From aldeid
Jump to navigation Jump to search


Inspathx is a tool developed by YGN Ethical Hacker Group. It uses local sources of an application (php, asp[x], jsp[x], cfm) to make requests to the corresponding url and search for path inclusion error messages.

Read this article for more information about path disclosure:



You will need SubVersion:

$ sudo apt-get install subversion

As well as some Ruby libraries:

$ sudo apt-get install ruby libopenssl-ruby


Inspathx is a simple ruby executable file and doesn't require any installation. To download it, issue following commands:

$ mkdir -p /pentest/web/
$ cd /pentest/web/
$ svn co inspathx


Basic syntax

Usage: inspath [options]


-d, --dir <path>
Set source code directory/source path definition file of application [optional]
-u, --url <url>
Set url [Required if -g option is not specified]
-t, --threads <threads>
Set thread number
(default 10)
-l, --language <lang>
Set language [php,asp,aspx,jsp,jspx,cfm,all]
(default all - means scan all)
-m, --method <type>
Http method 'GET'|'POST'
(default: GET)
-h, --headers <headers>
Add http header
(eg. "cookie: sid[%00]=1\r\nX-pingback:: %00")
-q, --data
Http get/post data
(e.g "a=<script>&b=../../../")
-n, --null-cookie
Add null session cookie
(no need to specify cookie name).
-f, --follow
Follow http redirection
-p, --param-array
Identify parameters in target url,make 'em array & request (--data value untouched)
-r, --regexp <regexp>
Specify your own regexp to search in returned responses
(eg: "require\(([a-zA-Z.\/\.-]+)\)")
[will combine with built-in regexp]
-g, --gen <file>
Read source directory (-d) & generate file list so next time you can feed this file path in -d option instead of source directory.
remove source directory used to generate path file list
-c, --comment <string>
Comment for path definition file to be used with -g and -d options.
Date is automatically appended.
-x, --extension <ext>
Set file extensions (php4,php5,...)
Default regex: php4,php5,php6,php,asp,aspx,jsp,jspx
Show only paths in console and write them to file with path_vuln.txt sufix.
This does not contain target url portion.
-s, --search <string>
Search path definition files in paths/ & paths_vuln/ directories


Usage syntax examples

$ ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin
$ ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20 -l php
$ ruby inspathx.rb -d /sources/jspnuke -u http://localhost/jspnuke -t 20 -l jsp -x jsp,jspx -n
$ ruby inspathx.rb -d /sources/wordpress -g paths/wordpress-3.0.4
$ ruby inspathx.rb -d paths/wordpress-3.0.4 -u http://localhost/wp

The search feature enables to look for existing entries in /paths and /paths_vuln. Here is an example:

$ ruby inspathx.rb -s dvwa
Path Discloser (a.k.a inspathx) / Error Hunter
 (c) Aung Khant, aungkhant[at]
  YGN Ethical Hacker Group, Myanmar,

svn co inspathx
~ searching for "dvwa"  in path definition directories ...
--> paths/dvwa-1.0.7
--> paths_vuln/dvwa-1.0.7
~ 2 files found

Non vulnerable application

Vulnerable applications

Identified known applications

Proof of Concept

The following applications have been tested with Inspathx. This latest has identified these applications as vulnerable: