Supported Tools - bcoles/ssrf_proxy GitHub Wiki
The tools in this section are known to work with SSRF Proxy.
SSRF Proxy supports the HTTP CONNECT verb. SSL tunneling is not supported.
For best results, ensure SSRF Proxy is configured with the following options, where possible:
--match=REGEX
--guess-status
--guess-mime
--forward-method
--forward-headers
--forward-body
--forward-cookies
--body-to-uri
--auth-to-uri
--cookies-to-uri
$ curl -isk -x http://127.0.0.1:8081/ http://127.0.0.1/
$ curl -isk -x http://127.0.0.1:8081/ http://127.0.0.1/ --proxytunnel
Note that the trailing slash in the proxy URL (http://127.0.0.1:8081/) is required by old versions of cURL.
Set SSRF Proxy as the proxy in proxychains.conf :
[ProxyList]
http 127.0.0.1 8081
Also disable proxied DNS lookups in proxychains.conf by leaving proxy_dns commented out:
# Proxy DNS requests - no leak for DNS data
#proxy_dns
Preface commands with proxychains:
$ proxychains curl -isk http://127.0.0.1/
Set the web browser's proxy to SSRF Proxy as an HTTP proxy.
Note that rendering of application assets within a browser (images, stylesheets, JavaScript, etc.) will likely fail unless the server returns the response headers from the destination server, or the --sniff-mime or --guess-mime options are supplied. Additionally, an accurate regex must be supplied to the --match option, otherwise assets will be corrupted.
Stripping unwanted headers such as Content-Disposition is also often desirable: --strip "content-disposition"
wget honours the http_proxy environment variable, so export it and mirror the site:
$ export http_proxy=http://127.0.0.1:8081/
$ wget --mirror --no-check-certificate --convert-links --adjust-extension --page-requisites --no-parent http://127.0.0.1/bWAPP/
sqlmap can be used to exploit SQL injection vulnerabilities through SSRF Proxy.
$ sqlmap -u "http://sqli.example/?query=test" --proxy "http://127.0.0.1:8081" --dbms mysql -p query --banner
In some instances, using --hex and --technique BT (boolean-based and time-based blind) may provide better results.
Note that tweaking the SSRF Proxy --timeout option (default: 10 seconds) may be necessary if a large number of timeouts are encountered during time-based scanning.
Some servers vulnerable to SSRF may allow TCP port scanning with nmap using the TCP connect() scan technique (-sT) in combination with proxychains. Host discovery must be skipped (-Pn), because ICMP and other non-TCP probes cannot traverse an HTTP proxy:
$ proxychains nmap -sT -Pn -p <PORTS> 127.0.0.1
The --fail-no-content option can be useful for port scanning through the proxy. This option returns a 502 HTTP status code if the response body is empty. When used in combination with an accurate --match, this option allows accurate port scanning through some SSRF servers.
nmap's version detection using probes is not supported, however the HTTP scripts are supported to some extent. Again, this depends on the vulnerable SSRF functionality.
$ proxychains nmap -sT -Pn -p 80,443,8080 127.0.0.1 -sC
For some SSRF vulnerabilities, false negatives are likely if the remote service does not hang up immediately upon receiving invalid input, resulting in a timeout. Check the SSRF Proxy output for Timeout errors to verify. In these instances, the --timeout-ok option (treat a timed-out upstream request as a response rather than an error) may be useful.
Note that your mileage may vary attempting to port scan through a SSRF, depending on the SSRF and your configuration options.
nmap OS detection and UDP scanning do not work through HTTP proxies and will not work through SSRF Proxy.
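The verdicts described above (502 from --fail-no-content for an empty body, a timeout for a service that does not hang up) can also be collected without nmap. The following script is an added example and is not part of the ssrf_proxy wiki or project: it probes each port with curl through SSRF Proxy and classifies the status code curl reports. It assumes SSRF Proxy is listening on 127.0.0.1:8081 as elsewhere on this page and that it was started with --fail-no-content and --timeout-ok; PROXY, TARGET and CURL_TIMEOUT are hypothetical variables introduced for the script.

```shell
#!/bin/sh
# Added example, not ssrf_proxy's own code. TCP port scan via SSRF Proxy
# using curl. Assumes the proxy runs with --fail-no-content (empty upstream
# body -> 502) and --timeout-ok (timed-out request -> response, not error).
PROXY="${PROXY:-http://127.0.0.1:8081/}"   # hypothetical variable
TARGET="${TARGET:-127.0.0.1}"              # hypothetical variable
CURL_TIMEOUT="${CURL_TIMEOUT:-15}"         # seconds; hypothetical variable

# Map the status curl reports (000 = no response at all) to a verdict.
# A closed port or a non-HTTP listener normally produces an empty body
# upstream, which --fail-no-content turns into a 502 at the proxy.
classify_status() {
    case "$1" in
        000)       echo "timeout/no-response" ;;
        502)       echo "closed-or-empty" ;;
        2*|3*|4*)  echo "open" ;;            # an HTTP server answered
        5*)        echo "error" ;;           # proxy/upstream error, recheck
        *)         echo "unknown($1)" ;;
    esac
}

# Fetch http://TARGET:PORT/ through the proxy, print only the status code.
probe_port() {
    curl -s -o /dev/null -m "$CURL_TIMEOUT" -x "$PROXY" \
        -w '%{http_code}' "http://$TARGET:$1/" 2>/dev/null
}

# Scan each port given; prints "port verdict status" per line.
scan_ports() {
    for port in "$@"; do
        status=$(probe_port "$port")
        printf '%s %s %s\n' "$port" "$(classify_status "$status")" "$status"
    done
}

# Usage: PROXY=http://127.0.0.1:8081/ TARGET=127.0.0.1 sh ssrf_scan.sh 22 80 443 8080
if [ $# -gt 0 ]; then
    scan_ports "$@"
fi
```

Ports reported as timeout/no-response deserve a second look with a larger CURL_TIMEOUT and the SSRF Proxy --timeout option raised, since, as noted above, a service that keeps the connection open after receiving invalid input is indistinguishable from a filtered port until it is given time to respond.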
SSRF Proxy supports content discovery tools such as dirb in combination with proxychains.
$ proxychains dirb http://127.0.0.1/ -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt
In Metasploit, select the module of choice and ensure the proxies option is set:
> use auxiliary/scanner/http/title
> set proxies http:127.0.0.1:8081
> set rhosts 127.0.0.1
> set targeturi /server-status
> run
$ arachni --http-proxy 127.0.0.1:8081 "http://127.0.0.2/"
Note that Arachni cannot scan 127.0.0.1; instead 127.0.0.2 is used.
Set SSRF Proxy as the proxy in nikto.conf:
# Proxy settings -- still must be enabled by -useproxy
PROXYHOST=127.0.0.1
PROXYPORT=8081
Run nikto:
$ nikto.pl -host 127.0.0.1 -useproxy
Note that nikto may identify a large number of false positives. For example, if the SSRF does not support --guess-status, a large number of 200 OK responses will be identified. Also, if the SSRF server has PHP errors enabled, nikto will report a large number of pages containing PHP errors.
WhatWeb can be used to fingerprint web servers and applications.
$ whatweb --proxy 127.0.0.1:8081 http://127.0.0.1/
Shocker can be used to exploit servers vulnerable to ShellShock if the SSRF allows forwarding HTTP headers, specifically the Content-Type header.
$ ./shocker.py --proxy 127.0.0.1:8081 -H 127.0.0.1