php-backup-files: PHP Source - Backup File Information Disclosure

id: php-backup-files

info:
  name: PHP Source - Backup File Information Disclosure
  author: StreetOfHackerR007,pwnhxl,mastercho,0xpugal
  severity: medium
  description: PHP Source File is disclosed to external users.
  metadata:
    max-request: 1512
  tags: exposure,backup,php,disclosure,fuzz

http:
  - method: GET
    path:
      - "{{BaseURL}}{{filepath}}{{bakext}}"

    attack: clusterbomb
    payloads:
      filepath:
        - /wp-config.php # wordpress
        - /wp-config # wordpress
        - /site/default/settings.php # drupal
        - /installation/configuration.php # joomla
        - /app/etc/env.php # magento 2
        - /app/etc/local.xml # magento 1
        - /Application/Common/Conf/config.php # thinkphp
        - /environments/dev/common/config/main-local.php # yii
        - /environments/prod/common/config/main-local.php # yii
        - /common/config/main-local.php # yii
        - /system/config/default.php # opencart
        - /typo3conf/localconf.php # typo3
        - /config/config_global.php # discuz
        - /config/config_ucenter.php # discuz
        - /textpattern/config.php # textpattern
        - /data/common.inc.php # dedecms
        - /caches/configs/database.php # phpcms
        - /caches/configs/system.php # phpcms
        - /include/config.inc.php # phpcms
        - /include/config.php # xbtit
        - /includes/config.php # vbulletin
        - /includes/config # vbulletin
        - /phpsso_server/caches/configs/database.php # phpcms
        - /phpsso_server/caches/configs/system.php # phpcms
        - /zb_users/c_option.php # zblog
        - /e/class/config.php # empirecms
        - /e/config/config.php # empirecms
        - /data/sql_config.php # phpwind
        - /data/bbscache/config.php # phpwind
        - /app/config/parameters.yml # prestashop 1.7,1.8
        - /app/config/parameters.php # prestashop 1.7,1.8
        - /config/settings.inc.php # prestashop  > 1.5,1.6
        - /config/settings.old.php # prestashop  > 1.5,1.6
        - /manager/includes/config.inc.php # MODX CMS
        - /app/config/parameters.ini # Symfony
        - /phinx.yml # CS-Cart
        - /db.php
        - /conn.php
        - /database.php
        - /db_config.php
        - /config.inc.php
        - /data/config.php
        - /config/config.php
        - /index.php
        - /default.php
        - /main.php
        - /settings.php
        - /header.php
        - /footer.php
        - /login.php
        - /404.php
        - /wp-login.php
        - /config.php
        - /config
        - /const.DB.php.bak
        - /const.DB.php

      bakext:
        - ".~"
        - ".bk"
        - ".bak"
        - ".bkp"
        - ".BAK"
        - ".blank"
        - ".swp"
        - ".swo"
        - ".swn"
        - ".tmp"
        - ".save"
        - ".old"
        - ".new"
        - ".orig"
        - ".dist"
        - ".eski"  # Turkish word for .bak its common on file backups
        - ".txt"
        - ".disabled"
        - ".original"
        - ".backup"
        - "_bak"
        - "_1.bak"
        - "~"
        - "!"
        - ".0"
        - ".1"
        - ".2"
        - ".3"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "<?php"
          - "<?="
        condition: or

      - type: word
        part: body
        words:
          - "?>"
          - "($"
          - "$_GET["
          - "$_POST["
          - "$_REQUEST["
          - "$_SERVER["
          - "'DB_PASSWORD'"
          - "'DBPASS'"
          - "'dbname'"
          - "'database_name'"
          - "database_type"
          - "_DB_NAME_"
          - "define('DB"
          - "environments:"
        condition: or

      - type: word
        part: header
        words:
          - "text/plain"
          - "bytes"
        condition: or
# digest: 4a0a00473045022100da22b43b225ff93e47d3efab04ac1dcfc79134b9351058524e55679574f0c9fe02206d287ccf7a70536e2836ff395ab274196c67774f5ecf3abbc03bfc898576f6a0:922c64590222798bb761d5b6d8e72950