Photo Fusion - Arbitrary File Upload

EDB-ID:

42797




Platform:

PHP

Date:

2017-09-26


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

# # # # # 
# Exploit Title: Photo Fusion - Free Stock Photos Script - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/photo-fusion-free-stock-photos-script/20115244
# Demo: http://teamworktec.com/demo/photos-fusion/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# 
# The vulnerability allows an users upload arbitrary file....
# 
# Vulnerable Source:
# 
#     /*Change profile picture*/
#     public function changeAvatar(Request $request){
#         if(Auth::user()){
#             $user = User::find(Auth::id());
#             $user->avatar = $request->picture->getClientOriginalName();
#             $user->save();
#             $file = $request->picture;
#             $file->move('uploads', $file->getClientOriginalName());
#             return $request->picture->getClientOriginalName();
#         }
#         return 'please login to change avatar';
#     }
# 
#     /*Change profile cover*/
#     public function changeCover(Request $request){
#         if(Auth::user()){
#             $user = User::find(Auth::id());
#             $user->cover = $request->cover->getClientOriginalName();
#             $user->save();
#             $file = $request->cover;
#             $file->move('uploads', $file->getClientOriginalName());
#             return $request->cover->getClientOriginalName();
#         }
#         return 'please login to change avatar';
#     }
# 	
# Proof of Concept: 
# 
# http://localhost/[PATH]/
# http://localhost/[PATH]/uploads/[FILE]
# 
# Etc..
# # # # #