created an admin page finder for the found URL's

This commit is contained in:
ekultek 2017-09-20 17:19:20 -05:00
parent 47561c3aab
commit 36259f3a12
4 changed files with 443 additions and 314 deletions

View file

@ -2,296 +2,296 @@
:82
:2082
:2083
admin.php
admin.html
index.php
login.php
login.html
administrator
admin
adminpanel
cpanel
login
wp-login.php
administrator
admins
logins
admin.asp
login.asp
adm/
admin/
admin/account.html
admin/login.html
admin/login.htm
admin/controlpanel.html
admin/controlpanel.htm
admin/adminLogin.html
admin/adminLogin.htm
admin.htm
admin.html
adminitem/
adminitems/
administrator/
administrator/login.%EXT%
administrator.%EXT%
administration/
administration.%EXT%
adminLogin/
adminlogin.%EXT%
admin_area/admin.%EXT%
admin_area/
admin_area/login.%EXT%
manager/
superuser/
superuser.%EXT%
access/
access.%EXT%
sysadm/
sysadm.%EXT%
superman/
supervisor/
panel.%EXT%
control/
control.%EXT%
member/
member.%EXT%
members/
user/
user.%EXT%
cp/
uvpanel/
manage/
manage.%EXT%
management/
management.%EXT%
signin/
signin.%EXT%
log-in/
log-in.%EXT%
log_in/
log_in.%EXT%
sign_in/
sign_in.%EXT%
sign-in/
sign-in.%EXT%
users/
users.%EXT%
accounts/
accounts.%EXT%
bb-admin/login.%EXT%
bb-admin/admin.%EXT%
bb-admin/admin.html
administrator/account.%EXT%
relogin.htm
relogin.html
check.%EXT%
relogin.%EXT%
blog/wp-login.%EXT%
user/admin.%EXT%
users/admin.%EXT%
registration/
processlogin.%EXT%
checklogin.%EXT%
checkuser.%EXT%
checkadmin.%EXT%
isadmin.%EXT%
authenticate.%EXT%
authentication.%EXT%
auth.%EXT%
authuser.%EXT%
authadmin.%EXT%
cp.%EXT%
modelsearch/login.%EXT%
moderator.%EXT%
moderator/
controlpanel/
controlpanel.%EXT%
admincontrol.%EXT%
adminpanel.%EXT%
fileadmin/
fileadmin.%EXT%
sysadmin.%EXT%
admin1.%EXT%
admin1.html
admin1.htm
admin2.%EXT%
admin2.html
yonetim.%EXT%
yonetim.html
yonetici.%EXT%
yonetici.html
phpmyadmin/
myadmin/
ur-admin.%EXT%
ur-admin/
Server.%EXT%
Server/
wp-admin/
administr8.%EXT%
administr8/
webadmin/
webadmin.%EXT%
administratie/
admins/
admins.%EXT%
administrivia/
Database_Administration/
useradmin/
sysadmins/
sysadmins/
admin1/
system-administration/
administrators/
pgadmin/
directadmin/
staradmin/
ServerAdministrator/
SysAdmin/
administer/
LiveUser_Admin/
sys-admin/
typo3/
panel/
cpanel/
cpanel_file/
platz_login/
rcLogin/
blogindex/
formslogin/
autologin/
manuallogin/
simpleLogin/
loginflat/
utility_login/
showlogin/
memlogin/
login-redirect/
sub-login/
wp-login/
login1/
dir-login/
login_db/
xlogin/
smblogin/
customer_login/
UserLogin/
login-us/
acct_login/
bigadmin/
project-admins/
phppgadmin/
pureadmin/
sql-admin/
radmind/
openvpnadmin/
wizmysqladmin/
vadmind/
ezsqliteadmin/
hpwebjetadmin/
newsadmin/
adminpro/
Lotus_Domino_Admin/
bbadmin/
vmailadmin/
Indy_admin/
ccp14admin/
irc-macadmin/
banneradmin/
