Web Application Exploiter (WAppEx) v2.0 :
is an integrated Web Application security assessment and exploitation platform designed with the whole spectrum of security professionals to web application hobbyists in mind. It suggests a security assessment model which revolves around an extensible exploit database. Further, it complements the power with various tools required to perform all stages of a web application attack.
WAppEx is also equipped with a penetration testing toolbox that makes an effective synergy with the Exploit Database and a crafty security expert. The provided tools include Manual Request, Exploit Editor, Dork Finder, Hidden File Checker… More tools, such as a crawler, a multi-purpose fuzzer… are to be added to the arsenal in the future releases of WAppEx.
Still, keep your eyes peeled as this is just the beginning of a new, powerful war machine in the pentest battleground.
The full list features is as below:
- An exploit database covering a wide range of vulnerabilities.
A set of tools useful for penetration testing:
- Manual Request
- Dork Finder
- Exploit Editor
- Hidden File Checker
- Neighbor Site Finder
- Find Login Page
- Online Hash Cracker
- Execute multiple instances of one or more exploits simultaneously.
- Execute multiple instances of one or more payloads (for every running exploit) simultaneously.
- Test a list of target URL’s against a number of selected exploits.
- Allows you to create your own exploits and payloads and share them online.
A number of featured exploits (6) and payloads (39) bundled within the software exploit database:
- Testing and exploiting of Local File Inclusion vulnerabilities
- Testing and exploiting of Local File Disclosure vulnerabilities
- Testing and exploiting of Remote File Inclusion vulnerabilities
- Testing and exploiting of SQL Injection vulnerabilities
- Testing and exploiting of Remote Command Execution Inclusion vulnerabilities
- Testing and exploiting of Server-side Code Injection vulnerabilities
W3AF ( Web Application Attack and Audit Framework) :
w3af core and it's plugins are fully written in python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much more.
The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. w3af to identify more than 200 vulnerabilities and reduce your site’s overall risk exposure. Identify vulnerabilities like SQL Injection, Cross-Site Scripting, Guessable credentials, Unhandled application errors and PHP misconfigurations.
Documentation : http://w3af.org/howtos/understanding-the-basics
Download Tool : http://w3af.org/download or http://sourceforge.net/projects/w3af/
is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation.
It currently contains a spectrum of efficient, fast and stable tools such as Web Crawler with the embedded File/ Dir Brute forcer, Fuzzer (for advanced exploitation of known and unusual vulnerabilities such as SQL Injections, Cross site scripting (XSS)), Brute force (for login forms and identification of firewall-filtered rules, DOS Attacks) and WEB Proxy (to analyze, intercept and manipulate the traffic between your browser and the target web application).
Download : http://sunrisetech.gr/?page=websurgery&tab=download
is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.
It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.
Download Link : http://www.arachni-scanner.com/download/
is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
YouTube Videos :
- Cross Site Scripting (XSS)
- SQL Injection
- Directory Traversal
- URL Injection
- Error Detection
- File Uploads
- Sensitive Data Discovery
Download Link : http://www.subgraph.com/vega_download.php
is an open source project which is used to scan and analysis remote system
in order to find various type of vulnerabilities. This tool is very powerful
and support multiple vulnerabilities.
[+]Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector - inject reverse & bind payload into file format
[+]phpmyadmin - Search Target phpmyadmin login page
[+]lfi - Scan,Bypass local file inclusion Vulnerability & can be bypass some WAF
[+]apache users - search server username directory (if use from apache webserver)
[+]Dir Bruter - brute target directory with wordlist
[+]admin finder - search admin & login page of target
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack - Java Signed Applet Attack
[+]MFOD Attack Vector - Middle Finger Of Doom Attack Vector
[+]USB Infection Attack - Create Executable Backdoor For Infect USB For Windows
[+]ARP DOS - ARP Cache Denial Of Service Attack With Random MAC
[+]Web Killer Attack - Down Your WebSite On Network(TCPKILL)
[+]Fake Update Attack - Create Fake Update Page For Target OS
[+]Fake Access point Attack - Create Fake AP & Sniff Victims Information