inspathx - Path Disclosure Finder

[r3m0t3]

WHAT¶

A tool that uses local source tree to make requests to the url and search for path inclusion error messages. It's a common problem in PHP web applications that we've been hating to see. We hope this tool triggers no path disclosure flaws any more. See our article about path disclosure.

[yehg.net] Download path disclosure vulnerability.txt

Report bugs/suggestions to inspathx at yehg dot net.


WHY¶

Web application developers sometimes fail to add safe checks against authentications, file inclusion ..etc are prone to reveal possible sensitive information when those applications' URLs are directly requested. Sometimes, it's a clue to Local File Inclusion vulnerability. For open-source applications, source code can be downloaded and checked to find such information.

This script will do this job.

1. First you have to download source archived file of your desired OSS.
2. Second, extract it.
3. Third, feed its path to inspath

The inspath takes

* -d or --dir argument as source directory (of application)
* -u or --url arguement as the target base URL (like Com.org - Only the best links ...)
* -t or --threads argument as the number of threads concurrently to run (default is 10)
* -l argument as your desired language php,asp,aspx,jsp,all (default is all)
* -x argument as your desired extensions separated by comma(s) (default : php4,php5,php6,php,asp,aspx,jsp,jspx)

Read the related text: [yehg.net] Download path disclosure vulnerability.txt

See the sample logs in sample_logs folder - scan logs of latest mambo and wordpress applications

Similar terms: Full Path Disclosure, Internal Path Leakage


SUPPORTED LANGUAGES¶

* PHP
* ASP(X)
* JSP(X)


HOW¶

ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

ruby inspathx.rb -d c:/sources/dotnetnuke -u http://localhost/dotnetnuke -t 20 -l aspx

ruby inspathx.rb -d c:/sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx


DOWNLOAD/UPDATE¶

We love svn. Check it out at

svn checkout inspathx - Revision 19: /trunk inspathx-read-only
SAMPLE LOGS¶

Mambo 4.6.5 - Administration [Mambo]

WordPress 3.0.1 http://inspathx.googlecode.com/svn/t...alhost_wp_.log


REFERENCES¶

Full Path Disclosure - OWASP

http://projects.webappsec.org/Information-Leakage

CWE - CWE-209: Information Exposure Through an Error Message (1.10)

[r3m0t3]

Updated inspathx


Inspathx Tutorial: http://www.aldeid.com/index.php/Inspathx

Bundled apps paths and vulnerable paths are included.
https://code.google.com/p/inspathx/s...Ftrunk%2Fpaths
https://code.google.com/p/inspathx/s...k%2Fpaths_vuln


Updated one takes

-d, --dir /source/app set source code directory/source path definition file of application Required?

-u, --url http://site.com/ set url if -g option is not specified?

-t, --threads 10 set thread number(default: 10)

-l, --language php set language php,asp,aspx,jsp,jspx,cfm,all? (default all - means scan all)

-x, --extension php set file extensions (php4,php5,...) default regex: php4,php5,php6,php,asp,aspx,jsp

,jspx,cfm

-m, --method TYPE http method get/post (default: get)

-h, --headers HEADERS add http header

-q, --data DATA http get/post data

-n, --null-cookie add null session cookie (no need to specify cookie name)

-f, --follow follow http redirection

-p, --param-array identify parameters in target url,make 'em array & request ( --data value untouched)

-r, --regexp REGEXP specify your own regexp to search in returned responses

-g, --gen FILE read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.

--rm remove source directory used to generate path file list.

-c, --comment STRING comment for path definition file to be used with -g and -d options. date is automatically appended.

--x-p show only paths in console and write them to file with path_vuln.txt surfix. This does not contain target url portion.

-s, --search STRING search path definition files in paths/ & paths_vuln/ directories.

See the sample logs in sample_logs folder - scan logs of latest mambo and wordpress applications

Similar terms: Full Path Disclosure, Internal Path Leakage


SUPPORTED LANGUAGES

* PHP
* ASP(X)
* JSP(X)
* ColdFusion?


HOW

ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin

ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20 -l php

ruby inspathx.rb -d /sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx -n

ruby inspathx.rb -d /sources/wordpress -g paths/wordpress-3.0.4

ruby inspathx.rb -d paths/wordpress-3.0.4 -u http://localhost/wp


See EXAMPLES for more information.

[r3m0t3]

Added dotNet framework 1.x full path disclosure


Check on server with error-display on:

Code:

$ ruby inspathx.rb -u http://10.3.22.45/

=============================================================
Path Discloser (a.k.a inspathx) / Error Hunter
 (c) Aung Khant, aungkhant[at]yehg.net
  YGN Ethical Hacker Group, Myanmar, http://yehg.net/

svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
=============================================================


# target: http://10.3.22.45
# source: .DUMMY
# log file: 10.3.22.45_.log
# follow redirect: false
# null cookie: false
# total threads: 10
# time: 18:15:31 03-22-2011

[*] testing for dotnet 1.x full path disclosure ..

[*] http://10.3.22.45/~.aspx

# waiting for child threads to finish ..
.


! Server path extracted = D:\inetpub\wwwroot\

# vulnerable url(s) = 1
# total requests = 1
# done at 18:15:36 03-22-2011

Send bugs, suggestions, contributions to inspathx[at]yehg.net

[r3m0t3]

Now, -p requires number to represent []
You can now specify -p for any number of [] you like.

Code:

$ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php -p

missing argument: -p


$ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php -p 2

option[][]=&view[][]=&Itemid[][]=&format[][]=&type[][]=&id[][]=&layout[][]=&catid[][]=&


$ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php  -p 5

option[][][][][]=&view[][][][][]=&Itemid[][][][][]=&format[][][][][]=&type[][][][][]=&id[][][][][]=&layout[][][][][
]=&catid[][][][][]=&

Without -p

Code:

$ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php

=============================================================
Path Discloser (a.k.a inspathx) / Error Hunter
 (c) Aung Khant, aungkhant[at]yehg.net
  YGN Ethical Hacker Group, Myanmar, http://yehg.net/

svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
=============================================================


# target: http://attacker.in/joomla160x/index.php
# source: .DUMMY
# log file: attacker.in_joomla160x_index.php__.log
# follow redirect: false
# null cookie: false
# param array: false
# total threads: 10
# time: 13:34:04 03-23-2011


# waiting for child threads to finish ..
.



# vulnerable url(s) = 0
# total requests = 1
# done at 13:34:09 03-23-2011

Send bugs, suggestions, contributions to inspathx[at]yehg.net

With -p

Code:

$ ruby inspathx.rb -u http://attacker.in/joomla160x/index.php -p 2

=============================================================
Path Discloser (a.k.a inspathx) / Error Hunter
 (c) Aung Khant, aungkhant[at]yehg.net
  YGN Ethical Hacker Group, Myanmar, http://yehg.net/

svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
=============================================================


# target: http://attacker.in/joomla160x/index.php
# source: .DUMMY
# log file: attacker.in_joomla160x_index.php__.log
# follow redirect: false
# null cookie: false
# param array: 2
# total threads: 10
# time: 13:30:22 03-23-2011


# waiting for child threads to finish ..[*] http://attacker.in/joomla160x/index.php

.


! Username detected = attacker
! Server path extracted = /home/attacker/public_html/

# vulnerable url(s) = 1
# total requests = 1
# done at 13:30:27 03-23-2011

Send bugs, suggestions, contributions to inspathx[at]yehg.net