Security and Technology


From XSS to RCE 2.5 – Black Hat Europe Arsenal 2016Demo

Version 2.0 – 2015:

Version 2.5 – 2016:


Python (2.7.*, version 2.7.11 was used for development and demo)



Msfconsole (accessible via environment variables)

Netcat (nc)

cURL (curl) [NEW]

PyGame (apt-get install python-pygame) [NEW]

Payload Compatibility

Chrome (14 Nov 2015) – This should still work.

Firefox (04 Nov 2016) – Tested live at Black Hat Arsenal 2016

WordPress Lab


Better WP Security 3.5.3

Optional: WPSEO

WordPress Exploit

Joomla Lab


SecurityCheck 2.8.9

Joomla Exploit


Audio: Contains remixed audio notifications.

Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.

Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET[‘c’]).

Payloads/javascript: Contains the JavaScript payloads. Contains a new “add new admin” payload for Joomla.

Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey’s shell that connects back via wget.

Developed By

Hans-Michael Varbaek

Sense of Security


MaXe / InterN0T

Download XSSER

Deixe uma resposta

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do

Você está comentando utilizando sua conta Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s