DotDotPwn - The Directory Traversal Fuzzer
DotDotPwn is an intelligent, protocol-independent fuzzer designed to discover directory traversal vulnerabilities across various network services and web platforms.
Security researchers and penetration testers use DotDotPwn to identify directory traversal flaws in HTTP, FTP, TFTP servers, and web applications such as CMSs and ERPs. It automates fuzzing to uncover vulnerabilities that could allow unauthorized access to sensitive files or directories.
DotDotPwn requires Perl and several Perl modules; users should ensure all dependencies are installed. Using the OS detection feature requires root privileges due to Nmap integration. As a fuzzing tool, it may generate significant network traffic and should be used responsibly and with permission on target systems.
Ensure Perl 5.8.8 or 5.10 is installed
Install required Perl modules: Net::FTP, TFTP (if fuzzing TFTP), Time::HiRes, Socket, IO::Socket, Getopt::Std
Use CPAN to install missing Perl modules: perl -MCPAN -e "install <MODULE_NAME>" or run cpan and then install <MODULE_NAME>
Install Nmap if OS detection feature is needed (requires root privileges)
perl dotdotpwn.pl -h
Displays help and usage information for DotDotPwn
perl dotdotpwn.pl -m http -h <host> -x <port> -u <url>
Fuzz HTTP directory traversal vulnerabilities on the specified host, port, and URL
perl dotdotpwn.pl -m ftp -h <host> -x <port>
Fuzz FTP servers for directory traversal vulnerabilities
perl dotdotpwn.pl -m tftp -h <host> -x <port>
Fuzz TFTP servers for directory traversal vulnerabilities
perl dotdotpwn.pl -m payload -h <host> -x <port> -p <payload_file>
Send a custom payload, read from the given file, to the specified host and port in a protocol-independent manner
perl dotdotpwn.pl -m stdout
Use DotDotPwn in scripting mode by outputting payloads to STDOUT