روش های مختلف یافتن صفحه مدیر سایت یا پیدا کردن admin page در سایت
زبان مقاله لاتین هست اما بسیار روان گفته شده.
How to find the login admin page of a website
One of the most common vulnerabilities one has to deal when coming accross dynamic sites is the administrator login page. For over a long time now a lot of hacking tutorials have been presented and recorded on youtube that present backdoors through the admin login pages for a variety of content management systems and blog platforms like wordpress, joomla, drupal etc. Today I will show you how to discover these pages (if not hidden) and how you can prevent someone from discovering them.
Adding text to the end of the URL
Usually most common CMS and blogging programs use common words under which the admin page is located. For example, OpenCart e-shop application uses /admin at the end. Try, after the website URL to add /keyword like the following:
www.website.com/admin
www.website.com/administrator
www.website.com/login
www.website.com/wp-login.php
www.website.com/admin.php
Exploit the robots.txt
robots.txt is a small file that search engines use to crawl through your site. Specifically when search engines bots visit your site, robots.txt tell them which pages should be indexed. Usually admin pages are being left by default. Use the following link:
Google dorks searching
Google dorks is all about searching the right way on Google everything you want to find for a website. In one of my former posts “How to use Google more efficiently” one can find some useful tips on how to find exactly what you want on Google. For our situation that we are looking for the admin login page the following search examples would fit:
site:website.com “login” (you can change the keyword to admin, administrator or something similar)
site:website.com inurl:login (same implies here)
site:website.com intitle:”admin login” (same implies here with the keywords)
Using the Yashar shahinzadeh admin page finder
If you are extremely bored to use the above, the following tool will check online and quickly most of the common login pages. This is a low level tool but for websites with the respective absent security countermeasures it does the job.
Yashar shahinzadeh admin page finder
Using the Havij Tool
Apart from a powerfull SQL injection tool, Havij offers a variety of services security services including an admin page finder. Havij exploits well known admin addresses and determines which ones are active and could be a possible login page. Havij comes as Free and Commercial version, by choosing the Free one you can use it as an admin page finder.
Are you a page admin? You should read this!
As you can see from the aforementioned, there are a lot of ways to discover the login page of a website. The best way to avoid any unwanted tracking and crawling is to transfer your login page somewhere where only you will know this place. Additionally it is essential not to name it in common words like “login” or “login_page”, find a word or a combination of words that you can easily remember and use it. For example, website.com/myplace.php.
There are many security plugins that you can use in your common php installations that can do the job for you. For example you can use WP Security for WordPress which easily changes the login page into your own, specialized login URL.
(ارگ کلاه فرنگی - بیرجند )