From XSS to RCE: XSSer

ID N0WHERE:136099
Type n0where
Reporter N0where
Modified 2016-11-21T05:27:36


From XSS to RCE

This demonstrates how an attacker can utilize XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications. This version includes cool notifications and new attack vectors!

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting security vulnerabilities may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution.


  • Python (2.7.*, version 2.7.11 was used for development and demo)
  • Gnome
  • Bash
  • Msfconsole (accessible via environment variables)
  • Netcat (nc)
  • cURL (curl) [NEW]
  • PyGame (apt-get install python-pygame) [NEW]

Payload Compatibility

  • Chrome (14 Nov 2015) – This should still work.
  • Firefox (04 Nov 2016) – Tested live at Black Hat Arsenal 2016


  • Audio: Contains remixed audio notifications.
  • Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
  • Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET[‘c’]).
  • Payloads/javascript: Contains the JavaScript payloads. Contains a new “add new admin” payload for Joomla.
  • Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey’s shell that connects back via wget.

From XSS to RCE: XSSer Download