Dangling DNS: Worksites.net
Another service vulnerable to subdomain takeover
This post is the write-up about subdomain takeover vulnerable service Worksites that I found back in April 2020. Although this is a paid service, It's possible to create a PoC without having to purchase the service.
Worksites.net is a web service for building websites for contractors and growing businesses, which support custom domains feature.
A record should be pointing to static IP address 69.164.223.206worksites.melbadry9.xyz. 60 IN A 69.164.223.206
YAML
id: detect-worksites
info:
name: worksites.net service detection
author: melbadry9
severity: info
tags: dns
dns:
- name: "{{FQDN}}"
type: A
class: inet
recursion: true
retries: 2
matchers:
- type: word
words:
- "69.164.223.206"
We should see a similar error page to verify whether the subdomain takeover may be possible.
Vulnerable Subdomain Error Page
To detect a vulnerable subdomain, we use the following fingerprint based on the HTTP response; we confirm whether the subdomain is vulnerable or not.
{
"status_code": 404,
"text": [
"Company Not Found",
"Hello! Sorry, but the website you’re looking for doesn’t exist."
]
}
YAML
id: worksites-takeover
info:
name: worksites.net subdomain takeover
author: melbadry9
severity: high
tags: takeover
requests:
- method: GET
path:
- "{{BaseURL}}/"
matchers-condition: and
matchers:
- type: word
words:
- "Company Not Found"
- "Hello! Sorry, but the website you’re looking for doesn’t exist."
condition: and
- type: status
status:
- 404
- Go to
https://app.worksites.net/website/domain-name - Set
Your domain nameto subdomain we want to takeoverworksites.melbadry9.xyz
Takeover Steps
- Visit
worksites.melbadry9.xyz - Create a screenshot as PoC. We can publish the site for $27.00 per month.
Takerover by melbadry9 PoC
Last modified 6mo ago