From 52886318ca9a8969ee507e6c80253890d7ae20ff Mon Sep 17 00:00:00 2001
From: sallam <108616378+h0tak88r@users.noreply.github.com>
Date: Thu, 14 Mar 2024 17:37:31 +0200
Subject: [PATCH] Update subov88r.go
---
 subov88r.go | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/subov88r.go b/subov88r.go
index d9d270c..184b2aa 100644
--- a/subov88r.go
+++ b/subov88r.go
@@ -5,8 +5,10 @@ import (
 "flag"
 "fmt"
 "net"
+ "net/http"
 "os"
 "os/exec"
+ "regexp"
 "strings"
 )

@@ -43,10 +45,7 @@ func main() {
 subdomain := scanner.Text()

 // Get the CNAME record for the subdomain
- cname, err := net.LookupCNAME(subdomain)
- if err != nil {
- return
- }
+ cname, _ := net.LookupCNAME(subdomain)

 // Get the status of the subdomain
 status, err := getStatus(subdomain)
@@ -55,6 +54,13 @@ func main() {
 continue
 }

+ isVuln := azureSTO(cname, status)
+
+ if isVuln {
+ fmt.Printf("[%v,%v,%v] Possiply Vulnerable to subdomain takevover", subdomain, cname, status)
+ continue
+ }
+
 // Print results with ANSI colors
 fmt.Printf("%sSubdomain: %s %s, %sCNAME: %s %s, %sStatus: %s%s\n", Red, subdomain, NC, Blue, cname, NC, Green, status, NC)
 }
@@ -82,3 +88,17 @@ func getStatus(subdomain string) (string, error) {
 }
 return status, nil
 }
+
+// function that check for subdomain takeover in azure services
+func azureSTO(cname string, status string) bool {
+ azureRegex := regexp.MustCompile(`(?i)^(?:[a-z0-9-]+\.)?(?:cloudapp\.net|azurewebsites\.net|cloudapp\.azure\.com)$`)
+
+ if strings.Contains(status, "NXDOMAIN") && azureRegex.MatchString(cname) {
+ url := fmt.Sprintf("https://%s", cname)
+ _, err := http.Get(url)
+ if err != nil {
+ return true // If there's an error, assume it's a possible subdomain takeover
+ }
+ }
+ return false
+}
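Review bot: The error from `net.LookupCNAME` is now thrown away at `cname, _ := net.LookupCNAME(subdomain)`, so a resolver failure, a timeout and a host with no CNAME all produce the same empty `cname` with nothing in the output to tell them apart. Dropping the old `return` is reasonable, since it aborted the whole scan on the first failed lookup, but the error should still be reported: keep `cname, err := net.LookupCNAME(subdomain)` and add `if err != nil { fmt.Fprintf(os.Stderr, "cname lookup %q: %v\n", subdomain, err) }` before carrying on. Whether a dangling CNAME comes back as a name or as an error depends on the resolver in use, so it is worth confirming that the new takeover check ever receives a non-empty `cname` for the case it targets. main's loop starts and ends outside the hunk.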
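Review bot: The new `fmt.Printf` in the `isVuln` branch has no trailing `\n`, so each finding runs straight into the next line of output and is hard to grep or parse. I would write `fmt.Printf("[%v,%v,%v] Possibly vulnerable to subdomain takeover\n", subdomain, cname, status)`, which also fixes the "Possiply" and "takevover" typos. The finding line also skips the ANSI colour scheme used by the normal result line just below it; pick one format for both so downstream tooling can rely on it. The enclosing loop in main continues outside the hunk.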
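Review bot: The pattern in `azureSTO` ends in `$` right after the suffix, but `net.LookupCNAME` normally returns a fully-qualified name with a trailing dot, so `azureRegex.MatchString(cname)` will likely never match and the check silently reports nothing. The optional single-label prefix `(?:[a-z0-9-]+\.)?` also rejects multi-label names such as a region-qualified `cloudapp.azure.com` host. Separately, `http.Get` uses the default client, which has no timeout, the response body is never closed, and every error (TLS failure, timeout, connection refused) is reported as a possible takeover, although only a name that does not resolve supports that conclusion. The regex is also recompiled on every call and belongs at package scope. The sketch below needs `errors` and `time` added to the import block; the 10-second timeout is an illustrative value.

```go
// Compiled once; accepts any number of labels before the Azure suffix and an optional trailing dot.
var azureRegex = regexp.MustCompile(`(?i)^(?:[a-z0-9-]+\.)*(?:cloudapp\.net|azurewebsites\.net|cloudapp\.azure\.com)\.?$`)

// probeClient bounds how long a single probe may block the scan.
var probeClient = &http.Client{Timeout: 10 * time.Second}

// azureSTO reports whether cname is an Azure hostname that no longer resolves.
func azureSTO(cname string, status string) bool {
	if !strings.Contains(status, "NXDOMAIN") || !azureRegex.MatchString(cname) {
		return false
	}
	resp, err := probeClient.Get("https://" + strings.TrimSuffix(cname, "."))
	if err != nil {
		// Only an unresolvable target counts as a finding; TLS errors and timeouts do not.
		var dnsErr *net.DNSError
		return errors.As(err, &dnsErr) && dnsErr.IsNotFound
	}
	resp.Body.Close()
	return false
}
```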