id: zip-backup-files info: name: Compressed Web File author: Toufik Airane & @dwisiswant0 severity: medium requests: - method: GET path: - "{{BaseURL}}/{{Hostname}}.7z" - "{{BaseURL}}/{{Hostname}}.bz2" - "{{BaseURL}}/{{Hostname}}.gz" - "{{BaseURL}}/{{Hostname}}.lz" - "{{BaseURL}}/{{Hostname}}.rar" - "{{BaseURL}}/{{Hostname}}.tar.gz" - "{{BaseURL}}/{{Hostname}}.xz" - "{{BaseURL}}/{{Hostname}}.zip" - "{{BaseURL}}/{{Hostname}}.z" - "{{BaseURL}}/{{Hostname}}.tar.z" - "{{BaseURL}}/{{Hostname}}.db" - "{{BaseURL}}/{{Hostname}}.sqlite" - "{{BaseURL}}/{{Hostname}}.sqlitedb" - "{{BaseURL}}/{{Hostname}}.sql.7z" - "{{BaseURL}}/{{Hostname}}.sql.bz2" - "{{BaseURL}}/{{Hostname}}.sql.gz" - "{{BaseURL}}/{{Hostname}}.sql.lz" - "{{BaseURL}}/{{Hostname}}.sql.rar" - "{{BaseURL}}/{{Hostname}}.sql.tar.gz" - "{{BaseURL}}/{{Hostname}}.sql.xz" - "{{BaseURL}}/{{Hostname}}.sql.zip" - "{{BaseURL}}/{{Hostname}}.sql.z" - "{{BaseURL}}/{{Hostname}}.sql.tar.z" matchers-condition: and matchers: - type: binary binary: - "377ABCAF271C" # 7z - "314159265359" # bz2 - "53514c69746520666f726d6174203300" # SQLite format 3. - "1f8b" # gz tar.gz - "526172211A0700" # rar RAR archive version 1.50 - "526172211A070100" # rar RAR archive version 5.0 - "FD377A585A0000" # xz tar.xz - "1F9D" # z tar.z - "1FA0" # z tar.z - "4C5A4950" # lz - "504B0304" # zip condition: or part: body - type: regex regex: - "application/[-\\w.]+" part: header - type: status status: - 200