
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/backup_file.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
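# Auxiliary scanner that looks for leftover copies of one file on a web server.
#
# For each target host it issues plain GET requests for the configured PATH
# with a fixed list of backup-style suffixes appended, plus one request for a
# dot-prefixed ".swp" variant of the file name. Any 2xx answer is printed and
# recorded through report_web_vuln.
#
# Defender's view: the traffic is a short burst of GETs for the same base path
# with the suffixes listed in run_host, which is easy to spot in access logs.
# The durable mitigation is to keep editor and backup artefacts out of the web
# root and to deny such suffixes at the server.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::WmapScanFile
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Registers module metadata and the single PATH option.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HTTP Backup File Scanner',
        'Description' => %q{
          This module identifies the existence of possible copies
          of a specific file in a given path.
        },
        'Author' => [ 'et [at] cyberspace.org' ],
        'License' => BSD_LICENSE
      )
    )

    register_options(
      [
        OptString.new('PATH', [ true, "The path/file to identify backups", '/index.asp'])
      ]
    )
  end

  # Probes one host for every backup-name variant of datastore['PATH'].
  #
  # @param ip [String] address of the host being scanned
  def run_host(ip)
    bakextensions = [
      '.backup',
      '.bak',
      '.copy',
      '.copia',
      '.old',
      '.orig',
      '.temp',
      '.txt',
      '~'
    ]

    bakextensions.each do |ext|
      check_for_file(normalize_uri(datastore['PATH']) + ext, ip)
    end

    # Swap-file form: "/dir/name" becomes "/dir/.name.swp". Only attempted when
    # PATH contains a "/" followed by at least one character.
    # NOTE(review): this variant is built from the raw PATH option, while the
    # suffix probes above go through normalize_uri - confirm that is intended.
    swap = %r{(.*)(/.+$)}.match(datastore['PATH'].to_s)
    if swap
      check_for_file(swap[1] + swap[2].sub('/', '/.') + '.swp', ip)
    end
  end

  # Requests a single candidate path and records it when the server answers 2xx.
  #
  # NOTE(review): a 2xx status is the only evidence collected, yet the finding
  # is stored with :confidence => 100. Servers that answer 200 for unknown
  # paths (custom error pages, catch-all routes) will produce false findings,
  # so each hit should be verified before it goes into a report.
  #
  # @param file [String] request URI to probe
  # @param ip [String] address of the host being scanned
  def check_for_file(file, ip)
    res = send_request_cgi(
      {
        'uri' => file,
        'method' => 'GET',
        'ctype' => 'text/plain'
      },
      20 # response timeout in seconds
    )

    if res && res.code >= 200 && res.code < 300
      print_good("Found #{wmap_base_url}#{file}")

      report_web_vuln(
        :host => ip,
        :port => rport,
        :vhost => vhost,
        :ssl => ssl,
        :path => file,
        :method => 'GET',
        :pname => "",
        :proof => "Res code: #{res.code}",
        :risk => 0,
        :confidence => 100,
        :category => 'file',
        :description => 'Backup file found.',
        :name => 'backup file'
      )
    else
      # Also reached when no response arrived at all (res is nil).
      vprint_status("NOT Found #{wmap_base_url}#{file}")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout,
         ::Timeout::Error, ::Errno::EPIPE => e
    # Previously swallowed silently, which made an unreachable host look the
    # same as a clean one. Still non-fatal; surfaced only in verbose mode.
    vprint_error("#{ip} - #{file}: request failed (#{e.class})")
  end
end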