Overview
DotDotPwn is a comprehensive directory traversal fuzzer designed to test web servers and applications for path traversal vulnerabilities. It supports multiple traversal patterns, encoding methods, and protocol variations. DotDotPwn is effective for testing various platforms including Apache, IIS, and custom web applications, making it a valuable tool for vulnerability assessment and penetration testing.
The tool systematically tests different traversal sequences, encoding techniques, and protocols to identify path traversal weaknesses that could allow unauthorized access to sensitive files.
Installation
Install via apt (Kali Linux/Debian)
sudo apt-get update
sudo apt-get install dotdotpwn
From source
git clone https://github.com/wireghoul/dotdotpwn.git
cd dotdotpwn
perl dotdotpwn.pl -h
Perl dependencies
# Install required Perl modules
sudo apt-get install libwww-perl
sudo apt-get install libio-socket-ssl-perl
# Or via cpan
cpan IO::Socket::SSL
cpan LWP::UserAgent
Verify installation
perl dotdotpwn.pl --version
perl dotdotpwn.pl --help
which dotdotpwn # If installed as symlink
Basic Usage
| Command | Description |
|---|---|
| perl dotdotpwn.pl -h target.com -t http | Test HTTP for directory traversal |
| perl dotdotpwn.pl -h target.com -t ftp | Test FTP for directory traversal |
| perl dotdotpwn.pl -h target.com -p 8080 -t http | Test custom port |
| perl dotdotpwn.pl -h target.com -u /file.txt -t http | Test specific URL path |
Common Traversal Patterns
HTTP traversal tests
# Basic HTTP traversal test
perl dotdotpwn.pl -h example.com -t http
# Test with verbose output
perl dotdotpwn.pl -h example.com -t http -v
# Test specific port
perl dotdotpwn.pl -h example.com -p 8080 -t http
# Test with custom URL
perl dotdotpwn.pl -h example.com -u /download.php -t http
FTP traversal tests
# Test FTP server
perl dotdotpwn.pl -h ftp.example.com -t ftp
# FTP on non-standard port
perl dotdotpwn.pl -h ftp.example.com -p 2121 -t ftp
# Test with credentials
perl dotdotpwn.pl -h ftp.example.com -t ftp -U user -P password
TFTP and other protocols
# Test TFTP
perl dotdotpwn.pl -h example.com -t tftp
# Test HTTP over TLS (HTTPS)
perl dotdotpwn.pl -h example.com -p 443 -t https
Encoding Methods
| Encoding | Command | Description |
|---|---|---|
| No encoding | -e 0 | Plain ../ patterns |
| URL encoding | -e 1 | %2e%2e%2f patterns |
| Double encoding | -e 2 | %252e%252e%252f patterns |
| UTF-8 encoding | -e 3 | UTF-8 encoded traversal |
| Backslash | -e 4 | Windows-style backslash |
| All encodings | -e a | Test all encoding methods |
Testing different encodings
# Test plain traversal
perl dotdotpwn.pl -h example.com -e 0 -t http
# Test URL encoding
perl dotdotpwn.pl -h example.com -e 1 -t http
# Test double encoding
perl dotdotpwn.pl -h example.com -e 2 -t http
# Test UTF-8 encoding
perl dotdotpwn.pl -h example.com -e 3 -t http
# Test all encodings
perl dotdotpwn.pl -h example.com -e a -t http -v
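A defender-side counterpart to the encodings tested above, as an added example that is not part of the original page or the DotDotPwn project: it normalizes request targets from an access log and flags any that contain a `..` segment under the listed encodings. The log lines, the overlong byte sequences assumed for the UTF-8 variant, and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong 2-byte UTF-8 forms of '.', '/' and '\' (assumed shape of the UTF-8 variant).
OVERLONG = {b"\xc0\xae": b".", b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def normalize(target, max_rounds=5):
    """Percent-decode until stable, fold overlong UTF-8, turn backslashes into '/'."""
    data = target.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        for raw, plain in OVERLONG.items():
            decoded = decoded.replace(raw, plain)
        if decoded == data:
            break
        data = decoded
    return data.replace(b"\\", b"/").decode("latin-1")

def has_traversal(target):
    """True when any path or query segment of the normalized target is exactly '..'."""
    return ".." in re.split(r"[/?&=;]", normalize(target))

def scan(lines):
    """Return (client, raw_target) for every log line whose target traverses."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if match and has_traversal(match.group(1)):
            hits.append((line.split()[0], match.group(1)))
    return hits

# Constructed sample in combined log format (documentation addresses, not real traffic).
STAMP = '- - [10/Mar/2025:10:00:00 +0000]'
SAMPLE_LOG = [
    f'203.0.113.7 {STAMP} "GET /download.php?file=../../../etc/passwd HTTP/1.1" 404 153',
    f'203.0.113.7 {STAMP} "GET /%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 400 0',
    f'203.0.113.7 {STAMP} "GET /%252e%252e%252fetc/passwd HTTP/1.1" 404 153',
    f'203.0.113.7 {STAMP} "GET /%c0%ae%c0%ae%c0%afetc/passwd HTTP/1.1" 400 0',
    f'203.0.113.7 {STAMP} "GET /..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 153',
    f'198.51.100.20 {STAMP} "GET /files/report..v2.pdf HTTP/1.1" 200 5120',
    f'198.51.100.20 {STAMP} "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(f"{client}  {target}  ->  {normalize(target)}")
```

Decoding to a fixed point is what catches the double-encoded form; matching on whole segments keeps names such as `report..v2.pdf` from raising false positives.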
Advanced Options
| Option | Usage | Description |
|---|---|---|
| -m | -m 1 | Web server type (1=Apache, 2=IIS, 3=Tomcat, etc.) |
| -d | -d 5 | Traversal depth (number of ../) |
| -f | -f /etc/passwd | Specific file to look for |
| -c | -c .php | Custom extension filter |
| -s | -s | SSL/HTTPS support |
| -o | -o results.txt | Output file |
| -x | -x 5 | Timeout in seconds |
Custom file targets
# Look for /etc/passwd
perl dotdotpwn.pl -h example.com -f /etc/passwd -t http
# Look for Windows system files
perl dotdotpwn.pl -h example.com -f windows/win.ini -t http
# Look for web server config
perl dotdotpwn.pl -h example.com -f etc/apache2/apache2.conf -t http
# Look for application files
perl dotdotpwn.pl -h example.com -f app/config/database.yml -t http
Custom depths and patterns
# Shallow traversal (few ../ sequences)
perl dotdotpwn.pl -h example.com -d 3 -t http
# Deep traversal (many ../ sequences)
perl dotdotpwn.pl -h example.com -d 10 -t http
# Custom extension
perl dotdotpwn.pl -h example.com -c .asp -t http
# Multiple extensions
perl dotdotpwn.pl -h example.com -c .php,.jsp,.asp -t http
Output and Results
Save results to file
# Verbose output to file
perl dotdotpwn.pl -h example.com -t http -o results.txt
# Review findings
cat results.txt
# Extract successful paths
grep "VULNERABLE\|SUCCESS\|FOUND" results.txt
Parsing results
# Get only vulnerable URLs
perl dotdotpwn.pl -h example.com -t http | grep -i "vulnerable"
# Count potential vulnerabilities
perl dotdotpwn.pl -h example.com -t http | grep -c "FOUND\|SUCCESS"
# Extract file paths
perl dotdotpwn.pl -h example.com -t http | grep -oP '/[^/].*'
Real-World Scenarios
Web application assessment
# Full assessment with all encoding methods
perl dotdotpwn.pl -h target.com -u /download.php -t http -e a -v
# Test multiple paths
for path in /download /file /get /download.php; do
    echo "[*] Testing path: $path"
    perl dotdotpwn.pl -h target.com -u "$path" -t http -e a
done
# Save comprehensive results
perl dotdotpwn.pl -h target.com -t http -e a -o assessment_results.txt
FTP server assessment
# Test FTP with multiple encodings
perl dotdotpwn.pl -h ftp.target.com -t ftp -e a -v
# Test with credentials
perl dotdotpwn.pl -h ftp.target.com -t ftp -U admin -P password -e a
Specific file targeting
# Look for sensitive files
declare -a files=("/etc/passwd" "web.config" "config.php" "settings.xml")
for file in "${files[@]}"; do
    echo "[*] Looking for: $file"
    perl dotdotpwn.pl -h example.com -f "$file" -t http -e a
done
Multiple depth testing
# Test various traversal depths
for depth in 3 5 7 10 15; do
    echo "[*] Testing depth: $depth"
    perl dotdotpwn.pl -h example.com -d "$depth" -t http -v
done
Server-Specific Testing
Apache testing
# Test Apache specifically
perl dotdotpwn.pl -h apache.target.com -m 1 -t http
# Look for Apache config
perl dotdotpwn.pl -h apache.target.com -f etc/apache2/apache2.conf -t http
# Test for .htaccess
perl dotdotpwn.pl -h apache.target.com -f .htaccess -t http
IIS testing
# Test IIS specifically
perl dotdotpwn.pl -h iis.target.com -m 2 -t http
# Look for web.config
perl dotdotpwn.pl -h iis.target.com -f windows/web.config -t http
# IIS with backslash encoding
perl dotdotpwn.pl -h iis.target.com -e 4 -t http
Tomcat testing
# Test Tomcat specifically
perl dotdotpwn.pl -h tomcat.target.com -m 3 -t http
# Look for Tomcat configuration
perl dotdotpwn.pl -h tomcat.target.com -f conf/server.xml -t http
Troubleshooting
Connection issues
# Test connectivity first
ping target.com
nc -zv target.com 80
# Use timeout option
perl dotdotpwn.pl -h target.com -t http -x 10
# Check if SSL is needed
perl dotdotpwn.pl -h target.com -p 443 -s -t http
No results found
# Try verbose mode to see what's being tested
perl dotdotpwn.pl -h target.com -t http -v
# Test with specific path
perl dotdotpwn.pl -h target.com -u /download.php -t http -v
# Try all encoding methods
perl dotdotpwn.pl -h target.com -e a -t http -v
Permission issues
# Check Perl module installation
perl -MLWP::UserAgent -e 'print "OK\n"'
# Reinstall modules if needed
cpan -i IO::Socket::SSL
cpan -i LWP::UserAgent
Chain with vulnerability scanners
# Use DotDotPwn findings in other tools
perl dotdotpwn.pl -h example.com -t http > vulnerable_paths.txt
# Further test with curl
# IFS= and -r keep leading whitespace and backslashes in each path intact
while IFS= read -r path; do
    curl "http://example.com$path"
done < vulnerable_paths.txt
Automated assessment
#!/bin/bash
TARGET="example.com"
ENCODINGS=(0 1 2 3 4)
for encoding in "${ENCODINGS[@]}"; do
    echo "[*] Testing encoding: $encoding"
    perl dotdotpwn.pl -h "$TARGET" -e "$encoding" -t http -o "results_encoding_$encoding.txt"
done
# Combine results
grep -ih "vulnerable" results_*.txt > final_results.txt
Best Practices
- Test all encoding methods, not just plain traversal
- Try different path depths based on application structure
- Test multiple protocol types (HTTP, FTP, etc.)
- Look for specific sensitive files relevant to the target application
- Document all successful traversal paths found
- Test both standard and non-standard ports
- Use appropriate timeouts for slow servers
- Be aware of rate limiting and WAF detection
- Respect scope and authorization for testing
- Combine with other vulnerability assessment tools