Dangling DNS: Worksites.net
Another service vulnerable to subdomain takeover
This post is a write-up about Worksites, a service vulnerable to subdomain takeover, which I found back in April 2020. Although this is a paid service, it's possible to create a PoC without having to purchase the service.

Worksites.net

Worksites.net is a web service for building websites for contractors and growing businesses, and it supports a custom domains feature.

Service Detection

The A record should be pointing to the static IP address 69.164.223.206:

    worksites.melbadry9.xyz. 60 IN A 69.164.223.206

I use the following Nuclei template to check for possible candidates.

    id: detect-worksites

    info:
      name: worksites.net service detection
      author: melbadry9
      severity: info
      tags: dns

    dns:
      - name: "{{FQDN}}"
        type: A
        class: inet
        recursion: true
        retries: 2
        matchers:
          # match when the A answer contains the Worksites static IP
          - type: word
            words:
              - "69.164.223.206"

Takeover Detection

To verify whether subdomain takeover may be possible, we should see an error page similar to this one.
[Screenshot: Vulnerable Subdomain Error Page]

Fingerprint

To detect a vulnerable subdomain, we use the following fingerprint; based on the HTTP response, we confirm whether the subdomain is vulnerable or not.

    {
      "status_code": 404,
      "text": [
        "Company Not Found",
        "Hello! Sorry, but the website you’re looking for doesn’t exist."
      ]
    }

I use the following Nuclei template to check for vulnerable subdomains.

    id: worksites-takeover

    info:
      name: worksites.net subdomain takeover
      author: melbadry9
      severity: high
      tags: takeover

    requests:
      - method: GET
        path:
          - "{{BaseURL}}/"
        # both matchers below must match
        matchers-condition: and
        matchers:
          # both strings must be present in the response
          - type: word
            words:
              - "Company Not Found"
              - "Hello! Sorry, but the website you’re looking for doesn’t exist."
            condition: and
          - type: status
            status:
              - 404
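
As an added example (not part of the original post or its Nuclei templates), the Python sketch below applies both checks above to an inventory of your own DNS records: it picks out names whose A record is the Worksites IP, then tests a fetched response against the fingerprint. The example.com names, the sample zone lines and the entity/apostrophe normalisation are assumptions of this example.

```python
import html
import re

WORKSITES_IP = "69.164.223.206"  # static IP from the post
FINGERPRINT = {                  # fingerprint from the post
    "status_code": 404,
    "text": ["Company Not Found",
             "Hello! Sorry, but the website you’re looking for doesn’t exist."],
}

# Constructed sample input (example.com names are placeholders, not real data).
SAMPLE_ZONE = """\
shop.example.com. 300 IN A 69.164.223.206
www.example.com.  300 IN A 203.0.113.10
; old.example.com. 60 IN A 69.164.223.206
jobs.example.com. 60 IN A 69.164.223.206 ; contractor site
"""

def _norm(s):
    """Decode HTML entities, fold curly apostrophes, collapse whitespace.
    Assumption: the page may encode the apostrophe differently than the fingerprint."""
    s = html.unescape(s).replace("\u2019", "'")
    return re.sub(r"\s+", " ", s)

def worksites_names(zone_text):
    """Names in dig/zone-style text whose A record is the Worksites IP."""
    names = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) >= 3 and fields[-2].upper() == "A" and fields[-1] == WORKSITES_IP:
            names.append(fields[0].rstrip(".").lower())
    return names

def classify(a_records, status, body):
    """Return 'not-worksites', 'dangling' or 'no-fingerprint' for one hostname."""
    if WORKSITES_IP not in a_records:
        return "not-worksites"
    text = _norm(body)
    hit = (status == FINGERPRINT["status_code"]
           and all(_norm(t) in text for t in FINGERPRINT["text"]))
    return "dangling" if hit else "no-fingerprint"

if __name__ == "__main__":
    # Constructed response body using HTML entities for the apostrophes.
    body = ("<h1>Company Not Found</h1><p>Hello! Sorry, but the website "
            "you&rsquo;re looking for doesn&#8217;t exist.</p>")
    for name in worksites_names(SAMPLE_ZONE):
        print(name, classify([WORKSITES_IP], 404, body))
```

A "dangling" result on a name you own means the A record is stale and should be removed from the zone.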

Takeover Steps

  • Register an account on Worksites.net
  • Go to https://app.worksites.net/website/domain-name
  • Set your domain name to the subdomain we want to take over: worksites.melbadry9.xyz
  • Visit worksites.melbadry9.xyz
  • Create a screenshot as PoC; we can publish the site for $27.00 per month
[Screenshot: Takeover by melbadry9 PoC]

Can I takeover XYZ? - Issue

I have opened an issue on GitHub regarding this service:
Worksites vulnerable to subdomain takeover · Issue #142 · EdOverflow/can-i-take-over-xyz