diff --git a/etc/link_ext.txt b/etc/link_ext.txt index aaf72a9..dae29de 100644 --- a/etc/link_ext.txt +++ b/etc/link_ext.txt @@ -2,296 +2,296 @@ :82 :2082 :2083 -admin.php -admin.html -index.php -login.php -login.html -administrator -admin -adminpanel -cpanel -login -wp-login.php -administrator -admins -logins -admin.asp -login.asp -adm/ -admin/ -admin/account.html -admin/login.html -admin/login.htm -admin/controlpanel.html -admin/controlpanel.htm -admin/adminLogin.html -admin/adminLogin.htm -admin.htm -admin.html -adminitem/ -adminitems/ -administrator/ -administrator/login.%EXT% -administrator.%EXT% -administration/ -administration.%EXT% -adminLogin/ -adminlogin.%EXT% -admin_area/admin.%EXT% -admin_area/ -admin_area/login.%EXT% -manager/ -superuser/ -superuser.%EXT% -access/ -access.%EXT% -sysadm/ -sysadm.%EXT% -superman/ -supervisor/ -panel.%EXT% -control/ -control.%EXT% -member/ -member.%EXT% -members/ -user/ -user.%EXT% -cp/ -uvpanel/ -manage/ -manage.%EXT% -management/ -management.%EXT% -signin/ -signin.%EXT% -log-in/ -log-in.%EXT% -log_in/ -log_in.%EXT% -sign_in/ -sign_in.%EXT% -sign-in/ -sign-in.%EXT% -users/ -users.%EXT% -accounts/ -accounts.%EXT% -bb-admin/login.%EXT% -bb-admin/admin.%EXT% -bb-admin/admin.html -administrator/account.%EXT% -relogin.htm -relogin.html -check.%EXT% -relogin.%EXT% -blog/wp-login.%EXT% -user/admin.%EXT% -users/admin.%EXT% -registration/ -processlogin.%EXT% -checklogin.%EXT% -checkuser.%EXT% -checkadmin.%EXT% -isadmin.%EXT% -authenticate.%EXT% -authentication.%EXT% -auth.%EXT% -authuser.%EXT% -authadmin.%EXT% -cp.%EXT% -modelsearch/login.%EXT% -moderator.%EXT% -moderator/ -controlpanel/ -controlpanel.%EXT% -admincontrol.%EXT% -adminpanel.%EXT% -fileadmin/ -fileadmin.%EXT% -sysadmin.%EXT% -admin1.%EXT% -admin1.html -admin1.htm -admin2.%EXT% -admin2.html -yonetim.%EXT% -yonetim.html -yonetici.%EXT% -yonetici.html -phpmyadmin/ -myadmin/ -ur-admin.%EXT% -ur-admin/ -Server.%EXT% -Server/ -wp-admin/ -administr8.%EXT% -administr8/ -webadmin/ -webadmin.%EXT% -administratie/ -admins/ -admins.%EXT% -administrivia/ -Database_Administration/ -useradmin/ -sysadmins/ -sysadmins/ -admin1/ -system-administration/ -administrators/ -pgadmin/ -directadmin/ -staradmin/ -ServerAdministrator/ -SysAdmin/ -administer/ -LiveUser_Admin/ -sys-admin/ -typo3/ -panel/ -cpanel/ -cpanel_file/ -platz_login/ -rcLogin/ -blogindex/ -formslogin/ -autologin/ -manuallogin/ -simpleLogin/ -loginflat/ -utility_login/ -showlogin/ -memlogin/ -login-redirect/ -sub-login/ -wp-login/ -login1/ -dir-login/ -login_db/ -xlogin/ -smblogin/ -customer_login/ -UserLogin/ -login-us/ -acct_login/ -bigadmin/ -project-admins/ -phppgadmin/ -pureadmin/ -sql-admin/ -radmind/ -openvpnadmin/ -wizmysqladmin/ -vadmind/ -ezsqliteadmin/ -hpwebjetadmin/ -newsadmin/ -adminpro/ -Lotus_Domino_Admin/ -bbadmin/ -vmailadmin/ -Indy_admin/ -ccp14admin/ -irc-macadmin/ -banneradmin/ -sshadmin/ -phpldapadmin/ -macadmin/ -administratoraccounts/ -admin4_account/ -admin4_colon/ -radmind-1/ -Super-Admin/ -AdminTools/ -cmsadmin/ -SysAdmin2/ -globes_admin/ -cadmins/ -phpSQLiteAdmin/ -navSiteAdmin/ -server_admin_small/ -logo_sysadmin/ -power_user/ -system_administration/ -ss_vms_admin_sm/ -bb-admin/ -panel-administracion/ -instadmin/ -memberadmin/ -administratorlogin/ -adm.%EXT% -admin_login.%EXT% -panel-administracion/login.%EXT% -pages/admin/admin-login.%EXT% -pages/admin/ -acceso.%EXT% -admincp/login.%EXT% -admincp/ -adminarea/ -admincontrol/ -affiliate.%EXT% -adm_auth.%EXT% -memberadmin.%EXT% -administratorlogin.%EXT% -modules/admin/ -administrators.%EXT% -siteadmin/ -siteadmin.%EXT% -adminsite/ -kpanel/ -vorod/ -vorod.%EXT% -vorud/ -vorud.