{"id":61,"date":"2016-09-21T00:00:02","date_gmt":"2016-09-20T18:30:02","guid":{"rendered":"http:\/\/www.geekboy.ninja\/blog\/?p=61"},"modified":"2016-09-22T08:06:00","modified_gmt":"2016-09-22T02:36:00","slug":"hijacking-tons-of-instapage-expired-users-domains-subdomains","status":"publish","type":"post","link":"http:\/\/www.geekboy.ninja\/blog\/hijacking-tons-of-instapage-expired-users-domains-subdomains\/","title":{"rendered":"Hijacking tons of Instapage expired users Domains & Subdomains"},"content":{"rendered":"

Hello all \ud83d\ude42<\/span><\/p>\n

so this post is about how I\u00a0was able to hijack ton’s of domains\/subdomains who using Instapage<\/strong> if\u00a0there service got expired.<\/span><\/p>\n

What is instapage ?<\/span><\/h2>\n

Instapage<\/a>\u00a0<\/b>is a service that lets you build landing pages for your online marketing and promotion campaigns with ease. It offers features such as A\/B Testing, multiple campaign management, easy page building, and a lot more!<\/span><\/p><\/blockquote>\n

it also allows users to map its\u00a0template\u00a0on\u00a0there own\u00a0domain or subdomains.<\/span><\/strong><\/p>\n

How i found it ?<\/span><\/h2>\n

as am one of researchers from HackerOne<\/strong><\/a> platform , I\u00a0was trying to get something on HackerOne<\/strong> itself as I want that Hacking Hackers<\/strong>\u00a0Badge<\/strong>\u00a0of my profile<\/a>.<\/span><\/p>\n

I found\u00a0hacker.one<\/strong> is inscope domain list which is one of the\u00a0officail\u00a0website of HackerOne<\/strong>, and when I\u00a0vistied it and\u00a0seen some error which caught in my eye and after figuring\u00a0it, I come to know it was Instapage<\/strong> error which\u00a0occurs when service\u00a0get expired or domain or subdoamin not linked properly and it takes just few mintues to figurte it out that I can publish my own template to any of misconfigured\u00a0and expired domains\/subdomains of instapage<\/strong> and luckly HackerOne<\/strong> is one of there users.<\/span><\/p>\n

Instapage error on Hacker.One :<\/span><\/h3>\n

\"bxwvtem\"<\/a><\/p>\n

 <\/p>\n

Vulnerable Post Request :<\/span><\/h3>\n
POST \/ajax\/builder2\/publish\/2340488 HTTP\/1.1\r\nHost: app.instapage.com\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.04\r\nAccept: *\/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nReferer: http:\/\/app.instapage.com\/builder2?id=2340488\r\nContent-Length: 31\r\nCookie: cookie_value\r\nConnection: close\r\n\r\nversion=1&url=www.hacker.one<\/span><\/pre>\n
where url<\/strong> parameter value contain vulnerable domains .<\/span><\/p>\n
Hacker.One domain Takeover :\u00a0<\/span><\/h3>\n
\"insta-0day\"<\/a><\/p>\n
 <\/p>\n
Here is the Video POC :<\/span><\/h3>\n