OWASP Mth3l3m3nt Framework


This article is from the Open Source Hacking Tools edition, which you can download for free if you have an account on our website.

OWASP Mth3l3m3nt (Modular Threat Handling Element) Framework is a simple and portable set of utilities designed to make it easier for a penetration tester to verify key elements/artefacts on the go. The main features are:

  • Multi-Database Support (JIG, SQLite, MySQL, MongoDB, PostgreSQL, MSSQL)
  • LFI/RFI exploitation Module
  • Web Shell Generator (ASP, PHP, JSP, JSPX, CFM)
  • Payload Encoder and Decoder
  • Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)
  • Web Herd (HTTP Bot tool to manage web shells)
  • Client Side Obfuscator
  • String Tools
  • Whois
  • Cookie Theft Database (CTDB)

Payload Store

This module was built to solve a common problem: during pentests, we mostly come up with payloads on the fly and then lose track of them when retesting or encountering similar targets. The store helps the penetration tester remember the following:

  • Payload itself.
  • What strategy was used to come up with the payload.
  • What exactly affected the target.
  • How it affected the target.

Therefore, this module is simply a store of such precious artefacts that save us time on any given pentest.

Generic Requests

This module is meant for creating proofs of concept and trying out requests, especially when one has only a limited command of cURL. The module is adaptable and works through the following hierarchy:

  • Use cURL to make requests;
  • If cURL is not available, then perform the same requests using fsock (Internet or Unix domain socket connection);
  • If the above are not available, use raw TCP sockets.

As an example, suppose a scanner has indicated that a server runs Tomcat, or you need to show version disclosure by the system; instead of using the command line, an easy proof is to point mth3l3m3nt at the URL to get the full list of headers and use that to demonstrate the finding.


As the example above shows, the Hakin9 portal has quite a number of headers set that tell us more about the nature of the platform.

Other than headers, we can also perform regular full web requests to check responses; this is particularly useful in testing REST and SOAP APIs as you can see output in its raw format.
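A defender can run the same header check against their own responses. The following is an added example, not code from the article or the Mth3l3m3nt project: it parses a raw response head and reports headers that disclose stack and version details. The header list and the sample response are assumptions constructed for illustration.

```python
import re

# Headers that commonly reveal the server stack; this list is an assumption
# chosen for the example, not something Mth3l3m3nt defines.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_head(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def disclosure_findings(raw):
    """Return (header, value, versions) for each header that leaks stack details."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING:
            findings.append((name, value, VERSION_RE.findall(value)))
    return findings


# Constructed sample response head (not captured from any real host).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: Servlet/3.0 JSP/2.2 (Apache Tomcat/7.0.42 Java/1.7.0_21)\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, value, versions in disclosure_findings(SAMPLE):
        print(f"{name}: {value} -> versions {versions}")
```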

Shell Generator

This module was made to make it less painful to find and use web-based backdoors. Finding and downloading shells is usually a challenge in some environments, so the module generates a minimal web shell by language. These web shells can be used in isolation or in conjunction with another feature to be discussed later, called webherd. So we can say “be gone oh ye prophet of doom that says I have to code this to own this.”


Payload Encoder/Decoder

This is a small utility for encoding and decoding various elements of a payload in one place, instead of finding multiple encoders/decoders online; a simple and easy-to-use interface goes a long way.

In the example below, assume we were to do an SQL injection and needed to append the name hakin9 in our query, either as a mini-obfuscation or because we want to avoid using quotes in our string. We simply select the hexadecimal value with a prefix of 0x to denote that it is hexadecimal and not a regular string.

The reverse can be done using the decoder element ☺
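On the detection side, the same decoding step lets keyword rules see through quote-free hex literals in logged parameters. This is an added example, not code from the article or the Mth3l3m3nt project; the function names and the logged parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# 0x followed by an even number of hex digits (two bytes or more), the form
# used for hexadecimal string literals in SQL dialects such as MySQL.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2}){2,})\b")


def encode_hex_literal(text):
    """Encode a string as the passage describes: 0x prefix plus hex bytes."""
    return "0x" + text.encode("utf-8").hex()


def decode_hex_literals(value):
    """Return [(literal, decoded_text)] for every printable 0x literal in value."""
    found = []
    for match in HEX_LITERAL.finditer(value):
        raw = bytes.fromhex(match.group(1))
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary data, not a hidden string
        if text.isprintable():
            found.append((match.group(0), text))
    return found


def normalise(param):
    """URL-decode a logged parameter and rewrite hex literals as quoted strings."""
    decoded = unquote_plus(param)
    for literal, text in decode_hex_literals(decoded):
        decoded = decoded.replace(literal, "'" + text + "'")
    return decoded


# Constructed log value: the article's "hakin9" string hidden as a hex literal.
LOGGED = "id=1+AND+author%3D0x68616b696e39"

if __name__ == "__main__":
    print(normalise(LOGGED))
```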


Whois

This is nothing big, just the basic reconnaissance feature of “whois” put in a graphical user interface. It helps in gaining information about a particular asset; e.g., below is the information from exploit-db, one of the key assets on the internet for pentesters.

Client side Obfuscator

This is a simple utility that obfuscates client-side code using the JavaScript unescape function; it becomes particularly useful not only to pentesters in hiding their payloads on the client side but also to developers who would like to avoid hotlinking or people reading their code with ease.
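Because unescape is an encoding rather than encryption, anyone reviewing a page can reverse it. The following added example (not code from the article or the Mth3l3m3nt project) reimplements the decoding in Python and follows nested unescape() layers; the sample markup is constructed and harmless.

```python
import re

# %uXXXX (UTF-16 code unit) and %XX (Latin-1 byte) are the two escape forms
# that JavaScript's unescape() decodes.
ESCAPE_SEQ = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# unescape('...') or unescape("...") called with a literal string argument.
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)


def js_unescape(text):
    """Python equivalent of JavaScript unescape() applied to a literal string."""
    return ESCAPE_SEQ.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def reveal(source, max_layers=5):
    """Decode every unescape() literal in source, following nested layers.

    Returns the decoded strings, outermost layer first.
    """
    decoded = []
    pending = [source]
    for _ in range(max_layers):
        found = [js_unescape(m.group(2))
                 for chunk in pending
                 for m in UNESCAPE_CALL.finditer(chunk)]
        if not found:
            break
        decoded.extend(found)
        pending = found
    return decoded


# Constructed sample: harmless markup hidden behind one layer of escaping.
SAMPLE = "<script>document.write(unescape('%3Cp%3Ehello%20hakin9%3C/p%3E'));</script>"

if __name__ == "__main__":
    for layer in reveal(SAMPLE):
        print(layer)
```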

LFI Exploiter

This module was written to ensure that penetration testers can develop working proof of concept exploits within seconds on a graphical user interface and utilize them over time. It currently supports two strategies of LFI that can be leveraged but more can be created over time as the tool morphs. The strategies are:

  • Appending a payload to the cookie header and injecting via the cookie when it controls elements of the application; e.g., Koha’s LibLime loaded the language templates via the cookie, allowing one to bypass this and invoke elements other than language files.
  • Appending a payload to the URL (the most generic form of LFI), where the request URL is built with the payload to attempt file extraction, e.g., on WordPress Plugin Membership Simplified v1.58 - Arbitrary File Download.
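Both strategies leave the same trace in request data, so one detection routine can cover URL parameters and cookie values alike. This is an added example, not code from the article or the Mth3l3m3nt project; the parameter names, cookie names and requests are constructed, and the marker list is an assumption kept short for illustration.

```python
import re
from urllib.parse import unquote

# Markers checked after decoding: ../ or ..\ sequences, values that start at
# an absolute system path, and NUL bytes used to cut off an appended suffix.
TRAVERSAL = re.compile(r"\.\.[\\/]|^(?:/etc/|/proc/|[a-z]:\\)|\x00", re.I)


def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding (catches %252e%252e)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _flag(pairs, source):
    hits = []
    for pair in pairs:
        name, _, value = pair.strip().partition("=")
        if value and TRAVERSAL.search(fully_decode(value)):
            hits.append((source, name))
    return hits


def suspicious_fields(request_target, cookie_header):
    """Return (source, field_name) for each URL parameter or cookie that matches."""
    query = request_target.partition("?")[2]
    return _flag(query.split("&"), "url") + _flag(cookie_header.split(";"), "cookie")


def scan(requests):
    """Return (index, hits) for every request with at least one flagged field."""
    results = []
    for index, (target, cookie) in enumerate(requests):
        hits = suspicious_fields(target, cookie)
        if hits:
            results.append((index, hits))
    return results


# Constructed (request target, Cookie header) pairs; not from real traffic.
REQUESTS = [
    ("/index.php?page=home", "lang=en; sid=abc123"),
    ("/index.php?page=home", "lang=..%2F..%2F..%2Fetc%2Fpasswd%00; sid=abc123"),
    ("/download.php?file=%252e%252e%252f%252e%252e%252fconfig.php", "sid=abc123"),
    ("/download.php?file=report.pdf", ""),
]
```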

Cookie Theft Database

This module was built to give a little more potency to attacks done via stored XSS (Cross Site Scripting), moving proofs of concept from the regular alert(1) exploits to something meaningful: ideally enabling one to steal cookies and page contents, possibly replay them and impersonate users or trick them into performing unintended actions, or annoy them :-D, and then verify them as workable elements. It takes a number of items into consideration for a “campaign” (a stored XSS instance against a page and its change of state). It considers:

  • The referring page that led to the vulnerable page.
  • The change in state and cookies on the vulnerable page.

It does all this by appending a virtual iFrame to the page and populating it with a form (not visible on the page) that can monitor certain elements in the DOM as required and send them back to the C2 as a POST request.
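Two response-side controls bear directly on this mechanism: cookies marked HttpOnly are not readable from page script, and a Content-Security-Policy form-action directive limits where forms may submit. The following added example (not code from the article or the Mth3l3m3nt project) checks a response for both; the cookie names and policies are constructed.

```python
from http.cookies import SimpleCookie


def script_readable_cookies(set_cookie_values):
    """Names of cookies that page script can read (set without HttpOnly)."""
    readable = []
    for header in set_cookie_values:
        jar = SimpleCookie()
        jar.load(header)
        readable += [name for name, morsel in jar.items() if not morsel["httponly"]]
    return readable


def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins, as in browsers.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def form_post_unrestricted(policy):
    """True when the policy lets forms submit to arbitrary origins.

    form-action does not fall back to default-src, so it has to be set
    explicitly; wildcard and bare-scheme sources still allow any host.
    """
    sources = parse_csp(policy or "").get("form-action")
    if sources is None:
        return True
    return any(src in ("*", "http:", "https:") for src in sources)


# Constructed Set-Cookie values for one response.
SET_COOKIES = [
    "PHPSESSID=abc123; Path=/",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print("script-readable cookies:", script_readable_cookies(SET_COOKIES))
    print("form POST unrestricted:", form_post_unrestricted("default-src 'self'"))
```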

Web Herd

Lastly, we have our little webherd. It is common when performing a pentest on a number of targets to have backdoors everywhere and lose sight of them. This tool can work in conjunction with the Shell Generator function to give workable backdoors, but would ideally work with any minimal shell using POST. It gives a neat display of shells and allows you to control and run commands from the interface like a basic C2 server. This comes in quite handy when managing the shells and is even more helpful when you need to “rm -rf backdoor” or “del /q backdoor” before closing out a security assessment in order to not leave clients “bugged”.

No one likes an inflicted RCE ☺

Below is the simple dashboard of a new backdoor uploaded to the location shown.

Below is a sample showing how to run commands on the backdoor from Mth3l3m3nt and get responses; it comes in quite handy, as is seen from our compromised Windows target below.

These are just some simple applications of mth3l3m3nt in its various capacities and how red and blue teamers use them to solve day-to-day security problems, whether attacking or defending applications. To see some of the features in action, find a YouTube video of a demo of the same below:


August 12, 2019


Hakin9 TEAM