Updated Wordpress Fingerprint and Documents

[0xPrial]

From my testing I got two scenarios where subdomain takeover is possible using Wordpress.com services.

Scenario-1:

If subdomain name is somethingtesttarget.target.com and if it's pointing to WordPress and vulnerable to takeover then visiting the subdomain will take user to https://wordpress.com/typo/?subdomain=somethingtesttarget where error page will look like below which confirms it's vulnerable to takeover

Scenario-2:

If subdomain name is something_test.target.com and if it's pointing to WordPress and vulnerable to takeover then visiting the subdomain will take user to https://wordpress.com/typo/?subdomain=something_test where error page will look like below

Note that it even says The address something_test.wordpress.com cannot be registered. Site names can only contain lowercase letters (a-z) and numbers. but ignore this as you can register a domain via a domain mapping upgrade of Wordpress.com and it will not matter what the underlying .wordpress.com address is.

How to Takeover and create P0C

To takeover a subdomain we need to use Domain Mapping service what is only available for Paid account so you need to buy the Personal package worth 48$ and then

• Create a site using your wordpress free account .
• Visit https://wordpress.com/domains/manage/ and click on Add a domain to this site button available at top of the webpage
• Now go to bottom of the webpage and you will see Already own a domain? click on it and the select Map Your Domain option.
• In following page past the subdomain name you want to takeover and click on Add button and you will be taken to Checkout webpage. [ You will also asked for upgrade account in these steps in that time select Personal package ]
• Now In checkout page pay the pricing and you will get Domain Mapping free with you plan.
• As I am already on a upgraded account of mine my checkout page will look like below

• Now click on Complete checkout page and the domain will be added in your account and you can see it at https://wordpress.com/domains/manage
• Now click on three dots and select Make Primary Domain to serve your P0C page on that subdomain directly.

Happy Hacking <3

[0xPrial]

Today I just got another Scenario for wordpress subdomain takeover. I will call this Scenario-3

Scenario-3

• If subdomain name is somethingtesttarget.target.com and it's pointing to WordPress CNAME somethingtesttargetdottargetdotcom.wordpress.com
• If there is already a site exist on somethingtesttargetdottargetdotcom.wordpress.com
  Then you will see a error page saying Warning! Domain mapping upgrade for this domain not found. which is also vulnerable to takeover

To takeover just follow the same steps to add the domain with you account via domain mapping service ;

[0xPrial]

Hey @codingo
can you take a look here ?

Thanks.

[EdOverflow]

Thank you, @0xPrial. This looks good to me but I will let @codingo review this PR too before merging it.

[cyb3rsalih]

The finger print may change according to this article

https://sapt.medium.com/wordpress-subdomain-takeover-on-bugcrowd-private-program-f59b5a0d74a7

[0xPrial]

The finger print may change according to this article

https://sapt.medium.com/wordpress-subdomain-takeover-on-bugcrowd-private-program-f59b5a0d74a7

Hi @cyb3rsalih,
I can confirm wordpress updated contents of error page for Scenario-3 I described in above comment.

Thanks for your update <3

[muhammadahmad62]

Is this still vulnerable with the latest fingerprint and takeover is possible? anyone who has done it recently? I have recently reported a bug but they want a POC. Please let me know if a takeover is still possible.