WAppEx : The Web Application Exploiter
WAppEx, which is an integrated, multi-platform framework for performing penetration testing and exploiting of web applications on Windows or Linux. It can automatically check for all type of security vulnerabilities in the given target and then let you to run various payloads to exploit and take advantages of the vulnerability.
WAppEx can exploit the following web application vulnerabilities:
1. SQL Injection: One of the most dangerous vulnerabilities in web applications. WAppEx uses the strong Havij engine to detect and exploit this vulnerability.
2. Remote File Inclusion: RFI’s allow an attacker to include a remote file and execute arbitrary code. WAppEx can check for this vulnerability and run various payloads to execute commands on web server.
3. Local File Inclusion: LFI’s allow an attacker to include a local file to execute arbitrary code. Just like RFI, WAppEx tests and exploits this vulnerability. OS Commands: This vulnerability allows an attacker to execute OS commands on the targeted server. WAppEx tests and exploits this vulnerability to execute custom commands to get a reverse shell.
4. Script injection: Script injections can be used by an attacker to introduce (or “inject”) script into a web application. WAppEx automatically tests and exploits this vulnerability to escalate access to web server and tries to get a reverse shell.
5. Local File Disclosure: Just as the name depicts, this vulnerability discloses the contents of local files on a targeted web server. WAppEx can exploit this vulnerability to read sensitive files on the server.
Additionally, WAppEx also contains the following tools to help you in penetration testing and exploiting web applications:
6. Online Hash Cracker: A tool for cracking hashes using the reverse lookup in online sites.
Encoder/Decoder: An encoder/decoder with a complete encryption algorithms.
Find Login Page: It looks for login pages on a target.
Browser: A small browser you can use to view source code and HTTP headers.