SSRF search vulnerabilities exploitation extended.

Overview

Extended ssrf search

This tool search for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).

First step

Rename example.app-settings.conf to app-settings.conf and adjust settings. The most important setting is the callback url. I recommend to use burp collaborator. Then you can add your urls to config/url-to-test.txt. Here the script accepts domains as well as urls with path and query parameters. If you like you can add your own cookies to config/cookie-jar.txt and add additional headers for your requests. The brute force list which is used in post and get requests is currently small, I dont thing adding 2000 parameters is smart. We should focus on those which have the highest possibility to be vulnerable. If you don't think so: just add your own!

Execution

This tool does not expect any argument via CLI, so just type:

python3 extended-ssrf-search.py

Configuration

Its possible to set a lot of options and settings, so here are some explanations.

Files

The main config file is the "app-settings.conf", everything has to be done in that file! Besides that, there are some other files which allow to set more complex data like headers, urls and cookies.

config/cookie-jar.txt

Use this file to add a cookie string. I usually copy the one which you can see in every burp request. Please just copy the value of the "Cookie:"-header. A sample input is in the default file.

config/http-headers.txt

This file defines the http headers which are added to the request and manipulated (payload is added to each one). The most important ones are already in the file. But feel free to add more.

config/parameters.txt

The tool has the option to brute force get and post parameters. In that case those parameters (+ those in the query string) will be used. Each parameter gets the payload as value. Most important are already in that file.

config/static-request-headers.txt

Those headers are added to every request, but they won't get manipulated. They are static. Thats the best place to add authorization or bearer cookies. One (Key: Value) per line!

config/urls-to-test.txt

Thats the file you need! Please add here your links to scan. The following formats are allowed:

When the last case is detected an "http://" is prepended. This tool is intended to work with a good list of urls. A good way to get one is to just export it using burp. Then you have a valid list of urls. All you need to do ist to just add your cookies.

Settings

The app-settings.conf defines the program workflow. Its the most important file, you can activate/deactivate different modules there.

Basic settings

CallbackHost

The url/host which all dns and http requests are send back - I mostly use burp collaborator here, but DNSBin or you own server is also perfect.

HTTPMethod

Defines the request method. Valid options are: GET, POST, PUT, DELETE, PATCH, GET, OPTIONS Invalid values will produce massiv errors since http.client disallows other methods! I dont check if you did something wrong here ;)

HTTPTimeout

Some requests can take long. Here you can define the max. execution time of one request. I recommend values between 2 and 6 seconds.

MaxThreads

The more threads, the faster the script is - but since we are dealing with a lot of connections I usually keep this below 10 on my personal computer and around 30 on my VPS.

ShuffleTests

Especially when dealing with a BIG list of urls having this set to "true" will shuffle all created tests. That way the same host will not get hit that much. If you scan just one host, than it doesn't matter.

GetChunkSize

When working with bigger param lists this might be handy and prevent 400 too large entity errors.

Insertion points

Each insertion point can be activated (set to true/1) or deactivated (set to false/0)

InPath

The example shows a GET request, but depending on your settings, this could also be POST, PUT, DELETE, ...

GET [INJECT HERE PAYLOAD] HTTP/1.1
...

InHost

The example shows a GET request, but depending on your settings, this could also be POST, PUT, DELETE, ...

GET /path HTTP/1.1
Host: [INJECT HERE PAYLOAD]
...

InAdditionalHeaders

The example shows a GET request, but depending on your settings, this could also be POST, PUT, DELETE, ...

GET /path HTTP/1.1
...
X-Forwarded-For: [INJECT HERE PAYLOAD]

InParamsGet

Here the Method is fixed to GET.

GET /path?[INJECT HERE PAYLOAD] HTTP/1.1
...

InParamsPost

Here the Method is fixed to POST.

POST /path HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Content-Length: XXX

[INJECT HERE PAYLOAD]

InParamsPostAsJson

Here the Method is fixed to POST.

POST /path HTTP/1.1
...
Content-Type: application/json
Content-Length: XXX

[INJECT HERE JSON-PAYLOAD]

Attacks

In the default settings this tool just tries to trigger http requests via SSRF. But its also possible to exfiltrate data using DNS, when an OS command is injected. The most common payload is "$(hostname)". There are some options which allow to use this kind of attack additionally.

UseExecPayload

Using this setting you can activate/deactivate that behaviour.

ExecPayload

Here you can define your own payload, e.g. $(uname -a)

Identifier

To make the identification a little bit easier a combination of current host and method (in short form, see Tests.py) is appended or prepended to the payload.

Position

Valid options are "append" and "prepend"!

If "append" is chosen, the payloads look like this:

....burpcollaborator.net/www.attacked-domain.com-testmethod
http://....burpcollaborator.net/www.attacked-domain.com-testmethod

If "prepend" is chosen, the payloads look like this:

www.attacked-domain.com-testmethod.burpcollaborator.net
http://www.attacked-domain.com-testmethod.burpcollaborator.net/

Tunneling

Its also possible to use a tunnel, e.g. "127.0.0.1:8080" (Burp Proxy), to monitor all traffic within Burp.

Active

Setting this to "true" will force the script to use a tunneled connection.

Tunnel

Set here your proxy server "ip:port".

The result is the following one, when you open Burp you can watch your http history:

Screen

Screenshot

Screen

Feature requests

Please just create an issue and tag it as a feature request.

Please just create an issue and tag it as a feature request.

