Dot Net Nuke Hacking
Sunday, April 15, 2012
By
Unknown
DNN,
Dot Net Nuke,
hacking,
hacking tools,
Website Hacking
3
comments
DNN Portal Hijacking Tutorial
______________________________________________________
Author: Rishabh Saxena
Facebook Page: Learn to hack (https://www.facebook.com/teamLTH)
______________________________________________________________
Q) What is DNN ?
A) DNN stands for Dot Net Nuke.It is an open source CMS [Content management system] based on .Net platform . It allows management of websites without much technical language which supports large number of third party apps. It requires Internet Information services 6 [IIS 6.0] and ASP.NET and supports SQL server 2003 and 2008 .
Q) What is This hack about?
A) Well there is a security hole in DNN which allows any attacker to upload data to the server. This way you can upload a shell to the server.
So lets start!
______________________________
Steps:
1) Google dork for vulnerable websites : inurl:/tabid/36/language/
2) After searching the above dork in Google you will come across many sites , open anyone you like .
3)You will see /Home/tabid/36/Language/en-US/
4)Just replace it with /Providers/
5)Now you will see a page titled **LINK GALLERY** Having some upload options.
6)Now Choose option ""File"" .
7) The inject the following javascript code in the Browser address bar javascript:__doPostBack('ctlURL$cmdUpload','')
Explanation for ctlURL$cmdupload ctlurl is URL control function which opens the cmdupload option which allows attacker to upload a file.
Sometimes the Browser removes *JAVASCRIPT* from this command while copy-pasting , so after pasting the command in browser just check if the **javascript** is still written there if it isnt there write *javascript* before :__doPostBack('ctlURL$cmdUpload','')so the command should always look like :
javascript:__doPostBack('ctlURL$cmdUpload','')
8) Now the ""Choose file"" option will come up .
9) Now choose file and select root click on "upload selected file" , upload any deface html page or any shell and start having fun
10) Now you can view your file/shell at portals/0/
11) Additional step : Well sometimes website admin changes the upload permissions and adds filter to the uploader so that u can just upload .jpeg/.jpg/.txt files .
To bypass this filter just rename the shell to
shell.php;.txt
shell.php;.jpg
or any other extension which is allowed
this way when u parse the request for the page/shell in the browser it will read upto .php only it wont read .txt as ";" sign ends the request.
______________________________
Example scenario :
I googled the DORK and it disaplyed list of some sites .
i opened one of the site listed there :
http://www.*****.@@home/tabid/36/
then i changed the **home/tabid/36/language/
So the edited URL was like this :
http://www.*****.@@/Providers/
Then i clicked on Option ""File"" Then in the address bar i injected this javascript : javascript:__doPostBack('ctlUR
then a "Choose file" option comes up .
I Browsed to my page/shell and click on "Upload selected file" the file was uploaded to : http://www.*****.@@/portals/0/
______________________________
Well i am assuming that readers have knowledge about some terms mentioned above like :
CMS :- http://en.wikipedia.org/wiki/
DNN :- http://en.wikipedia.org/wiki/
.NET :- http://en.wikipedia.org/wiki/
SHELL :- http://en.wikipedia.org/wiki/
If you don't know ,just read from the links mentioned above.
NOTE: This tutorial is for educational purposes only, Use at your own risk. The Author And The Blog is not responsible for any consequence, be it Good or Bad!!
Original Author: Rishabh Saxena [Member Of Computer Korner]
Facebook Page: Learn to hack (https://www.facebook.com/teamLTH)
Do Not Forget to Visit The LTH Page To Get More Updates!
Thank You!
Feel Free To Leave A Comment
If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!
______________________________________________________
Author: Rishabh Saxena
Facebook Page: Learn to hack (https://www.facebook.com/teamLTH)
______________________________________________________________
Q) What is DNN ?
A) DNN stands for Dot Net Nuke.It is an open source CMS [Content management system] based on .Net platform . It allows management of websites without much technical language which supports large number of third party apps. It requires Internet Information services 6 [IIS 6.0] and ASP.NET and supports SQL server 2003 and 2008 .
