Inspathx

Web application developers sometimes omit safety checks (authentication, guards against direct file inclusion) in individual source files, which can lead to disclosure of sensitive information when application URLs are requested directly. Sometimes the disclosure is also a clue to a file inclusion vulnerability. For open-source applications, the source code can be downloaded and checked to find such information.

This script does that job. First, download the source archive of the open-source application you want to check. Second, extract it. Third, feed the extracted path to inspathx.
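To show the kind of disclosure described above, here is an added example (not inspathx code) that checks response bodies from your own application for PHP error messages that reveal a server-side path. The regexp, the function names and the sample responses are constructed for illustration; inspathx's built-in regexps are not shown on this page.

```ruby
# Added example, not inspathx code. The regexp and the sample responses
# below are constructed for illustration.

# Matches PHP error text such as
#   "Warning: <message> in /srv/app/file.php on line 12"
# once HTML tags are stripped. Accepts Unix and Windows absolute paths.
PHP_ERROR = %r{
  (?<level>Fatal\ error|Parse\ error|Warning|Notice|Deprecated)\s*:\s*
  (?<message>.*?)\s+in\s+
  (?<path>(?:/|[A-Za-z]:[\\/]).+?)
  \s+on\s+line\s+(?<line>\d+)
}x

# Return one hash per server-side path disclosed in a response body.
def find_path_disclosures(body)
  text = body.gsub(/<[^>]+>/, '') # drop the <b>/<br /> markup PHP adds
  findings = []
  text.scan(PHP_ERROR) do
    m = Regexp.last_match
    findings << { level: m[:level], path: m[:path], line: m[:line].to_i }
  end
  findings.uniq
end

# Given { url => body }, keep only the URLs whose response leaks a path.
def audit(responses)
  responses.each_with_object({}) do |(url, body), report|
    hits = find_path_disclosures(body)
    report[url] = hits unless hits.empty?
  end
end

# Constructed sample responses (URLs and paths are placeholders).
SAMPLE_RESPONSES = {
  'http://localhost/phpmyadmin/libraries/sample.php' =>
    "<br />\n<b>Fatal error</b>:  Call to undefined function helper() in " \
    "<b>/var/www/phpmyadmin/libraries/sample.php</b> on line <b>12</b><br />\n",
  'http://localhost/wp/theme/index.php' =>
    'Warning: include(header.php): failed to open stream in ' \
    'C:\inetpub\wwwroot\wp\theme\index.php on line 3',
  'http://localhost/wp/login.php' => '<html><body>Login required</body></html>'
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RESPONSES).each do |url, hits|
    hits.each { |h| puts "#{url}: #{h[:level]} discloses #{h[:path]}:#{h[:line]}" }
  end
end
```

Any URL this reports is a page where PHP error output reaches the client; setting `display_errors` to `Off` in production and logging errors server-side removes the disclosure.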

Usage

Prerequisites

You will need Subversion:

$ sudo apt-get install subversion

As well as some Ruby libraries:

$ sudo apt-get install ruby libopenssl-ruby

Download

$ mkdir -p /pentest/web/
$ cd /pentest/web/
$ svn co http://inspathx.googlecode.com/svn/trunk/ inspathx

Basic syntax

Usage: inspath [options]

Options

-d, --dir <path>
    Set source code directory/source path definition file of application [optional]
-u, --url <url>
    Set url [Required if -g option is not specified]
-t, --threads <threads>
    Set thread number(default 10)
-l, --language <lang>
    Set language [php,asp,aspx,jsp,jspx,cfm,all](default all - means scan all)
-m, --method <type>
    Http method 'GET'|'POST'(default: GET)
-h, --headers <headers>
    Add http header(eg. "cookie: sid[%00]=1\r\nX-pingback:: %00")
-q, --data
    Http get/post data(e.g "a=<script>&b=../../../")
-n, --null-cookie
    Add null session cookie(no need to specify cookie name).
-f, --follow
    Follow http redirection
-p, --param-array
    Identify parameters in target url,make 'em array & request (--data value untouched)
-r, --regexp <regexp>
    Specify your own regexp to search in returned responses(eg: "require\(([a-zA-Z.\/\.-]+)\)")[will combine with built-in regexp]
-g, --gen <file>
    Read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.
--rm
    remove source directory used to generate path file list
-c, --comment <string>
    Comment for path definition file to be used with -g and -d options.
    Date is automatically appended.
-x, --extension <ext>
    Set file extensions (php4,php5,...)
    Default regex: php4,php5,php6,php,asp,aspx,jsp,jspx
--x-p
    Show only paths in console and write them to file with path_vuln.txt sufix.
    This does not contain target url portion.
-s, --search <string>
    Search path definition files in paths/ & paths_vuln/ directories

Examples

Usage syntax examples

$ ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin
$ ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20 -l php
$ ruby inspathx.rb -d /sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx -n
$ ruby inspathx.rb -d /sources/wordpress -g paths/wordpress-3.0.4
$ ruby inspathx.rb -d paths/wordpress-3.0.4 -u http://localhost/wp