Jsshell - An Interactive Multi-User Spider Web Js Shell
An interactive multi-user spider web based javascript shell. It was initially created inward social club to debug remote esoteric browsers during experiments in addition to research. This tool tin last easily attached to XSS (Cross Site Scripting) payload to accomplish browser remote code execution (similar to the BeeF framework).
Version 2.0 is created only from scratch, introducing novel exciting features, stability in addition to maintainability.
Author
Daniel Abeles.
Shell Video
Features
Installation & Setup
Config File
In the
Docker
This novel version instructed installing in addition to running via
This will:
Regular
If you lot nevertheless wish to purpose the sometime fashion method of installing, only brand certain you lot accept a
I recommend using a virtual environs amongst
Or using
Then, install the requirements:
Running
If you lot used the
Web Server
Otherwise, 1 time nosotros accept the database setup, nosotros withdraw to initiatory off the spider web API server. To do, run:
This volition practise in addition to run a spider web server that listens to incoming connections in addition to serves our JSShell code.
Shell
Now to initiatory off the JSShell CLI, run the same script but at 1 time amongst the
Usage
After setup in addition to running the required components, larn into the
Flow
JSShell supports two methods of operation:
Injectable Shell
Similar to other XSS command frameworks (like BeeF), JSShell is capable of managing successful XSS exploitations. In example, if you lot tin inject a
Hosted Shell
If you lot wish to debug exotic in addition to esoteric browsers, you lot tin only navigate to
Credits
Canop for JSON.prune
use it at your ain responsibleness in addition to risk.
Version 2.0 is created only from scratch, introducing novel exciting features, stability in addition to maintainability.
Author
Daniel Abeles.
Shell Video
Features
- Multi customer support
- Cyclic DOM objects support
- Pre flying scripts
- Command Queue & Context
- Extensible amongst Plugins
- Injectable via
tags
- Dumping command output to file
- Shell pagination
Installation & Setup
Config File
In the
resources
directory, update the config.json
file amongst your desired configuration:- Database host - if running amongst the
docker
deployment method, pick out the database host every bitdb
(which is the internal host name). - Return URL - the URL which the requests volition follow. The
shell.js
file does about AJAX calls to register in addition to poll for novel commands. Usually it volition lasthttp://{YOUR_SERVER_IP}:{PORT}
. - Startup script - a script that runs automatically when the JSShell CLI customer is spawned.
- It is also possible to indicate at a remote database if desired.
Docker
This novel version instructed installing in addition to running via
docker
in addition to docker-compose
. Now, to install in addition to run the entire JSShell framework, only run:$ ./start_docker_shell.sh
- Start in addition to practise the database inward the background
- Start the spider web API server that handles incoming connections inward the background
- Spawn a novel event of the
JSShell
command line interface container
Regular
If you lot nevertheless wish to purpose the sometime fashion method of installing, only brand certain you lot accept a
MongoDB
database upward in addition to running, in addition to update the config.json
file residing inward the resources
directory.I recommend using a virtual environs amongst
pyenv
:$ pyenv virtualenv -p python3.6 venv $ pyenv activate venv
virtualenv
:$ virtualenv -p python3.6 venv $ source venv/bin/activate
$ pip install -r requirements.txt
Running
If you lot used the
docker
method, there's no withdraw to run the next procedure.Web Server
Otherwise, 1 time nosotros accept the database setup, nosotros withdraw to initiatory off the spider web API server. To do, run:
$ python manage.py web
Shell
Now to initiatory off the JSShell CLI, run the same script but at 1 time amongst the
shell
flag:$ python manage.py shell
Usage
After setup in addition to running the required components, larn into the
help
command to encounter the available commands: ╦╔═╗┌─┐┬ ┬┌─┐┬ ┬ ║╚═╗└─┐├─┤├┤ │ │ ╚╝╚═╝└─┘┴ ┴└─┘┴─┘┴─┘ 2.0 yesteryear @Daniel_Abeles >> attention Documented commands (type attention ): General Commands -------------------------------------------------------------------------------- edit Edit a file inward a text editor attention List available commands or supply detailed attention for a specific command history View, run, edit, save, or clear previously entered commands ipy Enter an interactive IPython rhythm py Invoke Python command or rhythm quit Exit this application Shell Based Operations -------------------------------------------------------------------------------- dorsum Un-select the electrical flow selected customer clients List in addition to command the clients that accept registered to our organization commands Show the executed commands on the selected customer dump Dumps a command to the disk execute Execute commands on the selected customer select Select a customer every bit the electrical flow customer >>
Flow
JSShell supports two methods of operation:
- Injectable Shell (similar to BeeF framework)
- Hosted Shell (for debugging)
Injectable Shell
Similar to other XSS command frameworks (like BeeF), JSShell is capable of managing successful XSS exploitations. In example, if you lot tin inject a
script
tag, inject the next resources to your payload, in addition to a novel customer volition seem inward your console:
Hosted Shell
If you lot wish to debug exotic in addition to esoteric browsers, you lot tin only navigate to
http://{YOUR_SERVER_IP}:{PORT}/
in addition to a novel customer volition popular upward into your JSShell CLI client. Now it is debuggable via our JSShell console.Credits
Canop for JSON.prune
use it at your ain responsibleness in addition to risk.