http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt
Report bugs/suggestions to inspathx at yehg dot net.
WHY
Web application developers sometimes fail to add safe checks against authentications, file inclusion ..etc are prone to reveal possible sensitive information when those applications' URLs are directly requested. Sometimes, it's a clue to Local File Inclusion vulnerability. For open-source applications, source code can be downloaded and checked to find such information.
This script will do this job.
First you have to download source archived file of your desired OSS.
Second, extract it.
Third, feed its path to inspath
The inspath takes
-d, --dir /source/app set source code directory/source path definition file of application Required
-u, --url http://site.com/ set url if -g option is not specified
-t, --threads 10 set thread number(default: 10)
-l, --language php set language [php,asp,aspx,jsp,jspx,cfm,all] (default all - means scan all)
-x, --extension php set file extensions (php4,php5,...) default regex: php4,php5,php6,php,asp,aspx,jsp
,jspx,cfm
-m, --method TYPE http method get/post (default: get)
-h, --headers HEADERS add http header
-q, --data DATA http get/post data
-n, --null-cookie add null session cookie (no need to specify cookie name)
-f, --follow follow http redirection
-p, --param-array identify parameters in target url,make 'em array (value: 1 for , 2 for ,
3 for , n .... *n) <note: --data value untouched>
-r, --regexp REGEXP specify your own regexp to search in returned responses
-g, --gen FILE read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.
--rm remove source directory used to generate path file list.
-c, --comment STRING comment for path definition file to be used with -g and -d options. date is automatically appended.
--x-p show only paths in console and write them to file with path_vuln.txt surfix. This does not contain target url portion.
--xp alias to --x-p
-s, --search STRING search path definition files in paths/ & paths_vuln/ directories.
See the sample logs in sample_logs folder - scan logs of latest mambo and wordpress applications
Similar terms: Full Path Disclosure, Internal Path Leakage
SUPPORTED LANGUAGES
PHP
ASP(X)
JSP(X)
ColdFusion
HOW
ruby inspathx.rb -u http://localhost/wordpress
ruby inspathx.rb -u http://localhost/wordpress -p 1
ruby inspathx.rb -d /sources/wordpress -u http://localhost/wordpress
ruby inspathx.rb -d /sources/wordpress -g paths/wordpress-3.0.4
ruby inspathx.rb -d paths/wordpress-3.0.4 -u http://localhost/wordpress
ruby inspathx.rb -d c:/sources/wordpress -u http://localhost/wordpress -t 20 -l php
ruby inspathx.rb -d /sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx -n
See EXAMPLES for more information.
DOWNLOAD/UPDATE
We love svn. Check it out at
svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only
SAMPLE LOGS
Mambo 4.6.5 http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_mambo_.log
WordPress 3.0.1 http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_wp_.log
REFERENCES
http://www.owasp.org/index.php/Full_Path_Disclosure
http://projects.webappsec.org/Information-Leakage
http://cwe.mitre.org/data/definitions/209.html
Use portable bash versions if you wish:
http://www.pentesterscripting.com/discovery/web_requester
http://www.pentesterscripting.com/exploitation/bash_web_parameter_fuzzer
Source-
http://code.google.com/p/inspathx/
Post a Comment