> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/hidden-directory/trick-0229.md).

# Information Disclosure via Backup Directory

***

Look for common or application-specific directories that web applications might use to store backup files, logs, or configuration data. These directories can sometimes be publicly accessible and contain sensitive information like database credentials, private keys, configuration files, internal documentation, or source code.

You can attempt to access known common backup paths or paths observed during application analysis using a web browser or enumeration tools. For example, in a specific SweetRice CMS instance, accessing the following path revealed SQL backup files containing credentials:

```
http://[TARGET_IP]/content/inc/mysql_backup/
```

Once such a file is located, tools like `wget` can be used to download it directly:

```bash
wget http://[TARGET_IP]/content/inc/mysql_backup/backup.sql
```

Automated tools are also effective for discovering such exposed directories and files. For instance, `gobuster` can be used for directory and file brute-forcing against web servers. A typical command might look like this:

```bash
gobuster dir -u http://[TARGET_IP] -w /path/to/wordlist.txt -x .sql,.zip,.bak,.tgz
```

This command targets the specified URL (`-u`), uses a wordlist for common directory and file names (`-w`), and looks for extensions commonly associated with backups or configuration files (`-x`).

To refine the scan, you can specify status codes to ignore, such as 403 (Forbidden) or 404 (Not Found), to reduce noise in the output. The `-s` flag is used for this:

```bash
gobuster dir -u http://example.com -w /path/to/wordlist -x .php,.html,.txt,.bak -s 404,403
```

Adding a trailing slash to each directory entry in the wordlist can be helpful, which can be done using the `-f` flag. Increasing the number of concurrent threads with the `-t` flag can speed up the scanning process, but be mindful of the target server's capacity.

Another useful tool is `nikto`, which performs comprehensive checks against web servers for various vulnerabilities, including the presence of interesting files and directories. A basic scan can be initiated with:

```bash
nikto -h http://[TARGET_IP]
```

These tools help automate the process of identifying potentially vulnerable paths where sensitive information might be stored.
