From f7c6047f13b9f8b47080c7fd200f0aa7679ab072 Mon Sep 17 00:00:00 2001
From: "M. Dehghani"
Date: Sat, 11 May 2024 13:48:32 +0330
Subject: [PATCH 1/2] Add sql server backup exposure
---
 http/exposures/backups/sql-server-dump.yaml | 59 +++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 http/exposures/backups/sql-server-dump.yaml
diff --git a/http/exposures/backups/sql-server-dump.yaml b/http/exposures/backups/sql-server-dump.yaml
new file mode 100644
index 00000000000..2445673182e
--- /dev/null
+++ b/http/exposures/backups/sql-server-dump.yaml
@@ -0,0 +1,59 @@
+id: default-sql-server-dump
+
+info:
+ name: SQL Server - Dump Files
+ author: userdehghani
+ severity: medium
+ description: A SQL Server dump file was found
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cwe-id: CWE-200
+ metadata:
+ max-request: 21
+ tags: exposure,backup,sql-server
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}{{paths}}"
+ payloads:
+ paths:
+ - "/1.bak"
+ - "/sa.bak"
+ - "/wwwroot.bak"
+ - "/backup.bak"
+ - "/database.bak"
+ - "/data.bak"
+ - "/db_backup.bak"
+ - "/dbdump.bak"
+ - "/db.bak"
+ - "/dump.bak"
+ - "/{{Hostname}}.bak"
+ - "/{{Hostname}}_db.bak"
+ - "/localhost.bak"
+ - "/mysqldump.bak"
+ - "/mysql.bak"
+ - "/site.bak"
+ - "/sql.bak"
+ - "/temp.bak"
+ - "/translate.bak"
+ - "/users.bak"
+ - "/www.bak"
+ - "/wp-content/uploads/dump.bak"
+ - "/wp-content/mysql.bak"
+
+ headers:
+ Range: "bytes=0-500"
+ max-size: 500 # Size in bytes - Max Size to read from server response
+
+ matchers-condition: and
+ matchers:
+ - type: binary
+ regex:
+ - "54415045" # Microsoft Tape Format
+ part: body
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
From 935f507907a7f2696b528a37886dbd83bb1cf566 Mon Sep 17 00:00:00 2001
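Review bot: The status matcher accepts only 200, yet the request sends `Range: bytes=0-500`; a server that honours the range replies 206 Partial Content and, under `matchers-condition: and`, the exposed backup is silently missed. Either drop the `Range` header and rely on `max-size: 500` to bound the read, or accept both codes: `status:` / `- 200` / `- 206`. `max-request: 21` also undercounts the `paths` payload list, which has 23 entries, so it should read `max-request: 23`. The same 200-only status list is carried unchanged into the hunk of the second patch.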
From: "M. Dehghani"
Date: Sat, 11 May 2024 13:55:21 +0330
Subject: [PATCH 2/2] Update sql-server-dump.yaml
---
 http/exposures/backups/sql-server-dump.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/http/exposures/backups/sql-server-dump.yaml b/http/exposures/backups/sql-server-dump.yaml
index 2445673182e..c8aa049b363 100644
--- a/http/exposures/backups/sql-server-dump.yaml
+++ b/http/exposures/backups/sql-server-dump.yaml
@@ -50,10 +50,10 @@ http:
 matchers-condition: and
 matchers:
 - type: binary
- regex:
+ binary:
 - "54415045" # Microsoft Tape Format
 part: body

 - type: status
 status:
- - 200
\ No newline at end of file
+ - 200
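Review bot: The `binary` match on `54415045` is unanchored, so the four ASCII bytes `TAPE` appearing anywhere in the first 500 bytes of an HTML error or listing page satisfy it and, together with a 200 status, yield a false positive. A negative `word` matcher on `<html` (`negative: true`, `part: body`) or a `header` matcher that rejects `text/html` responses would tighten the detection without touching the magic check. The inline comment could also state what the bytes are: `# "TAPE" — Microsoft Tape Format (MTF) block header, the container used by SQL Server .bak files`. The enclosing `http` request definition starts before this hunk.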