------------------------------------------------------------------------
DOM-Based XSS in blog.redacted.com

prettyPhoto is widely used in various WordPress themes and plugins.
The XSS was in the setTimeout function in js/jquery.prettyPhoto.js: prettyPhoto 3.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted PATH_INFO to the default URI.

--------------------------------------------------------------------------
The PoC was
http://blog.redacted.com/#prettyPhoto[gallery]/1,<a%20onclick="document.write(document.cookie);">/



--------------------------------------------------------------------------
How to Fix
prettyPhoto DOM-Based XSS
You can fix the DOM-based XSS in prettyPhoto by opening jquery.prettyPhoto.js in your favorite editor.
Scroll to line 876 and add these lines:

// xss prevention
// force the gallery index to a number so it can no longer carry markup such as <a onclick=...>
hashIndex = parseInt(hashIndex);
// escape jQuery selector metacharacters in the rel value so it cannot break out of the
// attribute selector that setTimeout later builds from it
hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1');

At least versions 3.1.4 and 3.1.5 of prettyPhoto, depending on your download source, are vulnerable to this DOM-based XSS. As always, test such code fixes before putting them in production!


Jul 30, 2019

SQL Injection in private-site.com/login.php

SQL Injection in login.php in a Private Program

Program : Private on HackerOne
Method : POST
Affected Path : Login.php
Affected Parameter : username
Bounty : Out Of Scope
-----------------------------------------------

The vulnerable URL was
private-site.com/login.php

Tool

The site showed me two login fields
( Username & Password )

In the username I put only ( ' )

Then it showed me this error.
This means the site is vulnerable to SQL injection.

Now I just captured the request
and added it to a list.txt file,

then used sqlmap to dump the database.








Jul 28, 2019

Old GitHub Profile Takeover!

Old GitHub Profile Takeover!

Program : Private on HackerOne
Bounty : $1000
Fix : by cooperating with the company.

---------------------------------------------------------

Description
This bug was so simple and was a nice catch, so I want to write about it.

Simply, what I found:
when I was searching for bugs in the company's code on GitHub,


there were many repositories and code mentioning an old GitHub profile, which still worked well.


Example of how it worked
---------------------------------
When you try to download some files from this link
https://github.com/OldCOMPANYPROFILE/reponame/archive/master.zip

the link will redirect to

https://github.com/NewCOMPANYPROFILE/reponame/archive/master.zip

and the download will start normally.

So what was the bug here?
When I went to
https://github.com/OldCOMPANYPROFILE/
an error was shown to me: profile not found.


So I was able to create any profile with the old company profile name!
And change some repositories to vulnerable files to prove the PoC.

Taking over a not-found profile can disable the migration (redirect) from the old profile to the new profile.






-----------------------------------------------------------



Jun 11, 2019

Can I Take Over XYZ? ( Steps )

Can I take over XYZ? ( Steps )

Based on can-i-take-over-xyz

_______________________________________________________________________

Service : Heroku
Fingerprint : No Such app

There are two types of takeover in this service:
1) HerokuDNS ( edge case )
2) Herokuapp

Steps to take over:
Please note: this edge-case takeover ( HerokuDNS ) happens when the DNS of the website is an IP address belonging to Heroku.
The Herokuapp takeover has the same steps, but the DNS of the domain or subdomain is, for example, haronapplication.herokuapp.com, so you only need to create a new app called haronapplication.




_____________________________________________________________________

Service : Wufoo
Fingerprint : Profile Not found.
Steps:
The subdomain CNAME will look like
haronsurvey.wufoo.com
and the full steps are here


__________________________________________________________________________

Service : Unbounce
Fingerprint : The requested url was not found on this server.

Takeover steps:
Still possible for old clients.
Steps here

_____________________________________________________________________________

Service : HubSpot
Fingerprint : Domain Not found.
Takeover steps:
Possible;
will be added soon.

Info here

____________________________________________________________________________

Service : Shopify
Fingerprint : Sorry, this shop is currently unavailable.


Takeover steps:
here

________________________________________________________________________

Service : Campaign Monitor
Fingerprint : Trying to access your account?

Takeover steps:

__________________________________________________________________________

Service : Fastly
Fingerprint : Fastly error: unknown domain

Takeover steps:
Create your Fastly account for free and do these steps in the video

___________________________________________________________________________





Apr 13, 2019

[ Special Case ] HerokuDNS Is Still Vulnerable to Subdomain Takeovers ( Live PoC )

Today I will share a new finding about
subdomain takeovers
via HerokuDNS
[ Edge Case ]

Many blogs say you can't take over from herokudns any more
because they now use a random CNAME generator.

In this blog I will explain how I could take over this domain
and add it to my custom domains list on my Heroku dashboard.
-----------------------------------------------
Explanation
Simply:
1) If you see this picture,
which shows you the title " No Such App "


2) Now go and check the DNS of the subdomain;
if you find it like this ( IPs )

3) You can add it directly to your Heroku account, to any app, as a custom domain.
Yes, when you add it you will get a random CNAME, like what happened when I added dns-scratch.me to my account.



4) The domain or subdomain is now connected.
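The fingerprint list from the "Can I take over XYZ" post and this HerokuDNS edge case, turned into a defender-side triage script; this is an added example, not the author's code. It classifies constructed DNS and HTTP observations by the fingerprints the page gives, and the Heroku IP range is a labelled placeholder to be filled from the provider's published ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Service -> (CNAME suffix named on this page or None, fingerprint text from the page's list).
FINGERPRINTS = {
    "Campaign Monitor": ("createsend.com", "Trying to access your account?"),
    "Heroku": ("herokuapp.com", "No Such app"),
    "Wufoo": ("wufoo.com", "Profile Not found."),
    "Fastly": (None, "Fastly error: unknown domain"),
    "Unbounce": (None, "The requested url was not found on this server."),
    "HubSpot": (None, "Domain Not found."),
    "Shopify": (None, "Sorry, this shop is currently unavailable."),
}
# PLACEHOLDER: the HerokuDNS edge case is a bare A record at a Heroku IP, which a CNAME-only
# check misses. Fill from the provider's published ranges; 203.0.113.0/24 is a documentation net.
PROVIDER_IP_RANGES = {"Heroku": [ipaddress.ip_network("203.0.113.0/24")]}

@dataclass
class Observation:
    host: str
    body: str                                # response body fetched from the host
    cname: Optional[str] = None              # CNAME target when the record is an alias
    ips: list = field(default_factory=list)  # A records otherwise

def classify(obs: Observation) -> Optional[tuple]:
    """Return (service, reason) when the host looks like an unclaimed alias, else None."""
    body = obs.body.lower()
    for service, (suffix, marker) in FINGERPRINTS.items():
        if marker.lower() not in body:
            continue  # real content, or an unrelated error page
        if suffix and obs.cname and obs.cname.lower().endswith(suffix):
            return service, f"CNAME {obs.cname} plus fingerprint"
        if suffix is None:
            return service, "fingerprint only (the page gives no CNAME pattern)"
        for net in PROVIDER_IP_RANGES.get(service, []):
            if any(ipaddress.ip_address(ip) in net for ip in obs.ips):
                return service, "A record in provider range plus fingerprint (edge case)"
    return None

def triage(observations: list) -> dict:
    """Map each flagged host to (service, reason); hosts serving real content are left out."""
    return {o.host: hit for o in observations if (hit := classify(o))}

# Constructed observations (not real hosts): dangling createsend alias, Heroku edge case, alias in use.
SAMPLE = [
    Observation("newsletter.example.com", "Trying to access your account?", cname="cname.createsend.com"),
    Observation("edge.example.com", "<title>No Such App</title>", ips=["203.0.113.10"]),
    Observation("www.example.com", "<h1>Welcome to our newsletter</h1>", cname="cname.createsend.com"),
]
```

Run triage(SAMPLE) to see the two dangling hosts flagged and the in-use alias ignored; in practice the observations come from your own resolver and HTTP fetch.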



---------------------------------------------------------

Apr 12, 2019

[RCE] Remote Code Execution at api.PrivateProgram.com (CVE-2017-5638)

Apache Struts CVE-2017-5638
Remote Code Execution Vulnerability
Program : Private on HackerOne
Bounty : $2000 and a $250 bonus
Subdomain : Api.Private.com


Today I will post my new find:
remote code execution
in the API subdomain of a private program,
which used a vulnerable version of Apache Struts
(CVE-2017-5638).

CVE-2017-5638 description:
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

PoC was:


References:





----------------------------------------------------------