Script http-config-backup
Script types: portrule
Categories: auth, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-config-backup.nse
Script Summary
Checks for backups and swap files of common content management system and web server configuration files.
When web server files are edited in place, the text editor can leave backup or swap files in a place where the web server can serve them. The script checks for these files:
- wp-config.php: WordPress
- config.php: phpBB, ExpressionEngine
- configuration.php: Joomla
- LocalSettings.php: MediaWiki
- /mediawiki/LocalSettings.php: MediaWiki
- mt-config.cgi: Movable Type
- mt-static/mt-config.cgi: Movable Type
- settings.php: Drupal
- .htaccess: Apache
For each of these files, the script applies the following transformations (using config.php as an example):
- config.bak: Generic backup.
- config.php.bak: Generic backup.
- config.php~: Vim, Gedit.
- #config.php#: Emacs.
- config copy.php: Mac OS copy.
- Copy of config.php: Windows copy.
- config.php.save: GNU Nano.
- .config.php.swp: Vim swap.
- config.php.swp: Vim swap.
- config.php.old: Generic backup.
This script is inspired by the CMSploit program by Feross Aboukhadijeh: http://www.feross.org/cmsploit/.
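The same name transformations can be checked from the filesystem side before a scanner ever finds them. The following is an added example, not part of the Nmap script or its documentation: it applies the ten transformations listed above to each config file's base name and walks a local web root for matches at any depth. The function names, the treatment of extensionless names such as .htaccess, and the constructed sample tree are assumptions of this example.

```python
import os
import tempfile

# Base names from the file list above; directory prefixes are dropped
# because the walk below covers every depth (assumption of this example).
CONFIG_NAMES = ["wp-config.php", "config.php", "configuration.php",
                "LocalSettings.php", "mt-config.cgi", "settings.php", ".htaccess"]

def backup_variants(name):
    """Apply the ten listed editor/backup transformations to one file name."""
    stem, ext = os.path.splitext(name)    # ".htaccess" -> (".htaccess", "")
    variants = [
        stem + ".bak",           # config.bak: generic backup
        name + ".bak",           # config.php.bak: generic backup
        name + "~",              # Vim, Gedit
        "#" + name + "#",        # Emacs
        stem + " copy" + ext,    # Mac OS copy
        "Copy of " + name,       # Windows copy
        name + ".save",          # GNU Nano
        "." + name + ".swp",     # Vim swap
        name + ".swp",           # Vim swap
        name + ".old",           # generic backup
    ]
    return list(dict.fromkeys(variants))  # drop duplicates, keep order

def find_leftovers(webroot):
    """Return sorted relative paths under webroot whose name is a backup variant."""
    wanted = {v for n in CONFIG_NAMES for v in backup_variants(n)}
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for f in files:
            if f in wanted:
                hits.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(hits)

def demo():
    """Scan a constructed web root that contains two editor leftovers."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        for rel in ["blog/wp-config.php", "blog/#wp-config.php#",
                    "config.php~", "index.php"]:
            open(os.path.join(root, rel), "w").close()
        return find_leftovers(root)

if __name__ == "__main__":
    print(demo())
```

Running find_leftovers against the real document root as part of a deployment check catches these files at the source; denying the same name patterns in the web server configuration covers files created between checks.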
Script Arguments
- http-config-backup.save
directory to save all the valid config files found
- http-config-backup.path
the path where the CMS is installed
- slaxml.debug
See the documentation for the slaxml library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
Example Usage
nmap --script=http-config-backup <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-config-backup:
|   /%23wp-config.php%23 HTTP/1.1 200 OK
|_  /config.php~ HTTP/1.1 200 OK
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html