Q) What is This hack about?
A) Well there is a security hole in DNN which allows any attacker to upload data to the server. This way you can upload a shell to the server.
So lets start!
______________________________
Steps:
1) Google dork for vulnerable websites : inurl:/tabid/36/language/
2) After searching the above dork in Google you will come across many sites , open anyone you like .
3)You will see /Home/tabid/36/Language/en-US/
4)Just replace it with /Providers/
5)Now you will see a page titled **LINK GALLERY** Having some upload options.
6)Now Choose option ""File"" .
7) The inject the following javascript code in the Browser address bar javascript:__doPostBack('ctlURL$cmdUpload','')
Explanation for ctlURL$cmdupload ctlurl is URL control function which opens the cmdupload option which allows attacker to upload a file.
Sometimes the Browser removes *JAVASCRIPT* from this command while copy-pasting , so after pasting the command in browser just check if the **javascript** is still written there if it isnt there write *javascript* before :__doPostBack('ctlURL$cmdUpload','')so the command should always look like :
javascript:__doPostBack('ctlURL$cmdUpload','')
8) Now the ""Choose file"" option will come up .
9) Now choose file and select root click on "upload selected file" , upload any deface html page or any shell and start having fun
10) Now you can view your file/shell at portals/0/
11) Additional step : Well sometimes website admin changes the upload permissions and adds filter to the uploader so that u can just upload .jpeg/.jpg/.txt files .
To bypass this filter just rename the shell to
shell.php;.txt
shell.php;.jpg
or any other extension which is allowed
this way when u parse the request for the page/shell in the browser it will read upto .php only it wont read .txt as ";" sign ends the request.
______________________________
Example scenario :
I googled the DORK and it disaplyed list of some sites .
i opened one of the site listed there :
http://www.*****.@@home/tabid/36/
then i changed the **home/tabid/36/language/
So the edited URL was like this :
http://www.*****.@@/Providers/
Then i clicked on Option ""File"" Then in the address bar i injected this javascript : javascript:__doPostBack('ctlUR
then a "Choose file" option comes up .
I Browsed to my page/shell and click on "Upload selected file" the file was uploaded to : http://www.*****.@@/portals/0/
______________________________
Well i am assuming that readers have knowledge about some terms mentioned above like :
CMS :- http://en.wikipedia.org/wiki/
DNN :- http://en.wikipedia.org/wiki/
.NET :- http://en.wikipedia.org/wiki/
SHELL :- http://en.wikipedia.org/wiki/
If you don't know ,just read from the links mentioned above.
NOTE: This tutorial is for educational purposes only, Use at your own risk. The Author And The Blog is not responsible for any consequence, be it Good or Bad!!
Original Author: Rishabh Saxena [Member Of Computer Korner]
Facebook Page: Learn to hack (https://www.facebook.com/teamLTH)
Do Not Forget to Visit The LTH Page To Get More Updates!
Thank You!
Feel Free To Leave A Comment
If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!
Written by CK Admins
Computer Korner is an open knowledge sharing site, where the we try to share our experience with IT, Security, Networking, System Administration tasks faced in day to day life. Articles from visitors are highly appreciated. Contact Us at : Click Here
![Admin Login Page Finder [FIND HIM]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtkK9xhlqxxiLTBdn2Nnai294ujo71klhdSRyAPP-erxvA4kRqWB0AfwZ2S8aXyQIyATI61-kmDnU_Bqf0f2fRWmUTH7pGawZX6icydUI5aEcpbfzBWYBazS9n619PxaXef4rVaJbV46k/s72-c/mysqladded.PNG){kind=small}
I have checked this on many websites but after the link gallery page and adding that javascript.No "choose file" come .Tell me wht's the problem?
ReplyDeleteans at 143ajaygupta@gmail.com
There is no problem, DNN is very old. they are patched now, if no upload option is found, check with other sites.
ReplyDeleteCan you tell me a good and simple shell.
ReplyDeleteI tried r57 but it shows a text, also i tried killer3n but i can't understand it.
Please tell a shell for purpose of just replacing index.html