Overblog
Editer l'article Suivre ce blog Administration + Créer mon blog
25 février 2011 5 25 /02 /février /2011 21:01

For those who feel concerned with website/webapp security, I'm gonna post here a few hints to :

- find the technology behind a website/portal (based on the fingerprinting idea, within the URL itself)

- check that the default admin URL is still accessible (leading to the questions: accessible for everyone? with default password?...)


This comes from my own experience, and also from the work of the guys owning the Nikto project (BTW: great job for the tool!).

 

Obviously, you may complete that with a real (HTTP?) headers check: very often the website will tell you its version and even what's running on it!

 

Here is the list, first version, and to my knowledge, there is not equivalent list on the web:


/backend_dev.php
/admin
/admin/login.php
/admin/phpinfo.php
/admin/system.php3
/administrator
/administration
/.admin
/stats
/server-status
/phpinfo
/phpinfo.php
/phpmyadmin/
/manager/list
/cfide/administrator
/wp-login.php
/?q=admin
/cgi-bin/printenv
/.htaccess
/bin/fpadmin.htm
/iisadmin
/_vti_bin/fpadmin.htm
/webadmin.nsf
/admin-serv/config/admpw
/servlet/AdminServlet
/lists/admin
/server
/siteminder/smadmin.html
/forum/admin/wwforum.mdb
/hostadmin/?page=
/sips/sipssys/users/a/admin/user
/simplebbs/users/users.php
/SiteServer/Admin/knowledge/persmbr/vs.asp
/IDSWebApp/IDSjsp/Login.jsp
/signon

/wp-admin
/login_form
/phpmyldap

/misc/drupal.js



And to finish with, I have been told that a well know french website hoster uses this port for the admin interface: 10000...
(so the URL to test could be something like subdomain.domain.tld:10000 ....)

 

I'll do my best to update that bill (update 1, done).

 

Please note that I can't be held responsible if you use that piece of information without having the right to assess security level (I mean auditing a system/app).

 

 

Partager cet article

Repost0

commentaires