Github Subdomain Takeover

2019.02.03

FA Haxor (ID)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

What you need :
- Reverse IP (yougetsignal / hackertarget)
- Github Account (Better use new account)
- HTTP / HTTPS Status

First, go to Reverse IP , and then write github subdomain
*Default is : grab.github.io

Choose the subdomain without .github.io 
*Ex : myexploit.github.io

Check in HTTP / HTTPS Status
*If the domain status is 404 , you can takeover it

After you got 404 domain status, go to your github account
> Create New Repository (The repository name must *myexploit.com ! Don't use http:// or https://)
> Checklist Public
> Checklist Initialize this repository with a README
> Create new file
> Write or paste your defacement script (HTML)
> Open setting (not on profile)
> Search Github Page, change Source from "None" to "Master Branch"

Last, search Github Page again, and write "Custom Domain" with name of domain that you hijack (Ex : myexploit.com)

Thank's to All Indonesia Haxor

References:

https://www.youtube.com/watch?v=OYxri7L1zZ4

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Github Subdomain Takeover

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.