

Recon-ng / modules / discovery / exploitable / http / dnn_fcklinkgallery.py

import framework
# unique to module

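class Module(framework.module):
    """Flag hosts that expose the DNN FCK editor link-gallery page.

    The check is presence-only: it requests one fixed path over http and
    https and treats a 200 response containing the link-gallery marker as a
    hit. A hit means the page is reachable and should be triaged (confirm the
    DNN version, restrict or remove access to the page); it does not confirm
    that file upload is actually possible on that host.
    """

    def __init__(self, params):
        """Register the 'source' option and the module metadata."""
        framework.module.__init__(self, params)
        self.register_option('source', 'db', 'yes', 'source of hosts for module input (see \'info\' for options)')
        self.info = {
            'Name': 'Dot Net Nuke Remote File Upload Vulnerability Checker',
            'Author': 'Jay Turla (@shipcod3)',
            'Description': 'Checks the hosts for a DNN fcklinkgallery page which is possibly vulnerable to Remote File Upload.',
            'Comments': [
                'Source options: [ db | <hostname> | ./path/to/file | query <sql> ]',
            ],
        }

    def module_run(self):
        """Probe every source host and report those serving the page.

        Hosts come from the 'source' option (the hosts table by default).
        Each host is requested over both http and https, so the final count
        is a count of matching URLs, not of distinct hosts.
        """
        hosts = self.get_source(self.options['source']['value'], 'SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL ORDER BY host')

        # check all hosts for DNN fcklinkgallery page
        protocols = ['http', 'https']
        cnt = 0
        for host in hosts:
            for proto in protocols:
                url = '%s://%s/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx' % (proto, host)
                try:
                    # redirect=False: presumably a 3xx answer is reported
                    # as-is instead of being followed to another page --
                    # confirm against framework.module.request.
                    resp = self.request(url, redirect=False)
                    code = resp.status_code
                except KeyboardInterrupt:
                    # Let the operator abort the whole run.
                    raise
                except Exception:
                    # Connection, DNS and TLS failures are recorded, not
                    # fatal. 'Error' never equals 200, so the check below
                    # short-circuits before touching resp.
                    code = 'Error'
                # Status code alone is not enough: sites that answer 200 for
                # unknown paths would otherwise be reported, so the body must
                # also carry the page's own marker text.
                if code == 200 and '> Link Gallery' in resp.text:
                    self.alert('%s => %s. Possible DNN Fcklinkgallery page found!' % (url, code))
                    cnt += 1
                else:
                    # Non-matching responses are shown in verbose mode only.
                    self.verbose('%s => %s' % (url, code))
        self.output('%d DNN Fcklinkgallery pages found' % (cnt))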