sshadmin/
phpldapadmin/
macadmin/
administratoraccounts/
admin4_account/
admin4_colon/
radmind-1/
Super-Admin/
AdminTools/
cmsadmin/
SysAdmin2/
globes_admin/
cadmins/
phpSQLiteAdmin/
navSiteAdmin/
server_admin_small/
logo_sysadmin/
power_user/
system_administration/
ss_vms_admin_sm/
bb-admin/
panel-administracion/
instadmin/
memberadmin/
administratorlogin/
adm.%EXT%
admin_login.%EXT%
panel-administracion/login.%EXT%
pages/admin/admin-login.%EXT%
pages/admin/
acceso.%EXT%
admincp/login.%EXT%
admincp/
adminarea/
admincontrol/
affiliate.%EXT%
adm_auth.%EXT%
memberadmin.%EXT%
administratorlogin.%EXT%
modules/admin/
administrators.%EXT%
siteadmin/
siteadmin.%EXT%
adminsite/
kpanel/
vorod/
vorod.%EXT%
vorud/
vorud.%EXT%
adminpanel/
PSUser/
secure/
webmaster/
webmaster.%EXT%
autologin.%EXT%
userlogin.%EXT%
admin_area.%EXT%
cmsadmin.%EXT%
security/
usr/
root/
secret/
admin/login.%EXT%
admin/adminLogin.%EXT%
moderator.php
moderator.html
moderator/login.%EXT%
moderator/admin.%EXT%
yonetici.%EXT%
0admin/
0manager/
aadmin/
cgi-bin/login%EXT%
login1%EXT%
login_admin/
login_admin%EXT%
login_out/
login_out%EXT%
login_user%EXT%
loginerror/
loginok/
loginsave/
loginsuper/
loginsuper%EXT%
login%EXT%
logout/
logout%EXT%
secrets/
super1/
super1%EXT%
super_index%EXT%
super_login%EXT%
supermanager%EXT%
superman%EXT%
superuser%EXT%
supervise/
supervise/Login%EXT%
super%EXT%
/admin.php
/admin.html
/index.php
/login.php
/login.html
/administrator
/admin
/adminpanel
/cpanel
/login
/wp-login.php
/administrator
/admins
/logins
/admin.asp
/login.asp
/adm/
/admin/
/admin/account.html
/admin/login.html
/admin/login.htm
/admin/controlpanel.html
/admin/controlpanel.htm
/admin/adminLogin.html
/admin/adminLogin.htm
/admin.htm
/admin.html
/adminitem/
/adminitems/
/administrator/
/administrator/login.%EXT%
/administrator.%EXT%
/administration/
/administration.%EXT%
/adminLogin/
/adminlogin.%EXT%
/admin_area/admin.%EXT%
/admin_area/
/admin_area/login.%EXT%
/manager/
/superuser/
/superuser.%EXT%
/access/
/access.%EXT%
/sysadm/
/sysadm.%EXT%
/superman/
/supervisor/
/panel.%EXT%
/control/
/control.%EXT%
/member/
/member.%EXT%
/members/
/user/
/user.%EXT%
/cp/
/uvpanel/
/manage/
/manage.%EXT%
/management/
/management.%EXT%
/signin/
/signin.%EXT%
/log-in/
/log-in.%EXT%
/log_in/
/log_in.%EXT%
/sign_in/
/sign_in.%EXT%
/sign-in/
/sign-in.%EXT%
/users/
/users.%EXT%
/accounts/
/accounts.%EXT%
/bb-admin/login.%EXT%
/bb-admin/admin.%EXT%
/bb-admin/admin.html
/administrator/account.%EXT%
/relogin.htm
/relogin.html
/check.%EXT%
/relogin.%EXT%
/blog/wp-login.%EXT%
/user/admin.%EXT%
/users/admin.%EXT%
/registration/
/processlogin.%EXT%
/checklogin.%EXT%
/checkuser.%EXT%
/checkadmin.%EXT%
/isadmin.%EXT%
/authenticate.%EXT%
/authentication.%EXT%
/auth.%EXT%
/authuser.%EXT%
/authadmin.%EXT%
/cp.%EXT%
