OWASP Mth3l3m3nt Framework Project

Mth3l3m3nt Framework Project

OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.

Description

The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers:

• Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)
• LFI/RFI exploitation Module
• Web Shell Generator (ASP,PHP,JSP,JSPX)
• Payload Encoder and Decoder
• Custom Web Requester (GET/POST)
• Web Herd (HTTP Bot tool to manage web shells)
• Client Side Obfuscator
• String Tools
• Whois

Please contribute to this project.

Licensing

The OWASP Mth3l3m3nt Framework is free to use. Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.

The OWASP Mth3l3m3nt Framework is licensed under the GNU AGPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is the OWASP Mth3l3m3nt Framework Project

It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.

Project Leader

• Munir Njiru

Related Projects

• [ZAP]

Openhub

• OWASP Mth3l3m3nt Framework

Presentations

• Mth3l3m3nt Framework in Africahackon 2015 CTF

Documentation

• User Guide

Quick Download

The home of the OWASP Mth3l3m3nt Framework is on GitHub. You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.

However, if you like you may also download the master repository from the following links:

• .zip file.
• .tgz file.

Updates

• Aug-13-2015: Added Developer Documentation to the project.
• Nov-18-2015: Added CVE-2015-7254 Exploit to the framework.
• Nov-19-2015: Added User Guide to the Git Repository

Classifications