Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/backup_file.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::WmapScanFile

9
  include Msf::Auxiliary::Scanner

10
  include Msf::Auxiliary::Report

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'HTTP Backup File Scanner',

17
        'Description'	=> %q{

18
          This module identifies the existence of possible copies

19
          of a specific file in a given path.

20
        },

21
        'Author' => [ 'et [at] cyberspace.org' ],

22
        'License'	=> BSD_LICENSE,

23
        'Notes' => {

24
          'Reliability' => UNKNOWN_RELIABILITY,

25
          'Stability' => UNKNOWN_STABILITY,

26
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

27
        }

28
      )

29
    )

30


31
    register_options(

32
      [

33
        OptString.new('PATH', [ true, "The path/file to identify backups", '/index.asp'])

34
      ]

35
    )

36
  end

37


38
  def run_host(ip)

39
    bakextensions = [

40
      '.backup',

41
      '.bak',

42
      '.copy',

43
      '.copia',

44
      '.old',

45
      '.orig',

46
      '.temp',

47
      '.txt',

48
      '~'

49
    ]

50


51
    bakextensions.each do |ext|

52
      file = normalize_uri(datastore['PATH']) + ext

53
      check_for_file(file, ip)

54
    end

55
    if datastore['PATH'] =~ %r#(.*)(/.+$)#

56
      file = $1 + $2.sub('/', '/.') + '.swp'

57
      check_for_file(file, ip)

58
    end

59
  end

60


61
  def check_for_file(file, ip)

62
    begin

63
      res = send_request_cgi({

64
        'uri' => file,

65
        'method' => 'GET',

66
        'ctype'	=> 'text/plain'

67
      }, 20)

68


69
      if (res and res.code >= 200 and res.code < 300)

70
        print_good("Found #{wmap_base_url}#{file}")

71


72
        report_web_vuln(

73
          :host	=> ip,

74
          :port	=> rport,

75
          :vhost => vhost,

76
          :ssl => ssl,

77
          :path	=> file,

78
          :method => 'GET',

79
          :pname => "",

80
          :proof => "Res code: #{res.code.to_s}",

81
          :risk => 0,

82
          :confidence => 100,

83
          :category => 'file',

84
          :description => 'Backup file found.',

85
          :name => 'backup file'

86
        )

87


88
      else

89
        vprint_status("NOT Found #{wmap_base_url}#{file}")

90
        # To be removed or just displayed with verbose debugging.

91
      end

92
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

93
    rescue ::Timeout::Error, ::Errno::EPIPE

94
    end

95
  end

96
end

97


98