Inspathx
Description
Inspathx is a tool developed by YGN Ethical Hacker Group. It uses the local sources of an application (php, asp[x], jsp[x], cfm) to build requests to the corresponding URLs and searches the responses for path inclusion error messages.
Read this article for more information about path disclosure: http://yehg.net/lab/pr0js/articles/path_disclosure_vulnerability.txt?1296463845
Installation
Pre-requisites
You will need Subversion:
$ sudo apt-get install subversion
As well as some Ruby libraries:
$ sudo apt-get install ruby libopenssl-ruby
Download
Inspathx is a simple Ruby executable file and doesn't require any installation. To download it, issue the following commands:
$ mkdir -p /pentest/web/
$ cd /pentest/web/
$ svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
Usage
Basic syntax
Usage: inspath [options]
Options
- -d, --dir <path>
- Set source code directory/source path definition file of application [optional]
- -u, --url <url>
- Set url [Required if -g option is not specified]
- -t, --threads <threads>
- Set thread number
- (default 10)
- -l, --language <lang>
- Set language [php,asp,aspx,jsp,jspx,cfm,all]
- (default all - means scan all)
- -m, --method <type>
- Http method 'GET'|'POST'
- (default: GET)
- -h, --headers <headers>
- Add http header
- (eg. "cookie: sid[%00]=1\r\nX-pingback:: %00")
- -q, --data
- Http get/post data
- (e.g "a=<script>&b=../../../")
- -n, --null-cookie
- Add null session cookie
- (no need to specify cookie name).
- -f, --follow
- Follow http redirection
- -p, --param-array
- Identify parameters in target url, make them arrays & request (--data value untouched)
- -r, --regexp <regexp>
- Specify your own regexp to search in returned responses
- (eg: "require\(([a-zA-Z.\/\.-]+)\)")
- [will combine with built-in regexp]
- -g, --gen <file>
- Read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.
- --rm
- Remove source directory used to generate path file list
- -c, --comment <string>
- Comment for path definition file to be used with -g and -d options.
- Date is automatically appended.
- -x, --extension <ext>
- Set file extensions (php4,php5,...)
- Default regex: php4,php5,php6,php,asp,aspx,jsp,jspx
- --x-p
- Show only paths in console and write them to file with path_vuln.txt suffix.
- This does not contain target url portion.
- -s, --search <string>
- Search path definition files in paths/ & paths_vuln/ directories
Examples
Usage syntax examples
$ ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin
$ ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20 -l php
$ ruby inspathx.rb -d /sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx -n
$ ruby inspathx.rb -d /sources/wordpress -g paths/wordpress-3.0.4
$ ruby inspathx.rb -d paths/wordpress-3.0.4 -u http://localhost/wp
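The two halves of the last two commands above (building a path list from a source tree the way -g does, then checking server responses for a leaked server-side path), as an added Ruby example that is not the tool's own code: the response patterns and the sample bodies are constructed here, since the page does not list inspathx's built-in regexes.

```ruby
require 'find'
require 'fileutils' # fileutils/tmpdir are only needed when building a throwaway tree
require 'tmpdir'

# Default extension list the page gives for -x.
DEFAULT_EXTENSIONS = %w[php4 php5 php6 php asp aspx jsp jspx].freeze

# Sorted relative paths of source files under +source_dir+ (what -g writes to a path definition file for -d).
def generate_path_list(source_dir, exts = DEFAULT_EXTENSIONS)
  root = File.expand_path(source_dir)
  paths = []
  Find.find(root) do |path|
    next unless File.file?(path)
    ext = File.extname(path).delete_prefix('.').downcase
    paths << path.delete_prefix("#{root}/") if exts.include?(ext)
  end
  paths.sort
end

# Constructed patterns (not the tool's built-in list) for an absolute Unix or
# Windows path to a server-side source file appearing in a response body.
SOURCE_EXT = /\.(?:php\d?|asp|aspx|jsp|jspx|cfm)\b/i
PATH_DISCLOSURE_PATTERNS = [
  /(?<![\w.\/])\/(?:var|usr|home|srv|opt|www|etc|tmp|Users)(?:\/[\w.-]+)+#{SOURCE_EXT}/,
  /\b[A-Za-z]:\\(?:[\w .-]+\\)+[\w .-]+#{SOURCE_EXT}/
].freeze

# Constructed sample bodies: a PHP warning (display_errors on), an ASP.NET error
# page, and a clean page whose root-relative link must not be reported.
SAMPLE_RESPONSES = {
  'includes/config.php' => 'Warning: require(../lib/db.php): failed to open stream: ' \
    'No such file or directory in /var/www/html/app/includes/config.php on line 12',
  'Default.aspx' => "Server Error in '/' Application. " \
    "Source File: C:\\inetpub\\wwwroot\\app\\Default.aspx    Line: 27",
  'index.php' => '<html><body><a href="/app/index.php">Home</a></body></html>'
}.freeze

# Paths disclosed in one response body (empty array when the body is clean).
def find_disclosed_paths(body)
  PATH_DISCLOSURE_PATTERNS.flat_map { |re| body.scan(re) }.uniq
end

# Map each request path to the paths its response leaks, skipping clean ones.
def scan_responses(responses = SAMPLE_RESPONSES)
  responses.each_with_object({}) do |(req, body), hits|
    leaks = find_disclosed_paths(body)
    hits[req] = leaks unless leaks.empty?
  end
end
```

The Unix pattern deliberately requires a common filesystem root so root-relative links in normal HTML are not reported; the -r option is the place to add a pattern for a host whose web root lives elsewhere.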
The search feature lets you look for existing entries in /paths and /paths_vuln. Here is an example:
$ ruby inspathx.rb -s dvwa
=============================================================
Path Discloser (a.k.a inspathx) / Error Hunter
(c) Aung Khant, aungkhant[at]yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/
svn co http://inspathx.googlecode.com/svn/trunk/ inspathx
=============================================================
~ searching for "dvwa" in path definition directories ...
--> paths/dvwa-1.0.7
--> paths_vuln/dvwa-1.0.7
~ 2 files found
Non vulnerable application
Vulnerable applications
Identified known applications
Proof of Concept
The following applications have been tested with Inspathx. The latter has identified these applications as vulnerable: