/Kyubi

A tool to discover and exploit Nginx alias traversal misconfiguration, the tool can bruteforce the URL path recursively to find out hidden files and directories.

Primary LanguagePython

made with python author co-author

Kyubi

A tool to discover Nginx alias traversal misconfiguration, read more https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/

Installation

OPTION 1:

git clone https://github.com/shibli2700/Kyubi.git
cd /Kyubi
sudo python3 setup.py install
pip install .

OPTION 2: Pulling the Docker Image from Docker Hub

You can pull the Docker image from Docker Hub and running it locally using the following command:

docker pull saydocerr/kyubi
docker run -it saydocerr/kyubi

Options

usage: kyubi [-h] [-v] [-a] url

This tool checks nginx alias traversal misconfiguration.

positional arguments:
  url         URL of the target

optional arguments:
  -h, --help  show this help message and exit
  -v          increase verbosity
  -a          append segment in the end

Usage

$ kyubi -v https://127.0.0.1/resources/images/users/profile/profile.png

Future Addition

  • Brute forcing with filenames and directories.
  • Web Interface.