nuclei-templates/http/exposures/backups/php-backup-files.yaml

125 lines
3.1 KiB
YAML

id: php-backup-files
info:
name: PHP Source - Backup File Information Disclosure
author: StreetOfHackerR007,pwnhxl,mastercho
severity: medium
metadata:
max-request: 1170
tags: exposure,backup,php,disclosure,fuzz
http:
- method: GET
path:
- "{{BaseURL}}{{filepath}}{{bakext}}"
attack: clusterbomb
payloads:
filepath:
- /wp-config.php # wordpress
- /wp-config # wordpress
- /site/default/settings.php # drupal
- /installation/configuration.php # joomla
- /app/etc/env.php # magento
- /Application/Common/Conf/config.php # thinkphp
- /environments/dev/common/config/main-local.php # yii
- /environments/prod/common/config/main-local.php # yii
- /common/config/main-local.php # yii
- /system/config/default.php # opencart
- /typo3conf/localconf.php # typo3
- /config/config_global.php # discuz
- /config/config_ucenter.php # discuz
- /textpattern/config.php # textpattern
- /data/common.inc.php # dedecms
- /caches/configs/database.php # phpcms
- /caches/configs/system.php # phpcms
- /include/config.inc.php # phpcms
- /include/config.php # xbtit
- /includes/config.php # vbulletin
- /includes/config # vbulletin
- /phpsso_server/caches/configs/database.php # phpcms
- /phpsso_server/caches/configs/system.php # phpcms
- /zb_users/c_option.php # zblog
- /e/class/config.php # empirecms
- /e/config/config.php # empirecms
- /data/sql_config.php # phpwind
- /data/bbscache/config.php # phpwind
- /db.php
- /conn.php
- /database.php
- /db_config.php
- /config.inc.php
- /data/config.php
- /config/config.php
- /index.php
- /default.php
- /main.php
- /settings.php
- /header.php
- /footer.php
- /login.php
- /404.php
- /wp-login.php
- /config.php
bakext:
- ".~"
- ".bk"
- ".bak"
- ".bkp"
- ".BAK"
- ".swp"
- ".swo"
- ".swn"
- ".tmp"
- ".save"
- ".old"
- ".new"
- ".orig"
- ".dist"
- ".txt"
- ".disabled"
- ".original"
- ".backup"
- "_bak"
- "_1.bak"
- "~"
- "!"
- ".0"
- ".1"
- ".2"
- ".3"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "<?php"
- "<?="
condition: or
- type: word
part: body
words:
- "?>"
- "($"
- "$_GET["
- "$_POST["
- "$_REQUEST["
- "$_SERVER["
- "'DB_PASSWORD'"
- "define('DB_"
condition: or
- type: word
part: header
words:
- "text/plain"
- "bytes"
condition: or