From 095d5e89ac0d0b83b5b3f9841af16e65bb59e194 Mon Sep 17 00:00:00 2001
From: david <david@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Tue, 6 Mar 2012 17:51:26 +0000
Subject: [PATCH] Add http-config-backup.nse from Riccardo Cecolin.

This script checks for text editor backups of web configuration files.
---
 scripts/http-config-backup.nse | 228 +++++++++++++++++++++++++++++++++
 scripts/script.db              |   1 +
 2 files changed, 229 insertions(+)
 create mode 100644 scripts/http-config-backup.nse

diff --git a/scripts/http-config-backup.nse b/scripts/http-config-backup.nse
new file mode 100644
index 000000000..6d2be3260
--- /dev/null
+++ b/scripts/http-config-backup.nse
@@ -0,0 +1,228 @@
+description = [[
+Checks for backups and swap files of common content management system
+and web server configuration files.
+
+When web server files are edited in place, the text editor can leave
+backup or swap files in a place where the web server can serve them. The
+script checks for these files:
+
+* <code>wp-config.php</code>: WordPress
+* <code>config.php</code>: phpBB, ExpressionEngine
+* <code>configuration.php</code>: Joomla
+* <code>LocalSettings.php</code>: MediaWiki
+* <code>/mediawiki/LocalSettings.php</code>: MediaWiki
+* <code>mt-config.cgi</code>: Movable Type
+* <code>mt-static/mt-config.cgi</code>: Movable Type
+* <code>settings.php</code>: Drupal
+* <code>.htaccess</code>: Apache
+
+And for each of these file applies the following transformations (using
+<code>config.php</code> as an example):
+
+* <code>config.bak</code>: Generic backup.
+* <code>config.php.bak</code>: Generic backup.
+* <code>config.php~</code>: Vim, Gedit.
+* <code>#config.php#</code>: Emacs.
+* <code>config copy.php</code>: Mac OS copy.
+* <code>Copy of config.php</code>: Windows copy.
+* <code>config.php.save</code>: GNU Nano.
+* <code>.config.php.swp</code>: Vim swap.
+* <code>config.php.swp</code>: Vim swap.
+* <code>config.php.old</code>: Generic backup.
+
+This script is inspired by the CMSploit program by Feross Aboukhadijeh:
+http://www.feross.org/cmsploit/.
+]];
+
+---
+-- @usage
+-- nmap --script=http-config-backup <target>
+--
+-- @output
+-- PORT   STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | http-config-backup:
+-- |   /%23wp-config.php%23 HTTP/1.1 200 OK
+-- |_  /config.php~ HTTP/1.1 200 OK
+--
+-- @args http-config-backup.path the path where the CMS is installed
+-- @args http-config-backup.save directory to save all the valid config files found
+--
+
+author = "Riccardo Cecolin";
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
+categories = { "auth", "intrusive" };
+
+require 'http';
+require 'shortport';
+require 'url';
+
+portrule = shortport.http;
+
+local function make_grep(pattern)
+  return function(s)
+    return string.match(s, pattern)
+  end
+end
+
+local grep_php = make_grep("<%?php");
+local grep_cgipath = make_grep("CGIPath");
+
+local function check_htaccess(s)
+  return string.match("<Files") or string.match(s, "RewriteRule")
+end
+
+local CONFIGS = {
+  { filename = "wp-config.php", check = grep_php }, -- WordPress
+  { filename = "config.php", check = grep_php }, -- phpBB, ExpressionEngine
+  { filename = "configuration.php", check = grep_php }, -- Joomla
+  { filename = "LocalSettings.php", check = grep_php }, -- MediaWiki
+  { filename = "/mediawiki/LocalSettings.php", check = grep_php }, -- MediaWiki
+  { filename = "mt-config.cgi", check = grep_cgipath }, -- Movable Type
+  { filename = "mt-static/mt-config.cgi", check = grep_cgipath }, -- Movable Type
+  { filename = "settings.php", check = grep_php }, -- Drupal
+  { filename = ".htaccess", check = check_htaccess }, -- Apache
+};
+
+-- Return directory, filename pair. directory may be empty.
+local function splitdir(path)
+  local dir, filename
+
+  dir, filename = string.match(path, "^(.*/)(.*)$")
+  if not dir then
+    dir = ""
+    filename = path
+  end
+
+  return dir, filename
+end
+
+-- Return basename, extension pair. extension may be empty.
