INFRA - Handling JSON in request + example SSRF2 (json data)
parent
378901a948
commit
bea0fc8a1a
|
@ -47,6 +47,7 @@ Feel free to add any feature listed below or a new service.
|
||||||
- networkscan - same a portscan, we want to discover machines in the same network
|
- networkscan - same a portscan, we want to discover machines in the same network
|
||||||
- aws and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more
|
- aws and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more
|
||||||
- sockserver - SSRF SOCK proxy server - https://github.com/iamultra/ssrfsocks
|
- sockserver - SSRF SOCK proxy server - https://github.com/iamultra/ssrfsocks
|
||||||
|
- handle request with file in requester
|
||||||
|
|
||||||
The following code is a template if you wish to add a module interacting with a service.
|
The following code is a template if you wish to add a module interacting with a service.
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
import re
|
import re
|
||||||
|
import json
|
||||||
import requests
|
import requests
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
|
@ -37,10 +38,17 @@ class Requester(object):
|
||||||
|
|
||||||
def data_to_dict(self, data):
|
def data_to_dict(self, data):
|
||||||
if self.method == "POST":
|
if self.method == "POST":
|
||||||
for arg in data.split("&"):
|
|
||||||
regex = re.compile('(.*)=(.*)')
|
# Handle JSON data
|
||||||
for name,value in regex.findall(arg):
|
if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
|
||||||
self.data[name] = value
|
self.data = json.loads(data)
|
||||||
|
|
||||||
|
# Handle FORM data
|
||||||
|
else:
|
||||||
|
for arg in data.split("&"):
|
||||||
|
regex = re.compile('(.*)=(.*)')
|
||||||
|
for name,value in regex.findall(arg):
|
||||||
|
self.data[name] = value
|
||||||
|
|
||||||
|
|
||||||
def do_request(self, param, value):
|
def do_request(self, param, value):
|
||||||
|
@ -51,12 +59,24 @@ class Requester(object):
|
||||||
if param in data_injected:
|
if param in data_injected:
|
||||||
data_injected[param] = value
|
data_injected[param] = value
|
||||||
|
|
||||||
r = requests.post(
|
|
||||||
"http://" + self.host + self.action,
|
# Handle JSON data
|
||||||
headers=self.headers,
|
if self.headers['Content-Type'] and self.headers['Content-Type'] == "application/json":
|
||||||
data=data_injected,
|
r = requests.post(
|
||||||
timeout=3
|
"http://" + self.host + self.action,
|
||||||
)
|
headers=self.headers,
|
||||||
|
json=data_injected,
|
||||||
|
timeout=3
|
||||||
|
)
|
||||||
|
|
||||||
|
# Handle FORM data
|
||||||
|
else:
|
||||||
|
r = requests.post(
|
||||||
|
"http://" + self.host + self.action,
|
||||||
|
headers=self.headers,
|
||||||
|
data=data_injected,
|
||||||
|
timeout=3
|
||||||
|
)
|
||||||
else:
|
else:
|
||||||
# String is immutable, we don't have to do a "forced" copy
|
# String is immutable, we don't have to do a "forced" copy
|
||||||
regex = re.compile(param+"=(\w+)")
|
regex = re.compile(param+"=(\w+)")
|
||||||
|
|
|
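Review bot: The Content-Type test introduced in data_to_dict and repeated in do_request indexes `self.headers['Content-Type']` directly, so a parsed request that carries no such header raises KeyError before the `and` can short-circuit, and the equality test misses the common `application/json; charset=utf-8` spelling, which silently falls through to the form branch and splits a JSON body on `&`. Assuming self.headers is a plain dict, read it with `.get()` and compare only the media type; since the same test now lives in two methods, a small helper keeps them in sync, and the two near-identical `requests.post` calls in do_request can collapse into one call that picks the `json=`/`data=` keyword. It is also worth a type check after `json.loads(data)`: a JSON array or scalar parses fine but the later `param in data_injected` test and item assignment then do not do what the caller expects. The do_request body and the construction of `data_injected` continue outside the hunk.
```python
    def _is_json_request(self):
        """Return True when the parsed request declares a JSON body.

        The header may be absent and may carry parameters such as
        "; charset=utf-8", so only the media type is compared.
        """
        content_type = self.headers.get('Content-Type', '')
        return content_type.split(';', 1)[0].strip().lower() == "application/json"

    # … unchanged: data_to_dict, now calling self._is_json_request() …
    # … unchanged: do_request signature and construction of data_injected …
        # Choose the body encoding once; requests serialises json= itself.
        body = {"json": data_injected} if self._is_json_request() else {"data": data_injected}
        r = requests.post(
            "http://" + self.host + self.action,
            headers=self.headers,
            timeout=3,
            **body
        )
```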
@ -9,14 +9,23 @@ def hello():
|
||||||
return "SSRF Example!"
|
return "SSRF Example!"
|
||||||
|
|
||||||
# do not try this at home - highly vulnerable ! (SSRF and RCE)
|
# do not try this at home - highly vulnerable ! (SSRF and RCE)
|
||||||
|
# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
|
||||||
@app.route("/ssrf", methods=['POST'])
|
@app.route("/ssrf", methods=['POST'])
|
||||||
def ssrf():
|
def ssrf():
|
||||||
data = request.values
|
data = request.values
|
||||||
|
content = command("curl {}".format(data.get('url')))
|
||||||
|
return content
|
||||||
|
|
||||||
|
# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf
|
||||||
|
@app.route("/ssrf2", methods=['POST'])
|
||||||
|
def ssrf2():
|
||||||
|
data = request.json
|
||||||
print(data)
|
print(data)
|
||||||
print(data.get('url'))
|
print(data.get('url'))
|
||||||
content = command("curl {}".format(data.get('url')))
|
content = command("curl {}".format(data.get('url')))
|
||||||
return content
|
return content
|
||||||
|
|
||||||
|
|
||||||
def command(cmd):
|
def command(cmd):
|
||||||
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
|
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
|
||||||
(out, err) = proc.communicate()
|
(out, err) = proc.communicate()
|
||||||
|
@ -25,5 +34,4 @@ def command(cmd):
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
app.run(host='127.0.0.1', port=5000, debug=True)
|
app.run(host='127.0.0.1', port=5000, debug=True)
|
||||||
# FLASK_APP=example.py flask run
|
# FLASK_APP=example.py flask run
|
||||||
# NOTE: this file should become a simple ssrf example in order to test SSRFmap
|
# NOTE: this file should become a simple ssrf example in order to test SSRFmap
|
||||||
# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
|
|
|
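Review bot: In the new ssrf2 handler `data = request.json` is used without a guard: depending on the Flask version, a body that is not JSON either leaves `data` as `None`, so `data.get('url')` raises AttributeError, or is rejected with a 415 before the handler runs, whereas the earlier ssrf handler reads `request.values`, which always yields a mapping, so the two routes fail differently for the same client mistake. A one-line guard such as `if data is None: return ("expected a JSON body", 400)` keeps the example focused on the behaviour it is meant to demonstrate. The two `print(...)` lines that now sit inside ssrf2 read as leftover debugging and could be dropped. Since the file header already marks the example as intentionally vulnerable, a short comment on ssrf2 noting that it mirrors ssrf but takes its parameter from a JSON document would tell a reader why both routes exist.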
@ -0,0 +1,13 @@
|
||||||
|
POST /ssrf2 HTTP/1.1
|
||||||
|
Host: 127.0.0.1:5000
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Referer: http://127.0.0.1:5000/
|
||||||
|
Content-Type: application/json
|
||||||
|
Content-Length: 43
|
||||||
|
Connection: close
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
|
||||||
|
{"userId":"1", "url": "http://example.com"}
|