WebXmlExploiter

November 11, 2020 ยท View on GitHub

License Issues open GitHub pull requests GitHub closed issues GitHub last commit

WebXmlExploiter

The WebXmlExploiter is a tool to exploit exposed by misconfiguration or path traversal web.xml files.
It will try to download all .class and xml files based on the information extracted from the web.xml file.

Notes

  • WebXmlExploiter is an exploitation tool only, not a vulnerability scanner.
  • I will not add a brute-forcing feature since tools like wfuzz,ffuzz, and burp suite can do it better.
  • I recommend running the jadx to decompile the .class files

Installation

Download the latest release and unpack it in the desired location.
Remember to install GoLang in case you want to run from the source.
WebXmlExploiter uses the github.com/antchfx/xmlquery libraries.

Check the following link for more information: https://github.com/antchfx/xmlquery/

  • Run: go get github.com/antchfx/xmlquery before running the WebXmlExploiter

License

WebXmlExploiter is licensed under the SushiWare license. Check docs/license.txt for more information.

Usage/Help

Please refer to the output of -h for usage information and general help. Also, you can contact me on ##spoonfed@freenode.org (two #)
Example: go run webxmlexploiter.go -u https://vulnapp/somedir/anotherdir/../../../WEB-INF/

Usage of webxmlexploiter:
  -u string
        Vulnerable URL without the web.xml at end. Ex:https://vulnapp/somedir/anotherdir/../../../WEB-INF/
  -v    Prints the current version and exit.

Go Version

Tested on:
go version go1.14.4 windows/amd64
go version go1.15.2 linux/amd64

To Do

Parsing enhancements Add cookies support