id: php-backup-files info: name: PHP Source - Backup File Information Disclosure author: StreetOfHackerR007,pwnhxl,mastercho,0xpugazh severity: medium metadata: max-request: 1222 tags: exposure,backup,php,disclosure,fuzz http: - method: GET path: - "{{BaseURL}}{{filepath}}{{bakext}}" attack: clusterbomb payloads: filepath: - /wp-config.php # wordpress - /wp-config # wordpress - /site/default/settings.php # drupal - /installation/configuration.php # joomla - /app/etc/env.php # magento - /Application/Common/Conf/config.php # thinkphp - /environments/dev/common/config/main-local.php # yii - /environments/prod/common/config/main-local.php # yii - /common/config/main-local.php # yii - /system/config/default.php # opencart - /typo3conf/localconf.php # typo3 - /config/config_global.php # discuz - /config/config_ucenter.php # discuz - /textpattern/config.php # textpattern - /data/common.inc.php # dedecms - /caches/configs/database.php # phpcms - /caches/configs/system.php # phpcms - /include/config.inc.php # phpcms - /include/config.php # xbtit - /includes/config.php # vbulletin - /includes/config # vbulletin - /phpsso_server/caches/configs/database.php # phpcms - /phpsso_server/caches/configs/system.php # phpcms - /zb_users/c_option.php # zblog - /e/class/config.php # empirecms - /e/config/config.php # empirecms - /data/sql_config.php # phpwind - /data/bbscache/config.php # phpwind - /db.php - /conn.php - /database.php - /db_config.php - /config.inc.php - /data/config.php - /config/config.php - /index.php - /default.php - /main.php - /settings.php - /header.php - /footer.php - /login.php - /404.php - /wp-login.php - /config.php - /config - /const.DB.php.bak bakext: - ".~" - ".bk" - ".bak" - ".bkp" - ".BAK" - ".swp" - ".swo" - ".swn" - ".tmp" - ".save" - ".old" - ".new" - ".orig" - ".dist" - ".txt" - ".disabled" - ".original" - ".backup" - "_bak" - "_1.bak" - "~" - "!" - ".0" - ".1" - ".2" - ".3" matchers-condition: and matchers: - type: status status: - 200 - type: word part: body words: - "" - "($" - "$_GET[" - "$_POST[" - "$_REQUEST[" - "$_SERVER[" - "'DB_PASSWORD'" - "'DBPASS'" - "define('DB" condition: or - type: word part: header words: - "text/plain" - "bytes" condition: or # digest: 4a0a00473045022100c2f95f7ee299ff0299868d14fc020a840753a4c4f6de51d4b0885f1c98422f940220085e23eb052005bcb2af3da437bc0e2be2c6a32ef3612877cbb5483e04bb1f0a:922c64590222798bb761d5b6d8e72950