Pages

9/30/2010

inspath - Path Disclosure Finder

A tool that uses local source tree to make requests to the url and
search for path inclusion error messages. It's ever a common problem
in PHP web applications that we're hating to see for ever. We hope
this tool triggers no path disclosure flaws any more. See our article
about path disclosure.
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

The inspath takes
* -d or --dir argument as source directory (of application)
* -u or --url arguement as the target base URL (like http://victim.com)
* -t or --threads argument as the number of threads concurrently to run (default is 10)

Example
ruby inspath.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20
ruby inspath.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

Example Result
I, [2010-09-22 18:00:08 pid:#9284]  INFO -- : [*] http://localhost/mambo/includes/core.classes.php
[html_source]
Fatal error:  Class 'mosDBTable' not found in /home/victim/public_html/mambo/includes/core.classes.php on line 857
[/html_source]

I, [2010-09-22 18:00:20 pid:#9284]  INFO -- : [*] http://localhost/mambo/administrator/popups/modulewindow.php
[html_source]
Fatal error:  Call to undefined function mosGetParam() in /home/victim/public_html/mambo/administrator/popups/modulewindow.php on line 16
[/html_source]


Download (via SVN)

svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only 
REF: http://seclists.org/fulldisclosure/2010/Sep/375

No comments:

Post a Comment