%EXT% -adminpanel/ -PSUser/ -secure/ -webmaster/ -webmaster.%EXT% -autologin.%EXT% -userlogin.%EXT% -admin_area.%EXT% -cmsadmin.%EXT% -security/ -usr/ -root/ -secret/ -admin/login.%EXT% -admin/adminLogin.%EXT% -moderator.php -moderator.html -moderator/login.%EXT% -moderator/admin.%EXT% -yonetici.%EXT% -0admin/ -0manager/ -aadmin/ -cgi-bin/login%EXT% -login1%EXT% -login_admin/ -login_admin%EXT% -login_out/ -login_out%EXT% -login_user%EXT% -loginerror/ -loginok/ -loginsave/ -loginsuper/ -loginsuper%EXT% -login%EXT% -logout/ -logout%EXT% -secrets/ -super1/ -super1%EXT% -super_index%EXT% -super_login%EXT% -supermanager%EXT% -superman%EXT% -superuser%EXT% -supervise/ -supervise/Login%EXT% -super%EXT% \ No newline at end of file +/admin.php +/admin.html +/index.php +/login.php +/login.html +/administrator +/admin +/adminpanel +/cpanel +/login +/wp-login.php +/administrator +/admins +/logins +/admin.asp +/login.asp +/adm/ +/admin/ +/admin/account.html +/admin/login.html +/admin/login.htm +/admin/controlpanel.html +/admin/controlpanel.htm +/admin/adminLogin.html +/admin/adminLogin.htm +/admin.htm +/admin.html +/adminitem/ +/adminitems/ +/administrator/ +/administrator/login.%EXT% +/administrator.%EXT% +/administration/ +/administration.%EXT% +/adminLogin/ +/adminlogin.%EXT% +/admin_area/admin.%EXT% +/admin_area/ +/admin_area/login.%EXT% +/manager/ +/superuser/ +/superuser.%EXT% +/access/ +/access.%EXT% +/sysadm/ +/sysadm.%EXT% +/superman/ +/supervisor/ +/panel.%EXT% +/control/ +/control.%EXT% +/member/ +/member.%EXT% +/members/ +/user/ +/user.%EXT% +/cp/ +/uvpanel/ +/manage/ +/manage.%EXT% +/management/ +/management.%EXT% +/signin/ +/signin.%EXT% +/log-in/ +/log-in.%EXT% +/log_in/ +/log_in.%EXT% +/sign_in/ +/sign_in.%EXT% +/sign-in/ +/sign-in.%EXT% +/users/ +/users.%EXT% +/accounts/ +/accounts.%EXT% +/bb-admin/login.%EXT% +/bb-admin/admin.%EXT% +/bb-admin/admin.html +/administrator/account.%EXT% +/relogin.htm +/relogin.html +/check.%EXT% +/relogin.%EXT% +/blog/wp-login.%EXT% +/user/admin.%EXT% +/users/admin.%EXT% +/registration/ +/processlogin.%EXT% +/checklogin.%EXT% +/checkuser.%EXT% +/checkadmin.%EXT% +/isadmin.%EXT% +/authenticate.%EXT% +/authentication.%EXT% +/auth.%EXT% +/authuser.%EXT% +/authadmin.%EXT% +/cp.%EXT% +/modelsearch/login.%EXT% +/moderator.%EXT% +/moderator/ +/controlpanel/ +/controlpanel.%EXT% +/admincontrol.%EXT% +/adminpanel.%EXT% +/fileadmin/ +/fileadmin.%EXT% +/sysadmin.%EXT% +/admin1.%EXT% +/admin1.html +/admin1.htm +/admin2.%EXT% +/admin2.html +/yonetim.%EXT% +/yonetim.html +/yonetici.%EXT% +/yonetici.html +/phpmyadmin/ +/myadmin/ +/ur-admin.%EXT% +/ur-admin/ +/Server.%EXT% +/Server/ +/wp-admin/ +/administr8.%EXT% +/administr8/ +/webadmin/ +/webadmin.%EXT% +/administratie/ +/admins/ +/admins.%EXT% +/administrivia/ +/Database_Administration/ +/useradmin/ +/sysadmins/ +/sysadmins/ +/admin1/ +/system-administration/ +/administrators/ +/pgadmin/ +/directadmin/ +/staradmin/ +/ServerAdministrator/ +/SysAdmin/ +/administer/ +/LiveUser_Admin/ +/sys-admin/ +/typo3/ +/panel/ +/cpanel/ +/cpanel_file/ +/platz_login/ +/rcLogin/ +/blogindex/ +/formslogin/ +/autologin/ +/manuallogin/ +/simpleLogin/ +/loginflat/ +/utility_login/ +/showlogin/ +/memlogin/ +/login-redirect/ +/sub-login/ +/wp-login/ +/login1/ +/dir-login/ +/login_db/ +/xlogin/ +/smblogin/ +/customer_login/ +/UserLogin/ +/login-us/ +/acct_login/ +/bigadmin/ +/project-admins/ +/phppgadmin/ +/pureadmin/ +/sql-admin/ +/radmind/ +/openvpnadmin/ +/wizmysqladmin/ +/vadmind/ +/ezsqliteadmin/ +/hpwebjetadmin/ +/newsadmin/ +/adminpro/ +/Lotus_Domino_Admin/ +/bbadmin/ +/vmailadmin/ +/Indy_admin/ +/ccp14admin/ +/irc-macadmin/ +/banneradmin/ +/sshadmin/ +/phpldapadmin/ +/macadmin/ +/administratoraccounts/ +/admin4_account/ +/admin4_colon/ +/radmind-1/ +/Super-Admin/ +/AdminTools/ +/cmsadmin/ +/SysAdmin2/ +/globes_admin/ +/cadmins/ +/phpSQLiteAdmin/ +/navSiteAdmin/ +/server_admin_small/ +/logo_sysadmin/ +/power_user/ +/system_administration/ +/ss_vms_admin_sm/ +/bb-admin/ +/panel-administracion/ +/instadmin/ +/memberadmin/ +/administratorlogin/ +/adm.