
Thread: inspathx - Path Disclosure Finder

  1. #1

    inspathx - Path Disclosure Finder

    WHAT

    A tool that uses a local source tree to make requests to the URL and searches for path inclusion error messages. It's a common problem in PHP web applications that we've been hating to see. We hope this tool means no path disclosure flaws are triggered any more. See our article about path disclosure.

    [yehg.net] Download path disclosure vulnerability.txt

    Report bugs/suggestions to inspathx at yehg dot net.


    WHY

    Web application developers sometimes fail to add safety checks for authentication, file inclusion, etc., so those applications are prone to revealing possibly sensitive information when their URLs are directly requested. Sometimes it's a clue to a Local File Inclusion vulnerability. For open-source applications, the source code can be downloaded and checked to find such information.

    This script will do this job.

    1. First, download the source archive of your desired OSS.
    2. Second, extract it.
    3. Third, feed its path to inspath.

    The inspath takes

    * -d or --dir argument as the source directory (of the application)
    * -u or --url argument as the target base URL
    * -t or --threads argument as the number of threads to run concurrently (default is 10)
    * -l argument as your desired language: php, asp, aspx, jsp, all (default is all)
    * -x argument as your desired extensions separated by comma(s) (default: php4,php5,php6,php,asp,aspx,jsp,jspx)

    Read the related text: [yehg.net] Download path disclosure vulnerability.txt

    See the sample logs in sample_logs folder - scan logs of latest mambo and wordpress applications

    Similar terms: Full Path Disclosure, Internal Path Leakage


    SUPPORTED LANGUAGES

    * PHP
    * ASP(X)
    * JSP(X)


    HOW

    ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

    ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

    ruby inspathx.rb -d c:/sources/dotnetnuke -u http://localhost/dotnetnuke -t 20 -l aspx

    ruby inspathx.rb -d c:/sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx


    DOWNLOAD/UPDATE

    We love svn. Check it out at

    svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only


    SAMPLE LOGS

    Mambo 4.6.5 - Administration [Mambo]

    WordPress 3.0.1 http://inspathx.googlecode.com/svn/t...alhost_wp_.log


    REFERENCES

    Full Path Disclosure - OWASP

    http://projects.webappsec.org/Information-Leakage

    CWE - CWE-209: Information Exposure Through an Error Message (1.10)

  2. #2

    Updated inspathx


    Inspathx Tutorial: http://www.aldeid.com/index.php/Inspathx

    Bundled apps paths and vulnerable paths are included.
    https://code.google.com/p/inspathx/s...Ftrunk%2Fpaths
    https://code.google.com/p/inspathx/s...k%2Fpaths_vuln


    Updated one takes

    -d, --dir /source/app set source code directory/source path definition file of application Required?

    -u, --url http://site.com/ set url if -g option is not specified?

    -t, --threads 10 set thread number(default: 10)

    -l, --language php set language php,asp,aspx,jsp,jspx,cfm,all? (default all - means scan all)

    -x, --extension php set file extensions (php4,php5,...) default regex: php4,php5,php6,php,asp,aspx,jsp,jspx,cfm

    -m, --method TYPE http method get/post (default: get)

    -h, --headers HEADERS add http header

    -q, --data DATA http get/post data

    -n, --null-cookie add null session cookie (no need to specify cookie name)

    -f, --follow follow http redirection

    -p, --param-array identify parameters in target url,make 'em array & request ( --data value untouched)

    -r, --regexp REGEXP specify your own regexp to search in returned responses

    -g, --gen FILE read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.

    --rm remove source directory used to generate path file list.

    -c, --comment STRING comment for path definition file to be used with -g and -d options. date is automatically appended.

    --x-p show only paths in console and write them to file with path_vuln.txt suffix. This does not contain target url portion.

    -s, --search STRING search path definition files in paths/ & paths_vuln/ directories.

    See the sample logs in sample_logs folder - scan logs of latest mambo and wordpress applications

    Similar terms: Full Path Disclosure, Internal Path Leakage


    SUPPORTED LANGUAGES

    * PHP
    * ASP(X)
    * JSP(X)
    * ColdFusion


    HOW

    ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin

    ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20 -l php

    ruby inspathx.rb -d /sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx -n

    ruby inspathx.rb -d /sources/wordpress -g paths/wordpress-3.0.4

    ruby inspathx.rb -d paths/wordpress-3.0.4 -u http://localhost/wp


    See EXAMPLES for more information.

  3. #3

    2011-03 update

    Added dotNet framework 1.x full path disclosure


    Check on server with error-display on:

    Code:
    $ ruby inspathx.rb -u http://10.3.22.45/
    
    =============================================================
    Path Discloser (a.k.a inspathx) / Error Hunter
     (c) Aung Khant, aungkhant[at]yehg.net
      YGN Ethical Hacker Group, Myanmar, http://yehg.net/
    
    svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
    =============================================================
    
    
    # target: http://10.3.22.45
    # source: .DUMMY
    # log file: 10.3.22.45_.log
    # follow redirect: false
    # null cookie: false
    # total threads: 10
    # time: 18:15:31 03-22-2011
    
    [*] testing for dotnet 1.x full path disclosure ..
    
    [*] http://10.3.22.45/~.aspx
    
    # waiting for child threads to finish ..
    .
    
    
    ! Server path extracted = D:\inetpub\wwwroot\
    
    # vulnerable url(s) = 1
    # total requests = 1
    # done at 18:15:36 03-22-2011
    
    Send bugs, suggestions, contributions to inspathx[at]yehg.net

  4. #4

    2011-03 Update 2

    Now, -p requires number to represent []
    You can now specify -p for any number of [] you like.



    Code:
    $ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php -p
    
    missing argument: -p
    
    
    $ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php -p 2
    
    option[][]=&view[][]=&Itemid[][]=&format[][]=&type[][]=&id[][]=&layout[][]=&catid[][]=&
    
    
    $ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php  -p 5
    
    option[][][][][]=&view[][][][][]=&Itemid[][][][][]=&format[][][][][]=&type[][][][][]=&id[][][][][]=&layout[][][][][]=&catid[][][][][]=&

    Without -p

    Code:
    $ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php
    
    =============================================================
    Path Discloser (a.k.a inspathx) / Error Hunter
     (c) Aung Khant, aungkhant[at]yehg.net
      YGN Ethical Hacker Group, Myanmar, http://yehg.net/
    
    svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
    =============================================================
    
    
    # target: http://attacker.in/joomla160x/index.php
    # source: .DUMMY
    # log file: attacker.in_joomla160x_index.php__.log
    # follow redirect: false
    # null cookie: false
    # param array: false
    # total threads: 10
    # time: 13:34:04 03-23-2011
    
    
    # waiting for child threads to finish ..
    .
    
    
    
    # vulnerable url(s) = 0
    # total requests = 1
    # done at 13:34:09 03-23-2011
    
    Send bugs, suggestions, contributions to inspathx[at]yehg.net

    With -p

    Code:
    $ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php -p 2
    
    =============================================================
    Path Discloser (a.k.a inspathx) / Error Hunter
     (c) Aung Khant, aungkhant[at]yehg.net
      YGN Ethical Hacker Group, Myanmar, http://yehg.net/
    
    svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
    =============================================================
    
    
    # target: http://attacker.in/joomla160x/index.php
    # source: .DUMMY
    # log file: attacker.in_joomla160x_index.php__.log
    # follow redirect: false
    # null cookie: false
    # param array: 2
    # total threads: 10
    # time: 13:30:22 03-23-2011
    
    
    # waiting for child threads to finish ..[*] http://attacker.in/joomla160x/index.php
    
    .
    
    
    ! Username detected = attacker
    ! Server path extracted = /home/attacker/public_html/
    
    # vulnerable url(s) = 1
    # total requests = 1
    # done at 13:30:27 03-23-2011
    
    Send bugs, suggestions, contributions to inspathx[at]yehg.net
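As an added example (my own code, not inspathx's or the yehg.net project's), here is the response-side check that post #1 describes and that the "! Server path extracted" / "! Username detected" lines above report: given a response body, match error text that leaks an absolute server path, then derive the directory and, for /home/<user>/ layouts, the account name. The regexps, helper names and sample responses are assumptions of mine, not taken from the tool.

```ruby
# Added example, not inspathx's own code: the response-side half of the tool.
# Given an HTTP response body, find PHP / ASP.NET error text that leaks an
# absolute server path, then derive the directory and (for /home/<user>/
# layouts) the account name that the tool logs as "! Server path extracted"
# and "! Username detected". The regexps are my own simplified patterns
# (assumption), not the ones shipped with inspathx.
PHP_ERROR = /\b(?:Warning|Fatal error|Notice|Parse error|Deprecated)\b\s*:\s*.*?\bin\s+(\/[^\s<>"']+|[A-Za-z]:\\[^\s<>"']+)\s+on line\s+\d+/
ASPNET_ERROR = /Source File:\s*([A-Za-z]:\\[^\s<>"']+)/

# Flatten HTML so "in <b>/path</b> on line <b>3</b>" becomes plain text.
def strip_tags(body)
  body.gsub(/<[^>]*>/, '').gsub('&nbsp;', ' ').gsub(/\s+/, ' ')
end

# Every absolute path leaked by a recognised error message, in order seen.
def leaked_paths(body)
  text = strip_tags(body)
  [PHP_ERROR, ASPNET_ERROR].flat_map { |re| text.scan(re).flatten }.uniq
end

# Directory of the leaked file, trailing separator kept (Unix or Windows).
def server_dir(path)
  sep = path.include?('\\') ? '\\' : '/'
  idx = path.rindex(sep)
  idx ? path[0..idx] : path
end

# Shared-hosting layouts such as /home/<user>/public_html/ also leak the login.
def username_from_path(path)
  m = path.match(%r{\A(?:/usr)?/home/([^/]+)/})
  m && m[1]
end

def analyze(body)
  paths = leaked_paths(body)
  { paths: paths,
    server_dirs: paths.map { |p| server_dir(p) }.uniq,
    usernames: paths.map { |p| username_from_path(p) }.compact.uniq }
end

# Constructed sample responses (not captured from any real host).
PHP_RESPONSE = '<b>Warning</b>:  include(missing.php): failed to open stream: ' \
               'No such file or directory in <b>/home/attacker/public_html/index.php</b> on line <b>3</b><br />'
ASPNET_RESPONSE = '<h2>Server Error</h2><b>Source File:</b> D:\inetpub\wwwroot\Default.aspx&nbsp;&nbsp;<b>Line:</b> 12'
```

Running analyze over your own application's error pages with display_errors on is a quick way to confirm the fix (custom error pages, display_errors off) before a scanner does it for you.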
