search

EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International
4.58k stars 689 forks source link

Subdomain takeover via LaunchRock #74

Open ghost opened 5 years ago

ghost commented 5 years ago

Service name

LaunchRock offers service to create marketing pages.

Proof

I was able to perform subdomain takeover in the private program on H1. The POC costed me a 9$ to buy the Premium plan on service (adding custom subdomain is available only on Premium plan). The issue was confirmed, fixed, and rewarded.

Documentation

String to determine subdomain takeover:

It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.

The vulnerable subdomain can be pointed to the LaunchRock via CNAME (example.launchrock.com) or via next A records:

54.243.190.28
54.243.190.39
54.243.190.47
54.243.190.54

If above conditions are met, we can perform subdomain takeover by adding a vulnerable subdomain as LaunchRock custom domain in the control panel

Ability to inject custom JS

Yes, we can add arbitrary Javascript through control panel.

Last checked date

Dec 2018

TheTechromancer commented 1 year ago

The fingerprint for this appears to have changed. Unclaimed subdomains now respond with an HTTP 500.

thepoorhacker commented 3 months ago

Hello @TheTechromancer , is it still vulnerable?