This is a vulnerability checking script for Recon-NG that looks for hosts with a Dot Net Nuke fcklinkgallery page that allows for a remote shell upload.
ed7c15cc25a3447557533bfd64be83d545b106112fe7ad39f81e52e6935755c3
import framework
# unique to module
class Module(framework.module):
def __init__(self, params):
framework.module.__init__(self, params)
self.register_option('source', 'db', 'yes', 'source of hosts for module input (see \'info\' for options)')
self.info = {
'Name': 'Dot Net Nuke Remote File Upload Vulnerability Checker',
'Author': 'Jay Turla (@shipcod3)',
'Description': 'Checks the hosts for a DNN fcklinkgallery page which is possibly vulnerable to Remote File Upload.',
'Comments': [
'Source options: [ db | <hostname> | ./path/to/file | query <sql> ]',
'http://www.exploit-db.com/exploits/12700/',
]
}
def module_run(self):
hosts = self.get_source(self.options['source']['value'], 'SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host')
# check all hosts for DNN fcklinkgallery page
protocols = ['http', 'https']
cnt = 0
for host in hosts:
for proto in protocols:
url = '%s://%s/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx' % (proto, host)
try:
resp = self.request(url, redirect=False)
code = resp.status_code
except KeyboardInterrupt:
raise KeyboardInterrupt
except:
code = 'Error'
if code == 200 and '> Link Gallery' in resp.text:
self.alert('%s => %s. Possible DNN Fcklinkgallery page found!' % (url, code))
cnt += 1
else:
self.verbose('%s => %s' % (url, code))
self.output('%d DNN Fcklinkgallery pages found' % (cnt))