Good Day!
I truly hope everything is awesome on your side of the screen!
BackupFinder discovers backup files on web servers by generating intelligent patterns.
It creates thousands of potential backup file names based on your target domain.
Perfect for penetration testing, bug bounty hunting, and security audits.

For reference, here is an H1 report showing a backup file named after the domain:
https://hackerone.com/reports/1516520
Backup file: https://mtn.co.rw/mtn.zip

Thanks to everyone who made this tool possible:
- @infosec_au for wordlists (wordlists.assetnote.io)
- @coffinxp7 for inspiration and support
- @GodfatherOrwa for support
- Nishantbhagat57/backup-gen: inspired by and credit to this project
- ffuf: Fast web fuzzer
- ProjectDiscovery: Security automation tools
Thank you to the authors, maintainers, and the security community for your contributions and inspiration!

Requirements:
- Go 1.21 or higher
- Internet connection for installation

# Install with go install
go install github.com/MuhammadWaseem29/BackupFinder/cmd/backupfinder@v1.0.2
# Or build from source
git clone https://github.com/MuhammadWaseem29/BackupFinder.git
cd BackupFinder
go build -o backupfinder ./cmd/backupfinder/
sudo mv backupfinder /usr/local/bin/
# Check version
backupfinder version
# Verify assets are embedded
backupfinder health-check
# Quick test
backupfinder -u https://example.com --silent | head -3

Usage:
  backupfinder [flags]

Flags:
INPUT:
  -u, -target string       target URL/domain to scan
  -l, -list string         file containing list of targets
PATTERNS:
  -w, -wordlist            use wordlist mode (comprehensive 1900+ patterns)
  -e, -extensions string   custom extensions file
OUTPUT:
  -o, -output string       file to write output to
  -je string               export to JSON file
  -json                    JSON output format
  -silent                  show only results
  -v, -verbose             verbose mode
PERFORMANCE:
  -c, -concurrency int     number of concurrent workers (default 10)
  -rate-limit int          rate limit for requests (default 50)
  -timeout int             request timeout in seconds (default 30)
  -retries int             maximum number of retries (default 3)
CONFIGURATION:
  -no-color                disable colored output
  -timestamp               add timestamps to output
  -stats                   show statistics (default true)
  -store-resp              store responses
  -store-resp-dir          response storage directory (default "responses")
COMMANDS:
  version                  show version information
  health-check             verify installation and assets
  templates                list available pattern templates
  help                     show this help message

# Basic scan (92 extension patterns)
backupfinder -u https://admin.microsoft.com
# Comprehensive scan (1907 wordlist patterns)
backupfinder -u https://admin.microsoft.com -w
# Multiple targets
backupfinder -l targets.txt

# Generate patterns silently for piping
backupfinder -u https://admin.microsoft.com --silent
backupfinder -u https://admin.microsoft.com -w --silent
# Save to file
backupfinder -u https://admin.microsoft.com -w -o patterns.txt
# Verbose mode with statistics
backupfinder -u https://admin.microsoft.com -w -v
# JSON export
backupfinder -u https://admin.microsoft.com -w --json -o results.json
# Silent mode (perfect for automation)
backupfinder -u https://admin.microsoft.com -w --silent
# Pipe generated patterns straight into ffuf
backupfinder -u https://admin.microsoft.com --silent | ffuf -w /dev/stdin -u https://admin.microsoft.com/FUZZ -mc 200,403,500 -t 50
# Or fuzz from a saved pattern file
ffuf -w patterns.txt -u https://admin.microsoft.com/FUZZ -mc 200,403,500 -fc 404 -t 50 -o results.txt

# Find subdomains
subfinder -d microsoft.com -silent > subdomains.txt
# Check live targets
cat subdomains.txt | httpx -silent > live_subdomains.txt
# Generate patterns for all subdomains
cat live_subdomains.txt | while read -r url; do
  backupfinder -u "$url" --silent >> all_patterns.txt
done
# Scan with ffuf (append, so each target's results are kept)
cat live_subdomains.txt | while read -r url; do
  backupfinder -u "$url" --silent | ffuf -w /dev/stdin -u "$url/FUZZ" -mc 200,403,500 -fc 404 -t 50 >> results.txt
done
# Pipe patterns into ffuf or httpx
backupfinder -u https://admin.microsoft.com --silent | ffuf -w /dev/stdin -u https://admin.microsoft.com/FUZZ
backupfinder -u https://admin.microsoft.com --silent | httpx -status-code
# First five live subdomains, wordlist mode
subfinder -d microsoft.com -silent | httpx -silent | head -5 | while read -r url; do
  backupfinder -u "$url" -w --silent | ffuf -w /dev/stdin -u "$url/FUZZ" -mc 200,403,500 -fc 404 -t 50
done
# Explicit list of targets
echo -e "https://admin.microsoft.com\nhttps://api.microsoft.com" | while read -r url; do
  backupfinder -u "$url" --silent | ffuf -w /dev/stdin -u "$url/FUZZ" -mc 200,403,500 -t 30
done

- 9000+ backup patterns in wordlist mode
- Smart subdomain handling (admin.example.com -> admin.zip, admin-example.sql)
- Professional JSON export for automation
- Real-time statistics with performance metrics
- Concurrent processing for fast pattern generation
- Custom wordlists support
- Silent mode for integration with other tools

Common backup extensions: .bak, .backup, .old, .sql, .zip, etc.
Comprehensive patterns for database dumps, configuration backups, archive variants
Use your own pattern file (one pattern per line, supports # comments)
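
A defender-side counterpart to the patterns described above, as an added example that is not part of BackupFinder or its README: it derives domain-based names for a host and searches a document root you operate for matching files. The stem rules and the function names `backup_stems` and `audit_webroot` are assumptions modelled on the admin.example.com example, and the extension list is only the five named here.

```sh
#!/bin/sh
# Extensions named on this page; its "etc." means the real list is longer.
EXTS="bak backup old sql zip"

# backup_stems <host-or-url>: print candidate base names, one per line.
# Assumed rules, modelled on the page's admin.example.com example;
# this is not BackupFinder's own generator.
backup_stems() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=${host#*://}    # strip scheme
    host=${host%%/*}     # strip path
    host=${host%%:*}     # strip port
    # Keep hostname characters only, so no glob metacharacter reaches find.
    host=$(printf '%s' "$host" | tr -cd 'a-z0-9._-')
    [ -n "$host" ] || return 1
    labels=${host%.*}    # drop the last label: admin.example.com -> admin.example
    {
        printf '%s\n' "$host"
        printf '%s\n' "$labels" | tr '.' '\n'    # admin, example
        printf '%s\n' "$labels" | tr '.' '-'     # admin-example
        printf '%s\n' "$labels" | tr '.' '_'     # admin_example
    } | LC_ALL=C sort -u
}

# audit_webroot <webroot> <host-or-url>: list files under a document root
# you operate whose name is <stem>.<ext>, matched case-insensitively.
audit_webroot() {
    backup_stems "$2" | while IFS= read -r stem; do
        [ -n "$stem" ] || continue    # skip empty labels such as "a..b"
        for ext in $EXTS; do
            find "$1" -type f -iname "$stem.$ext"
        done
    done | LC_ALL=C sort
}
```

Source the file and run `audit_webroot /var/www/html https://admin.example.com` on the web server itself; any path it prints is a file that should be moved out of the served directory.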
This project is licensed under the MIT License - see the LICENSE file for details.
- Issues: GitHub Issues
- Documentation: This README
- Discussions: GitHub Discussions
MuhammadWaseem
GitHub: @MuhammadWaseem29
Tool: BackupFinder v1.0.0
Thank you for using BackupFinder! We appreciate your support!
May you be well on your side of the screen :)