local coroutine = require "coroutine"
local http = require "http"
local io = require "io"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local url = require "url"
description = [[
Checks for backups and swap files of common content management system
and web server configuration files.
When web server files are edited in place, the text editor can leave
backup or swap files in a place where the web server can serve them. The
script checks for these files:
* wp-config.php
: WordPress
* config.php
: phpBB, ExpressionEngine
* configuration.php
: Joomla
* LocalSettings.php
: MediaWiki
* /mediawiki/LocalSettings.php
: MediaWiki
* mt-config.cgi
: Movable Type
* mt-static/mt-config.cgi
: Movable Type
* settings.php
: Drupal
* .htaccess
: Apache
And for each of these file applies the following transformations (using
config.php
as an example):
* config.bak
: Generic backup.
* config.php.bak
: Generic backup.
* config.php~
: Vim, Gedit.
* #config.php#
: Emacs.
* config copy.php
: Mac OS copy.
* Copy of config.php
: Windows copy.
* config.php.save
: GNU Nano.
* .config.php.swp
: Vim swap.
* config.php.swp
: Vim swap.
* config.php.old
: Generic backup.
This script is inspired by the CMSploit program by Feross Aboukhadijeh:
http://www.feross.org/cmsploit/.
]];
---
-- @usage
-- nmap --script=http-config-backup
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-config-backup:
-- | /%23wp-config.php%23 HTTP/1.1 200 OK
-- |_ /config.php~ HTTP/1.1 200 OK
--
-- @args http-config-backup.path the path where the CMS is installed
-- @args http-config-backup.save directory to save all the valid config files found
--
author = "Riccardo Cecolin";
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = { "auth", "intrusive" };
portrule = shortport.http;
local function make_grep(pattern)
return function(s)
return string.match(s, pattern)
end
end
local grep_php = make_grep("<%?php");
local grep_cgipath = make_grep("CGIPath");
local function check_htaccess(s)
return string.match("