
BACKFiL Finding Files you left on the server


DESCRIPTION

This talk is about a tool I developed that helps find files left on servers after editing or saving backups.


Page 1: BACKFiL Finding Files you left on the server

BACKFiL: BACKup Files Locator

Helping to find files forgotten about on your webserver

Live Presentation at: http://www.youtube.com/watch?v=TMZ_GvRf4oE

Page 2: BACKFiL Finding Files you left on the server

Whoami

• Tobias Mccurry
• @lordsaibat
• 10 YR AF Veteran
• Sr. Pentester
• Breaker of web apps
• Discovered XSS zero day in Collabnet software
• NOVA – Hacker member

Page 3: BACKFiL Finding Files you left on the server

Agenda

• Web Application methodology – overview
• How do temporary/backup files happen to get on the server?
• What does a backup file look like in the browser?
• What does this tool do?
• How does it fit into your testing?
• Roadmap for the tool.
• Success stories
• Compared to other tools
• Where to get it.
• How to prevent backup files from getting on the server in the first place.
• Best Practice

Page 4: BACKFiL Finding Files you left on the server

Web Application Methodology – cont.

Configuration Management Testing

• 4.3.1 SSL/TLS Testing (OWASP-CM-001)

• 4.3.2 DB Listener Testing (OWASP-CM-002)

• 4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)

• 4.3.4 Application Configuration Management Testing (OWASP-CM-004)

• 4.3.5 Testing for File Extensions Handling (OWASP-CM-005)

• 4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006)

• 4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007)

• 4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008)


Page 5: BACKFiL Finding Files you left on the server

Web Application Methodology – cont.

4.3.5 Testing for File Extensions Handling (OWASP-CM-005)

• “An important source of vulnerability lies in files which have nothing to do with the application, but are created as a consequence of editing application files, or after creating on-the-fly backup copies, or by leaving in the web tree old files or unreferenced files. Performing in-place editing or other administrative actions on production web servers may inadvertently leave, as a consequence, backup copies (either generated automatically by the editor while editing files, or by the administrator who is zipping a set of files to create a backup).”

• Suggested test (reads candidate paths from standard input, one per line, and records the first response line for each):

    #!/bin/bash
    server=www.targetapp.com
    port=80
    while read url
    do
      # print the path, then the HTTP status line the server returned for it
      echo -ne "$url\t"
      echo -e "GET /$url HTTP/1.0\nHost: $server\n" | netcat $server $port | head -1
    done | tee outputfile

Page 6: BACKFiL Finding Files you left on the server

Results from OWASP Suggestion

• Input a URL on the terminal
  – The program will let you know if a file is found.
• Problems
  – You have to monitor it and input every file you can think of.

Page 7: BACKFiL Finding Files you left on the server

How do temporary/backup files happen to get on the server?

• An administrator logs in to a server to edit a web file using nano.
  – Nano will create temporary files with the .save extension.
  – The administrator logs out and nano leaves a .save file behind.
  – An attacker comes along and discovers the <file>.save file.

Page 8: BACKFiL Finding Files you left on the server

How do temporary/backup files happen to get on the server?

• Well, what about Windows?
  – The administrator edits the file and then uploads all the files in the directory.
  – The .BAK file(s) are copied with the other files.

Page 9: BACKFiL Finding Files you left on the server

What does a backup file look like in the browser?

The file shows up differently even though it is still the same file. The point is the attacker gains more knowledge about the application.


Page 10: BACKFiL Finding Files you left on the server

What does this tool do?

• Takes a list of URLs found during spidering, and iterates a list of 502 different extensions on every URL found.

• Will dump the output to an HTML result file or straight to the command line.

• Ability to test a single URL or a list of URLs.


Page 11: BACKFiL Finding Files you left on the server

How to export URLs the easy way

• Spider the site in Burp.
  – Click on: Target tab, Site map.
  – Right click on the site, Copy URLs in this host.

Page 12: BACKFiL Finding Files you left on the server

How does it fit into your testing?

• To expand the testing surface, spider the site while authenticated.

• After spidering the site, export the URLs found and dump them into a text file.

• Fire off the tool and review the results.
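Added example, not code from the talk or the BACKFiL project: the scan described on the last few slides shows up in web server logs as a burst of requests for backup-style paths from a single client. This Python script parses constructed Apache-style access log lines, reports clients that probed for such paths, and lists which probes were actually served with a 200 (i.e. a backup file that really is exposed). The log lines, addresses, suffix list and threshold are all constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines for the demo (not from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 -0700] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:37 -0700] "GET /index.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:37 -0700] "GET /index.php.save HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:38 -0700] "GET /index.php.old HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:38 -0700] "GET /index.php~ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:39 -0700] "GET /login.php.zip HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:56:01 -0700] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client ip, request path and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) \S+" (\d{3}) ')

# Suffixes that editors, backup tools and archivers leave behind; a short
# constructed subset, not the tool's full extension list.
BACKUP_SUFFIXES = (".bak", ".save", ".old", ".orig", ".swp", ".zip", ".tar.gz", ".rar", "~")


def is_backup_probe(path):
    """True if the request path (query string ignored) looks like a backup-file guess."""
    return path.split("?", 1)[0].lower().endswith(BACKUP_SUFFIXES)


def detect_backup_scans(log_text, threshold=3):
    """Return {client_ip: {"probes": n, "hits": [paths served with 200]}} for
    every client that requested at least `threshold` backup-style paths."""
    per_ip = defaultdict(lambda: {"probes": 0, "hits": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, path, status = m.group(1), m.group(2), m.group(3)
        if not is_backup_probe(path):
            continue
        per_ip[ip]["probes"] += 1
        if status == "200":
            per_ip[ip]["hits"].append(path)  # the guess found a real file
    return {ip: d for ip, d in per_ip.items() if d["probes"] >= threshold}


if __name__ == "__main__":
    for ip, d in detect_backup_scans(SAMPLE_LOG).items():
        print(ip, "probed", d["probes"], "backup paths; exposed files:", d["hits"])
```

A 200 in the hits list is the item to act on first: the scan found a real leftover file, not just a guess.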


Page 13: BACKFiL Finding Files you left on the server

Roadmap

• Future functionality:
  – Multi-threading
  – Intelligence on found files
  – Rules behavior
  – Exception handling
  – Timing options
  – Burp plugin
  – Metasploit

Page 14: BACKFiL Finding Files you left on the server

Roadmap - Rules

• Add an extension
• Change the first letter of the file name
• Adding dates
  – Before name
  – After name

Page 15: BACKFiL Finding Files you left on the server

Demo

http://www.youtube.com/watch?v=mzisanSYZeU


Page 16: BACKFiL Finding Files you left on the server

Success Stories

• Admin access to a CMS after finding a zip copy of the website.

• Discovered the functionality of an application due to an old file left on the server.

• Discovered a web server backup including the etc/shadow and etc/passwd files.

Page 17: BACKFiL Finding Files you left on the server

Compared to other tools

• Wfuzz – designed to brute force web applications: directory discovery, URL encoding, and parameter fuzzing.

• Webscarab – has automated checks for 15 types of backup files.

• WebSlayer – brute force checker. Time consuming.

Page 18: BACKFiL Finding Files you left on the server

Where to get it

• GitHub

• https://github.com/lordsaibat/backfil

• Other scripts/tools there soon...

Page 19: BACKFiL Finding Files you left on the server

Best Practices

• Don’t edit files on the production server.
  – File editors are going to write temporary files and they might not remove them.
• Separate the files you intend to copy to the production server from the working directory.
  – Prevents copying every file in the directory to the server rather than only the ones you want to update.
• Do not use Git or SVN in the web directory of the production server.
  – It creates a hidden directory that could be enumerated.
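Added example, not from the talk: a pre-deploy check that enforces the best practices above by refusing to ship editor temporary files (nano .save, vim .swp, emacs #file# and ~ copies), Windows .BAK copies, archived site copies and .git/.svn directories from a staging directory. The suffix list and the demo directory are constructed for this example, not taken from the tool's extension list.

```python
import os
import tempfile

# Constructed list of leftovers this check refuses to deploy; a subset chosen for
# the demo, not the tool's 502-entry extension list.
BACKUP_SUFFIXES = (".save", ".bak", ".old", ".orig", ".swp", ".tmp", "~",
                   ".zip", ".tar", ".tar.gz", ".rar")
VCS_DIRS = {".git", ".svn"}


def find_deploy_leftovers(root):
    """Return sorted relative paths under `root` that must not reach the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append(os.path.relpath(os.path.join(dirpath, d), root) + os.sep)
                dirnames.remove(d)  # flag the whole directory, do not descend into it
        for f in filenames:
            editor_temp = (f.startswith("#") and f.endswith("#")) or f.startswith(".#")
            if f.lower().endswith(BACKUP_SUFFIXES) or editor_temp:
                findings.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed staging directory mixing real files with leftovers."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    os.makedirs(os.path.join(root, "admin"))
    for rel in ("index.php", "index.php.save", "admin/config.php",
                "admin/config.php.BAK", "site-backup.zip", ".index.php.swp"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("demo\n")
    return root


if __name__ == "__main__":
    leftovers = find_deploy_leftovers(build_demo_tree())
    for path in leftovers:
        print("refusing to deploy:", path)
    raise SystemExit(1 if leftovers else 0)  # non-zero exit blocks the deploy step
```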


Page 20: BACKFiL Finding Files you left on the server

QA

• Any questions?


Page 21: BACKFiL Finding Files you left on the server

Reference Slides


Page 23: BACKFiL Finding Files you left on the server

Tools Reference

– Wfuzz
  • https://code.google.com/p/wfuzz/wiki/Howto
– Webscarab
  • https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
– Webslayer
  • https://www.owasp.org/index.php/Category:OWASP_Webslayer_Project

Page 24: BACKFiL Finding Files you left on the server

Extensions Tested

Page 25: BACKFiL Finding Files you left on the server

Extensions Tested