
Full Path Disclosure

 
References:
https://www.owasp.org/index.php/Full_Path_Disclosure
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

(I) Impact
1) /var/www/html
Knowing the absolute path of the web root can aid directory traversal or LFI attacks.
2) /home/vicky/public_html/
The system user name vicky is leaked, allowing an attacker to brute-force that account.
3) /data/secrets/financial/
The directory is not inside the web root; potentially sensitive information may be stored there.
(II) How to check
1) Empty array parameter
Example: if the link is http://site.com/index.php?page=about
we can request http://site.com/index.php?page[]=about instead
The response is:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131

2) Null session cookie
Use JavaScript (e.g. in the browser's address bar) to set an empty session cookie:
javascript:void(document.cookie="PHPSESSID=");

The response we get is:
Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

3) Invalid session cookie
a) Use an over-long session id
For example:
javascript:void(document.cookie='PHPSESSID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

b) Use a reserved character
For example: javascript:void(document.cookie='PHPSESSID=.');
Both cases return:
Warning: session_start(): The session id is too long or contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

4) Directly requesting files that are meant to be included
Example:
Web developers sometimes do not guard library/function files that are only meant to be included by other scripts, so requesting them directly easily leaks information.
For example, with Mambo CMS, if we visit http://site.com/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php we get
<br />
<b>Fatal error</b>:  Class 'SpellChecker' not found in <b>/home/victim/public_html/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php</b> on line <b>9</b><br />
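When reviewing an application for this class of leak, the useful follow-up is to triage the captured responses in bulk: pull out every absolute path a PHP error message reveals and map it onto the impact categories above (web-root layout, system user name, path outside the web root). The following Python script is an added example written for this page; it is not code from the original post, from PHP, or from any tool mentioned here. The regular expressions, the list of web-root directory names and the sample response bodies are my own constructions (the bodies reproduce the error formats quoted above, plus one constructed response using the /data/secrets/financial/ path from the impact section).

```python
"""Triage full-path-disclosure (FPD) findings in captured HTTP response bodies.

Added example for this page; not from the original post or any tool it names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# PHP error lines as they appear in the post: plain text (html_errors off)
# or wrapped in <b> tags (html_errors on). DOTALL lets a message span lines,
# as the session_start() warning does.
PHP_ERROR_RE = re.compile(
    r"(?:Warning|Fatal error|Notice|Parse error)(?:</b>)?:"
    r".*?\bin\s+(?:<b>)?(?P<path>/[^\s<]+)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)",
    re.DOTALL,
)

# Home-directory layouts (/home/<user>/ and /usr/home/<user>/): the first
# component after home/ is the system user name.
HOME_USER_RE = re.compile(r"^/(?:usr/)?home/([^/]+)/")

# Directory names that conventionally hold web-served content. Heuristic
# (my assumption): a path containing none of these is probably outside the
# web root and deserves a closer look at what else lives there.
WEBROOT_MARKERS = {"public_html", "htdocs", "www", "html", "wwwroot"}


@dataclass(frozen=True)
class Disclosure:
    request: str            # label of the request that produced the response
    path: str               # absolute file path revealed by the error message
    line: int               # source line number revealed by the error message
    username: str | None    # system user name, if the path is under a home dir
    inside_webroot: bool    # heuristic, see WEBROOT_MARKERS

    @property
    def risk_notes(self) -> list[str]:
        """Map one finding onto the impact categories listed in the post."""
        notes = [f"directory layout exposed: {self.path.rsplit('/', 1)[0]}"]
        if self.username:
            notes.append(f"system user name exposed: {self.username}")
        if not self.inside_webroot:
            notes.append("path is outside the webroot; check what else is stored there")
        return notes


def extract_disclosures(request: str, body: str) -> list[Disclosure]:
    """Return one Disclosure per distinct path revealed in a response body."""
    found: dict[str, Disclosure] = {}
    for m in PHP_ERROR_RE.finditer(body):
        path = m.group("path")
        if path in found:
            continue
        user = HOME_USER_RE.match(path)
        components = set(path.split("/"))
        found[path] = Disclosure(
            request=request,
            path=path,
            line=int(m.group("line")),
            username=user.group(1) if user else None,
            inside_webroot=bool(components & WEBROOT_MARKERS),
        )
    return list(found.values())


def triage(responses: dict[str, str]) -> list[Disclosure]:
    """Run extraction over every captured response and collect all findings."""
    findings: list[Disclosure] = []
    for request, body in responses.items():
        findings.extend(extract_disclosures(request, body))
    return findings


# Constructed sample bodies (labels are mine); they reproduce the error
# formats quoted in the post, plus one constructed non-webroot case.
SAMPLE_RESPONSES = {
    "GET /index.php?page[]=about": (
        "Warning: opendir(Array): failed to open dir: No such file or directory "
        "in /home/omg/htdocs/index.php on line 84\n"
    ),
    "GET / with empty PHPSESSID": (
        "Warning: session_start() [function.session-start]: The session id "
        "contains illegal characters, \nvalid characters are a-z, A-Z, 0-9 and "
        "'-,' in /home/example/public_html/includes/functions.php on line 2\n"
    ),
    "GET Mambo PSpellShell.php": (
        "<br />\n<b>Fatal error</b>:  Class 'SpellChecker' not found in "
        "<b>/home/victim/public_html/mambo/mambots/editors/mostlyce/jscripts/"
        "tiny_mce/plugins/spellchecker/classes/PSpellShell.php</b> on line "
        "<b>9</b><br />\n"
    ),
    "GET /report.php (constructed)": (
        "Warning: include(): failed to open stream in "
        "/data/secrets/financial/report.php on line 12\n"
    ),
    "GET /ok.php": "<html><body>hello</body></html>",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RESPONSES):
        print(f"{f.request}\n  {f.path}:{f.line}")
        for note in f.risk_notes:
            print(f"  - {note}")
```

The same pattern is what a custom search expression for a scanner would look like (inspathx takes one via its -r option). On the fix side, the root cause of every response above is that PHP prints diagnostics to the client: in production set display_errors=Off and log_errors=On so the path ends up in the server log rather than in the page, and validate that request parameters such as page are strings before passing them to filesystem functions, since the page[]=about trick works only because PHP happily turns a bracketed parameter into an array.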


(III) Detection tools
1) wpscan (installed by default on Kali)
2) inspathx, project page: https://code.google.com/p/inspathx/
Options:
-d, --dir /source/app set source code directory/source path definition file of application Required
-u, --url http://site.com/ set url if -g option is not specified
-t, --threads 10 set thread number(default: 10)
-l, --language php set language [php,asp,aspx,jsp,jspx,cfm,all] (default all - means scan all)
-x, --extension php set file extensions (php4,php5,...) default regex: php4,php5,php6,php,asp,aspx,jsp,jspx,cfm
-m, --method TYPE http method get/post (default: get)
-h, --headers HEADERS add http header
-q, --data DATA http get/post data
-n, --null-cookie add null session cookie (no need to specify cookie name)
-f, --follow follow http redirection
-p, --param-array identify parameters in target url,make 'em array (value: 1 for , 2 for , 3 for , n .... *n) <note: --data value untouched>
-r, --regexp REGEXP specify your own regexp to search in returned responses
-g, --gen FILE read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.
--rm remove source directory used to generate path file list.
-c, --comment STRING comment for path definition file to be used with -g and -d options. date is automatically appended.
--x-p show only paths in console and write them to file with path_vuln.txt surfix. This does not contain target url portion.
--xp alias to --x-p
-s, --search STRING search path definition files in paths/ & paths_vuln/ directories.