Tuesday, November 1, 2016

[Yahoo] Disclosure of phpinfo.php file at one of Yahoo's subdomains

Hi there,

This article is about a rather trivial finding, but nonetheless the misconfiguration had previously been missed by other researchers, so I decided to share it with the public as well.
As I wrote in my previous post, all my research starts with reconnaissance of the target, and Yahoo was no exception. When all my 'first round' custom scripts had finished, they had found ~4k subdomains for the Yahoo domain. Sure, not all of them were alive, but that is still a lot... Now it was time for the 'second round' of custom scripts, one of which looks for common default files with incorrect access permissions (e.g. phpinfo.php).

In a couple of hours my script detected an accessible phpinfo.php file at one of the subdomains. My first thought was: "it's probably a false positive". But no, the file was indeed accessible at the following URL: 'http://druid-hist25.lh.bf1.yahoo.com/phpinfo.php'

Frankly speaking, I was quite surprised by this finding, because I read a lot of blogs written by other researchers and I remembered a finding by Patrik Fehrenbach in his blog post. The vulnerability is exactly the same, the target is the same, and he additionally scanned the whole Yahoo NetRange for the accessible file. My question was: "How was the file missed?". In a couple of seconds I realized that such a huge corporation probably has other networks..
A quick ping of 'druid-hist25.lh.bf1.yahoo.com' put everything into place.

As you may have noticed, the subdomain I found is in a different network from the one Patrik scanned (CIDR: 98.136.0.0/14).
Now I needed to find out the IP range of the network containing the IP 74.6.49.57. I did it via the whois service and retrieved the following info:
NetRange:       74.6.0.0 - 74.6.255.255
CIDR:           74.6.0.0/16
NetName:        INKTOMI-BLK-6
NetHandle:      NET-74-6-0-0-1
Parent:         NET74 (NET-74-0-0-0-0)

I dared to 'borrow' Patrik's script and follow his example: scan all 65,025 IPs. The script ran for ~2.5 days, but that's fine thanks to my always-on server at DigitalOcean. :) And btw, as a commercial note, I would recommend the DigitalOcean platform for your remote pentesting server; use my referral link and get $10 credited to your account.

Fortunately or unfortunately, I didn't find anything else in that IP range.
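As an added example (not the author's or Patrik's script), here is a small Python audit in the spirit of the 'second round' check above: it fetches /phpinfo.php from each host in an inventory and flags the host only when the body carries the fingerprints of a real phpinfo() page, and it also checks whether a resolved address lies inside a range that has already been scanned. The hostnames, sample responses and fake fetcher are constructed so the script runs offline; the markers are assumed from stock phpinfo() output.

```python
import ipaddress
import urllib.request
from typing import Callable, Dict, List, Optional

# Fingerprints a stock phpinfo() page carries (assumption: default PHP output).
PHPINFO_MARKERS = ("<title>phpinfo()</title>", "PHP Version", "php.ini")

def looks_like_phpinfo(body: str) -> bool:
    """Require two markers so an error page that merely mentions PHP is not flagged."""
    return sum(1 for marker in PHPINFO_MARKERS if marker in body) >= 2

def in_network(ip: str, cidr: str) -> bool:
    """Tell whether a resolved address falls inside an already-scanned range."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Default fetcher: GET the URL and return the body, or None on any error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(200_000).decode("utf-8", errors="replace")
    except Exception:
        return None

def audit_hosts(hosts: List[str], fetch: Callable[[str], Optional[str]] = http_fetch) -> Dict[str, bool]:
    """Map each host to True when its /phpinfo.php answers with a phpinfo page."""
    results: Dict[str, bool] = {}
    for host in hosts:
        body = fetch(f"http://{host}/phpinfo.php")
        results[host] = body is not None and looks_like_phpinfo(body)
    return results

# Constructed sample responses; fake_fetch stands in for the network so this runs offline.
SAMPLE_RESPONSES = {
    "http://exposed.example.test/phpinfo.php":
        "<html><head><title>phpinfo()</title></head><body>PHP Version 5.4.16 "
        "Loaded Configuration File /etc/php.ini</body></html>",
    "http://clean.example.test/phpinfo.php":
        "<html><head><title>404 Not Found</title></head><body>No PHP page here</body></html>",
}

def fake_fetch(url: str) -> Optional[str]:
    return SAMPLE_RESPONSES.get(url)  # unknown hosts behave like a dead server

if __name__ == "__main__":
    print(audit_hosts(["exposed.example.test", "clean.example.test", "down.example.test"], fake_fetch))
    print(in_network("74.6.49.57", "98.136.0.0/14"), in_network("74.6.49.57", "74.6.0.0/16"))
```

Hosts that are flagged should have the file removed or access-restricted, since a phpinfo() page reveals paths, loaded modules and environment details that are useful to anyone profiling the server.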

RESULTS:
Bounty
Swag
HoF


Always believe in yourself and good luck.

Thanks for your attention.
Stas
