ابزار DotDotPwn یک fuzzer قدرتمند، منعطف و هوشمند جهت یافتن آسیب پذیری Directory Traversal روی سرورهای HTTP/FTP/TFTP و برنامه های وب CMSs, ERPs, Blogs می باشد. این ابزار با Perl نوشته شده و روی Platform های ویندوز و لینوکس قابل استفاده می باشد.
ماژول های Fuzzing که توسط این ابزار پشتیبانی می شوند.
HTTP HTTP URL FTP TFTP Payload (Protocol independent) STDOUT
لینک منبع: https://github.com/wireghoul/dotdotpwn
لایسنس: GPLv2
سازنده: chr1x, nitr0us
نمونه دستور:
[email protected]:~# dotdotpwn.pl ################################################################################# # # # CubilFelino Chatsubo # # Security Research Lab and [(in)Security Dark] Labs # # chr1x.sectester.net chatsubo-labs.blogspot.com # # # # pr0udly present: # # # # ________ __ ________ __ __________ # # \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ # # | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ # # | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ # # /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / # # \/ \/ \/ # # - DotDotPwn v3.0 - # # The Directory Traversal Fuzzer # # http://dotdotpwn.sectester.net # # [email protected] # # # # by chr1x & nitr0us # ################################################################################# Usage: ./dotdotpwn.pl -m -h [OPTIONS] Available options: -m Module [http | http-url | ftp | tftp | payload | stdout] -h Hostname -O Operating System detection for intelligent fuzzing (nmap) -o Operating System type if known ("windows", "unix" or "generic") -s Service version detection (banner grabber) -d Depth of traversals (e.g. deepness 3 equals to ../../../; default: 6) -f Specific filename (e.g. /etc/motd; default: according to OS detected, defaults in TraversalEngine.pm) -E Add @Extra_files in TraversalEngine.pm (e.g. web.config, httpd.conf, etc.) -S Use SSL - for HTTP and Payload module (use https:// for in url for http-uri) -u URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337) -k Text pattern to match in the response (http-url & payload modules - e.g. "root:" if trying /etc/passwd) -p Filename with the payload to be sent and the part to be fuzzed marked with the TRAVERSAL keyword -x Port to connect (default: HTTP=80; FTP=21; TFTP=69) -t Time in milliseconds between each test (default: 300 (.3 second)) -X Use the Bisection Algorithm to detect the exact deepness once a vulnerability has been found -e File extension appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc") -U Username (default: 'anonymous') -P Password (default: '[email protected]') -M HTTP Method to use when using the 'http' module [GET | POST | HEAD | COPY | MOVE] (default: GET) -r Report filename (default: 'HOST_MM-DD-YYYY_HOUR-MIN.txt') -b Break after the first vulnerability is found -q Quiet mode (doesn't print each attempt) -C Continue if no data was received from host
طریقه استفاده:
[email protected]:~# dotdotpwn.pl -m http -h 192.168.1.1 -M GET ################################################################################# # # # CubilFelino Chatsubo # # Security Research Lab and [(in)Security Dark] Labs # # chr1x.sectester.net chatsubo-labs.blogspot.com # # # # pr0udly present: # # # # ________ __ ________ __ __________ # # \______ \ ____ _/ |_\______ \ ____ _/ |_\______ \__ _ __ ____ # # | | \ / _ \\ __\| | \ / _ \\ __\| ___/\ \/ \/ // \ # # | ` \( <_> )| | | ` \( <_> )| | | | \ /| | \ # # /_______ / \____/ |__| /_______ / \____/ |__| |____| \/\_/ |___| / # # \/ \/ \/ # # - DotDotPwn v3.0 - # # The Directory Traversal Fuzzer # # http://dotdotpwn.sectester.net # # [email protected] # # # # by chr1x & nitr0us # ################################################################################# [+] Report name: Reports/192.168.1.1_05-20-2014_08-41.txt [========== TARGET INFORMATION ==========] [+] Hostname: 192.168.1.1 [+] Protocol: http [+] Port: 80 [=========== TRAVERSAL ENGINE ===========] [+] Creating Traversal patterns (mix of dots and slashes) [+] Multiplying 6 times the traversal patterns (-d switch) [+] Creating the Special Traversal patterns [+] Translating (back)slashes in the filenames [+] Adapting the filenames according to the OS type detected (generic) [+] Including Special sufixes [+] Traversal Engine DONE ! - Total traversal tests created: 19680 [=========== TESTING RESULTS ============] [+] Ready to launch 3.33 traversals per second [+] Press Enter to start the testing (You can stop it pressing Ctrl + C)
نکته: با استفاده از ماژول HTTP scan روی هاست 192.168.1.1 عملیات اسکن را با استفاده از GET انجام می دهد.