psychoPATH: hunting file uploads & LFI in the dark
psychoPATH – a blind webroot file upload & LFI detection tool (now available in the Burp App Store!)
This tool is a highly configurable payload generator for detecting LFI and web root file uploads. It involves advanced path traversal evasion techniques, dynamic web root list generation, output encoding, a site map-searching payload generator, an LFI mode, nix and Windows support, plus a single-byte generator.
This tool helps to discover several kinds of vulnerabilities that most known scanners and payload sets do not detect:
- local file inclusion/arbitrary file read vulnerable to path traversal with weak filters involved (e.g. non-recurrent)
- file upload vulnerable to path traversal with the upload directory located inside the document root
- file upload vulnerable to path traversal with the upload directory outside the document root
- file upload not vulnerable to path traversal, but having the upload directory inside of the document root, with no direct links to the uploaded file exposed by the application
Also, the Directory checker payload generator can be used for other purposes, e.g. selective invasive content discovery or checking the allowed HTTP methods per directory.
At the moment, this plugin extends Burp Intruder with four payload generators:
Byte generator
Additionally, a payload generator simply called Byte is available. It generates single bytes from the chosen range. Available ranges:
- non-alphanumeric
- alphanumeric
- non-alphanumeric printable
- non-alphanumeric non-printable
- all
This is quite handy for general fuzzing, discovering bad characters where feedback from the application is available, defeating filters (like file upload extension control), searching for an effective string terminator (a character that makes the application ignore the rest of the string, usually whitespace characters or format separators like `,`, `'`, `|` etc.) and so on.
This generator produces output in accordance with the global psychoPATH output encoding settings (available: none, URL, doubleURL as of writing this).
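To make the byte ranges and the output encodings concrete, here is an added Python sketch of such a generator (not the plugin's own code). The exact membership of each range is an assumption inferred from the range names, with ASCII 0x20-0x7E taken as the printable range.

```python
import string
from typing import List

# Assumption: "printable" means the ASCII printable range 0x20..0x7E.
PRINTABLE_MIN, PRINTABLE_MAX = 0x20, 0x7E


def byte_range(name: str) -> List[int]:
    """Return the sorted byte values belonging to one of the Byte ranges.

    Range membership is an assumption derived from the names listed above.
    """
    alnum = {ord(c) for c in string.ascii_letters + string.digits}
    printable = set(range(PRINTABLE_MIN, PRINTABLE_MAX + 1))
    all_bytes = set(range(256))
    ranges = {
        "all": all_bytes,
        "alphanumeric": alnum,
        "non-alphanumeric": all_bytes - alnum,
        "non-alphanumeric printable": printable - alnum,
        "non-alphanumeric non-printable": all_bytes - alnum - printable,
    }
    return sorted(ranges[name])


def encode(b: int, encoding: str) -> str:
    """Apply one of the output encodings named on the page: none, URL, doubleURL."""
    if encoding == "none":
        # Raw byte; latin-1 maps every value 0..255 to exactly one character.
        return bytes([b]).decode("latin-1")
    url = f"%{b:02X}"          # e.g. 0x00 -> "%00"
    if encoding == "URL":
        return url
    if encoding == "doubleURL":
        return "%25" + url[1:]  # the '%' itself URL-encoded: 0x00 -> "%2500"
    raise ValueError(f"unknown encoding: {encoding}")


def generate(range_name: str, encoding: str = "none") -> List[str]:
    """Produce the full payload list for a range under the chosen encoding."""
    return [encode(b, encoding) for b in byte_range(range_name)]


if __name__ == "__main__":
    for payload in generate("non-alphanumeric printable", "URL"):
        print(payload)
```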