+local function splitext(filename)
+  local base, ext;
+
+  base, ext = string.match(filename, "^(.+)(%..+)")
+  if not base then
+    base = filename
+    ext = ""
+  end
+
+  return base, ext
+end
+
+-- Functions mangling filenames.
+local TRANSFORMS = {
+  function(fn)
+    local base, ext = splitext(fn);
+    if ext ~= "" then
+      return base .. ".bak" -- generic bak file
+    end
+  end,
+  function(fn) return fn .. ".bak" end,
+  function(fn) return fn .. "~" end, -- vim, gedit
+  function(fn) return "#" .. fn .. "#" end, -- Emacs
+  function(fn)
+    local base, ext = splitext(fn);
+    return base .. " copy" .. ext -- mac copy
+  end,
+  function(fn) return "Copy of " .. fn end, -- windows copy
+  function(fn) return fn .. ".save" end, -- nano
+  function(fn) if string.sub(fn, 1, 1) ~= "." then return "." .. fn .. ".swp" end end, -- vim swap
+  function(fn) return fn .. ".swp" end, -- vim swap
+  function(fn) return fn .. ".old" end, -- generic backup
+};
+
+---
+--Creates combinations of backup names for a given filename
+--Taken from: http-backup-finder.nse
+local function backupNames (filename)
+  local dir, basename;
+
+  dir, basename = splitdir(filename);
+  return coroutine.wrap(function()
+    for _, transform in ipairs(TRANSFORMS) do
+      local result = transform(basename);
+
+      if result == nil then
+      elseif type(result) == "string" then
+        coroutine.yield(dir .. result);
+        result = {result}
+      elseif type(result) == "table" then
+        for _, r in ipairs(result) do
+          coroutine.yield(dir .. r);
+        end
+      end
+    end
+  end)
+end
+
+---
+--Writes string to file
+--Taken from: hostmap.nse
+-- @param filename Filename to write
+-- @param contents Content of file
+-- @return True if file was written successfully
+local function write_file (filename, contents)
+  local f, err = io.open(filename, "w");
+  if not f then
+    return f, err;
+  end
+  f:write(contents);
+  f:close();
+  return true;
+end
+
+action = function (host, port)
+  local path = stdnse.get_script_args("http-config-backup.path") or "/";
+  local save = stdnse.get_script_args("http-config-backup.save");
+
+  local backups = {};
+
+  if not path:match("/$") then
+    path = path .. "/";
+  end
+
+  if not path:match("^/") then
+    path = "/" .. path;
+  end
+
+  if (save and not(save:match("/$") ) ) then
+    save = save .. "/";
+  end
+
+  -- for each config file
+  for _, cfg in ipairs(CONFIGS) do
+    -- for each alteration of the filename
+    for entry in backupNames(cfg.filename) do
+      local url_path
+
+      url_path = url.build({path = path .. entry});
+      -- http request
+      local response = http.get(host, port, url_path);
+
+      if (response.status == 200) then
+        -- check it if is valid before inserting
+        if cfg.check(response.body) then
+          local filename = ((host.targetname or host.ip) .. url_path):gsub("/", "-");
+
+          -- save the content
+          if save then
+            local status, err = write_file(save .. filename, response.body);
+            if status then
+              stdnse.print_debug(1, "%s saved", filename);
+            else
+              stdnse.print_debug(1, "error saving %s", err);
+            end
+          end
+
+          table.insert(backups, url_path .. " " .. response["status-line"]);
+        else
+          stdnse.print_debug(1, SCRIPT_NAME .. ": %s: found but not matching: %s",
+            host.targetname or host.ip, url_path);
+        end
+      end
+    end
+  end
+
+  return stdnse.format_output(true, backups);
+end;
diff --git a/scripts/script.db b/scripts/script.db
index 0fb9e8c45..1b89348b1 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -108,6 +108,7 @@ Entry { filename = "http-backup-finder.nse", categories = { "discovery", "safe",
 Entry { filename = "http-barracuda-dir-traversal.nse", categories = { "auth", "exploit", "intrusive", } }
 Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-cakephp-version.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-config-backup.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "http-cors.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-date.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-default-accounts.nse", categories = { "auth", "discovery", "safe", } }