PHP and Website Security

Is DNN Exploit Still Alive?

Dot Net Nuke (DNN) is still the most popular ASP.NET content management systems available today. But is the Dot Net Nuke Exploit also known as the Semi-Colon Bug still alive today? Yes it is still alive but for DNN versions 4.9.2 and below, thus you need to update your version now before your site gets backdoored.

For those of you who are not familiar of the DNN Exploit, lemme explain it in my own way (n00bz way). This kind of exploit allows an attacker or a script kiddie uploads any file into the server like images, ASP backdoor shells, text files, etc.

The vulnerable link is a sub-folder of the on a DNN site which can be found here: Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

DNN Vulnerable Portal

In fact the above link can be used as a Google dork in order to find vulnerable sites easier but we can also have inurl:”/portals/0″ to find other DNN sites which may be vulnerable or non-vulnerable. Until today a lot of websites have this kind of vulnerability which was once a zero day vulnerability which for me is like the Tinthumb vulnerability of this year. 

The next thing an attacker does is to chose the third option: File ( A File On Your Site )

After selecting the third option, the attacker replaces the URL bar with a java script and it should allow you to upload a file such as .txt,.jpg,swf,.gif,etc.  Below is the java script that allows the attacker to deface the website:

javascript:__doPostBack(‘ctlURL$cmdUpload’,”)

Remote File Uploader

The last thing the attacker does is to find the destination of the file that he uploaded on the website. How? So if the attacker uploaded it in the directory named as “/Images”, then he just need to go to the destination or the URL of the site which is http://www.site.com/portals/0/Images/nameofthefile.txt or if he uploaded it in the Root directory he can find it under http://www.site.com/portals/0/nameofthefile.txt.

In some websites the files with .aspx or .asp can’t be uploaded but can be bypassed though through a Null  Byte Injection which is to rename the file extension to filename.asp;a.jpg. Thus, an attacker could upload his backdoor shell which looks like this:

ASP Backdoor Shell

How to prevent this kind of exploit? There are many ways to fix this kind of vulnerability; update your version to the latest DNN version, rename the fcklinkgallery.aspx, upgrade to IIS 7 or higher, and remove the execute permission on the Portals folder of your DNN site. 

Some Fun Facts: 

1. ABS-CBN was once pawned using the DNN Exploit.

2. There are a lot of websites that are still vulnerable especially if you use the Google dork “fcklinkgallery.aspx”.

3. E-Commerce Philippines is still vulnerable to this exploit.

4. Some DNN websites are also vulnerable to SQL Injection.

4 Comments

  1. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here! keep up the good work.

    Reply

Leave a Reply