/modelsearch/login.%EXT%
/moderator.%EXT%
/moderator/
/controlpanel/
/controlpanel.%EXT%
/admincontrol.%EXT%
/adminpanel.%EXT%
/fileadmin/
/fileadmin.%EXT%
/sysadmin.%EXT%
/admin1.%EXT%
/admin1.html
/admin1.htm
/admin2.%EXT%
/admin2.html
/yonetim.%EXT%
/yonetim.html
/yonetici.%EXT%
/yonetici.html
/phpmyadmin/
/myadmin/
/ur-admin.%EXT%
/ur-admin/
/Server.%EXT%
/Server/
/wp-admin/
/administr8.%EXT%
/administr8/
/webadmin/
/webadmin.%EXT%
/administratie/
/admins/
/admins.%EXT%
/administrivia/
/Database_Administration/
/useradmin/
/sysadmins/
/sysadmins/
/admin1/
/system-administration/
/administrators/
/pgadmin/
/directadmin/
/staradmin/
/ServerAdministrator/
/SysAdmin/
/administer/
/LiveUser_Admin/
/sys-admin/
/typo3/
/panel/
/cpanel/
/cpanel_file/
/platz_login/
/rcLogin/
/blogindex/
/formslogin/
/autologin/
/manuallogin/
/simpleLogin/
/loginflat/
/utility_login/
/showlogin/
/memlogin/
/login-redirect/
/sub-login/
/wp-login/
/login1/
/dir-login/
/login_db/
/xlogin/
/smblogin/
/customer_login/
/UserLogin/
/login-us/
/acct_login/
/bigadmin/
/project-admins/
/phppgadmin/
/pureadmin/
/sql-admin/
/radmind/
/openvpnadmin/
/wizmysqladmin/
/vadmind/
/ezsqliteadmin/
/hpwebjetadmin/
/newsadmin/
/adminpro/
/Lotus_Domino_Admin/
/bbadmin/
/vmailadmin/
/Indy_admin/
/ccp14admin/
/irc-macadmin/
/banneradmin/
/sshadmin/
/phpldapadmin/
/macadmin/
/administratoraccounts/
/admin4_account/
/admin4_colon/
/radmind-1/
/Super-Admin/
/AdminTools/
/cmsadmin/
/SysAdmin2/
/globes_admin/
/cadmins/
/phpSQLiteAdmin/
/navSiteAdmin/
/server_admin_small/
/logo_sysadmin/
/power_user/
/system_administration/
/ss_vms_admin_sm/
/bb-admin/
/panel-administracion/
/instadmin/
/memberadmin/
/administratorlogin/
/adm.%EXT%
/admin_login.%EXT%
/panel-administracion/login.%EXT%
/pages/admin/admin-login.%EXT%
/pages/admin/
/acceso.%EXT%
/admincp/login.%EXT%
/admincp/
/adminarea/
/admincontrol/
/affiliate.%EXT%
/adm_auth.%EXT%
/memberadmin.%EXT%
/administratorlogin.%EXT%
/modules/admin/
/administrators.%EXT%
/siteadmin/
/siteadmin.%EXT%
/adminsite/
/kpanel/
/vorod/
/vorod.%EXT%
/vorud/
/vorud.%EXT%
/adminpanel/
/PSUser/
/secure/
/webmaster/
/webmaster.%EXT%
/autologin.%EXT%
/userlogin.%EXT%
/admin_area.%EXT%
/cmsadmin.%EXT%
/security/
/usr/
/root/
/secret/
/admin/login.%EXT%
/admin/adminLogin.%EXT%
/moderator.php
/moderator.html
/moderator/login.%EXT%
/moderator/admin.%EXT%
/yonetici.%EXT%
/0admin/
/0manager/
/aadmin/
/cgi-bin/login%EXT%
/login1%EXT%
/login_admin/
/login_admin%EXT%
/login_out/
/login_out%EXT%
/login_user%EXT%
/loginerror/
/loginok/
/loginsave/
/loginsuper/
/loginsuper%EXT%
/login%EXT%
/logout/
/logout%EXT%
/secrets/
/super1/
/super1%EXT%
/super_index%EXT%
/super_login%EXT%
/supermanager%EXT%
/superman%EXT%
/superuser%EXT%
/supervise/
/supervise/Login%EXT%
/super%EXT%

