inspath - Path Disclosure Finder

A tool that walks a local copy of the application's source tree, requests each file under the target URL, and searches the responses for path disclosure error messages. Path disclosure is a long-standing and still common problem in PHP web applications. We hope this tool helps put an end to path disclosure flaws. See our article about path disclosure.

inspath takes the following arguments:
* -d or --dir: the source directory (of the application)
* -u or --url: the target base URL (like
* -t or --threads: the number of threads to run concurrently (default is 10)

ruby inspath.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20
ruby inspath.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

Example Result
I, [2010-09-22 18:00:08 pid:#9284]  INFO -- : [*] http://localhost/mambo/includes/core.classes.php
Fatal error:  Class 'mosDBTable' not found in /home/victim/public_html/mambo/includes/core.classes.php on line 857

I, [2010-09-22 18:00:20 pid:#9284]  INFO -- : [*] http://localhost/mambo/administrator/popups/modulewindow.php
Fatal error:  Call to undefined function mosGetParam() in /home/victim/public_html/mambo/administrator/popups/modulewindow.php on line 16
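The two steps the description implies (derive request targets from the local source tree, then grep each response for a PHP error that leaks an absolute path) as an added Ruby example. This is not inspathx's own code; it assumes the web root maps one-to-one onto the source directory and uses only the standard library. The sample response body is constructed here (the first message is the one from the example output above, wrapped in the `<b>` tags PHP emits when html_errors is on), and the network step is a plain single-threaded loop with no thread pool.

```ruby
# Added example, not the inspathx project's code.
require 'find'
require 'net/http'
require 'uri'
require 'logger'
require 'tmpdir'

# PHP error messages that reveal an absolute filesystem path, e.g.
#   Fatal error:  Class 'x' not found in /var/www/app/a.php on line 857
#   Warning:  include(...): failed to open stream in C:\xampp\htdocs\b.php on line 3
PATH_DISCLOSURE_RE = %r{(?:Fatal error|Warning|Notice|Parse error):\s+(?<msg>.+?)\s+in\s+(?<path>(?:/|[A-Za-z]:[\\/])\S+?\.php)\s+on\s+line\s+(?<line>\d+)}

# Constructed sample body: what a PHP page with html_errors=On returns.
SAMPLE_BODY = <<~'HTML'
  <br />
  <b>Fatal error</b>:  Class 'mosDBTable' not found in <b>/home/victim/public_html/mambo/includes/core.classes.php</b> on line <b>857</b><br />
  <br />
  <b>Warning</b>:  include(missing.php): failed to open stream in <b>C:\xampp\htdocs\app\index.php</b> on line <b>3</b><br />
HTML

# Walk the local source tree and return the .php files as paths relative
# to src_dir; each one becomes a request target under the base URL.
def php_files(src_dir)
  files = []
  Find.find(src_dir) do |p|
    next unless File.file?(p) && p.end_with?('.php')
    files << p.sub(%r{\A#{Regexp.escape(src_dir)}/?}, '')
  end
  files.sort
end

# Join the base URL and a relative file path (assumes web root == src_dir).
def target_url(base_url, rel_path)
  base = base_url.end_with?('/') ? base_url : base_url + '/'
  URI.join(base, rel_path).to_s
end

# Strip HTML tags (so both plain and html_errors output match), then collect
# every path-disclosing error as {message:, path:, line:}.
def find_disclosures(body)
  plain = body.gsub(/<[^>]+>/, '')
  plain.scan(PATH_DISCLOSURE_RE).map do |msg, path, line|
    { message: msg, path: path, line: line.to_i }
  end
end

# Network step: request every target and log hits in the style of the
# example output. Not exercised offline; single-threaded for clarity.
def scan(src_dir, base_url, logger = Logger.new($stdout))
  hits = []
  php_files(src_dir).each do |rel|
    url = target_url(base_url, rel)
    body = Net::HTTP.get(URI(url))
    find_disclosures(body).each do |d|
      logger.info("[*] #{url}\n#{d[:message]} in #{d[:path]} on line #{d[:line]}")
      hits << d.merge(url: url)
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  # Offline demo on the constructed body; for a real run call
  # scan('/sources/phpmyadmin', 'http://localhost/phpmyadmin').
  find_disclosures(SAMPLE_BODY).each { |d| puts "#{d[:path]}:#{d[:line]}  #{d[:message]}" }
end
```

On the defensive side the same regex is useful on your own server logs or a staging crawl: a hit means display_errors is on in production and the fix is to turn it off (log errors to a file instead), which removes the disclosure regardless of how many files trigger it.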

Download (via SVN)

svn checkout inspathx-read-only 
