SSRFmap/data/example.py

# NOTE: do not try this at home - highly vulnerable ! (SSRF and RCE)
# NOTE: this file should become a simple ssrf example in order to test SSRFmap
# FLASK_APP=example.py flask run

from flask import Flask, abort, request 
import json
import re
import subprocess

app = Flask(__name__)

@app.route("/")
def hello():
    return "SSRF Example!"

# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
@app.route("/ssrf", methods=['POST'])
def ssrf():
    data = request.values
    content = command("curl {}".format(data.get('url')))
    return content

# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf2
@app.route("/ssrf2", methods=['POST'])
def ssrf2():
    data = request.json
    print(data)
    print(data.get('url'))
    content = command("curl {}".format(data.get('url')))
    return content

# curl -v "http://127.0.0.1:5000/ssrf3?url=http://example.com" 
@app.route("/ssrf3", methods=['GET'])
def ssrf3():
    data = request.values
    content = command("curl {}".format(data.get('url')))
    return content

# curl -X POST -H "Content-Type: application/xml" -d '<run><log encoding="hexBinary">4142430A</log><result>0</result><url>http://google.com</url></run>' http://127.0.0.1:5000/ssrf4
@app.route("/ssrf4", methods=['POST'])
def ssrf4():
    data = request.data
    print(data.decode())
    regex = re.compile("url>(.*?)</url")
    try:
        url = regex.findall(data.decode())[0]
        content = command("curl {}".format(url))
        return content
    except Exception as e:
        return e

def command(cmd):
	proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
	(out, err) = proc.communicate()
	return out

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=5000, debug=True)
MODULE - smbhash : force an SMB auth via UNC path 2018-10-18 11:37:28 +00:00			`# NOTE: do not try this at home - highly vulnerable ! (SSRF and RCE)`
			`# NOTE: this file should become a simple ssrf example in order to test SSRFmap`
			`# FLASK_APP=example.py flask run`

MODULE - github enterprise + ssrf example service 2018-10-15 23:08:08 +00:00			`from flask import Flask, abort, request`
			`import json`
INFRA - XML requests + ssrf4 endpoint 2019-02-18 10:53:57 +00:00			`import re`
MODULE - github enterprise + ssrf example service 2018-10-15 23:08:08 +00:00			`import subprocess`

MODULE - core + redis + fastcgi + portscan + readfile 2018-10-15 19:22:04 +00:00			`app = Flask(__name__)`

			`@app.route("/")`
			`def hello():`
			`return "SSRF Example!"`

INFRA - Handling JSON in request + example SSRF2 (json data) 2018-10-16 10:18:00 +00:00			`# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf`
MODULE - github enterprise + ssrf example service 2018-10-15 23:08:08 +00:00			`@app.route("/ssrf", methods=['POST'])`
MODULE - core + redis + fastcgi + portscan + readfile 2018-10-15 19:22:04 +00:00			`def ssrf():`
MODULE - github enterprise + ssrf example service 2018-10-15 23:08:08 +00:00			`data = request.values`
INFRA - Handling JSON in request + example SSRF2 (json data) 2018-10-16 10:18:00 +00:00			`content = command("curl {}".format(data.get('url')))`
			`return content`

Fixed curl examples for ssrf2/ssrf3 2019-01-30 19:54:10 +00:00			`# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf2`
INFRA - Handling JSON in request + example SSRF2 (json data) 2018-10-16 10:18:00 +00:00			`@app.route("/ssrf2", methods=['POST'])`
			`def ssrf2():`
			`data = request.json`
MODULE - github enterprise + ssrf example service 2018-10-15 23:08:08 +00:00			`print(data)`
			`print(data.get('url'))`
			`content = command("curl {}".format(data.get('url')))`
			`return content`

Fixed curl examples for ssrf2/ssrf3 2019-01-30 19:54:10 +00:00			`# curl -v "http://127.0.0.1:5000/ssrf3?url=http://example.com"`
INFRA - example.py with a GET SSRF 2018-10-17 15:12:08 +00:00			`@app.route("/ssrf3", methods=['GET'])`
			`def ssrf3():`
			`data = request.values`
			`content = command("curl {}".format(data.get('url')))`
			`return content`
INFRA - Handling JSON in request + example SSRF2 (json data) 2018-10-16 10:18:00 +00:00
INFRA - XML requests + ssrf4 endpoint 2019-02-18 10:53:57 +00:00			`# curl -X POST -H "Content-Type: application/xml" -d '<run><log encoding="hexBinary">4142430A</log><result>0</result><url>http://google.com</url></run>' http://127.0.0.1:5000/ssrf4`
			`@app.route("/ssrf4", methods=['POST'])`
			`def ssrf4():`
			`data = request.data`
			`print(data.decode())`
			`regex = re.compile("url>(.*?)</url")`
			`try:`
			`url = regex.findall(data.decode())[0]`
			`content = command("curl {}".format(url))`
			`return content`
			`except Exception as e:`
			`return e`

MODULE - github enterprise + ssrf example service 2018-10-15 23:08:08 +00:00			`def command(cmd):`
			`proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)`
			`(out, err) = proc.communicate()`
			`return out`
MODULE - core + redis + fastcgi + portscan + readfile 2018-10-15 19:22:04 +00:00
MODULE - github enterprise + ssrf example service 2018-10-15 23:08:08 +00:00			`if __name__ == '__main__':`
			`app.run(host='127.0.0.1', port=5000, debug=True)`