Abartan Dhakal haxormad
@haxormad
haxormad / exploit_path_traversals_in_Java_webapps.txt
Created February 16, 2022 05:24 — forked from harisec/exploit_path_traversals_in_Java_webapps.txt
quick primer on how to exploit path traversals in Java web apps (i.e. you can read WEB-INF/web.xml)
so, you can read WEB-INF/web.xml. how can you escalate this issue?
[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.
use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan):
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
with time you can build your own wordlist adding files you've discovered over time.
use Burp Intruder for this, it's perfect for this job.
sort Intruder results by status code so you can see instantly which files were found.
haxormad / log4shell_regexes.py
Created December 17, 2021 02:59 — forked from karanlyons/log4shell_regexes.py
log4shell Regexes
import re
from urllib.parse import unquote
FLAGS = re.IGNORECASE | re.DOTALL
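# Each ESC_* pattern matches the literal character or one of its escaped forms.
ESC_DOLLAR = r'(?:\$|\\u0024|\\x24|\\0?44|%24)'
ESC_LCURLY = r'(?:\{|\\u007B|\\x7B|\\173|%7B)'
ESC_RCURLY = r'(?:\}|\\u007D|\\x7D|\\175|%7D)'
# These two patterns are compiled without FLAGS, so hex digits list both cases.
_BACKSLASH_ESCAPE_RE = re.compile(r'\\(?:u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[0-7]{,3})')
_PERCENT_ESCAPE_RE = re.compile(r'%[0-9a-fA-F]{2}')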
haxormad / redUrl.txt
Created May 6, 2020 01:38 — forked from geekyrajnish/redUrl
Recon For Open Redirection Bug
redUrl() {
  # Fetch the URL list once, then write one file per redirect-style parameter.
  local urls
  urls=$(gau -subs "$1")
  printf '%s\n' "$urls" | grep "redirect" >> "${1}_redirectall.txt"
  printf '%s\n' "$urls" | grep "redirect=" >> "${1}_redirectequal.txt"
  printf '%s\n' "$urls" | grep "url" >> "${1}_urlall.txt"
  printf '%s\n' "$urls" | grep "url=" >> "${1}_urlequal.txt"
  printf '%s\n' "$urls" | grep "next=" >> "${1}_next.txt"
  printf '%s\n' "$urls" | grep "dest=" >> "${1}_dest.txt"
  printf '%s\n' "$urls" | grep "destination" >> "${1}_destination.txt"
  printf '%s\n' "$urls" | grep "return" >> "${1}_return.txt"
  printf '%s\n' "$urls" | grep "go=" >> "${1}_go.txt"
  printf '%s\n' "$urls" | grep "redirect_uri" >> "${1}_redirecturi.txt"
  printf '%s\n' "$urls" | grep "continue=" >> "${1}_continue.txt"
  printf '%s\n' "$urls" | grep "return_path=" >> "${1}_path.txt"
  printf '%s\n' "$urls" | grep "externalLink=" >> "${1}_link.txt"
  printf '%s\n' "$urls" | grep "URL=" >> "${1}_URL.txt"
}