View file

@ -0,0 +1,105 @@
import os
import urllib2
from lib.settings import (
logger,
replace_http,
set_color,
create_tree
)
def check_for_admin_page(url, exts, protocol="http://", show_possibles=False, verbose=False):
possible_connections, connections = set(), set()
stripped_url = replace_http(url.strip())
for ext in exts:
ext = ext.strip()
true_url = "{}{}{}".format(protocol, stripped_url, ext)
if verbose:
logger.debug(set_color(
"trying '{}'...".format(true_url), level=10
))
try:
urllib2.urlopen(true_url, timeout=5)
logger.info(set_color(
"connected successfully to '{}'...".format(true_url)
))
connections.add(true_url)
except urllib2.HTTPError as e:
data = str(e).split(" ")
if verbose:
if "Access Denied" in str(e):
logger.warning(set_color(
"got access denied, possible control panel found without external access on '{}'...".format(
true_url
),
level=30
))
possible_connections.add(true_url)
else:
logger.error(set_color(
"failed to connect got error code {}...".format(
data[2]
), level=40
))
else:
pass
except Exception as e:
if verbose:
if "<urlopen error timed out>" or "timeout: timed out" in str(e):
logger.warning(set_color(
"connection timed out after five seconds "
"assuming won't connect and skipping...", level=30
))
else:
logger.exception(set_color(
"failed to connect with unexpected error '{}'...".format(str(e)), level=50
))
else:
pass
possible_connections, connections = list(possible_connections), list(connections)
data_msg = "found {} possible connections(s) and {} successful connection(s)..."
logger.info(set_color(
data_msg.format(len(possible_connections), len(connections))
))
if len(connections) != 0:
logger.info(set_color(
"creating connection tree..."
))
create_tree(url, connections)
else:
logger.fatal(set_color(
"did not find any successful connections to {}'s "
"admin page", level=50
))
if show_possibles:
if len(possible_connections) != 0:
logger.info(set_color(
"creating possible connection tree..."
))
create_tree(url, possible_connections)
else:
logger.fatal(set_color(
"did not find any possible connections to {}'s "
"admin page", level=50
))
def __load_extensions(filename="{}/etc/link_ext.txt"):
with open(filename.format(os.getcwd())) as ext:
return ext.readlines()
def main(url, show=False, verbose=False):
logger.info(set_color(
"loading extensions..."
))
extensions = __load_extensions()
if verbose:
logger.debug(set_color(
"loaded a total of {} extensions...".format(len(extensions)), level=10
))
logger.info(set_color(
"attempting to bruteforce admin panel..."
))
check_for_admin_page(url, extensions, show_possibles=show, verbose=verbose)

View file

@ -17,7 +17,7 @@ import bin.unzip_gecko
# clone link
CLONE = "https://github.com/ekultek/zeus-scanner.git"
# current version <major.minor.commit.patch ID>
VERSION = "1.0.12"
VERSION = "1.0.13"
# colors to output depending on the version
VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30}
# version string formatting
@ -241,10 +241,12 @@ def replace_http(url):
delete the queries from the URL
"""
return data.split("/")[0]
url_list = url.split("//")
new_url = url_list[1]
return __remove_queries(new_url)
try:
url_list = url.split("//")
new_url = url_list[1]
return __remove_queries(new_url)
except IndexError:
return url
def grab_random_agent(agent_path="{}/etc/agents.txt", verbose=False):
@ -340,4 +342,15 @@ def update_zeus():
else:
logger.fatal(set_color(
"no git repository found in directory, unable to update automatically..."
))
))
def create_tree(start, conns, down="|", over="-", sep="-" * 40):
print("{}\nStarting URL: {}\n\nConnections:".format(sep, start))
for con in conns:
print(
"{}{}{}".format(
down, over, con
)
)
print(sep)

