Subdomain Takeover Via Campaignmonitor.Com
Subdomain Takeover via Campaignmonitor.com
was in Private Program on BugCrowd
what is createsend.com dns ?
its a dns service Belong to campaignmonitor.com
if you create an account on campaignmonitor
this will give you a subdomain on createsend.com
companies count on Campaign Monitor for email campaigns
So campaignmonitor is only for emails
*****************************************************************
Steps to subdomain Takeover example
*****************************************************************
*****************************************************************
When I go to
example.site.com
i found the site like this pic
i found the site like this pic
I notice that subdomain
example.site.com
is alias to
testexample.createsend.com
This mean the domain plan is expired on campaignmonitor
and ready to reactive on another email
1) So I created an account on campaignmonitor.com
and choose any name
name here i mean an example.createsend.com
2) After this you need only to add the subdomain of takeover
By going to
example.createsend.com/account
then
example.createsend.com/account/customize
Then Just Choose a Custom domain
example.createsend.com/account/customize/customdomain/manage
3) add your vulnerable subdomain example.site.com
Then Click next
wait 1 min and the setup will be verified
Congrats 😉
4) Now when you go to example.site.com
its will show your example.createsend.com
Takeover Steps is now finished
****************************************************************
Now when anyone go to example.site.com
it ask him to login to Campaign Monitor!
yes as I said at first Campaign Monitor is only to manage emails and Subscribes
Now if you need to create a small Page Show
you will only create a Subscribes Page
Go to this Path
https://example.site.com/templates/create
You can Upload your subscribe page or choose from the templates on the site
example like mine
***********************************************************************
Reward was 900$
Reward was 900$
fixed in 10 min from report
*****************************************************
*****************************************************
No comments
Please do not enter any spam link in comment box.