INFRA - Handling JSON in request + example SSRF2 (json data)

pull/2/head
Swissky 2018-10-16 12:18:00 +02:00
parent 378901a948
commit bea0fc8a1a
4 changed files with 54 additions and 12 deletions


@ -47,6 +47,7 @@ Feel free to add any feature listed below or a new service.
- networkscan - same a portscan, we want to discover machines in the same network
- aws and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more
- sockserver - SSRF SOCK proxy server - https://github.com/iamultra/ssrfsocks
- handle request with file in requester
The following code is a template if you wish to add a module interacting with a service.


@ -1,4 +1,5 @@
import re
import json
import requests
import logging
@ -37,10 +38,17 @@ class Requester(object):
def data_to_dict(self, data):
if self.method == "POST":
for arg in data.split("&"):
regex = re.compile('(.*)=(.*)')
for name,value in regex.findall(arg):
self.data[name] = value
# Handle JSON data
if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
self.data = json.loads(data)
# Handle FORM data
else:
for arg in data.split("&"):
regex = re.compile('(.*)=(.*)')
for name,value in regex.findall(arg):
self.data[name] = value
def do_request(self, param, value):
@ -51,12 +59,24 @@ class Requester(object):
if param in data_injected:
data_injected[param] = value
r = requests.post(
"http://" + self.host + self.action,
headers=self.headers,
data=data_injected,
timeout=3
)
# Handle JSON data
if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
r = requests.post(
"http://" + self.host + self.action,
headers=self.headers,
json=data_injected,
timeout=3
)
# Handle FORM data
else:
r = requests.post(
"http://" + self.host + self.action,
headers=self.headers,
data=data_injected,
timeout=3
)
else:
# String is immutable, we don't have to do a "forced" copy
regex = re.compile(param+"=(\w+)")
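Review bot: The new `self.headers['Content-Type']` lookups in both `data_to_dict` and `do_request` raise `KeyError` when the parsed request carries no Content-Type header at all, and the `== "application/json"` equality misses a header with parameters such as `application/json; charset=utf-8`, so such a request either crashes before anything is sent or is silently pushed onto the form-encoded path. Assuming `self.headers` is a plain dict, read the header with `.get`, compare only the media type, and select the `requests.post` keyword from that, which also removes the two near-identical `requests.post` calls in `do_request`. The JSON branch of `data_to_dict` should likewise expect `json.loads` to raise `ValueError` on a malformed body and report it rather than let the traceback escape. `do_request` starts and ends outside the hunk.
```python
# … unchanged: data_injected copy and param substitution …
# Compare only the media type so parameters such as "; charset=utf-8"
# do not push a JSON body onto the form-encoded path.
content_type = self.headers.get('Content-Type', '')
is_json = content_type.split(';')[0].strip().lower() == "application/json"
body = {"json": data_injected} if is_json else {"data": data_injected}
r = requests.post(
    "http://" + self.host + self.action,
    headers=self.headers,
    timeout=3,
    **body
)
```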


@ -9,14 +9,23 @@ def hello():
return "SSRF Example!"
# do not try this at home - highly vulnerable ! (SSRF and RCE)
# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
@app.route("/ssrf", methods=['POST'])
def ssrf():
data = request.values
content = command("curl {}".format(data.get('url')))
return content
# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf
@app.route("/ssrf2", methods=['POST'])
def ssrf2():
data = request.json
print(data)
print(data.get('url'))
content = command("curl {}".format(data.get('url')))
return content
def command(cmd):
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
(out, err) = proc.communicate()
@ -25,5 +34,4 @@ def command(cmd):
if __name__ == '__main__':
app.run(host='127.0.0.1', port=5000, debug=True)
# FLASK_APP=example.py flask run
# NOTE: this file should become a simple ssrf example in order to test SSRFmap
# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
# NOTE: this file should become a simple ssrf example in order to test SSRFmap
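Review bot: In the new `ssrf2` route, `request.json` is `None` whenever the body does not arrive with a JSON content type, so `data.get('url')` raises `AttributeError` and Flask answers with a 500 instead of the route's normal response; `data = request.get_json(silent=True) or {}` keeps the example reachable from the documented curl line as well as from the JSON requester this commit adds. The two `print(...)` calls in `ssrf2` look like leftover debugging output and should be removed or turned into `app.logger.debug(...)` so the example's stdout stays clean. The `command` helper continues past the end of the hunk.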

13
data/request2.txt Normal file

@ -0,0 +1,13 @@
POST /ssrf2 HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5000/
Content-Type: application/json
Content-Length: 43
Connection: close
Upgrade-Insecure-Requests: 1
{"userId":"1", "url": "http://example.com"}