Mohamed Elbadry | Blog
  • About Me
    • Acknowledgement
  • Dangling DNS
    • Amazon Web Services
      • Dangling DNS: Amazon EC2
      • Dangling DNS: Amazon EC2 IPs (Current State)
    • Vulnerable Services
      • Dangling DNS: Worksites.net
      • Dangling DNS: Announcekit
  • Write-ups
    • Fuzzing
      • Automate Cache Poisoning Vulnerability - Nuclei
      • How I built the PoC for the Log4j zero-day security vulnerability
Powered by GitBook
On this page
  • Worksites.net
  • Service Detection
  • Takeover Detection
  • Fingerprint
  • Takeover Steps
  • Can I takeover XYZ? - Issue

Was this helpful?

  1. Dangling DNS
  2. Vulnerable Services

Dangling DNS: Worksites.net

Another service vulnerable to subdomain takeover

This post is the write-up about subdomain takeover vulnerable service Worksites that I found back in April 2020. Although this is a paid service, It's possible to create a PoC without having to purchase the service.

Worksites.net

Worksites.net is a web service for building websites for contractors and growing businesses, which support custom domains feature.

Service Detection

A record should be pointing to static IP address 69.164.223.206

worksites.melbadry9.xyz. 60     IN      A       69.164.223.206

I use the following Nuclei template to check for possible candidates.

id: detect-worksites

info:
  name: worksites.net service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        words:
          - "69.164.223.206"

Takeover Detection

We should see a similar error page to verify whether the subdomain takeover may be possible.

Fingerprint

To detect a vulnerable subdomain, we use the following fingerprint based on the HTTP response; we confirm whether the subdomain is vulnerable or not.

{
    "status_code": 404,
    "text": [
        "Company Not Found",
        "Hello! Sorry, but the website you’re looking for doesn’t exist."
    ]
}

I use the following Nuclei template to check for the vulnerable subdomain.

id: worksites-takeover

info:
  name: worksites.net subdomain takeover
  author: melbadry9
  severity: high
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Company Not Found"
          - "Hello! Sorry, but the website you’re looking for doesn’t exist."
        condition: and
      - type: status
        status:
          - 404

Takeover Steps

  • Register an account on Worksites.net

  • Go to https://app.worksites.net/website/domain-name

  • Set Your domain name to subdomain we want to takeover worksites.melbadry9.xyz

  • Visit worksites.melbadry9.xyz

  • Create a screenshot as PoC. We can publish the site for $27.00 per month.

Can I takeover XYZ? - Issue

I opened an issue on GitHub regarding this service:

PreviousVulnerable ServicesNextDangling DNS: Announcekit

Last updated 2 years ago

Was this helpful?

About Me
LogoWorksites vulnerable to subdomain takeover · Issue #142 · EdOverflow/can-i-take-over-xyzGitHub
Vulnerable Subdomain Error Page
Takeover Steps
Takerover by melbadry9 PoC
Page cover image