Vailyn v3.0.0-2 (beta) releases: phased, evasive Path Traversal scanning & exploitation tool
Vailyn is a multi-phased vulnerability analysis and exploitation tool for path traversal/directory climbing vulnerabilities. It is built to make it as performant as possible and to offer a wide arsenal of filter evasion techniques.
How does it work?
Vailyn operates in 2 phases. First, it checks if the vulnerability is present. It does so by trying to access /etc/passwd, with all of its evasive payloads. Analyzing the response, payloads that worked are separated from the others.
Since v1.1, a custom file to check can be specified by argument.
Now, the user can choose freely which payloads to use. Only these payloads will be used in the second phase.
The second phase is the exploitation phase. Now, it tries to leak all possible files from the server using a file and a directory dictionary. The search depth and the directory permutation level can be adapted via arguments. Optionally, it can download found files, and save them in its loot folder.
Right now, it supports multiple attack methods: injection via query and path.
Since v1.2, cookie path traversals are supported, too! Use -a 3 for a cookie attack.
Why phase separation?
The separation in several phases is new in this version. It is done to hugely improve the performance of the tool. In previous versions, every file-directory combination was checked with every payload. This resulted in a huge overhead due to payloads being always used again, despite they are not working for the current server.
Changelog v3.0.0-2 (beta)
- fixed a crash introduced by 3.0.0-1, which occurred when using
--nosploitand no results have been found
- fixed a rare false positive in the path attack mode (
-a 2) by introducing another check
- fixed crash when passing authentication cookie via
-cand improved how this cookie is transferred to Arjun by the crawler
- added some new wrappers to
- wrappers now use filter evasion by random capitalization
$ git clone https://github.com/VainlyStrain/Vailyn
$ pip install -r requirements.txt # –user
Vailyn has 3 mandatory arguments: -v VIC, -a ACK and -l FIL PATH. However, depending on -a, more arguments may be required.
Vailyn currently supports 3 attack vectors. The attack performed is identified by the -a ACK argument.
You also must specify a target to attack. This is done via -v VIC and -q VIC2, where -v is the part before the injection point, and -q the rest.
Example: if the final URL should look like: https://site.com/download.php?file=<ATTACK>¶m2=necessaryvalue, you can specify -v https://site.com/download.php and -q ¶m2=necessaryvalue (and -p file, since this is a query attack).
To perform the bruteforce attack in phase 2, you need to specify 2 dictionaries:
- FIL, containing filenames only (e.g. index.php)
- PATH, containing directory names only. Note that each directory entry MUST end with a “/”. Also, Vailyn will handle directory permutation for you, so you’ll need only single directories in a line.
This is the analysis phase, where working payloads are separated from the others.
/etc/passwd is looked up. If the server is not running Linux, you can specify a custom file by -i FILENAME. Note that you must include subdirectories in FILENAME. You can modify the lookup depth with -c DEPTH (default=8).
This is the exploitation phase, where Vailyn will try to leak as many files as possible.
The depth of lookup in phase 2 (the maximal number of layers traversed back, and the level of subdirectory recursion) is specified by the -i argument. In future versions, these properties can be changed independently (using 2 arguments).
By specifying -n, Vailyn will not only display files on the terminal but also download and save the files into the loot folder.
If you want a verbose output (display every output, not only found files), you can use -s. Note that output gets really messy, this is basically just a debug help.
False Positive prevention
To distinguish real results from false positives, Vailyn does the following checks:
- check the status code of the response
- check if the response is identical to one taken before attack start: this is useful e.g, when the server returns 200, but ignores the payload input or returns a default page if the file is not found.
- check for empty responses
- check if common error signatures are in the response content
- check if the payload is contained in the response: this is an additional check for the case the server responds 200 for non-existing files, and reflects the payload in a message like (../../secret not found)
Copyright (C) 2020 VainlyStrain