Panoptic: A tool to exploit path traversal vulnerabilities

Panoptic

Panoptic

Occasionally during a penetration test, I encounter a path traversal vulnerability which cannot be converted to an RFI and exploited easily. This can be quite a frustrating vulnerability to escalate your access to when you don’t have a large database of the default locations of known configurations, logs or other important files. It was out of this frustration that Panoptic was born. With the collaboration and invaluable help of Miroslav Stampar, we wrote a tool that searches for commonly known files through LFI vulnerabilities. In this post, I will be demonstrating some of the features and capabilities of Panoptic.

Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerability. You can find a sample run here.

Download

git clone https://github.com/lightos/Panoptic.git

Usage

Usage: panoptic.py –url TARGET [options]

Options:
-h/–help show this help message and exit
-v/–verbose display extra output information
-u/–url=URL set target URL
-p/–param=PARAM set parameter name to test for (e.g. “page”)
-d/–data=DATA set data for HTTP POST request (e.g. “page=default”)
-t/–type=TYPE set type of file to look for (“conf” or “log”)
-o/–os=OS set filter name for OS (e.g. “*NIX”)
-s/–software=SOFT.. set filter name for software (e.g. “PHP”)
-c/–category=CATE.. set filter name for category (e.g. “FTP”)
-l/–list=GROUP list available filters for group (e.g. “software”)
-a/–auto avoid user interaction by using default options
-w/–write-files write content of retrieved files to output folder
-x/–skip-parsing skip special tests if *NIX passwd file is found
–load=LISTFILE load and try user provided list from a file
–ignore-proxy ignore system default HTTP proxy
–proxy=PROXY set proxy (e.g. “socks5://192.168.5.92”)
–user-agent=UA set HTTP User-Agent header value
–random-agent choose random HTTP User-Agent header value
–cookie=COOKIE set HTTP Cookie header value (e.g. “sid=foobar”)
–header=HEADER set a custom HTTP header (e.g. “Max-Forwards=10”)
–prefix=PREFIX set prefix for file path (e.g. “../”)
–postfix=POSTFIX set postfix for file path (e.g. “%00”)
–multiplier=MULTI.. set multiplication number for prefix (default: 1)
–bad-string=STRING set a string occurring when file is not found
–replace-slash=RE.. set replacement for char / in paths (e.g. “/././”)
–threads=THREADS set number of threads (default: 1)
–update update Panoptic from official repository

 

Example

./panoptic.py –url “http://localhost/include.php?file=test.txt&id=1” –param file

Demo

Copyright (c) 2013-2015 Roberto Christopher Salgado Bjerre, Miroslav Stampar.

Source: https://github.com/lightos/