- Joined
- 11 yrs. 6 mth. 27 days
- Messages
- 5,381
- Reaction score
- 18,380
- Age
- 45
- Wallet
- 11,590$
- [email protected]
Full Path Disclosure Tutorial
In this little write up today, I am going to try and explain you what 'FPD' is, how to detect it, analyze it, and some pretty good methods of finding it in the wild.
/* Note that my write up was intended to PHP-based websites, but some of the methods works for ASP/ASPX too. */
/* I never imply myself to be an expert. If you see any mistakes - You know what to do! */
But first... The hell is FPD?
'FPD' (Stands for Full Path Disclosure) is one of the most common methods of attacks (While I doubt this kind of action categorized as a form of an attack, it is still a highly-related method of website security testing), that Pen-testers / Hackers / whatever use in order to gain an error which will expose the full installation path of the targeted site.
Why is this happening?
By default (Don't quote me here. Some web-services and packages disable this function, but partly in most cases), the PHP error reporting function -
error_reporting(0);
'1' = On. ==> 0 = Off.
Any kind of PHP error that happens when you load up a page will display itself on the page. That error is meant to notify the programmer about a coding glitch on his page.
The common error would basically look something similar to this -
Warning: function(function.name) [Function_name]: Some brief summery in /home/user-name/public_html/website.pony/rawr.php on line 126
The regular programmer would take in account everything, expect the full path, which does not interest him that much (Aside from the file name itself)... Unlike the intruder.
Now the question is: Why is the path needed?
Because, it is a must-have detail at some cases of those three attacks:
SQL Injection using load_file() & outfile
Those two SQL Queries (Also the 'dumpfile' query, so make it three) require the full path of the targeted directory in order to execute themselves.
Example:
/**/load_file('/home/pony/www/httpdocs/public_html/index.php')--
/**/into outfile '/home/pony/www/httpdocs/public_html/rawr.txt'--
Local File Inclusion (LFI)
Some variants of LFI attacks won't allow you to poison logs / use filters, so you can try loading your own way through the site.
Symbolic linking (Symlinking)
At some cases, when uploading a shell is not an option, you'd rather know the path in order to work a symbolic link - A shortcut.
And more methods which I can't come up with as for this moment.
So, How to cause it?
Oh, there's quite a few methods:
[#] Transforming X type of variables to type Y
==>
Let's say 'err' is a number-y variable. It means, it could only $_GET numbers to it's related code.
Sooo... Try to insert a string instead. Might work.
[#] Using false file names
==>
Possible Output:
Warning: require(ThisDoesNotExist.php) [function.require]: failed to open stream: No such file or directory in /home/content/g/a/r/gardenlover/html/admin/index.php on line 25
Fatal error: require() [function.require]: Failed opening required 'ThisDoesNotExist.php' (include_path='.:/usr/local/php5/lib/php') in /home/content/g/a/r/gardenlover/html/admin/index.php on line 25
The script is including every kind name that goes through the $_GET, and prints the file under the requested name. Now, what will happen if we include a non-existing file?... ^This.
[#] Awkward 404 error pages - IIS Servers
==>
NOTE: This method will work most of the times under a windows based platform. To be accurate, it'll work mainly on the IIS servers, where the 404 error page (Which is a page you get redirected upon entering a page that doesn't exist. And no, just plain entering, without include() ) spills a BIT TOO MUCH info. So yeah, expect this from mostly .ASP / ASPX based sites.
[#] Basically messing around with the value of the parameter
==>
==>
==> !
Sometimes, the value will be limited to only one style of inputs, and any kind of tweak would result a "Divided By Zero" PHP error.
[#] braces.
==>
Well, it is messing up the parameter in a different way, so it's a different method xD
I believe this has something to do with the whole array usage at PHP (Uses braces?), not sure though.
Possible output:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
[#] Messing around with the COOKIEZ
javascript:void(document.cookie="PHPSESSID="); <== Into your browser
(Does also possible from a cookie editor browser addon)
So, what did we just done?
Simple - We changed the value of the 'PHPSESSID' cookie (A default cookie name, found in probably-every-site-that-uses-cookies) into... Nothing. It becomes null.
Which, as you already guessed, fucks up something at the session:
Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
You can try and edit other cookies of the site as well. In addition, you can also junk the cookie with illegal characters, and stuff like that.
[#] SQLi fuckery
==>
==>
==>
==>
==>
Possible Output:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/user14/domains/rawr.com/public_html/page.php on line 666
Creating an SQL data synthesizing error, which in result, will reveal us the asked FPD.
