xsshell: XSS reverse shell framework

by do son · March 21, 2019

XSShell

XSShell is a cross-site-scripting reverse shell… Okay, well maybe it’s not a true reverse shell, but it will allow you to interact in real time with an XSS victim’s browser.

Just run the xsshell binary to set up your listener endpoint, do your XSS thing to get the exploit js onto the victim’s browser, and as soon as they run it you should see something like this pop up in your console:

====== start socket: 1, header: AmaaKrM= ======

socket connected: 1

    user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 

    page url:   http://example.com/ 

    referrer:   http://google.com/

    cookies:    phpsessid=abababababababab

======   end socket: 1, header: AmaaKrM= ======

Once you have a connection you can execute any javascript file you want on the browser, and have that script return data to your console. This may not seem very useful at first, but it allows you to be more tactical and react in real time to the environment that the script is running on. Environments like say… an admin page used to approve and manage orders placed on a retail site 🙂

XSShell also comes with a number of premade XSS payloads to use:

\alert – send a js alert message
\cs – get cookies and any updates to the cookies
\gi – download all images on the page
\kl – key logger
\ll – list all links on the page
\src – download the current page source
\pfl – show the user a modal and prompt them to login
\xhr – make xhr requests in the context of the victim’s browser
\ct – crash the victim’s browser tab
\wcs – attempt to take a snapshot from the victim’s webcam (WARNING: most modern browsers will prompt for access to webcams)