OWASP Mth3l3m3nt Framework

Posted on Posted in Tools

OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.


The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers:

  • Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)
  • LFI/RFI exploitation Module
  • Web Shell Generator (ASP,PHP,JSP,JSPX)
  • Payload Encoder and Decoder
  • Custom Web Requester (GET/POST)
  • Web Herd (HTTP Bot tool to manage web shells)

Modules Packed in so far are:

  • Payload Store
  • Shell Generator (PHP/ASP/JSP/JSPX)
  • Payload Encoder and Decoder (Base64/Rot13/Hex/Hexwith \x seperator/ Hex with 0x Prefix)
  • LFI Exploitation module (currently prepacked with: Koha Lib Lime LFI/ WordPress Aspose E-book generator LFI/ Zimbra Collaboration Server LFI)
  • HTTP Bot Herd to control web shells.
  • String Tools
  • Client Side Obfuscator


Copy all the files into your webroot except db_dump_optional. Ensure the Folders Below are writeable:

  • tmp
  • framework/data
  • framework/data/site_config.json

the login url is: /cnc  username:mth3l3m3nt password:mth3l3m3nt

Sample Apache2 Configuration

<Directory /var/www/>
    Options -Indexes +FollowSymLinks +Includes
    AllowOverride All
    Order allow,deny
    Allow from all
    Require all granted # This is required for apache 2.4.3 or higher if lower version remove this line

Sample Nginx Configuration

server {
    root /var/www/html;
    location / {
        index index.php index.html index.htm;
        try_files $uri /index.php?$query_string;
    location ~ \.php$ {
        fastcgi_pass ip_address:port;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;

Sample IIS Configuration

<?xml version="1.0" encoding="UTF-8"?>
        <rule name="Application" stopProcessing="true">
          <match url=".*" ignoreCase="false" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
          <action type="Rewrite" url="index.php" appendQueryString="true" />

Sample Lighttpd Configuration

$HTTP["host"] =~ "www\.example\.com$" {
    url.rewrite-once = ( "^/(.*?)(\?.+)?$"=>"/index.php/$1?$2" )
    server.error-handler-404 = "/index.php"


Quellen: GitHub and CyberPunk