websploit

Phase(s):

Primary: Exploitation.
Secondary: N/A.

Description:

Tool that helps exploit the vulnerabilities detected in a web application, offering several predefined attack scenarios.

Objective:

  • Compromise the users' systems from the web application.
  • Gain access to directories from the web application.

Features:

Supported technologies: Web applications (HTTP/HTTPS).

Operative mode: Active.

Compromise the users' systems from the web application.

  • Performs attacks using modules of the Metasploit tool in order to compromise the users' systems, for example by loading a malicious Java applet or URL.

Gain access to directories on the web application.

  • Performs brute-force attacks on the web application's directories in order to gain unauthorized access.

Reports:
Output reports:

  • Merged report of the exploitation and data mining in TXT and XML format.

Basic usage:

Perform a brute-force attack on the web application directories. Start the tool with the following command:

    ./websploit


The tool will remain on stand-by waiting for instructions; enter the following command to select the required module.

    wsf > use web/dir_scanner
    wsf:Dir_Scanner >


Enter “show options” to display the options that must be configured before executing the attack.

    wsf:Dir_Scanner > show options
    Options Value
    --------- --------------
    TARGET http://google.com


Replace the default “TARGET” value with the URL of the web application to be tested.

    wsf:Dir_Scanner > set TARGET URL_A_ATACAR
    TARGET => URL_A_ATACAR



    Begin the attack by entering the following.

    wsf:Dir_Scanner > run
    [*] Your Target : http://google.com
    [*]Loading Path List ... Please Wait ...
    ....


The tool will display the attack progress for each of the directories tested.

    [index] ... [400 Bad Request]
    [images] ... [400 Bad Request]
    [download] ... [400 Bad Request]
    [2006] ... [400 Bad Request]
    [news] ... [400 Bad Request]
    [crack] ... [400 Bad Request]
    [serial] ... [200 OK]
    [warez] ... [400 Bad Request]
    [full] ... [400 Bad Request]
    [12] ... [400 Bad Request]


The tool does not save any execution information, so the console output must be monitored continuously to identify the directories that exist in the application.
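The directory brute-force run above leaves a recognisable footprint on the server side: one client requesting many distinct paths in quick succession, most of them answered with 4xx codes. As an added example that is not part of the websploit project, the following Python script parses web server access logs in combined log format and flags clients matching that pattern; the log lines are constructed samples modelled on the output shown above, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index HTTP/1.1" 400 226 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images HTTP/1.1" 400 226 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /download HTTP/1.1" 404 226 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /2006 HTTP/1.1" 404 226 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /news HTTP/1.1" 404 226 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /serial HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /warez HTTP/1.1" 404 226 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /contact HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Client IP, request line (method + path) and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, path, status) or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def find_dir_bruteforce(log_text, min_paths=5, min_error_ratio=0.6):
    """Map each suspicious client IP to (distinct paths, 4xx ratio, paths answered 200).

    Thresholds are assumptions: a client is flagged when it requested at least
    min_paths distinct paths and at least min_error_ratio of its requests got a 4xx.
    The 200 hits are reported because those are the directories the scan confirmed.
    """
    paths, errors, total, hits = defaultdict(set), defaultdict(int), defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or non-request lines
        ip, path, status = parsed
        total[ip] += 1
        paths[ip].add(path)
        if 400 <= status < 500:
            errors[ip] += 1
        elif status == 200:
            hits[ip].append(path)
    suspects = {}
    for ip, count in total.items():
        ratio = errors[ip] / count
        if len(paths[ip]) >= min_paths and ratio >= min_error_ratio:
            suspects[ip] = (len(paths[ip]), round(ratio, 2), sorted(hits[ip]))
    return suspects
```

Running `find_dir_bruteforce(SAMPLE_LOG)` on the constructed sample flags only 203.0.113.5, reporting `/serial` as the path that answered 200.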

Resources:

Link: http://sourceforge.net/projects/Websploit.
Author(s): Fardin Allahverdinazhand.
Contact: 0x0ptim0us [at] gail.com.
License: GNU GENERAL PUBLIC LICENSE Version 3.