Nmap Development mailing list archives

Re: [NSE] http-config-backup


From: David Fifield <david () bamsoftware com>
Date: Tue, 6 Mar 2012 09:56:26 -0800

On Wed, Feb 29, 2012 at 09:56:14PM +0100, Riccardo Cecolin wrote:
> I ran cmsploit.coffee with the default configuration and then with
> "swapFiles" and "configFiles" fully enabled, the first resulted in
> just 12 GET requests while the second in 88 (both attached). Currently
> http-backup-finder.nse checks 60 paths, and it's not a subset of the
> 88 mentioned above, so it's necessary to decide which are the most
> interesting ones.
>
> I added the directory save option and added another check for the
> "path" so it's not necessary to specify the leading slash.

Thanks for doing this work. I just committed the script.

I fiddled a bit with the list of paths and transformations. Here is the
diff with CMSploit for an example path:

 /%23LocalSettings.php%23
-/._LocalSettings.php
+/Copy%20of%20LocalSettings.php
+/LocalSettings%20copy.php
+/LocalSettings.bak
 /LocalSettings.php~
 /LocalSettings.php.bak
 /LocalSettings.php.old
 /LocalSettings.php.save
-/LocalSettings.php.save.1
-/LocalSettings.php.save.2
-/LocalSettings.php.swo
 /.LocalSettings.php.swp
 /LocalSettings.php.swp
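Review bot: the removed line in this hunk is `/LocalSettings.php.swo` (Vim's `.swo` swap variant), but the description below refers to it as ".save.swo", so one of the two should be corrected to match; likewise the added `+/LocalSettings.bak` (extension replaced rather than appended) is not named among the "generic copy transformations" and would be worth listing alongside `Copy of` and ` copy`.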

Our script removes the "._" resource fork, and ".save.1", ".save.2", and
".save.swo". My thinking on this is that the later files like ".save.1"
will usually only exist if ".save" already exists, and we already check
for that. We also add a few more generic copy transformations.

I did some quick tests and found that Vim doesn't add a leading dot if
the file name already starts with a dot, for example ".htaccess" goes to
".htaccess.swp", not "..htaccess.swp". I changed the transformations to
respect that.

The CMSploit program does a spider of the root page to get a list of
subdirectories and subdomains, and also tests those. Our script doesn't
do that, but it does check a few common CMS subdirectories for certain
files.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
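The name transformations in the diff above (Emacs `#x#`, "Copy of", " copy", `.bak` on the base name, `~`, `.bak`/`.old`/`.save`, and the two Vim swap forms with the leading-dot rule) are easy to get subtly wrong, so here is an added example, written for this archive page and not code from the http-config-backup script or from CMSploit, that applies them to a config file path and then audits a local document root for leftover copies. The function names `backup_candidates`, `find_leftover_backups` and `demo_audit`, and the sample docroot the demo builds, are constructed for illustration; the accepted path form (with or without a leading slash) follows the check mentioned in the quoted message.

```python
import os
import tempfile
import urllib.parse
from typing import List


def backup_candidates(path: str) -> List[str]:
    """Return percent-encoded candidate backup/swap names for one web path.

    The transformations mirror the kept and added lines of the diff in the
    message above; Vim's hidden swap name does not double a leading dot
    (".htaccess" -> ".htaccess.swp"), as observed there.
    """
    path = "/" + path.lstrip("/")              # leading slash optional
    directory, name = path.rsplit("/", 1)
    base, ext = os.path.splitext(name)         # ".htaccess" -> (".htaccess", "")
    names = [
        f"#{name}#",                           # Emacs auto-save file
        f"Copy of {name}",                     # Windows Explorer copy
        f"{name}~",                            # editor backup
        f"{name}.bak", f"{name}.old", f"{name}.save", f"{name}.swp",
    ]
    if ext:                                    # forms that need an extension
        names += [f"{base} copy{ext}",         # "LocalSettings copy.php"
                  f"{base}.bak"]               # "LocalSettings.bak"
    # Vim swap file: ".name.swp", unless the name already starts with a dot
    names.append(f"{name}.swp" if name.startswith(".") else f".{name}.swp")
    # de-duplicate (".htaccess.swp" appears twice) and encode ' ' and '#'
    return [f"{directory}/{urllib.parse.quote(n)}" for n in dict.fromkeys(names)]


def find_leftover_backups(docroot: str, config_files: List[str]) -> List[str]:
    """Defender-side audit: report which candidate copies of the given
    config files (web paths such as "/LocalSettings.php") exist on disk
    under docroot, so they can be removed before a scanner finds them."""
    found = []
    for cfg in config_files:
        for cand in backup_candidates(cfg):
            local = os.path.join(docroot, urllib.parse.unquote(cand).lstrip("/"))
            if os.path.exists(local):
                found.append(cand)
    return found


def demo_audit() -> List[str]:
    """Constructed sample: a throwaway docroot containing two leftover
    Vim swap files next to the config files they belong to."""
    root = tempfile.mkdtemp()
    for rel in ("LocalSettings.php", "LocalSettings.php.swp",
                ".htaccess", ".htaccess.swp", "index.php"):
        open(os.path.join(root, rel), "w").close()
    return find_leftover_backups(root, ["/LocalSettings.php", "/.htaccess"])


if __name__ == "__main__":
    for p in backup_candidates("/LocalSettings.php"):
        print(p)
    print("leftover copies in sample docroot:", demo_audit())
```

Running the block prints the ten encoded candidates for `/LocalSettings.php` (the same ten the diff keeps or adds) and reports `/LocalSettings.php.swp` and `/.htaccess.swp` from the sample docroot; point `find_leftover_backups` at a real document root and its config file list to check a deployment the same way.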