XSSER XSSER -  From XSS to RCE Technology

From XSS to RCE 2.5 – Black Hat Europe Arsenal 2016



  • Python (2.7.*, model 2.7.11 was once used for construction and demo)
  • Gnome
  • Bash
  • Msfconsole (available by the use of setting variables)
  • Netcat (nc)
  • cURL (curl) [NEW]
  • PyGame (apt-get set up python-pygame) [NEW]

Payload Compatibility

  • Chrome (14 Nov 2015) – This must nonetheless paintings.
  • Firefox (04 Nov 2016) – Examined are living at Black Hat Arsenal 2016

WordPress Lab

WordPress Exploit

Joomla Lab

Joomla Exploit


  • Audio: Incorporates remixed audio notifications.
  • Exploits: Incorporates DirtyCow (DCOW) privilege escalation exploits.
  • Joomla_Backdoor: Incorporates a pattern Joomla extension backdoor which may also be uploaded as an administrator and therefore used to execute arbitrary instructions at the gadget with gadget($_GET[‘c’]).
  • Payloads/javascript: Incorporates the JavaScript payloads. Incorporates a brand new “upload new admin” payload for Joomla.
  • Shells: Incorporates the PHP shells to inject, together with a reasonably changed model of pentestmonkey’s shell that connects again by the use of wget.

Evolved By means of

  • Hans-Michael Varbaek
  • Sense of Safety


  • MaXe / InterN0T

yWz4fri42hA XSSER -  From XSS to RCE Technology


Marshmallow Man, AppMarsh.com blog spiritual leader, has strived to make AppMarsh an independent and free blog from world monetary system. He and his followers are exiled by Google monster.