hacktricks/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md
2024-12-12 11:39:29 +01:00

3.2 KiB

DotNetNuke (DNN)

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

DotNetNuke (DNN)

If you enter as administrator in DNN it's easy to obtain RCE.

RCE

Via SQL

A SQL console is accessible under the Settings page where you can enable xp_cmdshell and run operating system commands.

Use these lines to enable xp_cmdshell:

EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

And press "Run Script" to run that sQL sentences.

Then, use something like the following to run OS commands:

xp_cmdshell 'whoami'

Via ASP webshell

In Settings -> Security -> More -> More Security Settings you can add new allowed extensions under Allowable File Extensions, and then clicking the Save button.

Add asp or aspx and then in /admin/file-management upload an asp webshell called shell.asp for example.

Then access to /Portals/0/shell.asp to access your webshell.

Privilege Escalation

You can escalate privileges using the Potatoes or PrintSpoofer for example.

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}