[#] Inner-library-files-thingie
==>
Traveling into inner files that has an undefined / defined twice functions will might result an output of the full FPD.
In this little write up today, I am going to try and explain you what 'FPD' is, how to detect it, analyze it, and some pretty good methods of finding it in the wild.
/* Note that my write up was intended to PHP-based websites, but some of the methods works for ASP/ASPX too. */
/* I never imply myself to be an expert. If you see any mistakes - You know what to do! */
But first... The hell is FPD?
'FPD' (Stands for Full Path Disclosure) is one of the most common methods of attacks (While I doubt this kind of action categorized as a form of an attack, it is still a highly-related method of website security testing), that Pen-testers / Hackers / whatever use in order to gain an error which will expose the full installation path of the targeted site.
Why is this happening?
By default (Don't quote me here. Some web-services and packages disable this function, but partly in most cases), the PHP error reporting function -
error_reporting(0);
'1' = On. ==> 0 = Off.
Any kind of PHP error that happens when you load up a page will display itself on the page. That error is meant to notify the programmer about a coding glitch on his page.
The common error would basically look something similar to this -
Warning: function(function.name) [Function_name]: Some brief summery in /home/user-name/public_html/website.pony/rawr.php on line 126
The regular programmer would take in account everything, expect the full path, which does not interest him that much (Aside from the file name itself)... Unlike the intruder.
Now the question is: Why is the path needed?
Because, it is a must-have detail at some cases of those three attacks:
SQL Injection using load_file() & outfile
Those two SQL Queries (Also the 'dumpfile' query, so make it three) require the full path of the targeted directory in order to execute themselves.
Example:
/**/load_file('/home/pony/www/httpdocs/public_html/index.php')--
/**/into outfile '/home/pony/www/httpdocs/public_html/rawr.txt'--
Local File Inclusion (LFI)
Some variants of LFI attacks won't allow you to poison logs / use filters, so you can try loading your own way through the site.
Symbolic linking (Symlinking)
At some cases, when uploading a shell is not an option, you'd rather know the path in order to work a symbolic link - A shortcut.
And more methods which I can't come up with as for this moment.
So, How to cause it?
Oh, there's quite a few methods:
[#] Transforming X type of variables to type Y
==>
Let's say 'err' is a number-y variable. It means, it could only $_GET numbers to it's related code.
Sooo... Try to insert a string instead. Might work.
[#] Using false file names
==>
Possible Output:
Warning: require(ThisDoesNotExist.php) [function.require]: failed to open stream: No such file or directory in /home/content/g/a/r/gardenlover/html/admin/index.php on line 25
Fatal error: require() [function.require]: Failed opening required 'ThisDoesNotExist.php' (include_path='.:/usr/local/php5/lib/php') in /home/content/g/a/r/gardenlover/html/admin/index.php on line 25
The script is including every kind name that goes through the $_GET, and prints the file under the requested name. Now, what will happen if we include a non-existing file?... ^This.
[#] Awkward 404 error pages - IIS Servers
==>
NOTE: This method will work most of the times under a windows based platform. To be accurate, it'll work mainly on the IIS servers, where the 404 error page (Which is a page you get redirected upon entering a page that doesn't exist. And no, just plain entering, without include() ) spills a BIT TOO MUCH info. So yeah, expect this from mostly .ASP / ASPX based sites.
[#] Basically messing around with the value of the parameter
==>
==>
==> !
Sometimes, the value will be limited to only one style of inputs, and any kind of tweak would result a "Divided By Zero" PHP error.
[#] braces.
==>
Well, it is messing up the parameter in a different way, so it's a different method xD
I believe this has something to do with the whole array usage at PHP (Uses braces?), not sure though.
Possible output:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
[#] Messing around with the COOKIEZ
javascript:void(document.cookie="PHPSESSID="); <== Into your browser
(Does also possible from a cookie editor browser addon)
So, what did we just done?
Simple - We changed the value of the 'PHPSESSID' cookie (A default cookie name, found in probably-every-site-that-uses-cookies) into... Nothing. It becomes null.
Which, as you already guessed, fucks up something at the session:
Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
You can try and edit other cookies of the site as well. In addition, you can also junk the cookie with illegal characters, and stuff like that.
[#] SQLi fuckery
==>
==>
==>
==>
==>
Possible Output:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/user14/domains/rawr.com/public_html/page.php on line 666
Creating an SQL data synthesizing error, which in result, will reveal us the asked FPD.
[#] Inner-library-files-thingie
==>
Traveling into inner files that has an undefined / defined twice functions will might result an output of the full FPD.