https://github.com/bcoles/ssrf_proxy

SSRF Proxy facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery.
https://github.com/bcoles/ssrf_proxy

magic proxy ssrf ssrf-proxy

Last synced: 26 days ago
JSON representation

SSRF Proxy facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery.

• Host: GitHub
• URL: https://github.com/bcoles/ssrf_proxy
• Owner: bcoles
• License: mit
• Created: 2015-10-02T06:01:19.000Z (about 9 years ago)
• Default Branch: master
• Last Pushed: 2018-01-01T00:58:25.000Z (almost 7 years ago)
• Last Synced: 2024-11-07T03:18:21.596Z (about 1 month ago)
• Topics: magic, proxy, ssrf, ssrf-proxy
• Language: Ruby
• Homepage:
• Size: 452 KB
• Stars: 444
• Watchers: 10
• Forks: 73
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.md

Awesome Lists containing this project

• awesome-network-stuff - **257**星 - Side Request Forgery. (<a id="01e6651181d405ecdcd92a452989e7e0"></a>工具 / <a id="ea4dfcd8f33ec1852180c6283b2c8516"></a>未分类)
• awesome-hacking-lists - bcoles/ssrf_proxy - SSRF Proxy facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery. (Ruby)

README

        
# SSRF Proxy



  





  





  





  





  





  





  





  



**SSRF Proxy** is a multi-threaded HTTP proxy server designed

to tunnel client HTTP traffic through HTTP servers vulnerable

to Server-Side Request Forgery (SSRF).

Once configured, SSRF Proxy attempts to format client HTTP

requests appropriately for the vulnerable server. Likewise,

the server's response is parsed and formatted for the client.

By correctly formatting the client request and stripping

unwanted junk from the response it is possible to use

SSRF Proxy as a HTTP proxy for web browsers, proxychains,

and scanning tools such as sqlmap, nmap, dirb and nikto.

SSRF Proxy also assists with leveraging blind SSRF

vulnerabilities to perform time-based attacks, such

as blind time-based SQL injection with sqlmap.

  

    Version

    

      

        

      

    

  

  

    Github

    

      https://github.com/bcoles/ssrf_proxy

    

  

  

    Wiki

    

      https://github.com/bcoles/ssrf_proxy/wiki

    

  

  

    Documentation

    

      http://www.rubydoc.info/github/bcoles/ssrf_proxy

    

  

  

    Author

    Brendan Coles

  

  

    Copyright

    2015-2017 Brendan Coles

  

  

    License

    

      

        

      

    

  

## Requirements

Ruby 2.2.2 or newer.

Ruby Gems:

- celluloid-io

- webrick

- logger

- colorize

- ipaddress

- base32

- htmlentities

- socksify

- mimemagic

## Installation

```

$ gem install ssrf_proxy

```

## Usage (command line)

```

Usage:   ssrf-proxy [options] -u 

Example: ssrf-proxy -u http://target/?url=xxURLxx

Options:

   -h, --help             Help

       --version          Display version

  Output options:

   -v, --verbose          Verbose output

   -d, --debug            Debugging output

       --no-color         Disable colored output

  Server options:

   -p, --port=PORT        Listen port (Default: 8081)

       --interface=IP     Listen interface (Default: 127.0.0.1)

  SSRF request options:

   -u, --url=URL          Target URL vulnerable to SSRF.

   -f, --file=FILE        Load HTTP request from a file.

       --placeholder=STR  Placeholder indicating SSRF insertion point.

                          (Default: xxURLxx)

       --method=METHOD    HTTP method (GET/HEAD/DELETE/POST/PUT/OPTIONS)

                          (Default: GET)

       --post-data=DATA   HTTP post data

       --cookie=COOKIE    HTTP cookies (separated by ';')

       --user=USER[:PASS] HTTP basic authentication credentials.

       --user-agent=AGENT HTTP user-agent (Default: none)

       --rules=RULES      Rules for parsing client request

                          (separated by ',') (Default: none)

       --no-urlencode     Do not URL encode client request

  SSRF connection options:

       --ssl              Connect using SSL/TLS.

       --proxy=PROXY      Use a proxy to connect to the server.

                          (Supported proxies: http, https, socks)

       --insecure         Skip server SSL certificate validation.

       --timeout=SECONDS  Connection timeout in seconds (Default: 10)

  HTTP response modification:

       --match=REGEX      Regex to match response body content.

                          (Default: \A(.*)\z)

       --strip=HEADERS    Headers to remove from the response.

                          (separated by ',') (Default: none)

       --decode-html      Decode HTML entities in response body.

       --unescape         Unescape special characters in response body.

       --guess-status     Replaces response status code and message

                          headers (determined by common strings in the

                          response body, such as 404 Not Found.)

       --guess-mime       Replaces response content-type header with the

                          appropriate mime type (determined by the file

                          extension of the requested resource.)

       --sniff-mime       Replaces response content-type header with the

                          appropriate mime type (determined by magic bytes

                          in the response body.)

       --timeout-ok       Replaces timeout HTTP status code 504 with 200.

       --detect-headers   Replaces response headers if response headers

                          are identified in the response body.

       --fail-no-content  Return HTTP status 502 if the response body

                          is empty.

       --cors             Adds a 'Access-Control-Allow-Origin: *' header.

  Client request modification:

       --forward-method   Forward client request method.

       --forward-headers  Forward all client request headers.

       --forward-body     Forward client request body.

       --forward-cookies  Forward client request cookies.

       --cookies-to-uri   Add client request cookies to URI query string.

       --body-to-uri      Add client request body to URI query string.

       --auth-to-uri      Use client request basic authentication

                          credentials in request URI.

       --ip-encoding=MODE Encode client request host IP address.

                          (Modes: int, ipv6, oct, hex, dotted_hex)

       --cache-buster     Append a random value to the client request

                          query string.

```

## Usage (ruby)

Load the ```ssrf_proxy``` library:

```ruby

  require 'ssrf_proxy'

```

Initialize the `SSRFProxy::HTTP` object:

```ruby

  # Initialize with a URL containing 'xxURLxx' placeholder

  ssrf = SSRFProxy::HTTP.new(url: 'http://example.local/?url=xxURLxx')

  # Or, provide the placeholder elsewhere in the request

  ssrf = SSRFProxy::HTTP.new(url: 'http://example.local/', method: 'POST', post_data: 'xxURLxx')

  # Alternatively, the object can be initialized

  # with a file containing a raw HTTP request:

  ssrf = SSRFProxy::HTTP.new(file: 'ssrf.txt')

  # Or, initialized with a StringIO object containing a raw HTTP request:

  http = StringIO.new("GET http://example.local/?url=xxURLxx HTTP/1.1\n\n")

  ssrf = SSRFProxy::HTTP.new(file: http)

```

Refer to the documentation for additional configuration options.

Once initialized, the `SSRFProxy::HTTP` object can be used to send HTTP

requests via the SSRF using the ```send_uri``` and ```send_request``` methods.

```ruby

  # GET via SSRF

  ssrf.send_uri('http://127.0.0.1/')

  # POST via SSRF

  ssrf.send_uri('http://127.0.0.1/', method: 'POST', headers: {}, body: '')

  # GET via SSRF (using a raw HTTP request)

  ssrf.send_request("GET http://127.0.0.1/ HTTP/1.1\n\n")

```

Refer to the documentation for additional request options.

## Documentation

Refer to the wiki for more information and example usage:

https://github.com/bcoles/ssrf_proxy/wiki

Refer to RubyDoc for code documentation:

http://www.rubydoc.info/github/bcoles/ssrf_proxy