What is an admin panel?
An admin panel of the website or web application is like a management system used by its admins or editors to manage the website like adding new pages, uploading images, changing the website layout, adding new posts, new notices, etc.
To access the admin panel you need these two things:
1. Credentials of the admin user (username and password)
2. URL of the login page, for example www.xyz.com/admin.php
Now the most important question, the path or URL for all websites is not always admin.php. Developers use different paths of filenames to hide admin panels so that hackers can’t find them easily.
How to find the admin panel of a website?
Well, there is no 100% working method for finding admin panels but all we can do is try multiple techniques to find the exact path. Let’s start finding a few methods for finding admin panels.
1. Guessing the path
One of the methods is guessing possible paths or filenames of mostly used admin panels. Developers may have used common names such as admin, admin-panel, administration, control-panel, administrator, etc. Now, we have to append the above guess at the end of our target website such as xyz.com/admin, xyz.com/admin-panel.
Most of the CMS/ Frameworks do have a predefined path for the admin panel. For example, the admin panel for WordPress is always at wp-admin. The admin panel of this blog is itself at https://hacknopedia.com/wp-admin/
Well, what if the developer or system admin is not stupid and not using a common URL for the admin panel? What if he/she is using a path like www.example.com/ram_124. In such cases, checking for common URLs will not work.
Let’s try something else now.
2. Crawling of Fuzzing
Crawling/Fuzzing is the process of fetching all the URLs present on the website. For example, if you enter the URL hacknopedia.com in a crawler, the program will find all the links on that page. Then it will visit all the linked pages and will search for further links. This process will go on until it meets a dead end.
There are many tools available for fuzzing endpoints. Some of the very popular tools are dirb, dirbuster, FFUF, etc. In the image below we have fuzzed the URL of hacknopedia and it found posts, directories, etc. To this, we have to give a list of possible files or paths which is called the dictionary.
Using Dirbuster
Using FFUF
ffuf is an acronym for “fuzz faster you fool!”, and it’s a cli-based web attack tool written in Go.
As shown above, FFUF successfully found the admin path in the targeted URL.
3. Using Google Dorks
As we all know google keeps crawling our websites regularly and stores the information on websites. By using google dorks we can find the admin panel of the website as shown below. In the image below we used google dorks such as site: com to give a target domain ending with .com and URL path admin to find the admin panel of all websites. We can also set our target website as site:
A few more google cheat sheet to find the admin panel is listed below. You can always try new things on your own by guessing possible paths and using them in google dorks.
inpage:admin site:example.com intitle:admin site:example.com inpage:login site:example.com intitle:login site:example.com intext:login site:example.com
4. Checking robots.txt file
Every website has a robots.txt file that contains URLs that should not be crawled or indexed by google. You can view this (not always) by going to example.com/robots.txt. Sometimes, the stupid developer may have included the admin panel URL in the robots.txt file to make it not visible to search engines. But, wait we are hackers, we look at robots.txt files at the very first stage of information gathering.
Well, these were a few of the methods posted here. If you know about some other way to find admin panels then please comment after all we all are here to learn. Aren’t we?
That’s all for now. I hope you enjoyed this article and learned something new.
[…] We can also find admin panels of a website using google dorks as described in this post. […]