Nmap Development mailing list archives

Re: [NSE] http-config-backup


From: Riccardo Cecolin <nmap () rikiji de>
Date: Thu, 8 Mar 2012 12:22:04 +0100

Nice, it now looks more complete than the original script. I also think
that there's no need for deep spidering here, and the script supports
a "path" option too.
Thank you for your help.

Riccardo

On Tue, Mar 6, 2012 at 6:56 PM, David Fifield <david () bamsoftware com> wrote:
On Wed, Feb 29, 2012 at 09:56:14PM +0100, Riccardo Cecolin wrote:
I ran cmsploit.coffee with the default configuration and then with
"swapFiles" and "configFiles" fully enabled, the first resulted in
just 12 GET requests while the second in 88 (both attached). Currently
http-backup-finder.nse checks 60 paths, and it's not a subset of the
88 mentioned above, so it's necessary to decide which are the most
interesting ones.

I added the directory save option and added another check for the
"path" so it's not necessary to specify the leading slash.

Thanks for doing this work. I just committed the script.

I fiddled a bit with the list of paths and transformations. Here is the
diff with CMSploit for an example path:

 /%23LocalSettings.php%23
-/._LocalSettings.php
+/Copy%20of%20LocalSettings.php
+/LocalSettings%20copy.php
+/LocalSettings.bak
 /LocalSettings.php~
 /LocalSettings.php.bak
 /LocalSettings.php.old
 /LocalSettings.php.save
-/LocalSettings.php.save.1
-/LocalSettings.php.save.2
-/LocalSettings.php.swo
 /.LocalSettings.php.swp
 /LocalSettings.php.swp
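Review bot: the removed line `-/LocalSettings.php.swo` is a second Vim swap name, not a ".save" variant as the explanation below calls it; dropping it is still consistent with the stated reasoning, because Vim only falls back to `.swo` (then `.swn`, ...) when `.swp` is already taken, and both `.swp` forms are kept as context here. The removed `-/._LocalSettings.php` entry is the macOS AppleDouble sidecar, which carries resource-fork and extended-attribute data rather than the file's contents, so it is unlikely to expose configuration values.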

Our script removes the "._" resource fork, and ".save.1", ".save.2", and
".save.swo". My thinking on this is that the later files like ".save.1"
will usually only exist if ".save" already exists, and we already check
for that. We also add a few more generic copy transformations.

I did some quick tests and found that Vim doesn't add a leading dot if
the file name already starts with a dot, for example ".htaccess" goes to
".htaccess.swp", not "..htaccess.swp". I changed the transformations to
respect that.

The CMSploit program spiders the root page to get a list of
subdirectories and subdomains, and also tests those. Our script doesn't
do that, but it does check a few common CMS subdirectories for certain
files.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
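As an added illustration (not the NSE script's own code and not from the thread), here is a Python sketch of the candidate-name transformations in David's list above, including the Vim rule for names that already start with a dot. The function name and the use of urllib.parse.quote to produce the %23/%20 encoding are my own choices; the NSE script may build the list differently.

```python
from urllib.parse import quote


def backup_candidates(path):
    """Return URL-encoded candidate backup/swap paths for one web path.

    Mirrors the transformations shown in the diff above: Emacs autosave,
    Windows/macOS "copy" names, editor backups and Vim swap files.
    """
    directory, _, name = path.rpartition("/")
    prefix = directory + "/"

    # Split "LocalSettings.php" into stem/ext; ".htaccess" and "config"
    # are treated as having no extension.
    stem, sep, ext = name.rpartition(".")
    has_ext = bool(sep) and bool(stem)

    names = [
        "#" + name + "#",   # Emacs autosave file
        "Copy of " + name,  # Windows Explorer duplicate
        name + "~",         # generic editor backup
        name + ".bak",
        name + ".old",
        name + ".save",
        name + ".swp",      # Vim swap without the leading dot
    ]
    if has_ext:
        names.append(stem + " copy." + ext)  # macOS Finder duplicate
        names.append(stem + ".bak")          # extension replaced
    # Vim prefixes a dot unless the name already starts with one,
    # so ".htaccess" yields ".htaccess.swp", never "..htaccess.swp".
    if not name.startswith("."):
        names.append("." + name + ".swp")

    # quote() encodes "#" as %23 and " " as %20 but leaves "/" and "~".
    return sorted(prefix + quote(n) for n in names)


if __name__ == "__main__":
    for candidate in backup_candidates("/LocalSettings.php"):
        print(candidate)
```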