This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload.

Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications. This version includes cool notifications and new attack vectors!




  • Python (2.7.*, version 2.7.11 was used for development and demo)
  • Gnome
  • Bash
  • Msfconsole (accessible via environment variables)
  • Netcat (nc)
  • cURL (curl) [NEW]
  • PyGame (apt-get install python-pygame) [NEW]

Payload Compatibility

  • Chrome (14 Nov 2015) – This should still work.
  • Firefox (04 Nov 2016) – Tested live at Black Hat Arsenal 2016

WordPress Lab

WordPress Exploit

Joomla Lab

Joomla Exploit


  • Audio: Contains remixed audio notifications.
  • Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
  • Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET[‘c’]).
  • Payloads/javascript: Contains the JavaScript payloads. Contains a new “add new admin” payload for Joomla.
  • Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey’s shell that connects back via wget.


Download XSSER

Leave a Reply

Your email address will not be published. Required fields are marked *