ssrf_proxy 0.0.2 → 0.0.3
- checksums.yaml +15 -0
- data/LICENSE.md +22 -0
- data/README.md +222 -0
- data/bin/console +24 -0
- data/bin/setup +6 -0
- data/bin/ssrf-proxy +170 -153
- data/lib/ssrf_proxy/http.rb +911 -1227
- data/lib/ssrf_proxy/server.rb +298 -118
- data/lib/ssrf_proxy/version.rb +12 -4
- data/lib/ssrf_proxy.rb +37 -10
- metadata +162 -39
- data/bin/ssrf-scan +0 -452
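--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+metadata.gz: !binary |-
+OWNjNWNkNjA2ZjI0NjQ4MWNkMzhhMTM2ZWIxZDQzNTFiMjg1ZmNhZg==
+data.tar.gz: !binary |-
+MThiZTIzYzZjOGZlMDMzNzdhZjFiYWEzNGMyZDVlNjBhYTM5MTVhYg==
+SHA512:
+metadata.gz: !binary |-
+YTY0N2I2YWFhNjUzODYyODQzN2QyOTliMjZlN2Y1YjJmYzQ4ZTZhNjQxNmNh
+MGM2Y2RiZThmY2I5YzBlOTE4Nzk2ZWU5YTI1YzViOGNhMTE4YjUzMjYwOTc5
+NjVmOGVjYTJhYThmYjZkZDYxNmIzYzk5N2I2NTVhMzhiZDcxMjA=
+data.tar.gz: !binary |-
+NWY4ZjI4NTllZTViYzZlYzZmNDhjNzMzYzgxNjY1YjU1OWUyNzcwMmM3OWFi
+N2FjZGU4ZTc2OGUxOWVlYWNlMjlmY2I1ZmI4YzBlMjZkZThlZjkxMzIwYTli
+ZWU4YzIxYzI4MDAyNGFjYmNiOWFhNDIxZTJjYTE4YjlmN2NjMGE=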
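--- a/data/LICENSE.md
+++ b/data/LICENSE.md
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015-2016 Brendan Coles <bcoles@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+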
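--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,222 @@
+# SSRF Proxy
+
+<a href="https://github.com/bcoles/ssrf_proxy" target="_blank">
+<img src="https://img.shields.io/badge/version-0.0.3-brightgreen.svg"/>
+</a>
+<a href="https://travis-ci.org/bcoles-ci/ssrf_proxy" target="_blank">
+<img src="https://api.travis-ci.org/bcoles-ci/ssrf_proxy.svg?branch=master"/>
+</a>
+<a href="https://www.versioneye.com/ruby/ssrf_proxy/" target="_blank">
+<img src="https://img.shields.io/versioneye/d/ruby/ssrf_proxy.svg"/>
+</a>
+<a href="https://hakiri.io/github/bcoles-ci/ssrf_proxy/master/" target="_blank">
+<img src="https://hakiri.io/github/bcoles-ci/ssrf_proxy/master.svg"/>
+</a>
+<a href="https://codeclimate.com/github/bcoles/ssrf_proxy" target="_blank">
+<img src="https://codeclimate.com/github/bcoles/ssrf_proxy/badges/gpa.svg"/>
+</a>
+<a href="https://coveralls.io/github/bcoles-ci/ssrf_proxy?branch=master" target="_blank">
+<img src="https://coveralls.io/repos/github/bcoles-ci/ssrf_proxy/badge.svg?branch=master"/>
+</a>
+<a href="https://inch-ci.org/github/bcoles/ssrf_proxy" target="_blank">
+<img src="https://inch-ci.org/github/bcoles/ssrf_proxy.svg?branch=master"/>
+</a>
+<a href="https://github.com/bcoles/ssrf_proxy/blob/master/LICENSE.md" target="_blank">
+<img src="https://img.shields.io/badge/license-MIT-brightgreen.svg"/>
+</a>
+
+**SSRF Proxy** is a multi-threaded HTTP proxy server designed
+to tunnel client HTTP traffic through HTTP servers vulnerable
+to HTTP Server-Side Request Forgery (SSRF).
+
+Once configured, SSRF Proxy attempts to format client HTTP
+requests appropriately for the vulnerable server. Likewise,
+the server's response is parsed and formatted for the client.
+
+By correctly formatting the client request and stripping
+unwanted junk from the response it is possible to use
+SSRF Proxy as a HTTP proxy for web browsers and scanning
+tools such as sqlmap and nikto.
+
+SSRF Proxy also assists with leveraging blind SSRF
+vulnerabilities to perform time-based attacks, such
+as blind time-based SQL injection with sqlmap.
+
+<table>
+<tr>
+<th>Version</th>
+<td>0.0.3</td>
+</tr>
+<tr>
+<th>Github</th>
+<td>
+<a href="https://github.com/bcoles/ssrf_proxy">https://github.com/bcoles/ssrf_proxy</a>
+</td>
+</tr>
+<tr>
+<th>Wiki</th>
+<td><a href="https://github.com/bcoles/ssrf_proxy/wiki">https://github.com/bcoles/ssrf_proxy/wiki</a></td>
+</tr>
+<tr>
+<th>Documentation</th>
+<td>
+<a href="http://www.rubydoc.info/github/bcoles/ssrf_proxy" target="_blank">http://www.rubydoc.info/github/bcoles/ssrf_proxy</a>
+</td>
+</tr>
+<tr>
+<th>Author</th>
+<td>Brendan Coles</td>
+</tr>
+<tr>
+<th>Copyright</th>
+<td>2015-2016 Brendan Coles</td>
+</tr>
+<tr>
+<th>License</th>
+<td>MIT - (see <a href="https://github.com/bcoles/ssrf_proxy/blob/master/LICENSE.md">LICENSE.md</a> file)</td>
+</tr>
+</table>
+
+
+## Requirements
+
+Ruby 1.9.3 or newer
+
+Ruby Gems:
+
+- celluloid-io
+- webrick
+- logger
+- colorize
+- ipaddress
+- base32
+- htmlentities
+- socksify
+
+## Installation
+
+```
+$ gem install ssrf_proxy
+```
+
+## Usage (command line)
+
+```
+Usage: ssrf-proxy [options] -u <SSRF URL>
+Example: ssrf-proxy -u http://target/?url=xxURLxx
+Options:
+
+-h, --help Help
+-v, --verbose Verbose output
+-d, --debug Debugging output
+
+Server options:
+-p, --port=PORT Listen port (Default: 8081)
+--interface=IP Listen interface (Default: 127.0.0.1)
+
+SSRF request options:
+-u, --url=URL SSRF URL with 'xxURLxx' placeholder
+--method=METHOD HTTP method (GET/HEAD/DELETE/POST/PUT)
+(Default: GET)
+--post-data=DATA HTTP post data
+--cookie=COOKIE HTTP cookies (separated by ';')
+--user-agent=AGENT HTTP user-agent (Default: Mozilla/5.0)
+--rules=RULES Rules for parsing client request for xxURLxx
+(separated by ',') (Default: none)
+
+SSRF connection options:
+--proxy=PROXY Use a proxy to connect to the server.
+(Supported proxies: http, https, socks)
+--insecure Skip server SSL certificate validation.
+--timeout=SECONDS Connection timeout in seconds (Default: 10)
+
+HTTP response modification:
+--match=REGEX Regex to match response body content.
+(Default: \A(.*)\z)
+--strip=HEADERS Headers to remove from the response.
+(separated by ',') (Default: none)
+--decode-html Decode HTML entities in response body.
+--guess-status Replaces response status code and message
+headers (determined by common strings in the
+response body, such as 404 Not Found.)
+--guess-mime Replaces response content-type header with the
+appropriate mime type (determined by the file
+extension of the requested resource.)
+--ask-password Prompt for password on authentication failure.
+Adds a 'WWW-Authenticate' HTTP header to the
+response if the response code is 401.
+
+Client request modification:
+--forward-cookies Forward client HTTP cookies through proxy to
+SSRF server.
+--cookies-to-uri Add client request cookies to URI query.
+--body-to-uri Add client request body to URI query.
+--auth-to-uri Use client request basic authentication
+credentials in request URI.
+--ip-encoding=MODE Encode client request host IP address.
+(Modes: int, ipv6, oct, hex, dotted_hex)
+
+
+```
+
+
+## Usage (ruby)
+
+First, create a new SSRFProxy::HTTP object:
+
+```
+# SSRF URL with 'xxURLxx' placeholder
+url = 'http://example.local/index.php?url=xxURLxx'
+# options
+opts = {
+'proxy' => '',
+'method' => 'GET',
+'post_data' => '',
+'rules' => '',
+'ip_encoding' => '',
+'match' => "\\A(.+)\\z",
+'strip' => '',
+'decode_html' => false,
+'guess_mime' => false,
+'guess_status' => false,
+'ask_password' => false,
+'forward_cookies'=> false,
+'body_to_uri' => false,
+'auth_to_uri' => false,
+'cookies_to_uri' => false,
+'cookie' => '',
+'timeout' => 10,
+'user_agent' => 'Mozilla/5.0',
+'insecure' => false
+}
+# create SSRFProxy::HTTP object
+ssrf = SSRFProxy::HTTP.new(url, opts)
+# set log level (optional)
+ssrf.logger.level = Logger::DEBUG
+```
+
+Then send HTTP requests via the SSRF:
+
+```
+# fetch http://127.0.0.1/ via SSRF by String
+uri = 'http://127.0.0.1/'
+ssrf.send_uri(uri)
+
+
+# fetch http://127.0.0.1/ via SSRF by URI
+uri = URI.parse('http://127.0.0.1/')
+ssrf.send_uri(uri)
+
+
+# fetch http://127.0.0.1/ via SSRF using a raw HTTP request
+http = "GET http://127.0.0.1/ HTTP/1.1\n\n"
+ssrf.send_request(http)
+```
+
+## Documentation
+
+Refer to the wiki for more information and example usage:
+https://github.com/bcoles/ssrf_proxy/wiki
+
+Refer to RubyDoc for code documentation:
+http://www.rubydoc.info/github/bcoles/ssrf_proxy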
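--- a/data/bin/console
+++ b/data/bin/console
@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+#
+# Copyright (c) 2015-2016 Brendan Coles <bcoles@gmail.com>
+# SSRF Proxy - https://github.com/bcoles/ssrf_proxy
+# See the file 'LICENSE.md' for copying permission
+#
+
+require 'irb'
+require 'irb/completion'
+
+begin
+puts "\n_________________________________________________________\n"
+puts SSRFProxy::BANNER
+puts "\n SSRF Proxy v#{SSRFProxy::VERSION}"
+puts " https://github.com/bcoles/ssrf_proxy\n"
+puts "\n_________________________________________________________\n\n"
+
+puts "SSRFProxy[#{SSRFProxy::VERSION}], " \
+"Ruby[#{RUBY_VERSION}], " \
+"Platform[#{RUBY_PLATFORM}]"
+rescue => e
+puts "Error: Could not load SSRFProxy: #{e.message}"
+end
+IRB.start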
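Review bot: The `begin` block reads `SSRFProxy::BANNER` and `SSRFProxy::VERSION`, but none of the 24 added lines loads the library; only `irb` and `irb/completion` are required. Unless the gem is preloaded by the way the script is invoked, the constant lookup raises NameError, so the console prints "Error: Could not load SSRFProxy" and then drops into an IRB session without the library. Add `require 'ssrf_proxy'` as the first statement inside `begin`. A failed require raises LoadError, which the bare `rescue => e` does not catch because it only covers StandardError, so widen it to `rescue LoadError, StandardError => e`.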