nuclei-templates/http/exposures/backups/php-backup-files.yaml

id: php-backup-files

info:
  name: PHP Source - Backup File Information Disclosure
  author: StreetOfHackerR007,pwnhxl,mastercho,0xpugazh
  severity: medium
  metadata:
    max-request: 1222
  tags: exposure,backup,php,disclosure,fuzz

http:
  - method: GET
    path:
      - "{{BaseURL}}{{filepath}}{{bakext}}"

    attack: clusterbomb
    payloads:
      filepath:
        - /wp-config.php # wordpress
        - /wp-config # wordpress
        - /site/default/settings.php # drupal
        - /installation/configuration.php # joomla
        - /app/etc/env.php # magento
        - /Application/Common/Conf/config.php # thinkphp
        - /environments/dev/common/config/main-local.php # yii
        - /environments/prod/common/config/main-local.php # yii
        - /common/config/main-local.php # yii
        - /system/config/default.php # opencart
        - /typo3conf/localconf.php # typo3
        - /config/config_global.php # discuz
        - /config/config_ucenter.php # discuz
        - /textpattern/config.php # textpattern
        - /data/common.inc.php # dedecms
        - /caches/configs/database.php # phpcms
        - /caches/configs/system.php # phpcms
        - /include/config.inc.php # phpcms
        - /include/config.php # xbtit
        - /includes/config.php # vbulletin
        - /includes/config # vbulletin
        - /phpsso_server/caches/configs/database.php # phpcms
        - /phpsso_server/caches/configs/system.php # phpcms
        - /zb_users/c_option.php # zblog
        - /e/class/config.php # empirecms
        - /e/config/config.php # empirecms
        - /data/sql_config.php # phpwind
        - /data/bbscache/config.php # phpwind
        - /app/config/parameters.yml # prestashop 1.7
        - /app/config/parameters.php # prestashop 1.7
        - /config/settings.inc.php # prestashop  > 1.5,1.6
        - /config/settings.old.php # prestashop  > 1.5,1.6
        - /manager/includes/config.inc.php # MODX CMS
        - /db.php
        - /conn.php
        - /database.php
        - /db_config.php
        - /config.inc.php
        - /data/config.php
        - /config/config.php
        - /index.php
        - /default.php
        - /main.php
        - /settings.php
        - /header.php
        - /footer.php
        - /login.php
        - /404.php
        - /wp-login.php
        - /config.php
        - /config
        - /const.DB.php
      bakext:
        - ".~"
        - ".bk"
        - ".bak"
        - ".bkp"
        - ".BAK"
        - ".blank"
        - ".swp"
        - ".swo"
        - ".swn"
        - ".tmp"
        - ".save"
        - ".old"
        - ".new"
        - ".orig"
        - ".dist"
        - ".txt"
        - ".disabled"
        - ".original"
        - ".backup"
        - "_bak"
        - "_1.bak"
        - "~"
        - "!"
        - ".0"
        - ".1"
        - ".2"
        - ".3"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "<?php"
          - "<?="
        condition: or

      - type: word
        part: body
        words:
          - "?>"
          - "($"
          - "$_GET["
          - "$_POST["
          - "$_REQUEST["
          - "$_SERVER["
          - "'DB_PASSWORD'"
          - "'DBPASS'"
          - "database_type"
          - "define('DB"
        condition: or

      - type: word
        part: header
        words:
          - "text/plain"
          - "bytes"
        condition: or

# digest: 4a0a00473045022100c2f95f7ee299ff0299868d14fc020a840753a4c4f6de51d4b0885f1c98422f940220085e23eb052005bcb2af3da437bc0e2be2c6a32ef3612877cbb5483e04bb1f0a:922c64590222798bb761d5b6d8e72950
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00			`id: php-backup-files`

			`info:`
			`name: PHP Source - Backup File Information Disclosure`
Update php-backup-files.yaml 2023-10-02 10:07:48 +00:00			`author: StreetOfHackerR007,pwnhxl,mastercho,0xpugazh`
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00			`severity: medium`
			`metadata:`
TemplateMan Update [Tue Oct 3 09:17:07 UTC 2023] :robot: 2023-10-03 09:17:07 +00:00			`max-request: 1222`
TemplateMan Update [Thu Jul 6 07:04:08 UTC 2023] :robot: 2023-07-06 07:04:08 +00:00			`tags: exposure,backup,php,disclosure,fuzz`
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00
			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}{{filepath}}{{bakext}}"`

