Skip to content

Updated Wordpress Fingerprint and Documents #176

Open
0xPrial wants to merge 6 commits intoEdOverflow:masterfrom
0xPrial:master
Open

Updated Wordpress Fingerprint and Documents #176
0xPrial wants to merge 6 commits intoEdOverflow:masterfrom
0xPrial:master

Conversation

@0xPrial
Copy link

@0xPrial 0xPrial commented Sep 25, 2020

From my testing I got two scenarios where subdomain takeover is possible using Wordpress.com services.

Scenario-1:

If subdomain name is somethingtesttarget.target.com and if it's pointing to WordPress and vulnerable to takeover then visiting the subdomain will take user to https://wordpress.com/typo/?subdomain=somethingtesttarget where error page will look like below which confirms it's vulnerable to takeover
Screenshot 2020-09-25 at 8 31 56 PM

Scenario-2:

If subdomain name is something_test.target.com and if it's pointing to WordPress and vulnerable to takeover then visiting the subdomain will take user to https://wordpress.com/typo/?subdomain=something_test where error page will look like below
Screenshot 2020-09-25 at 8 27 16 PM

Note that it even says The address something_test.wordpress.com cannot be registered. Site names can only contain lowercase letters (a-z) and numbers. but ignore this as you can register a domain via a domain mapping upgrade of Wordpress.com and it will not matter what the underlying .wordpress.com address is.
Screenshot 2020-09-25 at 8 29 35 PM

How to Takeover and create P0C

To takeover a subdomain we need to use Domain Mapping service what is only available for Paid account so you need to buy the Personal package worth 48$ and then

  • Create a site using your wordpress free account .
  • Visit https://wordpress.com/domains/manage/ and click on Add a domain to this site button available at top of the webpage
  • Now go to bottom of the webpage and you will see Already own a domain? click on it and the select Map Your Domain option.
  • In following page past the subdomain name you want to takeover and click on Add button and you will be taken to Checkout webpage. [ You will also asked for upgrade account in these steps in that time select Personal package ]
  • Now In checkout page pay the pricing and you will get Domain Mapping free with you plan.
  • As I am already on a upgraded account of mine my checkout page will look like below

Screenshot 2020-09-25 at 8 46 53 PM

  • Now click on Complete checkout page and the domain will be added in your account and you can see it at https://wordpress.com/domains/manage
  • Now click on three dots and select Make Primary Domain to serve your P0C page on that subdomain directly.

Screenshot 2020-09-25 at 8 50 53 PM

Happy Hacking <3

@0xPrial
Copy link
Author

0xPrial commented Sep 27, 2020

Today I just got another Scenario for wordpress subdomain takeover. I will call this Scenario-3

Scenario-3

  • If subdomain name is somethingtesttarget.target.com and it's pointing to WordPress CNAME somethingtesttargetdottargetdotcom.wordpress.com
  • If there is already a site exist on somethingtesttargetdottargetdotcom.wordpress.com
    Then you will see a error page saying Warning! Domain mapping upgrade for this domain not found. which is also vulnerable to takeover

Screenshot_2020-09-28_at_2_45_39_AM

To takeover just follow the same steps to add the domain with you account via domain mapping service ;

@0xPrial
Copy link
Author

0xPrial commented Jan 4, 2021

Hey @codingo
can you take a look here ?

Thanks.

EdOverflow
EdOverflow approved these changes Jan 7, 2021
View reviewed changes
Copy link
Owner

@EdOverflow EdOverflow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @0xPrial. This looks good to me but I will let @codingo review this PR too before merging it.

@cyb3rsalih
Copy link

cyb3rsalih commented Nov 30, 2022

The finger print may change according to this article

https://sapt.medium.com/wordpress-subdomain-takeover-on-bugcrowd-private-program-f59b5a0d74a7
Screen Shot 2022-11-30 at 19 47 30

@0xPrial
Copy link
Author

0xPrial commented Nov 30, 2022
edited
Loading

The finger print may change according to this article

https://sapt.medium.com/wordpress-subdomain-takeover-on-bugcrowd-private-program-f59b5a0d74a7 Screen Shot 2022-11-30 at 19 47 30

Hi @cyb3rsalih,
I can confirm wordpress updated contents of error page for Scenario-3 I described in above comment.

Thanks for your update <3

@muhammadahmad62
Copy link

muhammadahmad62 commented Apr 15, 2024

Is this still vulnerable with the latest fingerprint and takeover is possible? anyone who has done it recently? I have recently reported a bug but they want a POC. Please let me know if a takeover is still possible.

@knavesec
Copy link

knavesec commented Mar 27, 2025
edited
Loading

The finger print may change according to this article

https://sapt.medium.com/wordpress-subdomain-takeover-on-bugcrowd-private-program-f59b5a0d74a7 Screen Shot 2022-11-30 at 19 47 30

Tried to do this takeover recently, it now requires authentication. when you try to connect it to an external domain, it appears to ask for a domain authorization code which you'd have to get from the domain registrar. Might be possible if someone finds a way around it, but I couldn't in our timeline. Speaking specifically for this fingerprint, can't comment on the others above

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EdOverflow EdOverflow EdOverflow approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@0xPrial @cyb3rsalih @muhammadahmad62 @knavesec @EdOverflow