search

EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International
4.89k stars 718 forks source link

Getresponse.com vulnerable to subdomain takeover #235

Open darkpills opened 3 years ago

darkpills commented 3 years ago

Service name

GetResponse - https://www.getresponse.com/

Vulnerable domain which can be takeover

image

Fingerprint: "Cette landing page n'est plus disponible" (FR)

Steps to takeover

  1. Register an account on https://www.getresponse.com/
  2. Create a new domain : My Account > Manage account > Landing page domain > Add domain: declare the victim subdomain to takeover: sub.victim.com
  3. Do a "dig sub.victim.com" to get the CNAME. There should be a CNAME for any of the getresponse tool domains: gr8.com, subscribemenow.com, getresponsepages.com
  4. Create a new landing page that will be displayed. In the Edit settings > landging page url settings > put the subdomain you saw previously like: test.gr8.com to make your landing page response to the sub.victim.com
TheElgo64 commented 2 years ago

Hmmm, not vulnerable now. 30/12/2021

darkpills commented 2 years ago

I remember I could not make the association between the vulnerable domain with the admin interface, I had to open a ticket to the support to make them associate the domain even if it is not associated with any customer.

GDATTACKER-RESEARCHER commented 2 years ago

working i have tested

lovepentest commented 1 year ago

Not working now

VictimV59 commented 1 year ago

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

GDATTACKER-RESEARCHER commented 1 year ago

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

It simply means it's already claimed by org or someone but the default page is not changed.

VictimV59 commented 1 year ago

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

GDATTACKER-RESEARCHER commented 1 year ago

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

Yes

VictimV59 commented 1 year ago

Thanks for explaining😄