WebXmlExploiter

WebXmlExploiter
https://github.com/crashbrz/WebXmlExploiter

The WebXmlExploiter is a tool to exploit exposed by misconfiguration or path traversal web.xml files.
It will try to download all .class and XML files based on the information extracted from the web.xml file.

Notes
WebXmlExploiter is an exploitation tool only, not a vulnerability scanner.
I will not add a brute-forcing feature since tools like wfuzz,ffuzz, and burp suite can do it better.
I recommend running the jadx to decompile the .class files.

Installation
Download the latest release and unpack it in the desired location.
Remember to install GoLang in case you want to run from the source.
WebXmlExploiter uses the github.com/antchfx/xmlquery libraries.

Check the following link for more information: https://github.com/antchfx/xmlquery/

Run: go get github.com/antchfx/xmlquery before running the WebXmlExploiter.

License
WebXmlExploiter is licensed under the SushiWare license. Check docs/license.txt for more information.
Usage/Help

Please refer to the output of -h for usage information and general help. Also, you can contact me on ##spoonfed@freenode.org (two #)


Example: go run webxmlexploiter.go -u https://vulnapp/somedir/anotherdir/../../../WEB-INF/

Go Version

Tested on:
go version go1.14.4 windows/amd64
go version go1.15.2 linux/amd64

To Do
Parsing enhancements Add cookies support.