ditatompel

PHP Admin Scanner

Feb 4th, 2012
<?php
// Switch off all PHP notices, warnings and errors for the whole run.
// Failures such as an unanswered request or a missing optional argument
// therefore produce no diagnostics at all.
error_reporting(0);
/**
 * PHP Admin Location Lookup
 *
 * @version 1.00
 * @author Christian Ditaputratama <ditatompel@gmail.com>
 *
 * Admin location finder for single site.
 * optionally dump scan result to text file.
 *
 * still very early release, just for testing and coding purpose :)
 *
 *------------------------------------------------------------------------+
 * This program is free software; you can redistribute it and/or modify   |
 * it under the terms of the GNU General Public License version 2 as      |
 * published by the Free Software Foundation.                             |
 *                                                                        |
 * This program is distributed in the hope that it will be useful,        |
 * but WITHOUT ANY WARRANTY; without even the implied warranty of         |
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          |
 * GNU General Public License for more details.                           |
 *                                                                        |
 * This script are often used solely for informative, educational         |
 * purposes only. Author cannot be held responsible for any               |
 * damage and (or) (ab)use of this script.                                |
 * Please submit changes of the script so other people can use            |
 * them as well. This script is free to use, don't abuse.                 |
 *------------------------------------------------------------------------+
 */
// Remove PHP's execution time limit; the scan further down makes one HTTP
// request per wordlist entry.
set_time_limit(0);
// Banner: printed at start-up and, when a report file is opened, written to
// the top of that file as well.
$greetz = '
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PHP Admin Location Lookup by ditatompel < ditatompel [at] gmail [dot] com >
Please send bug report to help improving this script.
 
