Further Full Path Disclosure (FPD) Techniques #1895

Open
ethicalhack3r opened this Issue May 25, 2016 · 3 comments


@ethicalhack3r

sqlmap often has the need for the user to input the web server root's full path for things like uploading a shell, reading files, etc. I believe sqlmap has some built in techniques such as attempting to guess the path from known common configurations.

To expand on this I propose that sqlmap attempts to cause errors in the application by using known techniques as detailed here http://blog.dewhurstsecurity.com/2011/10/05/full-path-disclosure-fpd.html and here https://www.owasp.org/index.php/Full_Path_Disclosure

Here is some very high level pseudocode:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import re

# Main FPD class
class FullPathDisclosure(object):
    def empty_array(self, url):
        # Original: http://site.com/index.php?page=about
        # Crafted: http://site.com/index.php?page[]=about
        # Turn the first query parameter into an array parameter.
        return re.sub(r"([?&][^=&]+)=", r"\1[]=", url, count=1)

    def invalid_session_cookie(self):
        # Original: Cookie: PHPSESSID=ef7f786sd78f6ds78f6;
        # Crafted: Cookie: PHPSESSID=;
        # Crafted: Cookie: PHPSESSID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
        # Crafted: Cookie: PHPSESSID=.;
        # Return the crafted cookie values (empty, over-long, invalid character).
        return ["PHPSESSID=;", "PHPSESSID=%s;" % ("A" * 128), "PHPSESSID=.;"]

    def direct_object_reference(self):
        # Popular known pages that give FPD.
        # http://localhost/wp/wp-includes/wp-db.php
        return ["/wp/wp-includes/wp-db.php"]

    def invalid_file_names(self, url):
        # Original: http://www.host.com/default.aspx
        # Crafted: http://www.host.com/default~.aspx
        # Insert '~' before the file extension of the requested resource.
        return re.sub(r"(\.[A-Za-z0-9]+)(\?|$)", r"~\1\2", url, count=1)

    def parse_fpd(self, body):
        # Extract FPD from errors using regex.
        # Absolute Unix or Windows file paths with at least one directory component.
        return re.findall(r"(?:[A-Za-z]:\\|/)(?:[\w.~\-]+[\\/])+[\w.~\-]+\.\w+", body)

The crawler could also potentially use the FullPathDisclosure class to search each page it visits for FPD, just running regex against each page, and/or actively testing each page for empty arrays, etc.
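What the parser step above would have to do in practice, as an added example that is not part of this issue or of sqlmap's code: pull the disclosed path out of an error page, then derive the document root that sqlmap needs by subtracting the requested URL path from it. The sample responses are constructed and the function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Absolute Unix (/var/www/...) or Windows (C:\inetpub\...) file path with at
# least one directory component, as it appears in PHP / ASP.NET error output.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.~\-]+[\\/])+[\w.~\-]+\.[A-Za-z0-9]+")

# Constructed sample responses (hypothetical, not captured from any host).
SAMPLES = [
    ("http://site.com/index.php?page[]=about",
     "<b>Warning</b>: in_array() expects parameter 2 to be array, string given "
     "in <b>/var/www/html/index.php</b> on line <b>12</b>"),
    ("http://www.host.com/default~.aspx",
     "Server Error in '/' Application. Could not find file "
     "'C:\\inetpub\\wwwroot\\default~.aspx'."),
]

def extract_paths(body):
    """Return the distinct absolute file paths disclosed in a response body."""
    found = []
    for path in PATH_RE.findall(body):
        if path not in found:
            found.append(path)
    return found

def guess_webroot(request_url, disclosed_path):
    """Derive the document root: the disclosed script path minus the URL path.
    Returns None when the disclosed file is not the requested script."""
    url_path = urlparse(request_url).path          # e.g. /index.php
    norm = disclosed_path.replace("\\", "/")       # compare with one separator
    if not url_path or not norm.endswith(url_path):
        return None
    root = norm[:len(norm) - len(url_path)]
    if "\\" in disclosed_path:                     # restore Windows separators
        root = root.replace("/", "\\")
    return root or "/"

def disclosed_webroots(samples):
    """Map each request URL to (disclosed paths, derived webroot or None)."""
    result = {}
    for url, body in samples:
        paths = extract_paths(body)
        root = next((r for r in (guess_webroot(url, p) for p in paths) if r), None)
        result[url] = (paths, root)
    return result
```

A path that does not end with the requested URL path (for example a disclosed include file rather than the script itself) yields None, so the caller falls back to sqlmap's usual path guessing.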

@stamparm stamparm self-assigned this May 25, 2016
@stamparm stamparm added this to the 1.1 milestone May 25, 2016
@iwantaturboman

If this could be implemented, an "admin panel finder" could also find its place.
What do you think?

@erwinsalarda

Very nice suggestion. Including the Cloudflare protected website. The IT
team in my country are too lazy to update some security bugs on our gov
website. Even when we send them the bugs. So we need to teach them some lesson.
One of our trusted gov websites is vulnerable through SQLi and I found the
admin account but Cloudflare kicks in when I try to locate the
admin panel.

Sorry for my poor English.

@stormwin

Finding an admin panel is not related to SQL injections. Try other tools for that.
