• twitter of itsecteam
  • facebook of itsecteam
  • googleplus of itsecteam
Are your Web applications, Servers & Services, Network & Network Infrastructure
Are your Web applications, Servers & Services, Network & Network Infrastructure secure?
We can perform exhaustive penetration tests on your websites and applications, servers andservices, network andnetwork infrastructure. We can help tosafeguard your website and code, servers andservices, network andnetwork infrastructure against malicious attacks and potential data theft.
Design and Implementation of Secure Websites, Services and Software
Design and Implementation of Secure Websites, Services and Software
Professional Courses of Hacking and Security
Professional Courses of Hacking and Security
Web Vulnerabilities, Application Vulnerabilities and Exploiting Methods, CEH (Certified Ethical Hacking)

Web Application Exploiter (WAppEx)

Date:
27 Jan 2013

Home

WAppEx is an integrated Web Application security assessment and exploitation platform designed with the whole spectrum of security professionals to web application hobbyists in mind. It suggests a security assessment model which revolves around an extensible exploit database. Further, it complements the power with various tools required to perform all stages of a web application attack.

The Exploit Database contains the all the logic associated with trivial fingerprinting, exploitation techniques, and payloads that address a wide range of web application vulnerabilities with the emphasis being on high-risk and zero-day vulnerabilities.

Some of the vulnerabilities already bundled within the Exploit Database include Local File Disclosure (LFD), Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL Injection (SQLI), Remote OS Command Execution (RCE), and Server-side Code Injection (SCI). WAppEx can detect these vulnerabilities in a target, take full advantage of it, and through neatly designed payload codes get as much access to the exploited target as possible in as short a time as possible. Some of the payloads included within the database are various reverse shells, arbitrary code execution, command execution, arbitrary file upload…

Since all the attack logic rests in the form of scripts within the Exploit Database, it is easily extensible, flexible and updatable through community servers. Users, too, can add mature, sophisticated exploits and payloads in the same fashion. The database grows on a daily basis, and our dedicated team of research and development are working non-stop to maintain the richest, most up-to-date aggregate of exploits. The number of exploits is soon bound to surpass hundreds. Meanwhile, users can share their own created exploits and payloads with the community and contribute to this growing momentum.

The scripting language used to create new exploits and payloads is JavaScript with the addition of a few accessory objects and functions that automate daily penetration testing tasks and help integrate the script with the database. Using this feature, you can easily create and execute an exploit based on a newly discovered vulnerability.

WAppEx is also equipped with a penetration testing toolbox that makes an effective synergy with the Exploit Database and a crafty security expert. The provided tools include Manual Request, Exploit Editor, Dork Finder, Hidden File Checker… More tools, such as a crawler, a multi-purpose fuzzer… are to be added to the arsenal in the future releases of WAppEx.

Still, keep your eyes peeled as this is just the beginning of a new, powerful war machine in the pentest battleground.

The full list features is as below:

 

  • An exploit database covering a wide range of vulnerabilities.
  • A set of tools useful for penetration testing:
    • Manual Request
    • Dork Finder
    • Exploit Editor
    • Hidden File Checker
    • Neighbor Site Finder
    • Find Login Page
    • Online Hash Cracker
    • Encoder/Decoder
  • Execute multiple instances of one or more exploits simultaneously.
  • Execute multiple instances of one or more payloads (for every running exploit) simultaneously.
  • Test a list of target URL’s against a number of selected exploits.
  • Allows you to create your own exploits and payloads and share them online.
  • A number of featured exploits (6) and payloads (39) bundled within the software exploit database:
    • Testing and exploiting of Local File Inclusion vulnerabilities
    • Testing and exploiting of Local File Disclosure vulnerabilities
    • Testing and exploiting of Remote File Inclusion vulnerabilities
    • Testing and exploiting of SQL Injection vulnerabilities
    • Testing and exploiting of Remote Command Execution Inclusion vulnerabilities
    • Testing and exploiting of Server-side Code Injection vulnerabilities

Visit our download page to get WAppEx now.

