import framework # unique to module class Module(framework.module): def __init__(self, params): framework.module.__init__(self, params) self.register_option('source', 'db', 'yes', 'source of hosts for module input (see \'info\' for options)') self.info = { 'Name': 'Dot Net Nuke Remote File Upload Vulnerability Checker', 'Author': 'Jay Turla (@shipcod3)', 'Description': 'Checks the hosts for a DNN fcklinkgallery page which is possibly vulnerable to Remote File Upload.', 'Comments': [ 'Source options: [ db | | ./path/to/file | query ]', 'http://www.exploit-db.com/exploits/12700/', ] } def module_run(self): hosts = self.get_source(self.options['source']['value'], 'SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host') # check all hosts for DNN fcklinkgallery page protocols = ['http', 'https'] cnt = 0 for host in hosts: for proto in protocols: url = '%s://%s/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx' % (proto, host) try: resp = self.request(url, redirect=False) code = resp.status_code except KeyboardInterrupt: raise KeyboardInterrupt except: code = 'Error' if code == 200 and '> Link Gallery' in resp.text: self.alert('%s => %s. Possible DNN Fcklinkgallery page found!' % (url, code)) cnt += 1 else: self.verbose('%s => %s' % (url, code)) self.output('%d DNN Fcklinkgallery pages found' % (cnt))