sqlmap often has the need for the user to input the web server root's full path for things like uploading a shell, reading files, etc. I believe sqlmap has some built-in techniques, such as attempting to guess the path from known common configurations.
To expand on this, I propose that sqlmap attempt to cause errors in the application by using known techniques, as detailed here http://blog.dewhurstsecurity.com/2011/10/05/full-path-disclosure-fpd.html and here https://www.owasp.org/index.php/Full_Path_Disclosure
Here is some very high-level pseudocode:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

# Main FPD class (high-level sketch: each method documents the request
# variation it would send; bodies are placeholders)
class FullPathDisclosure(object):
    def empty_array(self):
        # Original: http://site.com/index.php?page=about
        # Crafted: http://site.com/index.php?page[]=about
        pass

    def invalid_session_cookie(self):
        # Original: Cookie: PHPSESSID=ef7f786sd78f6ds78f6;
        # Crafted: Cookie: PHPSESSID=;
        # Crafted: Cookie: PHPSESSID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
        # Crafted: Cookie: PHPSESSID=.;
        pass

    def direct_object_reference(self):
        # Popular known pages that give FPD.
        # http://localhost/wp/wp-includes/wp-db.php
        pass

    def invalid_file_names(self):
        # Original: http://www.host.com/default.aspx
        # Crafted: http://www.host.com/default~.aspx
        pass

    def parse_fpd(self, response_body):
        # Extract FPD from errors using regex.
        pass
The crawler could also potentially use the FullPathDisclosure class to search each page it visits for FPD, just running the regex against each page and/or actively testing each page for empty arrays, etc.
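The `parse_fpd` step above is the part a crawler would run against every page it visits; the following added example (not sqlmap's code, and not from the issue author) shows one way to do that extraction, plus the derivation of the document root that sqlmap actually needs. Function names, the path regex and the sample PHP warnings are all assumptions constructed for this illustration.

```python
import re
from typing import List, Optional

# Constructed sample response bodies (not captured from any real site): the
# kind of PHP warnings that a broken session id or an empty include name
# produces when display_errors is on, plus one clean page as a control.
SAMPLE_RESPONSES = [
    "<b>Warning</b>: session_start(): The session id is too long or contains "
    "illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in "
    "<b>/var/www/html/includes/session.php</b> on line <b>12</b>",
    "Warning: include(): Filename cannot be empty in "
    "C:\\inetpub\\wwwroot\\app\\index.php on line 44",
    "<html><body>All good, nothing leaked here.</body></html>",
]

# Absolute Unix paths or Windows drive paths that end in a server-side script.
# Segments are limited to word characters, dots and dashes so HTML tags and
# punctuation around the path do not get swallowed into the match.
PATH_RE = re.compile(
    r"(?:/(?:[\w.-]+/)+[\w.-]+\.(?:php|aspx?|jsp|cgi|pl))"
    r"|(?:[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+\.(?:php|aspx?|jsp|cgi|pl))"
)


def extract_paths(body: str) -> List[str]:
    """Return every absolute script path leaked in a response body."""
    return PATH_RE.findall(body)


def guess_web_root(leaked_path: str, request_path: str) -> Optional[str]:
    """Derive the document root by stripping the requested URL path from the
    leaked filesystem path. Returns None when the leaked file is not the one
    that was requested (an include deeper in the tree, for instance), since
    the root cannot be inferred reliably in that case."""
    sep = "\\" if ":\\" in leaked_path else "/"
    normalized = request_path.lstrip("/").replace("/", sep)
    if leaked_path.endswith(sep + normalized):
        return leaked_path[: -len(sep + normalized)]
    return None


def scan_responses(responses: List[str]) -> List[str]:
    """Collect all leaked paths across a batch of crawled pages."""
    found: List[str] = []
    for body in responses:
        found.extend(extract_paths(body))
    return found
```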