Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated Wordpress Fingerprint and Documents #176

Open
wants to merge 6 commits into
base: master
Choose a base branch
from

Conversation

0xPrial
Copy link

@0xPrial 0xPrial commented Sep 25, 2020

From my testing I got two scenarios where subdomain takeover is possible using Wordpress.com services.

Scenario-1:

If subdomain name is somethingtesttarget.target.com and if it's pointing to WordPress and vulnerable to takeover then visiting the subdomain will take user to https://wordpress.com/typo/?subdomain=somethingtesttarget where error page will look like below which confirms it's vulnerable to takeover
Screenshot 2020-09-25 at 8 31 56 PM

Scenario-2:

If subdomain name is something_test.target.com and if it's pointing to WordPress and vulnerable to takeover then visiting the subdomain will take user to https://wordpress.com/typo/?subdomain=something_test where error page will look like below
Screenshot 2020-09-25 at 8 27 16 PM

Note that it even says The address something_test.wordpress.com cannot be registered. Site names can only contain lowercase letters (a-z) and numbers. but ignore this as you can register a domain via a domain mapping upgrade of Wordpress.com and it will not matter what the underlying .wordpress.com address is.
Screenshot 2020-09-25 at 8 29 35 PM

How to Takeover and create P0C

To takeover a subdomain we need to use Domain Mapping service what is only available for Paid account so you need to buy the Personal package worth 48$ and then

  • Create a site using your wordpress free account .
  • Visit https://wordpress.com/domains/manage/ and click on Add a domain to this site button available at top of the webpage
  • Now go to bottom of the webpage and you will see Already own a domain? click on it and the select Map Your Domain option.
  • In following page past the subdomain name you want to takeover and click on Add button and you will be taken to Checkout webpage. [ You will also asked for upgrade account in these steps in that time select Personal package ]
  • Now In checkout page pay the pricing and you will get Domain Mapping free with you plan.
  • As I am already on a upgraded account of mine my checkout page will look like below

Screenshot 2020-09-25 at 8 46 53 PM

  • Now click on Complete checkout page and the domain will be added in your account and you can see it at https://wordpress.com/domains/manage
  • Now click on three dots and select Make Primary Domain to serve your P0C page on that subdomain directly.

Screenshot 2020-09-25 at 8 50 53 PM

Happy Hacking <3

@0xPrial
Copy link
Author

0xPrial commented Sep 27, 2020

Today I just got another Scenario for wordpress subdomain takeover. I will call this Scenario-3

Scenario-3

  • If subdomain name is somethingtesttarget.target.com and it's pointing to WordPress CNAME somethingtesttargetdottargetdotcom.wordpress.com
  • If there is already a site exist on somethingtesttargetdottargetdotcom.wordpress.com
    Then you will see a error page saying Warning! Domain mapping upgrade for this domain not found. which is also vulnerable to takeover

Screenshot_2020-09-28_at_2_45_39_AM

To takeover just follow the same steps to add the domain with you account via domain mapping service ;

@0xPrial
Copy link
Author

0xPrial commented Jan 4, 2021

Hey @codingo
can you take a look here ?

Thanks.

Copy link
Owner

@EdOverflow EdOverflow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @0xPrial. This looks good to me but I will let @codingo review this PR too before merging it.

@cyb3rsalih
Copy link

The finger print may change according to this article

https://sapt.medium.com/wordpress-subdomain-takeover-on-bugcrowd-private-program-f59b5a0d74a7
Screen Shot 2022-11-30 at 19 47 30

@0xPrial
Copy link
Author

0xPrial commented Nov 30, 2022

The finger print may change according to this article

https://sapt.medium.com/wordpress-subdomain-takeover-on-bugcrowd-private-program-f59b5a0d74a7 Screen Shot 2022-11-30 at 19 47 30

Hi @cyb3rsalih,
I can confirm wordpress updated contents of error page for Scenario-3 I described in above comment.

Thanks for your update <3

@muhammadahmad62
Copy link

Is this still vulnerable with the latest fingerprint and takeover is possible? anyone who has done it recently? I have recently reported a bug but they want a POC. Please let me know if a takeover is still possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants