Comments (5)
Hi,
Thanks for taking the time to evaluate the tool. I'm not entirely sure I understand your question.
Typically if you have a file in /var/www which calls include($_GET['file']) then it doesn't really matter if you're hitting ../../etc/passwd or ../../../../../../etc/passwd, they will both return the file. dotdotpwn does support the use of Bisection (-X) to determine the actual number of directories deep the traverrsal is although it appears to be broken in the current codebase. You can also set the deepness with the -d switch.
If you were to specify both bisection and deepness it will go from max to low, ie: it will try ../../../../../../etc/passwd first.
I think the only thing missing is full path inclusion, the vulnerable example code above also allows the use of '/etc/passwd' without traversing and dotdotpwn does not currently detect this.
I will look at fixing the bisection algorithm though as I think this is the solution you seek.
from dotdotpwn.
Hi,
and thank you for the reply and for maintaining this software/repository.
Consider the following scenario:
URL: http://example.com/foo/getfile.php?f=TRAVERSAL
Webroot: /var/www/foo
Skript getfile.php using include($_GET['f'])
If you're using the -d switch with -d 3 dotdotpwn will create the following pattern:
http://example.com/foo/getfile.php?f=../etc/passwd
http://example.com/foo/getfile.php?f=../../etc/passwd
http://example.com/foo/getfile.php?f=../../../etc/passwd
and go from low to high. But we know that the first two will never reach /etc/passwd.
The same happens when we use the -X swtich. If i understand this correctly the following patterns will be created:
http://example.com/foo/getfile.php?f=../../../etc/passwd
http://example.com/foo/getfile.php?f=../../etc/passwd
http://example.com/foo/getfile.php?f=../etc/passwd
If no vulnerability is found all three patterns from high to low are used even if we know that the last three won't get any results. Or am i wrong?
Then it could be useful to create a switch like -dm where a min. deepness can be specified to save the requests where we know that they don't get any results back.
Thanks for your time.
from dotdotpwn.
Part of the problem is that on a penetration test you won't know how many directories deep the traversal is. IIRC the longest I've seen in the wild was 13 deep which is actaully not detected by many tools. You can use -b to break after the first vulnerability is found which should also determine the exact deepness of the traversal. I'm not sure I see the real value in skipping two requests, sure it will improve performance by a small margin, however you can gain far better performance by targetting a specific file such as /etc/passwd instead of bruteforcing several file options.
The -X algorithm goes from 16 deep to low and determines the actual deepnes of the traversal. With your example the output should be:
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
[+] Replacing "TRAVERSAL" with the traversals created and sending
[*] Testing URL: http://localhost/inc.php?f=../../../../../../../../../../../../../../../../etc/passwd <- VULNERABLE
[========= BISECTION ALGORITHM =========]
[+] Medium point between 1 - 16 = 8; Vulnerable = YES
[+] Medium point between 1 - 8 = 4; Vulnerable = YES
[+] Medium point between 1 - 4 = 2; Vulnerable = YES
[+] Medium point between 1 - 2 = 1; Vulnerable = NO
[+] EXACT TRAVERSAL: ../../etc/passwd
[+] EXACT DEEPNESS : 2 times '../'
[+] Fuzz testing finished after 0.00 minutes (0 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/localhost_03-05-2014_16-20.txt
I have fixed the bisection algorithm in my repo. If you would like to explain the reason behind your feature request I might get it otherrwise I don't think it's really worth the time it would take to implement.
from dotdotpwn.
Hi,
and sorry for the late reply.
During the last pentests where i have used DotDotPwn the exact physical path was known from various sources like application stack traces, phpinfo and so on.
But i havn't really tested the -X parameter and thanks to your post i know now how it works.
So it should be enough to use the -X parameter to go from high to low and break the run of DotDotPwn after the highest deepness which matches the known physical path.
If i have some free time i will make some digging through the code and create a pull request containing a parameter for a single deepness. This could be useful in my opinion so i don't need to watch the console and break the run of DotDotPwn if no vulnerability was found but the highest deepness was running through.
from dotdotpwn.
Hi,
closing this as the -X parameter is exactly doing the "single deepness" which i was talking about.
from dotdotpwn.
Related Issues (20)
- can't find the Reports folder HOT 5
- No issue
- Make -k switch optional and use sane defaults for patterns
- Fix directory separator in file variants
- vulnerable results 403 forbidden HOT 3
- Ping reply as condition to continue the test HOT 2
- Redirected URLs leads to false positive results. HOT 1
- Changing port from default just shows 443 HOT 4
- https HOT 1
- Basic auth for http? HOT 3
- Setting Authorization (or any other) Header HOT 1
- Web Server (all-around-audit-solutions.com) Didn't Respond HOT 1
- System-wide install HOT 1
- Cookie support and custom headers? HOT 2
- using case HOT 1
- too slow HOT 3
- Typo in help banner HOT 2
- Web server didn't respond HOT 4
- Error load scriptlib perl HOT 5
- No Cookie Usage HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dotdotpwn.