swisskyrepo / ssrfmap Goto Github PK
View Code? Open in Web Editor NEWAutomatic SSRF fuzzer and exploitation tool
License: MIT License
Automatic SSRF fuzzer and exploitation tool
License: MIT License
function "wrapper_https" in utils.py returns "http://" and not "https://" as it should.
Hello,
Currently the Redis module won't work if the size of SERVER_HOST
or SERVER_PORT
differs from the hardcoded values.
This is because the current payload has a hardcoded value of 64 inside.
You can check how it's done in Gopherus if you want to fix this issue: https://github.com/tarunkant/Gopherus/blob/master/scripts/Redis.py
First, excellent work on the tool.
Just wondering if there's a way to get SSRFmap to automatically generate a request and crawl params by just giving it a hostname or URL, or something approximating that. Then SSRFmap could use that data to be fully automatic and not require any manual input at all. Manual mode would still be useful in case of params that are not easily found of course.
Is this possible as of now with the options and just overlooked, or would be a good new feature?
ZAP has a reasonable script that demonstrates the idea that could be made use of: https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py
when using the memecache module I don't get an error but no data is being sent. If I switch to any other module with the same request I see data being sent out.
python3 ssrfmap.py -r data/request6.txt -p l -m memecache --lhost=10.10.X.X --lport=4443 -v --level 5
/ / | ___ \ |
\ --.\
--.| |/ / | _ __ ___ __ _ _ __
--. \
--. \ /| | ' _ \ / _
| ' \
/_/ /_/ / |\ | | | | | | | | (| | |) |
_/_/_| __| || || ||_,| .__/
| |
||
static@pancake ~/T/SSRFmap (master)>
GET HTTP/1.1
Host:
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: "5e9f475f-13e5"
If-Modified-Since: Tue, 21 Apr 2020 19:19:59 GMT
Connection: close
POST /fetch HTTP/1.1
Host: somehost.local:8008
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 16
Connection: keep-alive
http://127.0.0.1
It's not currently possible to fuzz in a POST body without a parameter.
$ ssrfmap -r $(pwd)/req.txt -m portscan
_____ _________________
/ ___/ ___| ___ \ ___|
\ `--.\ `--.| |_/ / |_ _ __ ___ __ _ _ __
`--. \`--. \ /| _| '_ ` _ \ / _` | '_ \
/\__/ /\__/ / |\ \| | | | | | | | (_| | |_) |
\____/\____/\_| \_\_| |_| |_| |_|\__,_| .__/
| |
|_|
[WARNING]:No parameter (-p) defined, nothing will be tested!
[INFO]:Module 'portscan' launched !
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory:
https://inventory.rawsec.ml/tools.html#SSRFmap
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.
The badge shows to your community that your are inventoried. This also shows you care about your project and want it growing, that your tool is not an abandonware.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.
If you want to thank us, you can help make the project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care.
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan
Traceback (most recent call last):
File "ssrfmap.py", line 3, in
from core.ssrf import SSRF
ImportError: No module named core.ssrf
CAN YOU PLEASE ADD PROXY MODULE
SO THAT ALL REQUEST FROM SSRFMAP CAN BE PROXIED
/ / | ___ \ |
\ --.\
--.| |/ / | _ __ ___ __ _ _ __
--. \
--. \ /| | ' _ \ / _
| '
/_/ /_/ / |\ | | | | | | | | (| | |) |
_/_/_| __| || || ||_,| .__/
| |
||
[INFO]:Module 'readfiles' launched !
[INFO]:Reading file : /etc/passwd
window.randomToken = "xxxxxxxxxxxxxxxxxxxxxxx"
while using readfile function recieving output window.random.token
is isssume by the tool or site
I would like to check the requests send to the target. I'm pretty sure I'm getting a lot of false positives.
The -v option doesn't do anything to the output of the command.
My command:
python3 ssrfmap.py -v -r data/request.txt -p url -m networkscan
The output is the same as running it without the -v flag.
Hi,
I have the following request saved from burp to a file:
And I am running the tool as follows:
python3 ssrfmap.py -r /home/user/Desktop/ssrfmap2.txt -p file_url -m portscan --ssl
I get the following error:
[ERROR]:No injection point found ! (use -p)
For some reason, it cannot parse parameter from the request file.
Sometimes it might be needed to have an injection point after a specific place in the saved request. Such as vulnparam=test;
If you we're to define -p vulnparam using SSRFMap it would likely scrub the parameter value. It would be nice to have a bit more control over where the SSRF payload is placed if you wanted.
By convention, in python, each class name should start by an uppercase.
the tool is great, but i want to test a SSRF i got withing a header and the only option i have is the -p of parameter and isn't working... if i try portscan or networkscan it just says everything is open, same with a nonexistent header/parameter.
Can we have Adminer SSRF module for this tool? CVE-2021-21311 https://ine.com/blog/adminer-ssrf-vulnerability-cve-202121311
Here is the output of my error
Traceback (most recent call last):
File "ssrfmap.py", line 58, in
ssrf = SSRF(args)
File "/root/SSRFmap/core/ssrf.py", line 38, in init
module.exploit(self.requester, args)
File "./modules/readfiles.py", line 32, in init
print(diff)
UnicodeEncodeError: 'ascii' codec can't encode character '\xf1' in position 3839: ordinal not in ran
On running python ssrfmap.py -h
, I am seeing the following error:
Traceback (most recent call last):
File "ssrfmap.py", line 3, in <module>
from core.ssrf import SSRF
ImportError: No module named core.ssrf
Apologies but not super familiar with how Python import works, but any help on how to get this working is greatly appreciated.
[ERROR]:Bad Format
[INFO]:Module 'portscan' launched !
Traceback (most recent call last):
File "ssrfmap.py", line 42, in
ssrf = SSRF(args)
File "/usr/share/ssrfmap/core/ssrf.py", line 38, in init
module.exploit(self.requester, args)
File "./modules/portscan.py", line 15, in init
r = requester.do_request(args.param, "")
File "/usr/share/ssrfmap/core/requester.py", line 96, in do_request
return r
UnboundLocalError: local variable 'r' referenced before assignment
I used all possibles variables like -r and --level or anything else.
Hi, thanks for this tool first. Because if I do the test on my 127.0.0.1:5000 server everything works, while if I create a request with burp suite of an X site, it doesn't work well for me? For example the portscan gives me all the open ports .. Surely I'm wrong something, but I don't understand what ...
As parameter -p I enter what Burp suite tells me for example:
Host: testphp.vulnweb.com
...
...
...
Referer: http://testphp.vulnweb.com/login.php
...
uname=&pass=
Burp gives me uname=&pass=
as a parameter and I enter this note...
-p uname=&pass=
It's right?
The library urllib is old. The library requests is more convenient and easier to read and understand than urllib.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.