%EXT% +/admin_login.%EXT% +/panel-administracion/login.%EXT% +/pages/admin/admin-login.%EXT% +/pages/admin/ +/acceso.%EXT% +/admincp/login.%EXT% +/admincp/ +/adminarea/ +/admincontrol/ +/affiliate.%EXT% +/adm_auth.%EXT% +/memberadmin.%EXT% +/administratorlogin.%EXT% +/modules/admin/ +/administrators.%EXT% +/siteadmin/ +/siteadmin.%EXT% +/adminsite/ +/kpanel/ +/vorod/ +/vorod.%EXT% +/vorud/ +/vorud.%EXT% +/adminpanel/ +/PSUser/ +/secure/ +/webmaster/ +/webmaster.%EXT% +/autologin.%EXT% +/userlogin.%EXT% +/admin_area.%EXT% +/cmsadmin.%EXT% +/security/ +/usr/ +/root/ +/secret/ +/admin/login.%EXT% +/admin/adminLogin.%EXT% +/moderator.php +/moderator.html +/moderator/login.%EXT% +/moderator/admin.%EXT% +/yonetici.%EXT% +/0admin/ +/0manager/ +/aadmin/ +/cgi-bin/login%EXT% +/login1%EXT% +/login_admin/ +/login_admin%EXT% +/login_out/ +/login_out%EXT% +/login_user%EXT% +/loginerror/ +/loginok/ +/loginsave/ +/loginsuper/ +/loginsuper%EXT% +/login%EXT% +/logout/ +/logout%EXT% +/secrets/ +/super1/ +/super1%EXT% +/super_index%EXT% +/super_login%EXT% +/supermanager%EXT% +/superman%EXT% +/superuser%EXT% +/supervise/ +/supervise/Login%EXT% +/super%EXT% \ No newline at end of file diff --git a/lib/attacks/admin_panel_finder/__init__.py b/lib/attacks/admin_panel_finder/__init__.py new file mode 100644 index 0000000..50978ae --- /dev/null +++ b/lib/attacks/admin_panel_finder/__init__.py @@ -0,0 +1,105 @@ +import os +import urllib2 + +from lib.settings import ( + logger, + replace_http, + set_color, + create_tree +) + + +def check_for_admin_page(url, exts, protocol="http://", show_possibles=False, verbose=False): + possible_connections, connections = set(), set() + stripped_url = replace_http(url.strip()) + for ext in exts: + ext = ext.strip() + true_url = "{}{}{}".format(protocol, stripped_url, ext) + if verbose: + logger.debug(set_color( + "trying '{}'...".format(true_url), level=10 + )) + try: + urllib2.urlopen(true_url, timeout=5) + logger.info(set_color( + "connected successfully to '{}'...".format(true_url) + )) + connections.add(true_url) + except urllib2.HTTPError as e: + data = str(e).split(" ") + if verbose: + if "Access Denied" in str(e): + logger.warning(set_color( + "got access denied, possible control panel found without external access on '{}'...".format( + true_url + ), + level=30 + )) + possible_connections.add(true_url) + else: + logger.error(set_color( + "failed to connect got error code {}...".format( + data[2] + ), level=40 + )) + else: + pass + except Exception as e: + if verbose: + if "" or "timeout: timed out" in str(e): + logger.warning(set_color( + "connection timed out after five seconds " + "assuming won't connect and skipping...", level=30 + )) + else: + logger.exception(set_color( + "failed to connect with unexpected error '{}'...".format(str(e)), level=50 + )) + else: + pass + possible_connections, connections = list(possible_connections), list(connections) + data_msg = "found {} possible connections(s) and {} successful connection(s)..." + logger.info(set_color( + data_msg.format(len(possible_connections), len(connections)) + )) + if len(connections) != 0: + logger.info(set_color( + "creating connection tree..." + )) + create_tree(url, connections) + else: + logger.fatal(set_color( + "did not find any successful connections to {}'s " + "admin page", level=50 + )) + if show_possibles: + if len(possible_connections) != 0: + logger.info(set_color( + "creating possible connection tree..." + )) + create_tree(url, possible_connections) + else: + logger.fatal(set_color( + "did not find any possible connections to {}'s " + "admin page", level=50 + )) + + +def __load_extensions(filename="{}/etc/link_ext.txt"): + with open(filename.format(os.getcwd())) as ext: + return ext.readlines() + + +def main(url, show=False, verbose=False): + logger.info(set_color( + "loading extensions..." + )) + extensions = __load_extensions() + if verbose: + logger.debug(set_color( + "loaded a total of {} extensions...".format(len(extensions)), level=10 + )) + logger.info(set_color( + "attempting to bruteforce admin panel..." + )) + check_for_admin_page(url, extensions, show_possibles=show, verbose=verbose) diff --git a/lib/settings.py b/lib/settings.py index 8f4c864..3ccd96b 100644 --- a/lib/settings.py +++ b/lib/settings.py @@ -17,7 +17,7 @@ import bin.unzip_gecko # clone link CLONE = "https://github.com/ekultek/zeus-scanner.git" # current version -VERSION = "1.0.12" +VERSION = "1.0.13" # colors to output depending on the version VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30} # version string formatting @@ -241,10 +241,12 @@ def replace_http(url): delete the queries from the URL """ return data.split("/")[0] - - url_list = url.split("//") - new_url = url_list[1] - return __remove_queries(new_url) + try: + url_list = url.split("//") + new_url = url_list[1] + return __remove_queries(new_url) + except IndexError: + return url def grab_random_agent(agent_path="{}/etc/agents.txt", verbose=False): @@ -340,4 +342,15 @@ def update_zeus(): else: logger.fatal(set_color( "no git repository found in directory, unable to update automatically..." - )) \ No newline at end of file + )) + + +def create_tree(start, conns, down="|", over="-", sep="-" * 40): + print("{}\nStarting URL: {}\n\nConnections:".format(sep, start)) + for con in conns: + print( + "{}{}{}".format( + down, over, con + ) + ) + print(sep) diff --git a/zeus.py b/zeus.py index 576a626..0df9bcf 100644 --- a/zeus.py +++ b/zeus.py @@ -10,6 +10,7 @@ import httplib as http_client from var import blackwidow from var.google_search import search from lib.errors import InvalidInputProvided +from lib.attacks.admin_panel_finder import main from lib.attacks.nmap_scan.nmap_opts import NMAP_API_OPTS from lib.attacks.sqlmap_scan.sqlmap_opts import SQLMAP_API_OPTIONS @@ -67,6 +68,8 @@ if __name__ == "__main__": help="Run a Nmap port scan on the discovered URL's") attacks.add_option("-i", "--intel-check", dest="intelCheck", action="store_true", help="Check if a URL's host is exploitable via Intel ME AMT (CVE-2017-5689)") + attacks.add_option("-a", "--admin-panel", dest="adminPanelFinder", action="store_true", + help="Search for the websites admin panel") attacks.add_option("--sqlmap-args", dest="sqlmapArguments", metavar="SQLMAP-ARGS", help="Pass the arguments to send to the sqlmap API within quotes & " "separated by a comma. IE 'dbms mysql, verbose 3, level 5'") @@ -77,8 +80,12 @@ if __name__ == "__main__": help="Attempt to automatically find sqlmap on your system") attacks.add_option("--search-here", dest="givenSearchPath", metavar="PATH-TO-START", help="Start searching for sqlmap in this given path") - attacks.add_option("--show", dest="showSqlmapArguments", action="store_true", + attacks.add_option("--show-sqlmap", dest="showSqlmapArguments", action="store_true", help="Show the arguments that the sqlmap API understands") + attacks.add_option("--show-nmap", dest="showNmapArgs", action="store_true", + help="Show the arguments that