Awesome
WebXmlExploiter
The WebXmlExploiter is a tool to exploit exposed by misconfiguration or path traversal web.xml files.<br> It will try to download all .class and xml files based on the information extracted from the web.xml file.
Notes
- WebXmlExploiter is an exploitation tool only, not a vulnerability scanner.
- I will not add a brute-forcing feature since tools like wfuzz,ffuzz, and burp suite can do it better.
- I recommend running the jadx to decompile the .class files
Installation
Download the latest release and unpack it in the desired location.<br> Remember to install GoLang in case you want to run from the source.<br> WebXmlExploiter uses the github.com/antchfx/xmlquery libraries.
Check the following link for more information: https://github.com/antchfx/xmlquery/
- Run: go get github.com/antchfx/xmlquery before running the WebXmlExploiter
License
WebXmlExploiter is licensed under the SushiWare license. Check docs/license.txt for more information.
Usage/Help
Please refer to the output of -h for usage information and general help. Also, you can contact me on ##spoonfed@freenode.org
(two #)<br>
Example: go run webxmlexploiter.go -u https://vulnapp/somedir/anotherdir/../../../WEB-INF/
Usage of webxmlexploiter:
-u string
Vulnerable URL without the web.xml at end. Ex:https://vulnapp/somedir/anotherdir/../../../WEB-INF/
-v Prints the current version and exit.
Go Version
Tested on:<br> go version go1.14.4 windows/amd64<br> go version go1.15.2 linux/amd64
To Do
Parsing enhancements Add cookies support