OWASP · Manushya-a · Mar 22, 2025 · Mar 22, 2025 · Mar 23, 2025
@@ -0,0 +1,222 @@
+configuration.php_old
+configuration.php_new
+configuration.php~
+configuration.php.new
+configuration.php.new~
+configuration.php.old
+configuration.php.old~
+configuration.bak
+configuration.php.bak
+configuration.php.bkp
+configuration.txt
+configuration.php.txt
+configuration-Copy.php
+configuration.php.swo
+configuration.php_bak
+configuration.php#
+configuration.orig
+configuration.php.save
+configuration.php.original
+configuration.php.swp
+configuration.save
+.configuration.php.swp
+configuration.php1
+configuration.php2
+configuration.php3
+configuration.php4
+configuration.php6
+configuration.php7
+configuration.phtml
+configuration.php-dist
+config.php
+configuration.php
+settings.php
+db_config.php
+database.php
+app_config.php
+env.php
+site_config.php
+secure_config.php
+init.php
+wp-config.php
+wp-settings.php
+wp-db.php
+wp-config-sample.php
+wp-secrets.php
+joomla_config.php
+joomla-settings.php
+default.settings.php
+services.yml
+local.settings.php
+config.default.php
+app/etc/env.php
+app/etc/config.php
+.env
+config/app.php
+config/database.php
+config/cache.php
+config/settings.inc.php
+app/config/parameters.php
+admin/config.php
+LocalConfiguration.php
+AdditionalConfiguration.php
+config_default.php
+config-dist.php
+configure.php
+admin/includes/configure.php
+configurationsettings.php
+main_config.php
+app_settings.php
+global_config.php
+secure_settings.php
+private_config.php
+user_settings.php
+site_options.php
+system.php
+security.php
+server.php
+credentials.php
+app.php
+database.ini
+config.inc.php
+core_config.php
+default_config.php
+env_config.php
+master_config.php
+options.php
+private_settings.php
+secrets.php
+server_settings.php
+site_variables.php
+system_config.php
+vars.php
+config_1.php
+config_2.php
+config_bak.php
+config.old.php
+config.new.php
+config_copy.php
+config_dev.php
+config_prod.php
+config_test.php
+config_backup.php
+config-secure.php
+config-hidden.php
+config-local.php
+config-remote.php
+config-private.php
+xyz_config.php
+abc_settings.php
+random123.php
+secure_789.php
+sys_45config.php
+data_567.php
+hash_99.php
+custom_987.php
+hidden_333.php
+secure_app987.php
+config.xml
+settings.ini
+server.conf
+database.cfg
+environment.json
+config.ini
+settings.ini
+database.ini
+app.ini
+server.ini
+system.ini
+site.ini
+env.ini
+default.ini
+global.ini
+config.json
+settings.json
+database.json
+app.json
+package.json
+manifest.json
+firebase.json
+composer.json
+tsconfig.json
+eslint.json
+config.yaml
+settings.yaml
+database.yaml
+app.yaml
+docker-compose.yaml
+kubernetes.yaml
+ansible.cfg.yaml
+symfony.yaml
+cloudbuild.yaml
+netlify.yaml
+config.xml
+settings.xml
+database.xml
+app.xml
+pom.xml
+web.xml
+android_manifest.xml
+hibernate.cfg.xml
+log4j.xml
+struts-config.xml
+.env
+.env.local
+.env.production
+.env.testing
+.env.example
+.env.development
+.env.staging
+.envrc
+.env.dist
+.env.secret
+config.toml
+settings.toml
+database.toml
+app.toml
+Cargo.toml
+poetry.toml
+pyproject.toml
+netlify.toml
+hugo.toml
+tool-config.toml
+settings.cfg
+database.cfg
+app.cfg
+server.cfg
+system.cfg
+default.cfg
+global.cfg
+local.cfg
+environment.cfg
+network.cfg
+app.config
+web.config
+database.config
+machine.config
+security.config
+service.config
+default.config
+user.config
+global.config
+network.config
+settings.conf
+server.conf
+database.conf
+httpd.conf
+nginx.conf
+redis.conf
+supervisord.conf
+xorg.conf
+firewalld.conf
+sshd_config
+.babelrc
+.editorconfig
+.prettierrc
+.eslintrc.json
+.stylelintrc
+.gitattributes
+.gitconfig
+.gitignore
+.npmrc
+.yarnrc
@@ -0,0 +1,46 @@
+info:
+  name: config_file_scan
+  author: Manushya-a
+  severity: 3
+  description: Configuration file finder
+  reference:
+  profiles:
+    - scan
+    - http
+    - backup
+    - low_severity
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{url_base_path}{{urls}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              urls:
+                read_from_file: wordlists/config_wordlist.txt
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          log: "response_dependent['url']"
+          conditions:
+            url:
+              regex: .*
+              reverse: false 
+            status_code:
+              regex: 200|403|401
+              reverse: false