ssrf_proxy 0.0.2 → 0.0.3
- checksums.yaml +15 -0
- data/LICENSE.md +22 -0
- data/README.md +222 -0
- data/bin/console +24 -0
- data/bin/setup +6 -0
- data/bin/ssrf-proxy +170 -153
- data/lib/ssrf_proxy/http.rb +911 -1227
- data/lib/ssrf_proxy/server.rb +298 -118
- data/lib/ssrf_proxy/version.rb +12 -4
- data/lib/ssrf_proxy.rb +37 -10
- metadata +162 -39
- data/bin/ssrf-scan +0 -452
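--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+metadata.gz: !binary |-
+OWNjNWNkNjA2ZjI0NjQ4MWNkMzhhMTM2ZWIxZDQzNTFiMjg1ZmNhZg==
+data.tar.gz: !binary |-
+MThiZTIzYzZjOGZlMDMzNzdhZjFiYWEzNGMyZDVlNjBhYTM5MTVhYg==
+SHA512:
+metadata.gz: !binary |-
+YTY0N2I2YWFhNjUzODYyODQzN2QyOTliMjZlN2Y1YjJmYzQ4ZTZhNjQxNmNh
+MGM2Y2RiZThmY2I5YzBlOTE4Nzk2ZWU5YTI1YzViOGNhMTE4YjUzMjYwOTc5
+NjVmOGVjYTJhYThmYjZkZDYxNmIzYzk5N2I2NTVhMzhiZDcxMjA=
+data.tar.gz: !binary |-
+NWY4ZjI4NTllZTViYzZlYzZmNDhjNzMzYzgxNjY1YjU1OWUyNzcwMmM3OWFi
+N2FjZGU4ZTc2OGUxOWVlYWNlMjlmY2I1ZmI4YzBlMjZkZThlZjkxMzIwYTli
+ZWU4YzIxYzI4MDAyNGFjYmNiOWFhNDIxZTJjYTE4YjlmN2NjMGE=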
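--- a/data/LICENSE.md
+++ b/data/LICENSE.md
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015-2016 Brendan Coles <bcoles@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+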
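--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,222 @@
+# SSRF Proxy
+
+<a href="https://github.com/bcoles/ssrf_proxy" target="_blank">
+<img src="https://img.shields.io/badge/version-0.0.3-brightgreen.svg"/>
+</a>
+<a href="https://travis-ci.org/bcoles-ci/ssrf_proxy" target="_blank">
+<img src="https://api.travis-ci.org/bcoles-ci/ssrf_proxy.svg?branch=master"/>
+</a>
+<a href="https://www.versioneye.com/ruby/ssrf_proxy/" target="_blank">
+<img src="https://img.shields.io/versioneye/d/ruby/ssrf_proxy.svg"/>
+</a>
+<a href="https://hakiri.io/github/bcoles-ci/ssrf_proxy/master/" target="_blank">
+<img src="https://hakiri.io/github/bcoles-ci/ssrf_proxy/master.svg"/>
+</a>
+<a href="https://codeclimate.com/github/bcoles/ssrf_proxy" target="_blank">
+<img src="https://codeclimate.com/github/bcoles/ssrf_proxy/badges/gpa.svg"/>
+</a>
+<a href="https://coveralls.io/github/bcoles-ci/ssrf_proxy?branch=master" target="_blank">
+<img src="https://coveralls.io/repos/github/bcoles-ci/ssrf_proxy/badge.svg?branch=master"/>
+</a>
+<a href="https://inch-ci.org/github/bcoles/ssrf_proxy" target="_blank">
+<img src="https://inch-ci.org/github/bcoles/ssrf_proxy.svg?branch=master"/>
+</a>
+<a href="https://github.com/bcoles/ssrf_proxy/blob/master/LICENSE.md" target="_blank">
+<img src="https://img.shields.io/badge/license-MIT-brightgreen.svg"/>
+</a>
+
+**SSRF Proxy** is a multi-threaded HTTP proxy server designed
+to tunnel client HTTP traffic through HTTP servers vulnerable
+to HTTP Server-Side Request Forgery (SSRF).
+
+Once configured, SSRF Proxy attempts to format client HTTP
+requests appropriately for the vulnerable server. Likewise,
+the server's response is parsed and formatted for the client.
+
+By correctly formatting the client request and stripping
+unwanted junk from the response it is possible to use
+SSRF Proxy as a HTTP proxy for web browsers and scanning
+tools such as sqlmap and nikto.
+
+SSRF Proxy also assists with leveraging blind SSRF
+vulnerabilities to perform time-based attacks, such
+as blind time-based SQL injection with sqlmap.
+
+<table>
+<tr>
+<th>Version</th>
+<td>0.0.3</td>
+</tr>
+<tr>
+<th>Github</th>
+<td>
+<a href="https://github.com/bcoles/ssrf_proxy">https://github.com/bcoles/ssrf_proxy</a>
+</td>
+</tr>
+<tr>
+<th>Wiki</th>
+<td><a href="https://github.com/bcoles/ssrf_proxy/wiki">https://github.com/bcoles/ssrf_proxy/wiki</a></td>
+</tr>
+<tr>
+<th>Documentation</th>
+<td>
+<a href="http://www.rubydoc.info/github/bcoles/ssrf_proxy" target="_blank">http://www.rubydoc.info/github/bcoles/ssrf_proxy</a>
+</td>
+</tr>
+<tr>
+<th>Author</th>
+<td>Brendan Coles</td>
+</tr>
+<tr>
+<th>Copyright</th>
+<td>2015-2016 Brendan Coles</td>
+</tr>
+<tr>
+<th>License</th>
+<td>MIT - (see <a href="https://github.com/bcoles/ssrf_proxy/blob/master/LICENSE.md">LICENSE.md</a> file)</td>
+</tr>
+</table>
+
+
+## Requirements
+
+Ruby 1.9.3 or newer
+
+Ruby Gems:
+
+- celluloid-io
+- webrick
+- logger
+- colorize
+- ipaddress
+- base32
+- htmlentities
+- socksify
+
+## Installation
+
+```
+$ gem install ssrf_proxy
+```
+
+## Usage (command line)
+
+```
+Usage: ssrf-proxy [options] -u <SSRF URL>
+Example: ssrf-proxy -u http://target/?url=xxURLxx
+Options:
+
+-h, --help Help
+-v, --verbose Verbose output
+-d, --debug Debugging output
+
+Server options:
+-p, --port=PORT Listen port (Default: 8081)
+--interface=IP Listen interface (Default: 127.0.0.1)
+
+SSRF request options:
+-u, --url=URL SSRF URL with 'xxURLxx' placeholder
+--method=METHOD HTTP method (GET/HEAD/DELETE/POST/PUT)
+(Default: GET)
+--post-data=DATA HTTP post data
+--cookie=COOKIE HTTP cookies (separated by ';')
+--user-agent=AGENT HTTP user-agent (Default: Mozilla/5.0)
+--rules=RULES Rules for parsing client request for xxURLxx
+(separated by ',') (Default: none)
+
+SSRF connection options:
+--proxy=PROXY Use a proxy to connect to the server.
+(Supported proxies: http, https, socks)
+--insecure Skip server SSL certificate validation.
+--timeout=SECONDS Connection timeout in seconds (Default: 10)
+
+HTTP response modification:
+--match=REGEX Regex to match response body content.
+(Default: \A(.*)\z)
+--strip=HEADERS Headers to remove from the response.
+(separated by ',') (Default: none)
+--decode-html Decode HTML entities in response body.
+--guess-status Replaces response status code and message
+headers (determined by common strings in the
+response body, such as 404 Not Found.)
+--guess-mime Replaces response content-type header with the
+appropriate mime type (determined by the file
+extension of the requested resource.)
+--ask-password Prompt for password on authentication failure.
+Adds a 'WWW-Authenticate' HTTP header to the
+response if the response code is 401.
+
+Client request modification:
+--forward-cookies Forward client HTTP cookies through proxy to
+SSRF server.
+--cookies-to-uri Add client request cookies to URI query.
+--body-to-uri Add client request body to URI query.
+--auth-to-uri Use client request basic authentication
+credentials in request URI.
+--ip-encoding=MODE Encode client request host IP address.
+(Modes: int, ipv6, oct, hex, dotted_hex)
+
+
+```
+
+
+## Usage (ruby)
+
+First, create a new SSRFProxy::HTTP object:
+
+```
+# SSRF URL with 'xxURLxx' placeholder
+url = 'http://example.local/index.php?url=xxURLxx'
+# options
+opts = {
+'proxy' => '',
+'method' => 'GET',
+'post_data' => '',
+'rules' => '',
+'ip_encoding' => '',
+'match' => "\\A(.+)\\z",
+'strip' => '',
+'decode_html' => false,
+'guess_mime' => false,
+'guess_status' => false,
+'ask_password' => false,
+'forward_cookies'=> false,
+'body_to_uri' => false,
+'auth_to_uri' => false,
+'cookies_to_uri' => false,
+'cookie' => '',
+'timeout' => 10,
+'user_agent' => 'Mozilla/5.0',
+'insecure' => false
+}
+# create SSRFProxy::HTTP object
+ssrf = SSRFProxy::HTTP.new(url, opts)
+# set log level (optional)
+ssrf.logger.level = Logger::DEBUG
+```
+
+Then send HTTP requests via the SSRF:
+
+```
+# fetch http://127.0.0.1/ via SSRF by String
+uri = 'http://127.0.0.1/'
+ssrf.send_uri(uri)
+
+
+# fetch http://127.0.0.1/ via SSRF by URI
+uri = URI.parse('http://127.0.0.1/')
+ssrf.send_uri(uri)
+
+
+# fetch http://127.0.0.1/ via SSRF using a raw HTTP request
+http = "GET http://127.0.0.1/ HTTP/1.1\n\n"
+ssrf.send_request(http)
+```
+
+## Documentation
+
+Refer to the wiki for more information and example usage:
+https://github.com/bcoles/ssrf_proxy/wiki
+
+Refer to RubyDoc for code documentation:
+http://www.rubydoc.info/github/bcoles/ssrf_proxy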
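--- a/data/bin/console
+++ b/data/bin/console
@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+#
+# Copyright (c) 2015-2016 Brendan Coles <bcoles@gmail.com>
+# SSRF Proxy - https://github.com/bcoles/ssrf_proxy
+# See the file 'LICENSE.md' for copying permission
+#
+
+require 'irb'
+require 'irb/completion'
+
+begin
+puts "\n_________________________________________________________\n"
+puts SSRFProxy::BANNER
+puts "\n SSRF Proxy v#{SSRFProxy::VERSION}"
+puts " https://github.com/bcoles/ssrf_proxy\n"
+puts "\n_________________________________________________________\n\n"
+
+puts "SSRFProxy[#{SSRFProxy::VERSION}], " \
+"Ruby[#{RUBY_VERSION}], " \
+"Platform[#{RUBY_PLATFORM}]"
+rescue => e
+puts "Error: Could not load SSRFProxy: #{e.message}"
+end
+IRB.start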
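Review bot: Nothing in this script loads the library before the `begin` block reads `SSRFProxy::BANNER` and `SSRFProxy::VERSION`; the only requires are `irb` and `irb/completion`. Unless the caller preloads the gem (for example with `ruby -rssrf_proxy`), the first constant reference raises NameError, the rescue prints "Could not load SSRFProxy" although no load was attempted, and IRB starts without the library. Adding `require 'ssrf_proxy'` as the first line inside `begin` would make the console usable on its own and the message accurate. Because `LoadError` is not a `StandardError`, the bare `rescue => e` would then miss a failed require, so the handler should become `rescue LoadError, StandardError => e`.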