XAttacker is a perl tool capable of scanning and auto-exploiting vulnerabilities in web applications. By providing a target website to the tool, it auto detects its’ architecture if using a Content Management Service (CMS) and tries to find vulnerabilities based on the detected CMS. Currently supported CMS include Wordpress, Joomla, Drupal, PrestaShop, and LokoMedia.
How to Install the Tool?
XAttacker can be installed by cloning the setup from Github repository using the following command.
git clone https://github.com/Moham3dRiahi/XAttacker.git
The cloning process may ask for a username and password to proceed. Another option to get the tool is to download the ZIP file from the github repository and extract the files. The unzipped files can be viewed by following the XAttacker’s downloaded folder path and list the folder items using the following command. The folder must contain the XAttacker.pl file.
cd XAttacker-master ls
Scan and Exploit with XAttacker
Using XAttacker is pretty simple. First of all, save the target website(s) in a text file. In the next step, run the tool using the following command.
perl XAttacker.pl
The above command runs the tool and asks to select one of two options regarding the target website list. Select the appropriate option and provide the path to the file containing the target website(s) created earlier. For demonstration purposes, we have added the target website in a file named as ‘mylist’, saved on the desktop.
If the target website contains the supported CMS, the tool starts exploring the possibilities of exploiting the website based on vulnerabilities in the pre-defined set of resources. For instance, in a Wordpress website, the tool searches for vulnerabilities in resources like plugins, forms, php code, and specific themes. Similarly, in Drupal, the tool looks for Admin panel vulnerabilities. If there is no vulnerability found in the targeted website, the tool returns to the initial step.
However, if XAttacker finds a vulnerability, it exploits that automatically if the attacker chooses to do so. XAttacker could be useful for red team exercises in particular.
What Bunny rating does it get?
XAttacker is very simple to use. The tool can scan a large number of websites provided in a file using three simple steps, i-e (i) create list of target websites (ii) run XAttacker.pl, and (iii) provide path to the list of target websites when prompted. One downside we noticed is that sometimes the tool fails to detect the CMS and stops the scanning process. we will be rating this tool with 3.5 out of 5 bunnies.
Want to learn more about ethical hacking?
We have a networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE
Do you know of another GitHub related hacking tool?
Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.