Bugtraq mailing list archives
Re: [WEB SECURITY] [TOOL] DotDotPwn v2.1 - The Directory Traversal Fuzzer
From: neza0x () gmail com
Date: Wed, 3 Nov 2010 20:49:06 +0000
Directory Traversal still alive? I mean, does your tool bypass Apache, IIS latest versions? Or it is applicable to IIS 4?

It would be nice to have new techniques, improve multi-byte encoders and so on.

Sent via BlackBerry from Danux Network

-----Original Message-----
From: "chr1x" <chr1x () sectester net>
Date: Fri, 29 Oct 2010 23:47:20
To: <full-disclosure () lists grok org uk>; <websecurity () webappsec org>
Cc: <webappsec () lists securityfocus com>; <bugtraq () securityfocus com>
Subject: [WEB SECURITY] [TOOL] DotDotPwn v2.1 - The Directory Traversal Fuzzer

CubilFelino Security Research Lab and Chatsubo (IN) Security Labs proudly present...

DotDotPwn v2.1 - The Directory Traversal Fuzzer
===============================================

Authors: Christian Navarrete (chr1x @ http://chr1x.sectester.net) and Alejandro Hernández H. (nitr0us @ http://chatsubo-labs.blogspot.com)
Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences 2010)

Tool Description
================

It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in perl programming language and can be run either under *NIX or Windows platforms.

Fuzzing modules supported in this version:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT

Discovered Vulnerabilities
==========================

- HTTP (4 security advisories)
  * MultiThreaded HTTP Server @ http://www.inj3ct0r.com/exploits/11894
  * Wing FTP Server v3.4.3 @ http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt
  * Yaws 1.89
  * Mongoose 2.11
- FTP (2 security advisories)
  * VicFTPS v5.0 @ http://www.inj3ct0r.com/exploits/12131
  * Home FTP Server vr1.11.1 (build 149) @ http://www.exploit-db.com/exploits/15349
- TFTP (2 security advisories)
  * TFTP Desktop 2.5 @ http://www.exploit-db.com/exploits/14857
  * TFTPDWIN v0.4.2 @ http://www.exploit-db.com/exploits/14856

Download
========

Official site: http://dotdotpwn.sectester.net
Mirror site: http://chatsubo-labs.blogspot.com

Contact
=======

Contact: dotdotpwn () sectester net

Vote for DotDotPwn as tool for next BackTrack release!!
-> http://www.backtrack-linux.org/forums/tool-requests/32082-dotdotpwn.html