Today we will learn how we can find admin panel of a website.
What is an admin panel?
An admin panel of website is like a management system used by its admins or editors to manage the website like adding pages, images, changing website layout etc.
To access the admin panel you need these two things:
1. Credentials (username and password)
2. URL of the login page, for example www.example.com/admin.php
Now the most important question
How to find admin panel of a website?
Well there is no 100% working method for finding admin panels but all we can do is to try.
Lets start with exploiting human stupidity, I mean some stupid admins use URLs that are too common to guess like example.com/login, example.com/user_login, example.com/admin etc.
Checking these links manually is too time consuming so you can use this online admin finder which checks for 2500+ possible URLs.
But personally I prefer to use my python script written in python named Breacher. Here is a glimpse of Breacher:
If you want to try Breacher, you can download it from here. It works like the online panel finder I mentioned above but its feels good to use Breacher. *LOL*
Well what if the admin is not stupid and using a custom URL for the admin panel like www.example.com/mac_124. In such cases, checking for common URLs will not work.
Lets try something else now.
Crawling/Spidering is the process of fetching all* the URLs present in the website. For example if you enter the url example.com in a crawler, the program will find all the links in that page. Then it will visit all the linked pages and will search for further links. This process will go on until it meets an dead end.
Well there are a lot of online crawlers and other programs but I recommend to use OWASP ZAProxy.
Install and open inst
And you will have every link the crawler have found really soon:
Then look at the URLs one by one and open the URL which seems to be a possible admin panel.
If you find a admin panel then its great otherwise there are two possible reasons of the failure:
1. The admin panel is isolated from the website i.e. no webpage links to the admin panel.
2. The stupid has included the admin panel URL in robots.txt file. Well every website has a robots.txt file which contains those URLs which should not be crawled (even by google). You can view this (not always) by going to example.com/robots.txt. If contains a suspicious URL, visit it and check what is it.
If that doesn’t work as well then move on to the next trick.
We will use google to find all the page within the website which have the word “admin” in them.
Damn! We got nothing but you might be lucky. 🙂
Apart from intext:admin you can try
Well these were the methods I know and use if you know about some other way to find admin panels then please comment after all we all are here to learn. Aren’t we?
That’s all for now. I hope you enjoyed this article and learned something new.