HIOB: WebSite Hacking Series Part 2: Hacking WebSites Using The DotNetNuke Vulnerability

Feb 11, 2015 07:12 PM
Feb 11, 2015 07:17 PM
635592501129306598.jpg

Today, I want to share a tutorial on one of the most useful but old methods which you could use to hack websites, that is using the Dot net nuke (DNN) vulnerability . I know some of you already know about this method.

Note: This method only works if the website has the vulnerability.

Using the DNN vulnerability, One can hack all sites hosted on the server and also upload any file. It is an easy method as compared to other hacking attacks such as SQL Injection ( here ) and Cross Site Scripting ( Coming Soon ) etc.

Introduction

DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly for the personal websites.

The Vulnerability in DNN Content Management System (CMS) allows a user to Upload a File/Shell Remotely without authentication A link for more Information regarding the vulnerability is here on exploitdb

Getting Started

Here we will be using Google Dork to track down sites running DNN (Dot Net Nuke) CMS and are vulnerable to Remote File Upload.

Let's begin folks ...

Navigate to google search and hit any of the dorks below

1. inurl:/tabid/36/language/en-US/Default.aspx

2. inurl:fcklinkgallery.aspx

3. inurl:/portals/0/

inurl: simply tells the bot ( Google's Bot ) to search url's with the text after it ( i.e the text after the inurl: )

You could also limit the search according to countries by adding site:

site: followed by a country's initial, ( Eg, in - India ) will search domains with those initials .

635592433398839954.jpg

After navigating to your chosen website ... We need to perform a little task: Replace: home/tabid/36/language/en-US/Default.aspx with Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx in the url and navigate to the page

Choosing The Correct WebSite

Not all websites running DNN CMS are vulnerable ...

A Website like this is not vulnerable ...

635592436383456633.jpg

One like this is darmm vulnerable and we are good to go !

635592443249309648.jpg

Making The Magic Happen !!!

Hit: Ctrl + Shift + K to drop your javascript browser terminal

635592450273425265.jpg

Now select the 3rd radio button - File {A File On Your Site }

Our page should reload in most cases....

There are two ways here ... Execute Using The URL Bar or our javascript console ....

Type: javascript:_doPostBack('ctlURL$cmdUpload','') in the terminal box ...

635592459726592546.jpg

Should our code be a success, The Page Will Reload and we should now have an upload button to upload our shells, images or what have we ...

635592462312331785.jpg

Checking Upload Restrictions (If Any)

We can create a php shell and try to upload it ( Should The Upload Restrict Php Files, It will alert us ) . You can find how to generate a php shell or a back-connect file using weevely in Kali Linux here ...

Now let's Upload ...

635592468363737309.jpg

Ooops!!! Php Files Denied .... Valid Files: ( . swf, .jpg, .jpeg, .jpe, .gif, .bmp, .png, .doc, .xls, .ppt, .pdf, .txt, .xml, .xsl, .css, .zip )

635592481693356730.jpg

Well, I will cover how to bypass most file restrictions websites use in my upcoming tutorial's so be sure to stay tuned ...

Now let's create and upload a text file as it is accepted as a valid file...

Text File Name: null-byte_wonderhowto.txt

635592483923064409.jpg

Save it ... ( Create any if u can't )

Time For Upload

Now back to the browser, Click The Upload Button Again And Select The Text File and click: Upload Selected File ... ( We shouldn't have any error as this stage )

635592488582492875.jpg

Accessing Uploaded Files

Now to access the uploaded file, We simply replace the whole url with

the website's domain address and append "/portals/0/" followed by our file name

> http://target.com//portals/0/uploaded_file_name_goes_here

So it's gonna be: http://site.com/portals/0/null-byte_wonderhowto.txt

......................................................................................................................

635592494102805258.jpg

As you can see: We successfully uploaded our null-byte file ...

I will find time to discuss bypassing website upload restriction.

Hope you had luck performing the tutorial and Have a nice day !!!

Please correct me for any misinformation or error you may find as well as comment if you don't understand anything.

#Sky

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!