https://github.com/farinap5/webpwn

Web Vulnerability Detector (XSS,SQL,LFI,XST,WAF)
https://github.com/farinap5/webpwn

lfi lfi-exploitation pentesting python sqli-pentester sqli-vulnerability-scanner sqlinjection waf-detection webpwn xss-attacks xss-detection xss-exploitation xss-vulnerability xst

Last synced: 9 months ago
JSON representation

Web Vulnerability Detector (XSS,SQL,LFI,XST,WAF)

• Host: GitHub
• URL: https://github.com/farinap5/webpwn
• Owner: farinap5
• License: mit
• Created: 2020-12-07T18:27:23.000Z (over 5 years ago)
• Default Branch: main
• Last Pushed: 2020-12-08T15:14:09.000Z (over 5 years ago)
• Last Synced: 2025-05-16T12:40:06.594Z (about 1 year ago)
• Topics: lfi, lfi-exploitation, pentesting, python, sqli-pentester, sqli-vulnerability-scanner, sqlinjection, waf-detection, webpwn, xss-attacks, xss-detection, xss-exploitation, xss-vulnerability, xst
• Language: Python
• Homepage:
• Size: 19.5 KB
• Stars: 24
• Watchers: 1
• Forks: 9
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
WebPwn



Web Vulnerability Scanner

 

   



***

## Features

Web Application Firewall (WAF) detection.

Cross Site Scripting (XSS) tests.

SQL injection time based test.

SQL injection error based test.

Local File Inclusion (LFI) test.

Cross Site Tracing (XST) test.

***

### Download and Run

> git clone https://github.com/farinap5/webpwn.git

> cd webpwn

> python3 webpwn.py http://example.com/page.php?cat=1

***

### Example of Output

```

python3 webpwn.py http://example.com/page.php?cat=1

[*] No WAF Detected.

    WebPwn

    ------

Target: http://example.com/page.php?cat=1

Server: nginx/1.19.0

Data: Mon, 07 Dec 2020 18:24:50 GMT

Powered: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1

[!] Testing XSS

[!] 10 Payloads.

[+] 9 Payloads were found.

[*] Payload found!

[!] Payload: alert("inject")

[!] POC: http://example.com/page.php?cat=alert("inject")

[*] Payload found!

[!] Payload: %3Cscript%3Ealert%28%22inject%22%29%3C%2Fscript%3E

[!] POC: http://example.com/page.php?cat=%3Cscript%3Ealert%28%22inject%22%29%3C%2Fscript%3E

[!] Testing SQLi

[*] Blind SQL injection time based found!

[!] Payload: 1-SLEEP(2)

[!] POC: http://example.com/page.php?cat=1-SLEEP(2)

[*] SQL Error found.

[!] Payload: '

[!] POC: http://example.com/page.php?cat='

[!] Testing LFI

[*] Payload found!

[!] Payload: ../../../../etc/passwd

[!] POC: http://example.com/page.php?cat=../../../../etc/passwd

[!] Testing XST

[*] This site seems vulnerable to Cross Site Tracing (XST)!

```

***

## Discaimer

```

Usage of the webpwn for attack targets without prior mutual consent is illegal. 

It is the end user's responsability to obey all applicable local, state, federal and international laws. 

Developer assume no liability and not responsible for any misuse or damage caused by this program.

```