# # # # #
# Exploit Title: Photo Fusion - Free Stock Photos Script - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://teamworktec.com/
# Software Link: https://codecanyon.net/item/photo-fusion-free-stock-photos-script/20115244
# Demo: http://teamworktec.com/demo/photos-fusion/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an users upload arbitrary file....
#
# Vulnerable Source:
#
# /*Change profile picture*/
# public function changeAvatar(Request $request){
# if(Auth::user()){
# $user = User::find(Auth::id());
# $user->avatar = $request->picture->getClientOriginalName();
# $user->save();
# $file = $request->picture;
# $file->move('uploads', $file->getClientOriginalName());
# return $request->picture->getClientOriginalName();
# }
# return 'please login to change avatar';
# }
#
# /*Change profile cover*/
# public function changeCover(Request $request){
# if(Auth::user()){
# $user = User::find(Auth::id());
# $user->cover = $request->cover->getClientOriginalName();
# $user->save();
# $file = $request->cover;
# $file->move('uploads', $file->getClientOriginalName());
# return $request->cover->getClientOriginalName();
# }
# return 'please login to change avatar';
# }
#
# Proof of Concept:
#
# http://localhost/[PATH]/
# http://localhost/[PATH]/uploads/[FILE]
#
# Etc..
# # # # #