41
zeus.py
View file

@ -10,6 +10,7 @@ import httplib as http_client
from var import blackwidow
from var.google_search import search
from lib.errors import InvalidInputProvided
from lib.attacks.admin_panel_finder import main
from lib.attacks.nmap_scan.nmap_opts import NMAP_API_OPTS
from lib.attacks.sqlmap_scan.sqlmap_opts import SQLMAP_API_OPTIONS
@ -67,6 +68,8 @@ if __name__ == "__main__":
help="Run a Nmap port scan on the discovered URL's")
attacks.add_option("-i", "--intel-check", dest="intelCheck", action="store_true",
help="Check if a URL's host is exploitable via Intel ME AMT (CVE-2017-5689)")
attacks.add_option("-a", "--admin-panel", dest="adminPanelFinder", action="store_true",
help="Search for the websites admin panel")
attacks.add_option("--sqlmap-args", dest="sqlmapArguments", metavar="SQLMAP-ARGS",
help="Pass the arguments to send to the sqlmap API within quotes & "
"separated by a comma. IE 'dbms mysql, verbose 3, level 5'")
@ -77,8 +80,12 @@ if __name__ == "__main__":
help="Attempt to automatically find sqlmap on your system")
attacks.add_option("--search-here", dest="givenSearchPath", metavar="PATH-TO-START",
help="Start searching for sqlmap in this given path")
attacks.add_option("--show", dest="showSqlmapArguments", action="store_true",
attacks.add_option("--show-sqlmap", dest="showSqlmapArguments", action="store_true",
help="Show the arguments that the sqlmap API understands")
attacks.add_option("--show-nmap", dest="showNmapArgs", action="store_true",
help="Show the arguments that nmap understands")
attacks.add_option("-P", "--show-possibles", dest="showAllConnections", action="store_true",
help="Show all connections made during the admin panel search")
# search engine options
engines = optparse.OptionGroup(parser, "Search engine arguments",
@ -297,7 +304,7 @@ if __name__ == "__main__":
def __run_attacks(
url, sqlmap=False, verbose=False, nmap=False,
intel=False, given_path=None, auto=False, batch=False
intel=False, admin=False, given_path=None, auto=False, batch=False
):
"""
run the attacks if any are requested
@ -319,6 +326,8 @@ if __name__ == "__main__":
elif intel:
url_ip_address = replace_http(url.strip())
return intel_me.intel_amt_main(url_ip_address, proxy=proxy_to_use, verbose=verbose)
elif admin:
main(url, show=opt.showAllConnections, verbose=verbose)
else:
pass
else:
@ -348,12 +357,12 @@ if __name__ == "__main__":
pass
urls_to_use = get_latest_log_file(URL_LOG_PATH)
if opt.runSqliScan or opt.runPortScan or opt.intelCheck:
if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder:
with open(urls_to_use) as urls:
for url in urls.readlines():
__run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck,
given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose,
batch=opt.runInBatch)
admin=opt.adminPanelFinder, given_path=opt.givenSearchPath,
auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch)
# use a file full of dorks as the queries
elif opt.dorkFileToUse is not None:
@ -375,12 +384,12 @@ if __name__ == "__main__":
pass
urls_to_use = get_latest_log_file(URL_LOG_PATH)
if opt.runSqliScan or opt.runPortScan or opt.intelCheck:
if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder:
with open(urls_to_use) as urls:
for url in urls.readlines():
__run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck,
given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose,
batch=opt.runInBatch)
admin=opt.adminPanelFinder, given_path=opt.givenSearchPath,
auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch)
# use a random dork as the query
elif opt.useRandomDork:
@ -398,12 +407,14 @@ if __name__ == "__main__":
proxy=proxy_to_use, agent=agent_to_use
)
urls_to_use = get_latest_log_file(URL_LOG_PATH)
if opt.runSqliScan or opt.runPortScan or opt.intelCheck:
if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder:
with open(urls_to_use) as urls:
for url in urls.readlines():
__run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck,
given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose,
batch=opt.runInBatch)
__run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan,
intel=opt.intelCheck,
admin=opt.adminPanelFinder, given_path=opt.givenSearchPath,
auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch)
except Exception as e:
logger.exception(set_color(
"ran into exception '{}' and cannot continue, saved to current log file...".format(e),
@ -429,12 +440,12 @@ if __name__ == "__main__":
blackwidow.blackwidow_main(opt.spiderWebSite, agent=agent_to_use, proxy=proxy_to_use, verbose=opt.runInVerbose)
urls_to_use = get_latest_log_file(SPIDER_LOG_PATH)
if opt.runSqliScan or opt.runPortScan or opt.intelCheck:
if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder:
with open(urls_to_use) as urls:
for url in urls.readlines():
__run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck,
given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose,
batch=opt.runInBatch)
admin=opt.adminPanelFinder, given_path=opt.givenSearchPath,
auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch)
else:
logger.critical(set_color(