search

Dir Traversal Fuzzer

This script is used to enumerate a directory traversal vulnerability when found. Just chmod and run the script then supply it the URL where the traversal was found. Then it will organize the found files into an html doc for quick reading of the output.

circle-info

Make sure to edit the script on line 14 to point to the wordlist you want to use.

#!/bin/bash
#Created by Prescott Rowe
echo "-------DirTraverseFuzzer-----"
echo "If you have found a web traversal vuln then you can use this script to fuzz it"
echo "Your files will be in the TravFuzz folder and can all be viewed with trav.html. Also make sure to edit the gobuster command on line 12."
echo "Enter your target URL/IP:"

read scan
echo "--Scanning--"
rm -r TravFuzz/ 2>/dev/null
mkdir TravFuzz
mkdir TravFuzz/pngs

gobuster dir -t 30 -w /usr/share/seclists/Fuzzing/lin-traversal.txt -u $scan -e --wildcard -l >> ./TravFuzz/found.txt;
i=0
echo "<HTML><BODY><BR>" > ./TravFuzz/trav.html
for url in $(cat ./TravFuzz/found.txt |grep "Status: 200\|Status: 204\|Status: 301\|Status: 302\|Status: 307\|Status: 403" |grep -v "Size: 0" |cut -d" " -f1);do
	((i++))
	cutycapt --url=$url --out=./TravFuzz/pngs/$i.png
	echo "<b>"$url":</b> <BR><IMG SRC=\""./pngs/""$i"".png"\" width=600 border="6"><BR><BR><BR>" >> ./TravFuzz/trav.html
done
echo "</BODY></HTML>" >> ./TravFuzz/trav.html
echo "--Finished--" 
echo "Check ./TravFuzz/trav.html"

hashtag
Traversal Files:

These are just the ones I use. Feel free to use your own.

LogoGitHub - danielmiessler/SecLists: SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.GitHubchevron-right

hashtag
Sample Output:

hashtag
Files created by the script:

trav.html: holds results

found.txt: holds urls that had hits

png folder: Used as reference for the html file

PreviousDirectory TraversalNextLFI

Last updated