mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
48 lines
1.2 KiB
Markdown
48 lines
1.2 KiB
Markdown
# DotNetNuke (DNN)
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
## DotNetNuke (DNN)
|
|
|
|
If you enter as **administrator** in DNN it's easy to obtain RCE.
|
|
|
|
## RCE
|
|
|
|
### Via SQL
|
|
|
|
A SQL console is accessible under the **`Settings`** page where you can enable **`xp_cmdshell`** and **run operating system commands**.
|
|
|
|
Use these lines to enable **`xp_cmdshell`**:
|
|
|
|
```sql
|
|
EXEC sp_configure 'show advanced options', '1'
|
|
RECONFIGURE
|
|
EXEC sp_configure 'xp_cmdshell', '1'
|
|
RECONFIGURE
|
|
```
|
|
|
|
And press **"Run Script"** to run that sQL sentences.
|
|
|
|
Then, use something like the following to run OS commands:
|
|
|
|
```sql
|
|
xp_cmdshell 'whoami'
|
|
```
|
|
|
|
### Via ASP webshell
|
|
|
|
In `Settings -> Security -> More -> More Security Settings` you can **add new allowed extensions** under `Allowable File Extensions`, and then clicking the `Save` button.
|
|
|
|
Add **`asp`** or **`aspx`** and then in **`/admin/file-management`** upload an **asp webshell** called `shell.asp` for example.
|
|
|
|
Then access to **`/Portals/0/shell.asp`** to access your webshell.
|
|
|
|
### Privilege Escalation
|
|
|
|
You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for example.
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
|
|
|