Full Path Disclosure Attack

Hello Today I will discuss on FPD web application attack.

What is Full Path Disclosure?

To put it simply, Full Path Disclosure (FPD) is the revelation of the full path of a given file. FPD is performed by causing an error within a targeted website, which in turn, spits out an error message for an attacker to see. FPD vulnerabilities are generally looked upon as low risk and are too often overlooked by web-masters as nothing to worry about, I will take care of it later. This can sometimes be a fatal mistake. 

When and why are path disclosure vulnerabilities useful?

While FPD vulnerabilities are low risk, they can be used in conjunction with other exploiting techniques and can often be the key to a successful hack. 

One example of such a relationship would be the use of an LFI (Local File Include) vulnerability partnered with FPD. With LFI, the attacker may not be able to find the containing folder for a certain file they wish to view (for example: config.php) or maybe the standard includes folder has been renamed. If an attacker can cause an error that will spit out the location of the folder, it would make the hack much faster, smoother and easier then trying to guess the path. The attacker might even get lucky and find that the web-master uses txt files to store database information rather then SQL (do not laugh, it happens).

How do I find a path disclosure vulnerability?

There are a number of ways to test for FPD vulnerabilities, each take little time to achieve. 

The first method is to find a page that calls from an array, for example: index.php?page=home. To check this for a vulnerability, one would add an inoperable value to the URL. There are a number of ways to do this. The most effective of which would be to add open and closed square brackets [] to the end of the page value, this makes the call for the page defunct. The URL for this example would be index.php?page[]=home. This method would call such errors as:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/www/example/kei/photo/index.php on line 297

Warning: pg_num_rows(): supplied argument is not a valid PostgreSQL result resource in /usr/home/example/html/pie/index.php on line 131

Another method that can cause an FPD is to add an inoperable value to a cookie. The easiest and most common of which is to null the session cookie. In order to do this, one must use Javascript injection to inject the invalid value. To do this, add the following line into the URL bar in a web browser: javascript:void(document.cookie='PHPSESSID='); (If you do not know how or why this works, refer to the Javascript injection article). This can cause the following error:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

Array[] Parameter Injection is made possible when a script is devising a call via the $_GET parameter. If the $_GET parameter is wrapped in a function that expects a string—for instance, htmlentities() or opendir()—but receives an array, it will result in an error message. The output of the error message will look similar to the following:

Warning: htmlentities() expects parameter 1 to be string, array given in /var/www/foobar.php on line 16
As the function is expecting that parameter to be a string, the result of the given array will render the parameter call defunct, outputting only the error from the function. 

How do I prevent such vulnerabilities?

The simplest way to prevent these vulnerabilities is to simply turn off error reporting within your server. This will immediately turn off any errors that may be caused. The problem with this method however is that if you do have a problem with one of your scripts, it can be hard to determine where and what the problem is without the aid of the error message. 

Regular expressions are also useful in disabling the errors, especially in the case of the cookie injection. With the array vulnerabilities, the is_array() function can be used to patch the vulnerability. The good thing about these last two methods is that you can also use them to echo fake errors to confuse your attacker. 


In conclusion, I would like to once again stress that these vulnerabilities are useful only in certain circumstances and wont allow you to penetrate a server/site with this technique alone. You will have to rely on other techniques in conjunction with this vulnerability or other insecure practices (bad file extensions etc). 

I hope you enjoyed the article and learned something from it. 

Thank you (zer0w0rm)

