Published on February 10th, 2012 | by MaxiSoler0
DotDotPwn v3.0 Released
It’s a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.
Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module.
Changes / Enhancements / Features:
- -X switch that implements the Bisection Algorithm in order to detect the exact deepness once a directory traversal vulnerability has been found. (Wikipedia)
- -M switch to specify another method different from the default (GET) when the http module is used. Other HTTP methods are [POST | HEAD | COPY | MOVE]
- -e switch to specify the file extension to be appended at the end of each fuzz string (e.g. “.php”, “.jpg”, “.inc”)
- New dots & slashes encodings (fuzz patterns) based on: Canonicalization, locale and Unicode | URI Encoding Bypass IDS/IPS
Fuzzing modules supported in this version:
- HTTP URL
- Payload (Protocol independent)
Download DotDotPwn v3.0