

FPD aka Full Path Disclosure



08-10-2012, 01:43 AM #1
Sho0ter
Hey everybody. Today we are going to talk about a very common web vulnerability, "Full Path Disclosure".
Overview:=
Full Path Disclosure (AKA FPD) vulnerabilities enable the attacker to see the internal path structure of an installation, e.g. /home/dir/htdocs/blahblah.

Severity:=Low to Medium

For FPD the severity level is said to be up to medium because usually it's not a vulnerability. It's more of an informational risk.
Most of the time it is not exploited itself. But it's a clue to exploitation of other web vulnerabilities like SQL injection's loadfile() or LFI etc.


Reason:=
It may sometimes be due to web server application misconfiguration which reveals error messages to website visitors. Sometimes, an application itself generates debugging error messages.

How To Generate An FPD Error:=
As I said before, FPD can be very useful in cases like SQL injection's loadfile() or LFI. So what if you got a site vulnerable to SQL injection's loadfile() or LFI but you don't know the root path? There is nothing you can do to it. Once you get the root path you can continue your digging.
Below we are going to discuss some common, well-known and a few less-known methods of generating errors for FPD.


1-Empty Array
If we have a site that uses a method of requesting a page like this:

Quote:http://site.com/index.php?page=about

We can use a method of opening and closing braces that causes the page to output an error. This method would look like this:

Quote:http://site.com/index.php?page[]=about

This renders the page defunct thus spitting out an error:

Quote:Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131


2-Null Session Cookie

Another popular and very reliable method of producing errors containing an FPD is to give the page a nulled session using Javascript Injections. A simple injection using this method would look something like so:

PHP Code:
javascript:void(document.cookie="PHPSESSID="); 

By simply setting the PHPSESSID cookie to nothing (null) we get an error.

Quote:Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

Errors can contain useful information for the site owner, so instead of disabling error reporting altogether, it is possible to only hide errors from output with display_errors.

3-Dorks:


We can also use dorks to find the errors on a specific site.
Warning: * [function.*]: site:yourtargeritehere.

I prefer using bing.com for this purpose, especially when I have to search a full server for an error message.
ip:xxx.xxx.xxx.xx sql error
ip:xxx.xxx.xxx.xx fatal error
ip:xxx.xxx.xxx.xx warning:* [function.*]

The creativity of your dorks is up to you.

4-Using SQL Injection Loadfile()
This is also a very good possibility. I am going to discuss it later in another tutorial.

How to Patch FPD:=
This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.
error_reporting(0);

php.ini
PHP Code:
display_errors = Off

httpd.conf
PHP Code:
php_flag  display_errors  off 

Tools
https://code.google.com/p/inspathx/

References:
http://yehg.net/l
https://www.owasp.org/index.php/Full_Path_Disclosure


Sho0ter
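
A hardened front controller for the cases in the tutorial above, as an added example that is not part of the original post: it logs errors server-side instead of displaying them, and rejects the `page[]` and empty `PHPSESSID` inputs before they reach code that warns. The log path, the page names and the `pages/` layout are assumptions.

```php
<?php
// Added example, not code from the original post.
// ini_set() only covers runtime errors; set the same values in php.ini
// so startup and parse errors are hidden from responses as well.

// 1. Report everything, display nothing, log to a file outside the web root.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-error.log'); // assumed path

// 2. Uncaught exceptions: full detail goes to the log, the visitor gets a generic page.
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage()
        . ' at ' . $e->getFile() . ':' . $e->getLine());
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
    exit;
});

// 3. page[]=about arrives as an array. Accept only a string from an allow-list,
//    so nothing user-controlled reaches opendir() or require.
$pages = ['home', 'about', 'contact']; // hypothetical page names
$page  = $_GET['page'] ?? 'home';
if (!is_string($page) || !in_array($page, $pages, true)) {
    http_response_code(404);
    exit('Page not found.');
}

// 4. An empty or malformed session cookie makes session_start() emit a warning.
//    Drop the bad value first so PHP issues a fresh session ID instead.
$name = session_name();
if (isset($_COOKIE[$name])) {
    $sid = $_COOKIE[$name];
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid)) {
        unset($_COOKIE[$name]);
    }
}
session_start();

require __DIR__ . '/pages/' . $page . '.php'; // hypothetical layout
```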

08-10-2012, 02:58 AM #2
H4x0rl1f3
Thanks



08-10-2012, 03:09 AM #3
Hitcher
Great share brother, it's really informative, keep it up bro

08-10-2012, 03:46 AM #4
CutY
Nice share...

08-10-2012, 05:14 AM #5
Tor Demon
Nice share


08-10-2012, 06:31 AM #6
P3NT3ST3R
Nice, I made a video for this before. I just posted it:

http://www.madleets.com/showthread.php?t...43#pid2443


08-10-2012, 11:17 PM #7
MindCracker
Nice But Also have to Add How to Exploit it For a Guys


08-11-2012, 03:44 AM #8
Sho0ter
MindCracker, you need to read the tutorial. I am pretty sure you replied without even reading what's written over there in the tutorial.
The answer to your question is already in the documentation.

Code:
For FPD the severity level is said to be up to medium because usually it's not a vulnerability. It's more of an informational risk.
Most of the time it is not exploited itself. But it's a clue to exploitation of other web vulnerabilities like SQL injection's loadfile() or LFI etc.


Sho0ter

08-11-2012, 06:18 AM #9
Invectus
Well written tutorial Sho0ter

08-17-2012, 07:38 PM #10
Pain006
cool nice tut Sho0ter
keep it up





