I’m writing again after a year! It’s been an eventful one at that. Multiple conferences and two successful Xtreme Web Hacking trainings in that period.
As part of the XWH training that Akash and I did at nullcon 2015, I built an app to demo the functionality and usage of WebSockets. I went overboard and converted it into a full-fledged web shell.
The client is nothing more than a WebSocket connect followed by send calls against the server; the handlers below are where the command output comes back:
if ("WebSocket" in window) {
    var server = "serverip_or_hostname:9998/server";
    var ws = new WebSocket("ws://" + server);
    ws.onopen = function () {
        // socket is up; the Execute! button sends the typed command with ws.send(command)
    };
    ws.onmessage = function (evt) {
        var received_msg = evt.data;  // command output returned by the server
    };
    ws.onclose = function (a) {
        // server went away or closed the socket
    };
} else {
    alert("WebSocket NOT supported by your Browser!");
}
The WebSocket server is a pywebsocket instance. The server-side code is a Python handler module that pywebsocket calls for each incoming connection; it loops reading messages from the socket.
Each text message is prefixed with cmd.exe /c (so this is Windows only) and handed to subprocess.Popen to be executed on the server. stdout and stderr are collected and sent back to the client over the same WebSocket; a binary frame gets a "Send plain text only!" reply instead. Note that nothing in the handler authenticates the client or checks the Origin header, so anyone who can reach port 9998 gets a shell as the user running pywebsocket, and a page on any other site can open the socket from a visitor's browser.
import subprocess

def web_socket_do_extra_handshake(request):
    pass  # demo only: no Origin check and no authentication

def web_socket_transfer_data(request):
    while True:
        line = request.ws_stream.receive_message()
        if line is None:  # peer closed the socket
            return
        if isinstance(line, unicode):  # text frame (Python 2 pywebsocket delivers text as unicode)
            proc = subprocess.Popen('cmd.exe /c ' + line, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            out, err = proc.communicate()  # read both pipes without deadlocking
            request.ws_stream.send_message(out + err)
        else:
            request.ws_stream.send_message('Send plain text only!', binary=True)
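To make the exchange above concrete, here is an added Python 3 example (not the page's pywebsocket handler and not part of the original post) that reimplements just enough of RFC 6455 to show what actually crosses the wire between the browser and the shell: the Upgrade handshake with its Sec-WebSocket-Accept computation, the masked text frame that ws.send() produces, the server's unmasked reply, and the handler rule of "text frame runs as a command, anything else gets 'Send plain text only!'". It also adds the Origin allow-list the demo handler lacks; ALLOWED_ORIGINS, the /server path, the sample request and the fixed client mask are assumptions for the demo. The command runs with shell=True, which goes through cmd.exe on Windows and /bin/sh elsewhere.

```python
import base64
import hashlib
import subprocess

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455
# Hypothetical allow-list: only pages served from these origins may connect.
ALLOWED_ORIGINS = {"http://localhost:8000"}


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_response(request_text):
    """Answer the browser's HTTP Upgrade request; 403 for any foreign Origin."""
    headers = {}
    for line in request_text.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in headers:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    # The same-origin policy does not stop a page on another site from opening
    # this socket; the server has to enforce the Origin header itself.
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            "Sec-WebSocket-Accept: " + accept_key(headers["sec-websocket-key"]) + "\r\n\r\n")


def decode_frame(data, require_mask=True):
    """Split one frame into (opcode, payload). Client frames must be masked."""
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    length = data[1] & 0x7F
    pos = 2
    if length == 126:
        length, pos = int.from_bytes(data[2:4], "big"), 4
    elif length == 127:
        length, pos = int.from_bytes(data[2:10], "big"), 10
    if require_mask and not masked:
        raise ValueError("client frames must be masked (RFC 6455 section 5.1)")
    if not masked:
        return opcode, data[pos:pos + length]
    mask = data[pos:pos + 4]
    payload = bytes(b ^ mask[i % 4] for i, b in enumerate(data[pos + 4:pos + 4 + length]))
    return opcode, payload


def encode_frame(payload, opcode=0x1):
    """Build an unmasked server frame; opcode 0x1 is text, 0x2 is binary."""
    head = bytes([0x80 | opcode])            # FIN set, single unfragmented frame
    if len(payload) < 126:
        head += bytes([len(payload)])
    elif len(payload) < 65536:
        head += bytes([126]) + len(payload).to_bytes(2, "big")
    else:
        head += bytes([127]) + len(payload).to_bytes(8, "big")
    return head + payload


def client_frame(text, mask=b"\x37\xfa\x21\x3d"):
    """What the browser's ws.send(text) puts on the wire: a masked text frame.
    A real client draws the mask from a CSPRNG; the fixed mask is for the demo."""
    payload = text.encode("utf-8")
    if len(payload) >= 126:
        raise ValueError("demo helper covers short frames only")
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes([0x81, 0x80 | len(payload)]) + mask + masked


def handle_frame(frame):
    """The demo handler's rule: text frame -> run it as a shell command and
    return stdout+stderr; anything else -> 'Send plain text only!' as binary."""
    opcode, payload = decode_frame(frame)
    if opcode != 0x1:
        return encode_frame(b"Send plain text only!", opcode=0x2)
    # shell=True is cmd.exe on Windows (the page's cmd.exe /c) and /bin/sh elsewhere:
    # this line is the remote command execution the shell exists for.
    proc = subprocess.run(payload.decode("utf-8"), shell=True,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return encode_frame(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed handshake from the allowed origin, then one command round trip.
    req = ("GET /server HTTP/1.1\r\nHost: localhost:9998\r\nUpgrade: websocket\r\n"
           "Connection: Upgrade\r\nOrigin: http://localhost:8000\r\n"
           "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n")
    print(handshake_response(req))
    print(decode_frame(handle_frame(client_frame("echo hello")), require_mask=False))
```

The Origin check only protects against the cross-site case, where a victim's browser is made to connect on an attacker's behalf: browsers always set Origin truthfully, but a non-browser client can send whatever Origin it likes, so it is not authentication. For a shell like this the minimum beyond that is binding to localhost or a VPN interface and requiring a secret the client must present before any command is run.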
The code is available on GitHub: you can get it here
To run the server on port 9998 (the default in the code, can be changed):
- Get pywebsocket and start its standalone server with ws_server as the handler directory:
    python pywebsocket\mod_pywebsocket\standalone.py -p 9998 -w ws_server
- Open index.html in any browser that supports WebSockets. Latest Chrome/Firefox is good enough.
- Enter a (Windows) command such as ipconfig.
- Hit the Execute! button.