			`attack: clusterbomb`
			`payloads:`
			`filepath:`
templateman update 2023-10-14 11:27:55 +00:00			`- /wp-config.php # wordpress`
			`- /wp-config # wordpress`
			`- /site/default/settings.php # drupal`
			`- /installation/configuration.php # joomla`
			`- /app/etc/env.php # magento`
			`- /Application/Common/Conf/config.php # thinkphp`
			`- /environments/dev/common/config/main-local.php # yii`
			`- /environments/prod/common/config/main-local.php # yii`
			`- /common/config/main-local.php # yii`
			`- /system/config/default.php # opencart`
			`- /typo3conf/localconf.php # typo3`
			`- /config/config_global.php # discuz`
			`- /config/config_ucenter.php # discuz`
			`- /textpattern/config.php # textpattern`
			`- /data/common.inc.php # dedecms`
			`- /caches/configs/database.php # phpcms`
			`- /caches/configs/system.php # phpcms`
			`- /include/config.inc.php # phpcms`
			`- /include/config.php # xbtit`
			`- /includes/config.php # vbulletin`
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00			`- /includes/config # vbulletin`
templateman update 2023-10-14 11:27:55 +00:00			`- /phpsso_server/caches/configs/database.php # phpcms`
			`- /phpsso_server/caches/configs/system.php # phpcms`
			`- /zb_users/c_option.php # zblog`
			`- /e/class/config.php # empirecms`
			`- /e/config/config.php # empirecms`
			`- /data/sql_config.php # phpwind`
			`- /data/bbscache/config.php # phpwind`
added more config of presta 2024-01-07 03:09:02 +00:00			`- /app/config/parameters.yml # prestashop 1.7`
			`- /app/config/parameters.php # prestashop 1.7`
			`- /config/settings.inc.php # prestashop > 1.5,1.6`
			`- /config/settings.old.php # prestashop > 1.5,1.6`
added MODX config 2024-01-07 04:00:10 +00:00			`- /manager/includes/config.inc.php # MODX CMS`
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00			`- /db.php`
			`- /conn.php`
			`- /database.php`
			`- /db_config.php`
			`- /config.inc.php`
			`- /data/config.php`
			`- /config/config.php`
			`- /index.php`
			`- /default.php`
			`- /main.php`
			`- /settings.php`
			`- /header.php`
			`- /footer.php`
			`- /login.php`
			`- /404.php`
			`- /wp-login.php`
			`- /config.php`
Updated php-backup-files template 2023-09-11 14:00:09 +00:00			`- /config`
added more config of presta 2024-01-07 03:09:02 +00:00			`- /const.DB.php`
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00			`bakext:`
			`- ".~"`
			`- ".bk"`
			`- ".bak"`
			`- ".bkp"`
			`- ".BAK"`
added MODX config 2024-01-07 04:00:10 +00:00			`- ".blank"`
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00			`- ".swp"`
			`- ".swo"`
			`- ".swn"`
			`- ".tmp"`
			`- ".save"`
			`- ".old"`
			`- ".new"`
			`- ".orig"`
			`- ".dist"`
			`- ".txt"`
			`- ".disabled"`
			`- ".original"`
			`- ".backup"`
			`- "_bak"`
			`- "_1.bak"`
			`- "~"`
			`- "!"`
			`- ".0"`
			`- ".1"`
			`- ".2"`
			`- ".3"`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`

			`- type: word`
			`part: body`
			`words:`
			`- "<?php"`
			`- "<?="`
			`condition: or`

			`- type: word`
			`part: body`
			`words:`
			`- "?>"`
			`- "($"`
			`- "$_GET["`
			`- "$_POST["`
			`- "$_REQUEST["`
			`- "$_SERVER["`
Fix FN php-backup-files.yaml 2023-07-06 12:14:08 +00:00			`- "'DB_PASSWORD'"`
Update php-backup-files.yaml 2023-10-02 10:07:48 +00:00			`- "'DBPASS'"`
added MODX config 2024-01-07 04:00:10 +00:00			`- "database_type"`
Update php-backup-files.yaml 2023-10-02 10:07:48 +00:00			`- "define('DB"`
Updated php-backup extenstions 2023-06-23 22:25:37 +00:00			`condition: or`

			`- type: word`
			`part: header`
			`words:`
			`- "text/plain"`
			`- "bytes"`
Fix FN php-backup-files.yaml 2023-07-06 12:14:08 +00:00			`condition: or`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022100c2f95f7ee299ff0299868d14fc020a840753a4c4f6de51d4b0885f1c98422f940220085e23eb052005bcb2af3da437bc0e2be2c6a32ef3612877cbb5483e04bb1f0a:922c64590222798bb761d5b6d8e72950`