XSSER – From XSS to RCE
Version 2.0 – 2015: https://www.youtube.com/playlist?list=PLIjb28IYMQgqqqApoGRCZ_O40vP-eKsgf
Version 2.5 – 2016: https://www.youtube.com/playlist?list=PLRic6PgcrsWGkgacL6WFnSQKVRZIoofRj
Python (2.7.*, version 2.7.11 was used for development and demo)
Msfconsole (accessible via environment variables)
cURL (curl) [NEW]
PyGame (apt-get install python-pygame) [NEW]
Chrome (14 Nov 2015) – This should still work.
Firefox (04 Nov 2016) – Tested live at Black Hat Arsenal 2016
Better WP Security 3.5.3 http://ift.tt/2fD3Ob2
Optional: WPSEO http://ift.tt/1blM6kR
SecurityCheck 2.8.9 http://ift.tt/2fD3rNY
Audio: Contains remixed audio notifications.
Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET['c']).
Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey’s shell that connects back via wget.
Sense of Security
MaXe / InterN0T