swisskyrepo / SSRFmap

Automatic SSRF fuzzer and exploitation tool

Error running

h0nus opened this issue · comments

[ERROR]:Bad Format
[INFO]:Module 'portscan' launched !
Traceback (most recent call last):
  File "ssrfmap.py", line 42, in <module>
    ssrf = SSRF(args)
  File "/usr/share/ssrfmap/core/ssrf.py", line 38, in __init__
    module.exploit(self.requester, args)
  File "./modules/portscan.py", line 15, in __init__
    r = requester.do_request(args.param, "")
  File "/usr/share/ssrfmap/core/requester.py", line 96, in do_request
    return r
UnboundLocalError: local variable 'r' referenced before assignment

I used all possible variables like -r and --level or anything else.

Hello,

Can you provide the request you used with SSRFmap or an anonymised one ?

The input is a POST in XML, maybe it's for it?
Like:

POST /X HTTP/1.1
Authorization: Basic Y
User-Agent: User-agent
Host: secure.host.com
Connection: close
Accept-Encoding: gzip, deflate
Content-type: application/xml
Content-Length: 189

<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "//my.host.net"> ]> <change-log> <text>&systemEntity;</text>; </change-log>

This is my request of vulnerable and working SSRF via XXE

It might be a missing else for the condition in L60 https://github.com/swisskyrepo/SSRFmap/blob/master/core/requester.py#L60

If the parameter isn't found in the request then the variable r is returned by the function but it doesn't exist

Oh ok, so I'll need to write it, or will you do it?

I'll try to do it by the end of the week, but you can do it before and submit a Pull Request :)
You were also right XML isn't handled by SSRFmap at the moment, this can be implemented in the same function. Something like the following should do the work.

if param in data_injected:
    ...
else:
    # find the injection point in the request data
    # verify it's xml "Content-type: application/xml"
    # replace the injection point with value in r.data
    # return r

All right then, I can try to do something for you.
Only parameter handling is needed or more?

XML is not really a parameter like id=something, in order to make things easy let's force the injection point with "*FUZZ*" in the request.

<?xml version="1.0"?> <!DOCTYPE change-log [ <!ENTITY systemEntity SYSTEM "*FUZZ*"> ]> <change-log> <text>&systemEntity;</text>; </change-log>

Oh ok, I'll try something and let you know!

I just pushed some features that were missing including HTTPS handling and XML requests.
It might resolve the issue, let me know :)

Hi, I've tried it a little, but it seems that without -p option it fails.
But XML input at the moment doesn't request a parameter and just fuzz into the file.

When I'm back home I'll check again, btw great job!

Hi, now I'm back.
Actually I put FUZZ into the request file, but it asks for the -p parameter anyway and seems to not detect the SSRF. Any hints?

Screen of error:
image

Screen of request:
image

It might be a simple display issue, is the module portscan working for your case ?

ssrfmap

I see it gives me a bad format or raw data error. But the request is good.
Actually it doesn't give any output

As you can see here:
image

I don't know why the request doesn't work.

Can you check the content of self.data['__xml__'] both at L60 and data_xml at L106.
They should contain the XML data
https://github.com/swisskyrepo/SSRFmap/blob/master/core/requester.py#L60
https://github.com/swisskyrepo/SSRFmap/blob/master/core/requester.py#L106

Also can you provide the content of the error raised in L47 (print(e))
https://github.com/swisskyrepo/SSRFmap/blob/master/core/requester.py#L47
Since the code used is "self.data_to_dict(content[-1])", the parsing may break if there is an empty new line at the end of the request file

Mhh I'll try my best to figure it out! 👍
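
The two failure modes discussed in this thread (no injection point found, and a request file that ends with an empty line), handled explicitly in an added example that is not part of the thread and is not SSRFmap's code. The names `parse_raw_request`, `inject`, `RequestFormatError` and the sample request are assumptions made for illustration.

```python
MARKER = "*FUZZ*"  # injection-point marker proposed in the thread

# Constructed sample: XML request file that ends with empty lines.
SAMPLE = (
    "POST /X HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-type: application/xml\r\n\r\n"
    '<?xml version="1.0"?> <!DOCTYPE change-log [ '
    '<!ENTITY systemEntity SYSTEM "*FUZZ*"> ]> '
    "<change-log> <text>&systemEntity;</text> </change-log>\r\n\r\n"
)


class RequestFormatError(ValueError):
    """The request file is malformed or has no usable injection point."""


def parse_raw_request(raw):
    """Split a raw HTTP request into (request_line, headers, body)."""
    # Normalise line endings and drop trailing empty lines first, so the
    # body is never mistaken for the empty last line of the file.
    text = raw.replace("\r\n", "\n").rstrip("\n")
    head, _, body = text.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise RequestFormatError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def inject(raw, value, param=None):
    """Return the body with `value` placed at the injection point."""
    _, headers, body = parse_raw_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in ("application/xml", "text/xml"):
        if MARKER not in body:
            raise RequestFormatError(f"XML body has no {MARKER} marker")
        return body.replace(MARKER, value)
    # Otherwise treat the body as key=value pairs joined by '&'.
    pairs = [p.partition("=") for p in body.split("&") if p]
    if param not in [key for key, _, _ in pairs]:
        # Every path returns or raises, so no result variable is ever
        # read before assignment.
        raise RequestFormatError(f"parameter {param!r} not found")
    return "&".join(f"{k}={value if k == param else v}" for k, _, v in pairs)
```

Raising a named error on the "not found" path turns the `UnboundLocalError` from the traceback into a message that tells the user what is wrong with the request file.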

Encountered this error.

Fixed in the last commit. Thank you :)

Closing issue :)