Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/iamultra/ssrfsocks
Creates a SOCK proxy server that transmits data over an SSRF vulnerability
https://github.com/iamultra/ssrfsocks
Last synced: 21 days ago
JSON representation
Creates a SOCK proxy server that transmits data over an SSRF vulnerability
- Host: GitHub
- URL: https://github.com/iamultra/ssrfsocks
- Owner: iamultra
- Created: 2012-08-08T07:52:12.000Z (over 12 years ago)
- Default Branch: master
- Last Pushed: 2012-08-08T17:55:50.000Z (over 12 years ago)
- Last Synced: 2024-08-05T17:44:02.605Z (4 months ago)
- Language: Python
- Size: 162 KB
- Stars: 116
- Watchers: 6
- Forks: 34
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - iamultra/ssrfsocks - Creates a SOCK proxy server that transmits data over an SSRF vulnerability (Python)
README
ssrfsocks: SOCKS-based SSRF tunneling proxy
ssrfsocks utilizes an existing Server-Side Request Forgercy vulnerability to
tunnel traffic through it. This code acts as a SOCKS4 proxy server, and
relays traffic through the SSRF vuln and returns the result. This concept is
based on the Blackhat 2012 presentation by Polyakov & Chastukhin on SSRF and
XXE tunneling.Limitations:
Due to the nature of SSRF vulnerabilities, only one response is made from a
request. This means that it is not possible to run an interactive session. We
can however send single-shot messages to internal services. This means it's
possible to, for example, send an email via SMTP, and grab the banner of most
services. This will tend to be most useful with simple protocols like SMTP
and HTTP, and ineffective with protocols such as SSH and TLS.Example:
$ ./ssrfproxy "http://victim.com/openurl?url="
listener ready on port 65432$ echo -e "HELO localhost\nMAIL FROM:[email protected]\nRCPT TO: [email protected]\nDATA\nSubject: test\n\nthis is a test\n.\nQUIT\n" \
| proxychains nc 127.0.0.1 25In the above scenario, it's necessary to configure proxychains.conf:
[ProxyList]
socks4 127.0.0.1 65432Testing:
Currently, the SOCKS4A code is untested, as proxychains doesn't seem to
support it. I found limited success with running nmap over this proxy, as
nmap reports closed ports as open, and some open ports as closed.
This script was tested against a vulnerable app that passed a user-controlled
value to code that treated the value as a URI, fetched it, and returned the
result. It's likely not usable against XXE vulnerabilities without some
modification.