swisskyrepo / ssrfmap Goto Github PK

function "wrapper_https" in utils.py returns "http://" and not "https://" as it should.

when run tool i have problem

Hello,

Currently the Redis module won't work if the size of SERVER_HOST or SERVER_PORT differs from the hardcoded values.

This is because the current payload has a hardcoded value of 64 inside.

You can check how it's done in Gopherus if you want to fix this issue: https://github.com/tarunkant/Gopherus/blob/master/scripts/Redis.py

First, excellent work on the tool.

Just wondering if there's a way to get SSRFmap to automatically generate a request and crawl params by just giving it a hostname or URL, or something approximating that. Then SSRFmap could use that data to be fully automatic and not require any manual input at all. Manual mode would still be useful in case of params that are not easily found of course.

Is this possible as of now with the options and just overlooked, or would be a good new feature?

ZAP has a reasonable script that demonstrates the idea that could be made use of: https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py

@xyzkab @swisskyrepo

when using the memecache module I don't get an error but no data is being sent. If I switch to any other module with the same request I see data being sent out.

python3 ssrfmap.py -r data/request6.txt -p l -m memecache --lhost=10.10.X.X --lport=4443 -v --level 5

/ / | ___ \ |
\ --.\ --.| |/ / | _ __ ___ __ _ _ __
--. \--. \ /| | ' _ \ / _ | ' \
/_/ /_/ / |\ | | | | | | | | (| | |) |
_/_/_| __| || || ||_,| .__/
| |
||
static@pancake ~/T/SSRFmap (master)>

GET HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: "5e9f475f-13e5"
If-Modified-Since: Tue, 21 Apr 2020 19:19:59 GMT
Connection: close

POST /fetch HTTP/1.1
Host: somehost.local:8008
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 16
Connection: keep-alive

http://127.0.0.1

It's not currently possible to fuzz in a POST body without a parameter.

$ ssrfmap -r $(pwd)/req.txt -m portscan
 _____ _________________                     
/  ___/  ___| ___ \  ___|                    
\ `--.\ `--.| |_/ / |_ _ __ ___   __ _ _ __  
 `--. \`--. \    /|  _| '_ ` _ \ / _` | '_ \ 
/\__/ /\__/ / |\ \| | | | | | | | (_| | |_) |
\____/\____/\_| \_\_| |_| |_| |_|\__,_| .__/ 
                                      | |    
                                      |_|    
[WARNING]:No parameter (-p) defined, nothing will be tested!
[INFO]:Module 'portscan' launched !

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory:

https://inventory.rawsec.ml/tools.html#SSRFmap

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

• Open source: Every information is available and up to date. If an information is missing or deprecated, you are invited to (help us).
• Practical: Content is categorized and table formatted, allowing to search, browse, sort and filter.
• Fast: Using static and client side technologies resulting in fast browsing.
• Rich tables: search, sort, browse, filter, clear
• Fancy informational popups
• Badges / Shields
• Static API
• Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

• Specialized websites: Some websites are referencing tools but additional information is not available or browsable. Make additional searches take time.
• Curated lists: Curated lists are not very exhaustive, up to date or browsable and are very topic related.
• Search engines: Search engines sometimes does find nothing, some tools or resources are too unknown or non-referenced. These is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.

Badges

The badge shows to your community that your are inventoried. This also shows you care about your project and want it growing, that your tool is not an abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.

Want to thank us?

If you want to thank us, you can help make the project better known by tweeting about it! For example:

So what?

That's all, this message is just to notify you if you care.

python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

Traceback (most recent call last):
File "ssrfmap.py", line 3, in
from core.ssrf import SSRF
ImportError: No module named core.ssrf

CAN YOU PLEASE ADD PROXY MODULE
SO THAT ALL REQUEST FROM SSRFMAP CAN BE PROXIED

/ / | ___ \ |
\ --.\ --.| |/ / | _ __ ___ __ _ _ __
--. \--. \ /| | ' _ \ / _ | '
/_/ /_/ / |\ | | | | | | | | (| | |) |
_/_/_| __| || || ||_,| .__/
| |
||
[INFO]:Module 'readfiles' launched !
[INFO]:Reading file : /etc/passwd
window.randomToken = "xxxxxxxxxxxxxxxxxxxxxxx"

while using readfile function recieving output window.random.token

is isssume by the tool or site

I would like to check the requests send to the target. I'm pretty sure I'm getting a lot of false positives.

The -v option doesn't do anything to the output of the command.

My command:

python3 ssrfmap.py -v -r data/request.txt -p url -m networkscan

The output is the same as running it without the -v flag.

Hi,

I have the following request saved from burp to a file:

And I am running the tool as follows:
python3 ssrfmap.py -r /home/user/Desktop/ssrfmap2.txt -p file_url -m portscan --ssl

I get the following error:
[ERROR]:No injection point found ! (use -p)

For some reason, it cannot parse parameter from the request file.

Hi,

I'm using this script but it seems this is not reading properly JSON POST parameters.
When I write down a request and set the -p parameter, the script tells the [ERROR]:No injection point found ! (use -p) error:

Request file:

Error:

Sometimes it might be needed to have an injection point after a specific place in the saved request. Such as vulnparam=test;

If you we're to define -p vulnparam using SSRFMap it would likely scrub the parameter value. It would be nice to have a bit more control over where the SSRF payload is placed if you wanted.

By convention, in python, each class name should start by an uppercase.

the tool is great, but i want to test a SSRF i got withing a header and the only option i have is the -p of parameter and isn't working... if i try portscan or networkscan it just says everything is open, same with a nonexistent header/parameter.

Can we have Adminer SSRF module for this tool? CVE-2021-21311 https://ine.com/blog/adminer-ssrf-vulnerability-cve-202121311

Here is the output of my error

Traceback (most recent call last):
File "ssrfmap.py", line 58, in
ssrf = SSRF(args)
File "/root/SSRFmap/core/ssrf.py", line 38, in init
module.exploit(self.requester, args)
File "./modules/readfiles.py", line 32, in init
print(diff)
UnicodeEncodeError: 'ascii' codec can't encode character '\xf1' in position 3839: ordinal not in ran

On running python ssrfmap.py -h, I am seeing the following error:

Traceback (most recent call last):
  File "ssrfmap.py", line 3, in <module>
    from core.ssrf import SSRF
ImportError: No module named core.ssrf

Apologies but not super familiar with how Python import works, but any help on how to get this working is greatly appreciated.

[ERROR]:Bad Format
[INFO]:Module 'portscan' launched !
Traceback (most recent call last):
File "ssrfmap.py", line 42, in
ssrf = SSRF(args)
File "/usr/share/ssrfmap/core/ssrf.py", line 38, in init
module.exploit(self.requester, args)
File "./modules/portscan.py", line 15, in init
r = requester.do_request(args.param, "")
File "/usr/share/ssrfmap/core/requester.py", line 96, in do_request
return r
UnboundLocalError: local variable 'r' referenced before assignment

I used all possibles variables like -r and --level or anything else.

Hi, thanks for this tool first. Because if I do the test on my 127.0.0.1:5000 server everything works, while if I create a request with burp suite of an X site, it doesn't work well for me? For example the portscan gives me all the open ports .. Surely I'm wrong something, but I don't understand what ...
As parameter -p I enter what Burp suite tells me for example:
Host: testphp.vulnweb.com
...
...
...
Referer: http://testphp.vulnweb.com/login.php
...
uname=&pass=

Burp gives me uname=&pass=
as a parameter and I enter this note...
-p uname=&pass=
It's right?

The library urllib is old. The library requests is more convenient and easier to read and understand than urllib.