Greetings for all members of devilzc0de.org, all Indonesian c0ders,
and all GNU Generation ;-)
Thanks to : 5ynL0rd who always inspire me, I glue you all my regards.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';
print $greetz;
// $argc includes the script name, so "< 2" means no target was given:
// show the usage text and stop before any request is made.
if ( $argc < 2) {
    print_r('
-----------------------------------------------------------------------------
   Usage     : php '.$argv[0].' [target] [output]
   target    : domain / url
   output    : file name for Every [+] Wo0t! output will be saved to (optional)
   Example 1 : php '.$argv[0].' myhost.com
   Example 2 : php '.$argv[0].' myhost.com scan_result.txt
-----------------------------------------------------------------------------
');
exit;
}
  55.  
  56. function doValidLink($link) {
  57.     $validLink = preg_match("|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i", $link) ? $link : "http://" . $link;
  58.     return $validLink . '/';
  59. }
  60. function write($text) {
  61.     global $fh;
  62.     fwrite($fh, $text);
  63. }
  64.  
  65. $url = doValidLink($argv[1]);
  66. $output = $argv[2];
  67.  
// usual admin login place. Add yours if you want ;p
//
// Each entry is a path relative to $url; the scan loop appends it to the base
// URL and requests it once. The list mixes generic names (admin/, login.php)
// in PHP/ASP/HTML variants with the default locations of well-known panels
// (phpmyadmin/, pgadmin/, directadmin/, cpanel/, typo3/, wp-admin/ ...).
//
// Defender's view: a run of this list appears in the target's access log as a
// burst of sequential requests for these names from one client, most of them
// answered with 404. That pattern is easy to alert on or rate-limit. A panel
// that is merely absent from lists like this one is not protected by that;
// authentication and network-level access restrictions are what protect it.
$adminLookup = array(
    "admin1.php",
    "admin1.html",
    "admin2.php",
    "admin2.html",
    "administrator/",
    "administrator/index.html",
    "administrator/index.php",
    "administrator/login.html",
    "administrator/login.php",
    "administrator/account.html",
    "administrator/account.php",
    "administrator.php",
    "administrator.html",
    "admin/",
    "admin/account.php",
    "admin/account.html",
    "admin/index.php",
    "admin/index.html",
    "admin/login.php",
    "admin/login.html",
    "admin/home.php",
    "admin/controlpanel.html",
    "admin/controlpanel.php",
    "admin.php",
    "admin.html",
    "admin/cp.php",
    "admin/cp.html",
    "adm/",
    "account.php",
    "account.html",
    "admincontrol.php",
    "admincontrol.html",
    "adminpanel.php",
    "adminpanel.html",
    "admin1.asp",
    "admin2.asp",
    "admin/account.asp",
    "admin/index.asp",
    "admin/login.asp",
    "admin/home.asp",
    "admin/controlpanel.asp",
    "admin.asp",
    "admin/cp.asp",
    "administr8.php",
    "administr8.html",
    "administr8/",
    "administr8.asp",
    "yonetim.php",
    "yonetim.html",
    "yonetici.php",
    "yonetici.html",
    "maintenance/",
    "webmaster/",
    "configuration/",
    "configure/",
    "cp.php",
    "cp.html",
    "controlpanel/",
    "controlpanel.php",
    "controlpanel.html",
    "ccms/",
    "ccms/login.php",
    "ccms/index.php",
    "login.php",
    "login.html",
    "modelsearch/login.php",
    "moderator.php",
    "moderator.html",
    "moderator/login.php",
    "moderator/login.html",
    "moderator/admin.php",
    "moderator/admin.html",
    "moderator/",
    "yonetim.asp",
    "yonetici.asp",
    "cp.asp",
    "administrator/index.asp",
    "administrator/login.asp",
    "administrator/account.asp",
    "administrator.asp",
    "login.asp",
    "modelsearch/login.asp",
    "moderator.asp",
    "moderator/login.asp",
    "moderator/admin.asp",
    "account.asp",
    "controlpanel.asp",
    "admincontrol.asp",
    "adminpanel.asp",
    "fileadmin/",
    "fileadmin.php",
    "fileadmin.asp",
    "fileadmin.html",
    "administration/",
    "administration.php",
    "administration.html",
    "sysadmin.php",
    "sysadmin.html",
    "phpmyadmin/",
    "myadmin/",
    "sysadmin.asp",
    "sysadmin/",
    "ur-admin.asp",
    "ur-admin.php",
    "ur-admin.html",
    "ur-admin/",
    "Server.php",
    "Server.html",
    "Server.asp",
    "Server/",
    "webadmin/",
    "webadmin.php",
    "webadmin.asp",
    "webadmin.html",
    "administratie/",
    "admins/",
    "admins.php",
    "admins.asp",
    "admins.html",
    "administrivia/",
    "Database_Administration/",
    "WebAdmin/",
    "useradmin/",
    "sysadmins/",
    "admin1/",
    "system-administration/",
    "administrators/",
    "pgadmin/",
    "directadmin/",
    "staradmin/",
    "ServerAdministrator/",
    "SysAdmin/",
    "administer/",
    "LiveUser_Admin/",
    "sys-admin/",
    "typo3/",
    "panel/",
    "cpanel/",
    "cPanel/",
    "cpanel_file/",
    "platz_login/",
    "rcLogin/",
    "blogindex/",
    "formslogin/",
    "autologin/",
    "support_login/",
    "meta_login/",
    "manuallogin/",
    "simpleLogin/",
    "loginflat/",
    "utility_login/",
    "showlogin/",
    "memlogin/",
    "members/",
    "login-redirect/",
    "sub-login/",
    "wp-login/",
    "wp-admin/",
    "blog/wp-admin/",
    "blog/wp-login/",
    "forum/admin/",
    "login1/",
    "dir-login/",
    "login_db/",
    "xlogin/",
    "smblogin/",
    "customer_login/",
    "UserLogin/",
    "login-us/",
    "acct_login/",
    "admin_area/",
    "bigadmin/",
    "project-admins/",
    "phppgadmin/",
    "pureadmin/",
    "sql-admin/",
    "radmind/",
    "openvpnadmin/",
    "wizmysqladmin/",
    "vadmind/",
    "ezsqliteadmin/",
    "hpwebjetadmin/",
    "newsadmin/",
    "adminpro/",
    "Lotus_Domino_Admin/",
    "bbadmin/",
    "vmailadmin/",
    "Indy_admin/",
    "ccp14admin/",
    "irc-macadmin/",
    "banneradmin/",
    "sshadmin/",
    "phpldapadmin/",
    "macadmin/",
    "administratoraccounts/",
    "admin4_account/",
    "admin4_colon/",
    "radmind-1/",
    "Super-Admin/",
    "AdminTools/",
    "cmsadmin/",
    "SysAdmin2/",
    "globes_admin/",
    "cadmins/",
    "phpSQLiteAdmin/",
    "navSiteAdmin/",
    "server_admin_small/",
    "logo_sysadmin/",
    "server/",
    "database_administration/",
    "power_user/",
    "system_administration/",
    "ss_vms_admin_sm/",
    "websvn/"
);
  285. echo "\r\nChecking " . $url . "\r\n";
  286.  
  287. // get server headers
  288. $check = get_headers($url, 1);
  289. if ( empty($check)) {
  290.     print_r('
  291.    No repsond from server.
  292.    make sure your target url are correct!
  293.    Exiting...
  294. -----------------------------------------------------------------------------
  295. '); exit;
  296. }
  297. $serverInfo = $check['Server'];
  298. // handle for redirect status.
  299. // replace target path with server redirect location.
  300. if (preg_match('/301/', $check[0]) || preg_match('/302/', $check[0]) ) {
  301.     $url = $check['Location'];
  302.     $serverInfo = $check['Server'][0];
  303. }
  304.  
  305. $additionalInfo = NULL;
  306. if ( !empty($output) ) {
  307.     $fh = fopen($output, 'w');
  308.     $additionalInfo = $fh ? 'Every [+] Wo0t! output will be saved on ' . $output : '[!] Cannot write scan result to ' . $output;
  309. }
  310.  
  311. $info = '
  312. -----------------------------------------------------------------------------
  313.    Target : ' . $url . '
  314.    Status : ' . $check[0] . '
  315.    Server : ' . $serverInfo . '
  316.    Start Scan : ' . date("Y-m-d H:i:s") . '
  317.    ' . $additionalInfo . '
  318. -----------------------------------------------------------------------------
  319. ';
  320. print_r($info);
  321.  
  322. if ( $fh ) {
  323.     write($greetz);
  324.     write($info);
  325. }
  326.  
  327. foreach ($adminLookup as $admin){
  328.     $headers = get_headers($url . $admin, 1);
  329.     if ( preg_match('/200/', $headers[0]) ) {
  330.         $result = "[+] Wo0t! " . $url . $admin . " Found!\r\n";
  331.         echo $result;
  332.         if ( $fh ) { write($result); }
  333.     }
  334.     elseif (preg_match('/301/', $headers[0]) || preg_match('/302/', $headers[0]) ) {
  335.         $result = "[+] Wo0t! " . $url . $admin . " Found! redirect to -> " . $headers['Location'] . "\r\n";
  336.         echo $result;
  337.         if ( $fh ) { write($result); }
  338.     }
  339.     else {
  340.         echo "[-] " . $url . $admin . " NOT Found!\r\n";
  341.     }
  342. }
  343. if ( !empty($output) ) {
  344.     write("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Finish -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n");
  345.     fclose($fh);
  346. }
  347. echo "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Finish -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n";
  348. ?>