Home » » inspathx - Path Disclosure Finder

inspathx - Path Disclosure Finder

Written By mediana saputra on Tuesday, 29 January 2013 | 06:15

A tool that uses local source tree to make requests to the url and search for path inclusion error messages. It's a common problem in PHP web applications that we've been hating to see. We hope this tool triggers no path disclosure flaws any more. See our article about path disclosure.


Report bugs/suggestions to inspathx at yehg dot net.

Web application developers sometimes fail to add safe checks against authentications, file inclusion ..etc are prone to reveal possible sensitive information when those applications' URLs are directly requested. Sometimes, it's a clue to Local File Inclusion vulnerability. For open-source applications, source code can be downloaded and checked to find such information.

This script will do this job.

First you have to download source archived file of your desired OSS.
Second, extract it.
Third, feed its path to inspath
The inspath takes

-d, --dir /source/app set source code directory/source path definition file of application Required
-u, --url http://site.com/ set url if -g option is not specified
-t, --threads 10 set thread number(default: 10)
-l, --language php set language [php,asp,aspx,jsp,jspx,cfm,all] (default all - means scan all)
-x, --extension php set file extensions (php4,php5,...) default regex: php4,php5,php6,php,asp,aspx,jsp

-m, --method TYPE http method get/post (default: get)
-h, --headers HEADERS add http header
-q, --data DATA http get/post data
-n, --null-cookie add null session cookie (no need to specify cookie name)
-f, --follow follow http redirection
-p, --param-array identify parameters in target url,make 'em array (value: 1 for , 2 for ,
3 for , n .... *n) <note: --data value untouched>
-r, --regexp REGEXP specify your own regexp to search in returned responses
-g, --gen FILE read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.
--rm remove source directory used to generate path file list.
-c, --comment STRING comment for path definition file to be used with -g and -d options. date is automatically appended.
--x-p show only paths in console and write them to file with path_vuln.txt surfix. This does not contain target url portion.
--xp alias to --x-p
-s, --search STRING search path definition files in paths/ & paths_vuln/ directories.
See the sample logs in sample_logs folder - scan logs of latest mambo and wordpress applications

Similar terms: Full Path Disclosure, Internal Path Leakage

ruby inspathx.rb -u http://localhost/wordpress

ruby inspathx.rb -u http://localhost/wordpress -p 1

ruby inspathx.rb -d /sources/wordpress -u http://localhost/wordpress

ruby inspathx.rb -d /sources/wordpress -g paths/wordpress-3.0.4

ruby inspathx.rb -d paths/wordpress-3.0.4 -u http://localhost/wordpress

ruby inspathx.rb -d c:/sources/wordpress -u http://localhost/wordpress -t 20 -l php

ruby inspathx.rb -d /sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx -n

See EXAMPLES for more information.

We love svn. Check it out at
svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only

Mambo 4.6.5 http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_mambo_.log
WordPress 3.0.1 http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_wp_.log


Use portable bash versions if you wish:

Share this article :

Post a Comment

Support : Creating Website | Johny Template | Mas Template
Copyright © 2011. Turorial Grapich Design and Blog Design - All Rights Reserved
Template Created by Creating Website Published by Mas Template
Proudly powered by Blogger