Awesome

WebXmlExploiter

The WebXmlExploiter is a tool to exploit exposed by misconfiguration or path traversal web.xml files.<br> It will try to download all .class and xml files based on the information extracted from the web.xml file.

Notes

• WebXmlExploiter is an exploitation tool only, not a vulnerability scanner.
• I will not add a brute-forcing feature since tools like wfuzz,ffuzz, and burp suite can do it better.
• I recommend running the jadx to decompile the .class files

Installation

Download the latest release and unpack it in the desired location.<br> Remember to install GoLang in case you want to run from the source.<br> WebXmlExploiter uses the github.com/antchfx/xmlquery libraries.

Check the following link for more information: https://github.com/antchfx/xmlquery/

• Run: go get github.com/antchfx/xmlquery before running the WebXmlExploiter

License

WebXmlExploiter is licensed under the SushiWare license. Check docs/license.txt for more information.

Usage/Help

Please refer to the output of -h for usage information and general help. Also, you can contact me on ##spoonfed@freenode.org (two #)<br> Example: go run webxmlexploiter.go -u https://vulnapp/somedir/anotherdir/../../../WEB-INF/

Usage of webxmlexploiter:
  -u string
        Vulnerable URL without the web.xml at end. Ex:https://vulnapp/somedir/anotherdir/../../../WEB-INF/
  -v    Prints the current version and exit.

Go Version

Tested on:<br> go version go1.14.4 windows/amd64<br> go version go1.15.2 linux/amd64

To Do

Parsing enhancements Add cookies support