Support

Do you like that tool? Did it help you to get a bounty? Want to give something back/support me? Why not!

Donate via PayPal: CLICK

You might also like...
A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.
A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.

TProxer A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF. How • Install • Todo • Join Discord How it works

Safety checks your installed dependencies for known security vulnerabilities
Safety checks your installed dependencies for known security vulnerabilities

Safety checks your installed dependencies for known security vulnerabilities. By default it uses the open Python vulnerability database Safety DB, but

A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

An open-source post-exploitation framework for students, researchers and developers.
An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Pupy Installation Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to u

 Crowbar - A windows post exploitation tool
Crowbar - A windows post exploitation tool

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

Proof-of-concept obfuscation toolkit for C# post-exploitation tools
Proof-of-concept obfuscation toolkit for C# post-exploitation tools

InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio proj

SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly identify the weakness.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

Releases(ssrfmain)
Owner
Andri Wahyudi
@Hacker0x01 @Zerocopter
Andri Wahyudi
PwdGen is a Python Tkinter tool for generating secure 16 digit passwords.

PwdGen ( Password Generator ) is a Python Tkinter tool for generating secure 16 digit passwords. Installation Simply install requirements pip install

zJairO 7 Jul 14, 2022
Python DNS Lookup: The Domain Name System (DNS) is basically the phonebook of the Internet

-Python-DNS-Lookup- ✨ 🌟 Python DNS Lookup ✨ 🌟 The Domain Name System (DNS) is

Ronnie Atuhaire 2 Feb 14, 2022
Show apps recorded storage files by jailbreak

0x101 Show registered storage files of apps by jailbreak Legal disclaimer: Usage of insTof for attacking targets without prior mutual consent is illeg

0x 4 Oct 24, 2022
A secure way of storing your passwords.

StrongBox 🔐 A secure way of storing your passwords. 🔑 Why to use StrongBox? StrongBox makes it possible to have a random generated strong password i

Dylan Tintenfich 5 Dec 25, 2021
compact and speedy hash cracker for md5, sha1, and sha256 hashes

hash-cracker hash cracker is a multi-functional and compact...hash cracking tool...that supports dictionary attacks against three kinds of hashes: md5

Abdullah Ansari 3 Feb 22, 2022
Fast Fb Cracking Tool

fb-brute Fast Fb Cracking Tool 🏆

Aryan 8 Jun 29, 2022
edgedressing leverages a Windows "feature" in order to force a target's Edge browser to open. This browser is then directed to a URL of choice.

edgedressing One day while experimenting with airpwn-ng, I noticed unexpected GET requests on the target node. The node in question happened to be a W

stryngs 43 Dec 23, 2022
A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022
Code to do NF in HDR,HEVC,HPL,MPL

Netflix-DL 6.0 |HDR-HEVC-MPL-HPL NOT Working| ! Buy working netflix cdm from [em

4 Dec 28, 2021
A simple Outline Server Access Key Copy and Paste Web Interface

Outline Keychain A simple Outline Server Access Key Copy and Paste Web Interface Developed for key and password export and copy & paste for other Shad

Zhe 1 Dec 28, 2021
OpenPort scanner GUI tool (CNMAP)

CNMAP-GUI- OpenPort scanner GUI tool (CNMAP) as you know it is the advanced tool to find open port, firewalls and we also added here heartbleed scanni

9 Mar 05, 2022
Threat research and reporting from IronNet's Threat Research Teams

IronNet Threat Research 🕵️ Overview This repository contains IronNet's Threat Research. Research & Reporting 📝 Project Description Cobalt Strike Res

36 Dec 02, 2022
Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specifica

js-on 7 Nov 09, 2022
Microsoft Exchange Server SSRF漏洞(CVE-2021-26855)

Microsoft_Exchange_Server_SSRF_CVE-2021-26855 zoomeye dork:app:"Microsoft Exchange Server" 使用Seebug工具箱及pocsuite3编写的脚本Microsoft_Exchange_Server_SSRF_CV

conjojo 37 Nov 12, 2022
A simple password generator using Python Tkinter.

Password-Generator-using-Python A simple password generator that generates password for you. User can Copy the password to Clipboard. Project made usi

Prashant Agheda 1 Nov 02, 2022
Python exploit for vsftpd 2.3.4 - Backdoor Command Execution

CVE-2011-2523 - vsftpd 2.3.4 Exploit Discription vsftpd, which stands for Very Secure FTP Daemon,is an FTP server for Unix-like systems, including Lin

Padsala Tushal 5 Nov 08, 2022
wsvuls - website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.]

WSVuls Website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.] What's WSVuls? WSVuls is a simple and powerf

Anouar Ben Saad 47 Sep 22, 2022
An ARP Spoofer attacker for windows to block away devices from your network.

arp0_attacker An ARP Spoofer-attacker for Windows -OS to block away devices from your network. INFO Built in Python 3.8.2. arp0_attackerx.py is Upgrad

Wh0_ 15 Mar 17, 2022
Burp Suite extension for encoding/decoding EVM calldata

unblocker Burp Suite extension for encoding/decoding EVM calldata 0x00_prerequisites Burp Suite Java 8+ Python 2.7 0x01_installation clone this reposi

Halborn 16 Aug 30, 2022
Discord Region Swapping Exploit (VC Overload)

Discord-VC-Exploit Discord Region Swapping Exploit (VC Overload) aka VC Crasher How does this work? Discord has multiple servers that lets people arou

Rainn 11 Sep 10, 2022