INFRA - Handling JSON in request + example SSRF2 (json data)

README.md

@@ -47,6 +47,7 @@ Feel free to add any feature listed below or a new service.
 - networkscan - same a portscan, we want to discover machines in the same network
 - aws and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more
 - sockserver  - SSRF SOCK proxy server - https://github.com/iamultra/ssrfsocks
+- handle request with file in requester
 
 The following code is a template if you wish to add a module interacting with a service.
 

core/requester.py

@@ -1,4 +1,5 @@
 import re
+import json
 import requests
 import logging
     
@@ -37,6 +38,13 @@ class Requester(object):
 
     def data_to_dict(self, data):
         if self.method == "POST":
+
+            # Handle JSON data
+            if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
+                self.data = json.loads(data)
+
+            # Handle FORM data
+            else:
                 for arg in data.split("&"):
                     regex = re.compile('(.*)=(.*)')
                     for name,value in regex.findall(arg):
@@ -51,6 +59,18 @@ class Requester(object):
                 if param in data_injected:
                     data_injected[param] = value
             
+
+                    # Handle JSON data
+                    if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
+                        r = requests.post(
+                            "http://" + self.host + self.action, 
+                            headers=self.headers, 
+                            json=data_injected,
+                            timeout=3
+                        )
+
+                    # Handle FORM data
+                    else:
                         r = requests.post(
                             "http://" + self.host + self.action, 
                             headers=self.headers, 

data/example.py

@@ -9,14 +9,23 @@ def hello():
     return "SSRF Example!"
 
 # do not try this at home - highly vulnerable ! (SSRF and RCE)
+# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
 @app.route("/ssrf", methods=['POST'])
 def ssrf():
     data = request.values
+    content = command("curl {}".format(data.get('url')))
+    return content
+
+# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf
+@app.route("/ssrf2", methods=['POST'])
+def ssrf2():
+    data = request.json
     print(data)
     print(data.get('url'))
     content = command("curl {}".format(data.get('url')))
     return content
 
+
 def command(cmd):
 	proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
 	(out, err) = proc.communicate()
@@ -26,4 +35,3 @@ if __name__ == '__main__':
     app.run(host='127.0.0.1', port=5000, debug=True)
 # FLASK_APP=example.py flask run
 # NOTE: this file should become a simple ssrf example in order to test SSRFmap
-# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf

data/request2.txt

@@ -0,0 +1,13 @@
+POST /ssrf2 HTTP/1.1
+Host: 127.0.0.1:5000
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1:5000/
+Content-Type: application/json
+Content-Length: 43
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+{"userId":"1", "url": "http://example.com"}