Download

WAppEx 2.0, like its predecessor, has only been released a free trial. Click the download links below to download WAppEx 2.0, ITSecTeam End-User License Agreement, and the registration license file.

NOTICE: BY CLICKING ON ANY OF THE DOWNLOAD LINKS BELOW YOU ADMIT THAT YOU HAVE READ AND ACCEPT ITSECTEAM END USER LISENCE AGREEMENT.

Download WAppEx End-User License Agreement

Download WAppEx 2.0

Download License File

Enter ITSecTeam as the license name during registration.

Screenshot

Main
Admin Finder
Encoder
Exploit Editor
Exploit DB
Dork Finder
Online Hash Cracker
Manual Request
Local File Disclosure (LFD)
Local File Inclusion (LFI)
Connect-back Shell
Remote Code Execution (RCE)
SQL Injection (SQLI)
Neighbour Site Finder

History

Here is a brief history of changes made in different versions of WAppEx.

Version

Release Date

Changes
2.0 24/01/2013
  • Auto-detect feature deleted from exploits
  • Browser tool deleted
  • Exploits and payloads view changed
  • Exploit Database with the following features added:
    • New script syntax and structure
    • Searching, selecting, and executing of exploits.
    • Add/remove database entries (exploits or payloads)
    • Add exploits or payloads to the database using either the Exploit Wizard or the script file
    • Batch testing of multiple targets against multiple exploits
    • Execute multiple instances of one or more payloads (for every running exploit) simultaneously.
  • Following tools added:
    • Manual Request
    • Dork Finder
    • Exploit Editor
    • Hidden File Checker
    • Neighbor Site Finder
  • Local File Inclusion analyzer script updated
  • 24 new payloads for LFI, RFI, and PHP Code Execution vulnerabilities added:
    • Directory Explorer
    • CodeExec Bind
    • 3 connect-back shells
    • Code Execution
    • MySQL Dump
    • ServerInfo
    • 4 command execution payloads
  • Bug-fixes:
    • Find Login Page crashed on start
    • Problem with software registration
    • Stop button did not work when retrieving data from SQL server
    • Problem with saving SQL results
    • Crashed when closing Find Login Page
    • Status icons were not displayed properly in exploit tabs

 
1.0 23/06/2012

Initial release
 

Purchase

This version of WAppEx is only released as a free trial. If you need the software registration license, you can obtain it from the product download page.

Bug Report

Our team of experts and engineers work diligently to deliver the most reliable product possible. But however accurate the planning, development, and testing, some bugs do eventually creep into the released product – unexpected defects, faults, flaws, or imperfections. WAppEx’s developers wish to be informed about all reproducible bugs that may be encountered in the latest version of the software.

For this information to be useful and enable us to resolve the bug, we need detailed and specific information. Please be aware that incomplete or inaccurate reports waste valuable time and therefore may be discarded if the bug cannot be reproduced or the details are not clear enough.

NOTE: Before you complete or submit a bug report make sure you are using the latest available release of WAppEx.

To report a bug, contact us through.

 

Demo

Register
How to register WAppEx
 
Local File Inclusion
Exploiting LFI Vulnerability to execute system commands
 
SQL Injection
Exploiting SQLi Vulnerability and fetching database
 
Remote File Inclusion
Exploiting RFI vulnerability to upload web shell and execute system commands
 
Local File Disclosure
Exploiting LFD Vulnerability to read local files
 
Server-side Code Injection
Exploiting an SCI vulnerability to execute server-side codes such as PHP, JSP, and ASP, on the remote server
 
Remote OS Command Execution
Exploiting an RCE vulnerability to execute arbitrary operating system commands on the remote server
 
FCKEditor Exploitation
FCKEditor Exploitation
 

 

Help

All rights reserved to ITSecTeam Security Research © 2012

  • twitter of itsecteam
  • facebook of itsecteam
  • googleplus of itsecteam