Pen-testing List of Labs

Vulnerable Web Applications
OWASP BWA http://code.google.com/p/owaspbwa/
OWASP Hackademic http://hackademic1.teilar.gr/
OWASP SiteGenerator https://www.owasp.org/index.php/Owasp_SiteGenerator
OWASP Bricks http://sourceforge.net/projects/owaspbricks/
OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
Damn Vulnerable Web App (DVWA) http://www.dvwa.co.uk/
Damn Vulnerable Web Services (DVWS) http://dvws.professionallyevil.com/
WebGoat.NET https://github.com/jerryhoff/WebGoat.NET/
PentesterLab https://pentesterlab.com/
Butterfly Security Project http://thebutterflytmp.sourceforge.net/
Foundstone Hackme Bank http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Foundstone Hackme Books http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Foundstone Hackme Casino http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Foundstone Hackme Shipping http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Foundstone Hackme Travel http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
LAMPSecurity http://sourceforge.net/projects/lampsecurity/
Moth http://www.bonsai-sec.com/en/research/moth.php
WackoPicko https://github.com/adamdoupe/WackoPicko
BadStore http://www.badstore.net/
WebSecurity Dojo http://www.mavensecurity.com/web_security_dojo/
BodgeIt Store http://code.google.com/p/bodgeit/
hackxor http://hackxor.sourceforge.net/cgi-bin/index.pl
SecuriBench http://suif.stanford.edu/~livshits/securibench/
SQLol https://github.com/SpiderLabs/SQLol
CryptOMG https://github.com/SpiderLabs/CryptOMG
XMLmao  https://github.com/SpiderLabs/XMLmao
Exploit KB Vulnerable Web App http://exploit.co.il/projects/vuln-web-app/
PHDays iBank CTF http://blog.phdays.com/2012/05/once-again-about-remote-banking.html
GameOver http://sourceforge.net/projects/null-gameover/
Zap WAVE http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip
PuzzleMall http://code.google.com/p/puzzlemall/
VulnApp http://www.nth-dimension.org.uk/blog.php?id=88
sqli-labs https://github.com/Audi-1/sqli-labs
Drunk Admin Web Hacking Challenge https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/
bWAPP http://www.mmeit.be/bwapp/
NOWASP / Mutillidae 2  http://sourceforge.net/projects/mutillidae/
SocketToMe http://digi.ninja/projects/sockettome.php
Vulnerable Operating System Installations
Damn Vulnerable Linux http://sourceforge.net/projects/virtualhacking/files/os/dvl/
Metasploitable http://sourceforge.net/projects/virtualhacking/files/os/metasploitable/
LAMPSecurity http://sourceforge.net/projects/lampsecurity/
UltimateLAMP http://www.amanhardikar.com/mindmaps/practice-links.html
heorot: DE-ICE, hackerdemia http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso
hackerdemia – http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso
pWnOS http://www.pwnos.com/
Holynix http://sourceforge.net/projects/holynix/files/
Kioptrix http://www.kioptrix.com/blog/
exploit-exercises – nebula, protostar, fusion http://exploit-exercises.com/download
PenTest Laboratory  http://pentestlab.org/lab-in-a-box/
RebootUser Vulnix http://www.rebootuser.com/?page_id=1041
neutronstar http://neutronstar.org/goatselinux.html
scriptjunkie.us  http://www.scriptjunkie.us/2012/04/the-hacker-games/
21LTR http://21ltr.com/scenes/
SecGame # 1: Sauron http://sg6-labs.blogspot.co.uk/2007/12/secgame-1-sauron.html
Pentester Lab https://www.pentesterlab.com/exercises
Vulnserver http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
TurnKey Linux http://www.turnkeylinux.org/
Bitnami https://bitnami.com/stacks
Elastic Server http://elasticserver.com
CentOS http://www.centos.org/
Sites for Downloading Older Versions of Various Software
Exploit-DB http://www.exploit-db.com/
Old Version http://www.oldversion.com/
Old Apps  http://www.oldapps.com/
VirtualHacking Repo sourceforge.net/projects/virtualhacking/files/apps%40realworld/
Sites by Vendors of Security Testing Software
Acunetix acuforum http://testasp.vulnweb.com/
Acunetix acublog http://testaspnet.vulnweb.com/
Acunetix acuart http://testphp.vulnweb.com/
Cenzic crackmebank http://crackme.cenzic.com
HP freebank http://zero.webappsecurity.com
IBM altoromutual http://demo.testfire.net/
Mavituna testsparker http://aspnet.testsparker.com
Mavituna testsparker http://php.testsparker.com
NTOSpider Test Site http://www.webscantest.com/
Sites for Improving Your Hacking Skills
EnigmaGroup http://www.enigmagroup.org/
Exploit Exercises http://exploit-exercises.com/
Google Gruyere http://google-gruyere.appspot.com/
Gh0st Lab http://www.gh0st.net/
Hack A Server  https://hackaserver.com/
Hack This Site  http://www.hackthissite.org/
HackThis  http://www.hackthis.co.uk/
HackQuest http://www.hackquest.com/
Hack.me https://hack.me
Hacking-Lab https://www.hacking-lab.com
Hacker Challenge http://www.dareyourmind.net/
Hacker Test http://www.hackertest.net/
hACME Game http://www.hacmegame.org/
Hax.Tor http://hax.tor.hu/
OverTheWire http://www.overthewire.org/wargames/
PentestIT  http://www.pentestit.ru/en/
p0wnlabs  http://p0wnlabs.com/
pwn0 https://pwn0.com/home.php
RootContest http://rootcontest.com/
Root Me http://www.root-me.org/?lang=en
Security Treasure Hunt http://www.securitytreasurehunt.com/
Smash The Stack http://www.smashthestack.org/
TheBlackSheep and Erik  http://www.bright-shadows.net/
ThisIsLegal http://thisislegal.com/
Try2Hack http://www.try2hack.nl/
WabLab http://www.wablab.com/hackme
XSS: Can You XSS This? http://canyouxssthis.com/HTMLSanitizer/
XSS: ProgPHP http://xss.progphp.com/
CTF Sites / Archives
CTFtime (Details of CTF Challenges) http://ctftime.org/ctfs/
shell-storm Repo http://shell-storm.org/repo/CTF/
CAPTF Repo http://captf.com/
VulnHub https://www.vulnhub.com
CTF365 http://ctf365.com/
Hacker Cons http://hackercons.org/
Hat Force https://www.hatforce.com/
Intense School http://www.intenseschool.com/resources/
SECore https://secore.info/
Mobile Apps
ExploitMe Mobile Android Labs http://securitycompass.github.io/AndroidLabs/
ExploitMe Mobile iPhone Labs http://securitycompass.github.io/iPhoneLabs/
OWASP iGoat  http://code.google.com/p/owasp-igoat/
OWASP Goatdroid https://github.com/jackMannino/OWASP-GoatDroid-Project
Damn Vulnerable iOS App (DVIA) http://damnvulnerableiosapp.com/
Damn Vulnerable Android App (DVAA) https://code.google.com/p/dvaa/
Damn Vulnerable FirefoxOS Application (DVFA) https://github.com/pwnetrationguru/dvfa/
NcN Wargame http://noconname.org/evento/wargame/
Hacme Bank Android http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx
InsecureBank http://www.paladion.net/downloadapp.html
VulnVPN http://www.rebootuser.com/?page_id=1041
VulnVoIP http://www.rebootuser.com/?page_id=1041
NETinVM http://informatica.uv.es/~carlos/docencia/netinvm/
GNS3 http://sourceforge.net/projects/gns-3/
XAMPP https://www.apachefriends.org/index.html

Thank you (zer0w0rm)