Menu

Search for hundreds of thousands of exploits

"DotNetNuke 9.5 - Persistent Cross-Site Scripting"

Author

Exploit author

"Sajjad Pourali"

Platform

Exploit platform

aspx

Release date

Exploit published date

2020-02-24

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
# Exploit Title: DotNetNuke 9.5 - Persistent Cross-Site Scripting
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175

DNN allows normal users to upload XML files by using journal tools in their profile. An attacker could upload XML files which may execute malicious scripts in the user’s browser.

In XML, a namespace is an identifier used to distinguish between XML element names and attribute names which might be the same. One of the standard namespaces is “http://www.w3.org/1999/xhtml” which permits us to run XHTML tags such as <script>.

For instance, uploading the following code as an XML file executes javascript and shows a non-harmful ‘XSS’ alert.

<?xml version="1.0" encoding="UTF-8"?>
<script xmlns="http://www.w3.org/1999/xhtml">
 alert('XSS');
</script>

Though stealing of authentication cookies are not possible at this time (because the authentication’s cookies are set as HttpOnly by default), XSS attacks are not limited to stealing users’ cookies. Using XSS vulnerability, an attacker can perform other more damaging attacks on other or high privileged users, for example, bypassing CSRF protections which allows uploading “aspx” extension files through settings page which leads to upload of backdoor files.
Release DateTitleTypePlatformAuthor
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-24"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-24"UliCMS 2020.1 - Persistent Cross-Site Scripting"webappsphpSunCSR
Release DateTitleTypePlatformAuthor
2020-02-24"DotNetNuke 9.5 - File Upload Restrictions Bypass"webappsaspx"Sajjad Pourali"
2020-02-24"DotNetNuke 9.5 - Persistent Cross-Site Scripting"webappsaspx"Sajjad Pourali"
2019-12-18"Telerik UI - Remote Code Execution via Insecure Deserialization"webappsaspx"Bishop Fox"
2019-12-17"NopCommerce 4.2.0 - Privilege Escalation"webappsaspx"Alessandro Magnosi"
2019-12-16"Roxy Fileman 1.4.5 - Directory Traversal"webappsaspx"Patrik Lantz"
2019-11-12"Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-12"Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-12"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-05"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection"webappsaspx"Fabian Mosch_ Nick Theisinger"
2019-09-25"Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting"webappsaspx"Davide Cioccia"
2019-07-11"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting"webappsaspx"Owais Mehtab"
2019-06-25"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal"webappsaspx"Aaron Bishop"
2019-06-20"BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection"webappsaspx"Aaron Bishop"
2019-06-19"BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution"webappsaspx"Aaron Bishop"
2019-06-19"BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution"webappsaspx"Aaron Bishop"
2019-06-13"Sitecore 8.x - Deserialization Remote Code Execution"webappsaspx"Jarad Kopf"
2019-02-12"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution"webappsaspx"Dustin Cobb"
2019-01-14"Umbraco CMS 7.12.4 - Authenticated Remote Code Execution"webappsaspx"Gregory Draperi"
2018-10-29"Library Management System 1.0 - 'frmListBooks' SQL Injection"webappsaspx"Ihsan Sencan"
2018-10-24"Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting"webappsaspx"Dino Barlattani"
2018-10-10"Ektron CMS 9.20 SP2 - Improper Access Restrictions"webappsaspxalt3kx
2018-08-06"Sitecore.Net 8.1 - Directory Traversal"webappsaspxChris
2018-06-04"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting"webappsaspx"Chris Barretto"
2018-03-13"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities"webappsaspx"SEC Consult"
2018-02-02"IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting"webappsaspx1n3
2018-01-24"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload"webappsaspx"Paul Taylor"
2018-01-24"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure"webappsaspx"Paul Taylor"
2017-12-27"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)"webappsaspx"Glafkos Charalambous"
2017-11-16"LanSweeper 6.0.100.75 - Cross-Site Scripting"webappsaspx"Miguel Mendez Z"
2017-09-27"SmarterStats 11.3.6347 - Cross-Site Scripting"webappsaspxsqlhacker
Release DateTitleTypePlatformAuthor
2020-02-24"DotNetNuke 9.5 - File Upload Restrictions Bypass"webappsaspx"Sajjad Pourali"
2020-02-24"DotNetNuke 9.5 - Persistent Cross-Site Scripting"webappsaspx"Sajjad Pourali"
2013-08-15"DotNetNuke DNNArticle Module 10.0 - SQL Injection"webappsphp"Sajjad Pourali"
2013-08-13"DotNetNuke 6.1.x - Cross-Site Scripting"webappsasp"Sajjad Pourali"
2013-01-07"Ettercap 0.7.5.1 - Stack Overflow"dosunix"Sajjad Pourali"
2012-01-13"MailEnable Webmail - Cross-Site Scripting"webappsasp"Sajjad Pourali"
2012-01-12"MailEnable 6.02 - 'ForgottonPassword.aspx' Cross-Site Scripting"webappsasp"Sajjad Pourali"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48124/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

CipherProtocolsSigalgTrusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

HostWAF detected

Browse exploit APIBrowse