
backup_file.rb adds dictionary

Open enomothem opened this issue 2 years ago • 5 comments

Summary

backup_file.rb adds dictionary

Basic example

path

Motivation

path does not recognize the dictionary path, but is treated as a path

enomothem avatar Apr 07 '23 18:04 enomothem

backup_file.rb adds dictionary

If I understand correctly, you want an additional option added to the module so the user can specify a dictionary of URL paths, instead of running the module multiple times?

path does not recognize the dictionary path, but is treated as a path

Correct. The PATH option is not a dictionary. The PATH option specifies the web directory / filename for which the module will attempt to find backups using the following file extensions:

https://github.com/rapid7/metasploit-framework/blob/599c8609a7bd37b474a074884a19f2c8ab2cf837/modules/auxiliary/scanner/http/backup_file.rb#L32-L42

and swap files:

https://github.com/rapid7/metasploit-framework/blob/599c8609a7bd37b474a074884a19f2c8ab2cf837/modules/auxiliary/scanner/http/backup_file.rb#L48-L51

bcoles avatar Apr 10 '23 10:04 bcoles

If you want to add an option to the module that allows the user to specify a dictionary of URL paths, you could modify the existing code to include an additional command line argument that accepts a path to a file containing a list of URLs.

For example, you could add a new argument to the command line parser:

```python
parser.add_argument('-d', '--dictionary', help='path to file containing list of URLs')
```

Then, in the main function, you could check if the user has specified a dictionary file, and if so, read in the file and loop through the URLs:

```python
if args.dictionary:
    with open(args.dictionary, 'r') as f:
        urls = f.readlines()
    for url in urls:
        url = url.strip()
        backup_url(url, extensions)
else:
    backup_url(args.url, extensions)
```

Note that this assumes that the dictionary file contains one URL per line. You could modify the code to handle a different format if necessary.

Regarding your comment about the PATH option, it sounds like there may be some confusion around the terminology. In general, a "path" refers to a file or directory location on a computer's file system. However, in the context of a web server, a "path" typically refers to the portion of a URL that comes after the domain name. For example, in the URL "https://example.com/blog/post1.html", the path would be "/blog/post1.html". The PATH option in your module appears to refer to this latter type of path, rather than a file system path.

saurabhmj11 avatar Apr 12 '23 03:04 saurabhmj11

@saurabhmj11 please stop spamming the issue tracker with off topic copypasta from ChatGPT.

bcoles avatar Apr 12 '23 04:04 bcoles

@enomothem we can use : as a delimiter for paths

So that if you provide: /something:/else:/third

/something
/else
/third

will be looked up sequentially

nrathaus avatar Apr 24 '24 09:04 nrathaus

A proposed fix https://github.com/rapid7/metasploit-framework/pull/19130

nrathaus avatar Apr 24 '24 09:04 nrathaus
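
The `:`-delimited PATH idea suggested in this thread, sketched as an added Ruby example (not the module's code and not the code from the linked pull request). `SAMPLE_EXTENSIONS`, the helper names and the Vim-style `.name.swp` swap name are assumptions; the example also shows why a full URL has to be rejected before splitting on `:`.

```ruby
# Constructed sample list; the module's real extension list is at the URL
# linked earlier in the thread.
SAMPLE_EXTENSIONS = ['.bak', '.old', '~'].freeze

# Split a ':'-delimited PATH value into individual URL paths.
# Surrounding whitespace and empty segments are dropped, a leading '/' is
# enforced, and duplicates are removed while keeping the given order.
def split_paths(value)
  value = value.to_s
  # "http://host/x" would otherwise split into the bogus paths
  # "/http" and "//host/x", so full URLs are refused up front.
  raise ArgumentError, 'PATH takes URL paths, not full URLs' if value.include?('://')

  value.split(':').map(&:strip).reject(&:empty?)
       .map { |p| p.start_with?('/') ? p : "/#{p}" }
       .uniq
end

# Expand one path into the names a backup-file check would request:
# path + extension for each extension, plus a Vim-style swap file
# (".<name>.swp" in the same directory; an assumption, see lead-in).
def backup_candidates(path, extensions = SAMPLE_EXTENSIONS)
  dir, name = File.split(path)
  extensions.map { |ext| path + ext } + [File.join(dir, ".#{name}.swp")]
end

# Ordered map of path => candidate names; Hash keeps insertion order,
# so the paths are processed sequentially in the order given.
def scan_plan(value)
  split_paths(value).to_h { |p| [p, backup_candidates(p)] }
end

if __FILE__ == $PROGRAM_NAME
  scan_plan('/something:/else:/third').each do |path, names|
    puts "#{path} -> #{names.join(', ')}"
  end
end
```

On a server you administer, every name in the resulting plan should return 404; any other response points at a leftover backup or editor swap file to remove.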