The WebXmlExploiter is a tool to exploit exposed by misconfiguration or path traversal web.xml files.
It will try to download all .class and xml files based on the information extracted from the web.xml file.
- WebXmlExploiter is an exploitation tool only, not a vulnerability scanner.
- I will not add a brute-forcing feature since tools like wfuzz,ffuzz, and burp suite can do it better.
- I recommend running the jadx to decompile the .class files
Download the latest release and unpack it in the desired location.
Remember to install GoLang in case you want to run from the source.
WebXmlExploiter uses the github.com/antchfx/xmlquery libraries.
Check the following link for more information: https://github.com/antchfx/xmlquery/
- Run: go get github.com/antchfx/xmlquery before running the WebXmlExploiter
WebXmlExploiter is licensed under the SushiWare license. Check docs/license.txt for more information.
Please refer to the output of -h for usage information and general help. Also, you can contact me on ##[email protected] (two #)
Example: go run webxmlexploiter.go -u https://vulnapp/somedir/anotherdir/../../../WEB-INF/
Usage of webxmlexploiter:
-u string
Vulnerable URL without the web.xml at end. Ex:https://vulnapp/somedir/anotherdir/../../../WEB-INF/
-v Prints the current version and exit.
Tested on:
go version go1.14.4 windows/amd64
go version go1.15.2 linux/amd64
Parsing enhancements Add cookies support