Starting day 11 with interesting information that can be gathered from the wayback machine which will increase the information found in the recon process. Besides recon, day 11 comes with two vulnerabilities which are memory vulnerabilities such as, buffer overflow, and subdomain takeover.
Fetching Juicy Information from Wayback Machine
From Rajesh Ranjan, In today post, I have tried to improve my recon methodology and I was reading about how can we use the wayback machine and get some sensitive Endpoints. I found an amazing write about usage of wayback machine and here it is. A big shoutout to ghostlulz.
So in this writeup, ghostlulz explained that, how can we grab URL from wayback, and get some open redirects, SSRF and XSS. to use this. Just replace the your target URL with the following:
And it will pull down a list of paths that the wayback machine has crawled. Now we can also make this automatically with a tool from TomNomNom.
Tools to automate this stuff
From Sam (CoffeeJunkie),Most of the application webs rely in computer to store and execute the application’s code. A memory vulnerability exploits a bug in the application’s memory management. This kind of vulnerabilities allow attackers to execute their own commands. There are certain languages that are susceptible to memory vulnerabilities, as an example C++ is more vulnerable than Ruby, Python, PHP, and Java. Before performing couple actions, the developer most ensure how much memory they need for the application, otherwise, bugs such as buffer overflow might happen. These kind of vulnerabilities can be complex, Peter Yaworski recommend the books. The Art of Exploitation by Jon Erickson or A Bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security by Tobias Klein, in order to understand in depth this vulnerabilities.
A buffer overflow vulnerability is a bug where an application writes data that is too big for the memory allocated for the data. Depending how the attacker is able to control the overflow of the vulnerability, it can lead to RCE and compromise other parts of the web application, depending the privileges that the user has.
Read Out Of Bounds
This kind of vulnerabilities can lead attackers to read data outside the memory boundary. This usually happens when the application reads too much memory for a given variable or action and this might lead to leak sensitive information. As an example of this bug exist Open SSL Heart Bleed vulnerability which allowed attackers to read private information from the memory server, thing such as keys and passwords.
Write Up and Explanation
The attacker discover ftp_genlist() function which was vulnerable to buffer overflow. The memory was not managing very well the data that can be overwritten in memory which it leads to remote code execution.
The server is vulnerable to heap buffer overflow due to pack_string function. The overflow can be triggered by adding a large string in one of the value parameters.
The function curl_easy_duphandle() can be used to send sensitive data that it is not suppose to be send. This is due on how the server handles the data in memory.
In short words, subdomain takeover happens when an attacker is able to claim a subdomain from a legitimate site.
Understanding Domain Names
Companies register and use domain names which are URLs that access websites and they’re mapped with IP addresses by Domain Name Servers (DNS). There is certain hierarchy with domains, these domains are separated by a period, most of top level domain include
.com, .ca, .info. Subdomains comprise the left most part of the URLs and can host separate websites on the same registered domain. Site owners have different methods to register these subdomains, one of the methods is by A record or CNAME record. These A and CNAME record have an unique name and can be only registered by site administrators, unless you find a vulnerability.
How Subdomain Take Over Work
A subdomain takeover occurs when a user can control the IP addresses or URLs that an A record or a CNAME record points to. As one of the examples and impact offered in this kind of attack, the attacker can steal cookies that are shared by other subdomains.
Write Ups and Explanations
So, the attacker found a CNAME record that was not claimed in the subdomain
There are many vulnerabilities that can be achieved in different ways. As an example memory vulnerabilities require certain complexity than subdomain take overs. In the other side, recon can be achieved by gathering urls and information from the wayback machine