Directory Traversal still alive? I mean, does your tool bypass Apache, IIS latest versions? Or it is applicable to IIS 4? It would be nice to have new techniques, improve multi-byte encoders and so on. Sent via BlackBerry from Danux Network -----Original Message----- From: "chr1x" <chr1x@xxxxxxxxxxxxx> Date: Fri, 29 Oct 2010 23:47:20 To: <full-disclosure@xxxxxxxxxxxxxxxxx>; <websecurity@xxxxxxxxxxxxx> Cc: <webappsec@xxxxxxxxxxxxxxxxxxxxxxx>; <bugtraq@xxxxxxxxxxxxxxxxx> Subject: [WEB SECURITY] [TOOL] DotDotPwn v2.1 - The Directory Traversal Fuzzer CubilFelino Security Research Lab and Chatsubo (IN) Security Labs proudly present... DotDotPwn v2.1 - The Directory Traversal Fuzzer =============================================== Authors: Christian Navarrete (chr1x @ http://chr1x.sectester.net) and Alejandro HernÃndez H. (nitr0us @ http://chatsubo-labs.blogspot.com) Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences 2010) Tool Description ================ It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms such as CMSs, ERPs,Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in perl programming language and can be run either under *NIX or Windows platforms. Fuzzing modules supported in this version: - HTTP - HTTP URL - FTP - TFTP - Payload (Protocol independent) - STDOUT Discovered Vulnerabilities ========================== - HTTP (4 security advisories) * MultiThreaded HTTP Server @ http://www.inj3ct0r.com/exploits/11894 * Wing FTP Server v3.4.3 @ http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt * Yaws 1.89 * Mongoose 2.11 - FTP (2 security advisories) * VicFTPS v5.0 @ http://www.inj3ct0r.com/exploits/12131 * Home FTP Server vr1.11.1 (build 149) @ http://www.exploit-db.com/exploits/15349 - TFTP (2 security advisories) * TFTP Desktop 2.5 @ http://www.exploit-db.com/exploits/14857 * TFTPDWIN v0.4.2 @ http://www.exploit-db.com/exploits/14856 Download ======== Official site: http://dotdotpwn.sectester.net Mirror site: http://chatsubo-labs.blogspot.com Contact ======= Contact: dotdotpwn@xxxxxxxxxxxxx Vote for DotDotPwn as tool for next BackTrack release!! -> http://www.backtrack-linux.org/forums/tool-requests/32082-dotdotpwn.html ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] To unsubscribe email websecurity-unsubscribe@xxxxxxxxxxxxx and reply to the confirmation email Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on Twitter http://twitter.com/wascupdates
