wireghoul/dotdotpwn

Single deepness / deepness range

Opened this issue · 5 comments

Hi,

for some scenarios it could be useful to set a single deepnes or a deepness range to the traversal pattern. For example if we know that the traversal is in this url:

http://example.com/foo/bar/foo/bar/foo.php?=TRAVERSAL

it doesn't make any sense when testing for /etc/passwd to traversal like:

http://example.com/foo/bar/foo/bar/foo.php?=../../etc/passwd

The minimum traversal deepnes should be 4 in this case which could speed up the testing a lot as the deepnes of 1 to 3 probably won't get any results. Any opinions to this?

Hi,

Thanks for taking the time to evaluate the tool. I'm not entirely sure I understand your question.
Typically if you have a file in /var/www which calls include($_GET['file']) then it doesn't really matter if you're hitting ../../etc/passwd or ../../../../../../etc/passwd, they will both return the file. dotdotpwn does support the use of Bisection (-X) to determine the actual number of directories deep the traverrsal is although it appears to be broken in the current codebase. You can also set the deepness with the -d switch.
If you were to specify both bisection and deepness it will go from max to low, ie: it will try ../../../../../../etc/passwd first.

I think the only thing missing is full path inclusion, the vulnerable example code above also allows the use of '/etc/passwd' without traversing and dotdotpwn does not currently detect this.

I will look at fixing the bisection algorithm though as I think this is the solution you seek.

Hi,

and thank you for the reply and for maintaining this software/repository.

Consider the following scenario:

URL: http://example.com/foo/getfile.php?f=TRAVERSAL
Webroot: /var/www/foo
Skript getfile.php using include($_GET['f'])

If you're using the -d switch with -d 3 dotdotpwn will create the following pattern:

http://example.com/foo/getfile.php?f=../etc/passwd
http://example.com/foo/getfile.php?f=../../etc/passwd
http://example.com/foo/getfile.php?f=../../../etc/passwd

and go from low to high. But we know that the first two will never reach /etc/passwd.

The same happens when we use the -X swtich. If i understand this correctly the following patterns will be created:

http://example.com/foo/getfile.php?f=../../../etc/passwd
http://example.com/foo/getfile.php?f=../../etc/passwd
http://example.com/foo/getfile.php?f=../etc/passwd

If no vulnerability is found all three patterns from high to low are used even if we know that the last three won't get any results. Or am i wrong?

Then it could be useful to create a switch like -dm where a min. deepness can be specified to save the requests where we know that they don't get any results back.

Thanks for your time.

Part of the problem is that on a penetration test you won't know how many directories deep the traversal is. IIRC the longest I've seen in the wild was 13 deep which is actaully not detected by many tools. You can use -b to break after the first vulnerability is found which should also determine the exact deepness of the traversal. I'm not sure I see the real value in skipping two requests, sure it will improve performance by a small margin, however you can gain far better performance by targetting a specific file such as /etc/passwd instead of bruteforcing several file options.

The -X algorithm goes from 16 deep to low and determines the actual deepnes of the traversal. With your example the output should be:
[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Replacing "TRAVERSAL" with the traversals created and sending

[*] Testing URL: http://localhost/inc.php?f=../../../../../../../../../../../../../../../../etc/passwd <- VULNERABLE

[========= BISECTION ALGORITHM =========]

[+] Medium point between 1 - 16 = 8; Vulnerable = YES
[+] Medium point between 1 - 8 = 4; Vulnerable = YES
[+] Medium point between 1 - 4 = 2; Vulnerable = YES
[+] Medium point between 1 - 2 = 1; Vulnerable = NO

[+] EXACT TRAVERSAL: ../../etc/passwd
[+] EXACT DEEPNESS : 2 times '../'

[+] Fuzz testing finished after 0.00 minutes (0 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/localhost_03-05-2014_16-20.txt

I have fixed the bisection algorithm in my repo. If you would like to explain the reason behind your feature request I might get it otherrwise I don't think it's really worth the time it would take to implement.

Hi,

and sorry for the late reply.

During the last pentests where i have used DotDotPwn the exact physical path was known from various sources like application stack traces, phpinfo and so on.

But i havn't really tested the -X parameter and thanks to your post i know now how it works.

So it should be enough to use the -X parameter to go from high to low and break the run of DotDotPwn after the highest deepness which matches the known physical path.

If i have some free time i will make some digging through the code and create a pull request containing a parameter for a single deepness. This could be useful in my opinion so i don't need to watch the console and break the run of DotDotPwn if no vulnerability was found but the highest deepness was running through.

Hi,

closing this as the -X parameter is exactly doing the "single deepness" which i was talking about.