nmap understands") + attacks.add_option("-P", "--show-possibles", dest="showAllConnections", action="store_true", + help="Show all connections made during the admin panel search") # search engine options engines = optparse.OptionGroup(parser, "Search engine arguments", @@ -297,7 +304,7 @@ if __name__ == "__main__": def __run_attacks( url, sqlmap=False, verbose=False, nmap=False, - intel=False, given_path=None, auto=False, batch=False + intel=False, admin=False, given_path=None, auto=False, batch=False ): """ run the attacks if any are requested @@ -319,6 +326,8 @@ if __name__ == "__main__": elif intel: url_ip_address = replace_http(url.strip()) return intel_me.intel_amt_main(url_ip_address, proxy=proxy_to_use, verbose=verbose) + elif admin: + main(url, show=opt.showAllConnections, verbose=verbose) else: pass else: @@ -348,12 +357,12 @@ if __name__ == "__main__": pass urls_to_use = get_latest_log_file(URL_LOG_PATH) - if opt.runSqliScan or opt.runPortScan or opt.intelCheck: + if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder: with open(urls_to_use) as urls: for url in urls.readlines(): __run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck, - given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, - batch=opt.runInBatch) + admin=opt.adminPanelFinder, given_path=opt.givenSearchPath, + auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch) # use a file full of dorks as the queries elif opt.dorkFileToUse is not None: @@ -375,12 +384,12 @@ if __name__ == "__main__": pass urls_to_use = get_latest_log_file(URL_LOG_PATH) - if opt.runSqliScan or opt.runPortScan or opt.intelCheck: + if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder: with open(urls_to_use) as urls: for url in urls.readlines(): __run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck, - given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, - batch=opt.runInBatch) + admin=opt.adminPanelFinder, given_path=opt.givenSearchPath, + auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch) # use a random dork as the query elif opt.useRandomDork: @@ -398,12 +407,14 @@ if __name__ == "__main__": proxy=proxy_to_use, agent=agent_to_use ) urls_to_use = get_latest_log_file(URL_LOG_PATH) - if opt.runSqliScan or opt.runPortScan or opt.intelCheck: + if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder: with open(urls_to_use) as urls: for url in urls.readlines(): - __run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck, - given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, - batch=opt.runInBatch) + __run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, + intel=opt.intelCheck, + admin=opt.adminPanelFinder, given_path=opt.givenSearchPath, + auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch) + except Exception as e: logger.exception(set_color( "ran into exception '{}' and cannot continue, saved to current log file...".format(e), @@ -429,12 +440,12 @@ if __name__ == "__main__": blackwidow.blackwidow_main(opt.spiderWebSite, agent=agent_to_use, proxy=proxy_to_use, verbose=opt.runInVerbose) urls_to_use = get_latest_log_file(SPIDER_LOG_PATH) - if opt.runSqliScan or opt.runPortScan or opt.intelCheck: + if opt.runSqliScan or opt.runPortScan or opt.intelCheck or opt.adminPanelFinder: with open(urls_to_use) as urls: for url in urls.readlines(): __run_attacks(url.strip(), sqlmap=opt.runSqliScan, nmap=opt.runPortScan, intel=opt.intelCheck, - given_path=opt.givenSearchPath, auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, - batch=opt.runInBatch) + admin=opt.adminPanelFinder, given_path=opt.givenSearchPath, + auto=opt.autoStartSqlmap, verbose=opt.runInVerbose, batch=opt.runInBatch) else: logger.critical(set_color(