SSRFire - an automated SSRF finder

Mar 4, 2022

An automated SSRF finder. Just give the domain name and your server and chill! ;) It also has options to find XSS and open redirects.

SSRFIRE

Syntax

./ssrfire.sh -d domain.com -s yourserver.com -f custom_file.txt -c cookies

domain.com ---> The domain for which you want to test

yourserver.com ---> Your server which detects SSRF. Eg. Burp collaborator

custom_file.txt ---> Optional argument. You give your own custom URLs instead of using gau

cookies ---> Optional argument. To send requests as an authenticated user

If you don't have burpsuite professional, you can use interact sh by the awesome projectdiscovery team as your server.

Requirements

Since this uses GAU, FFUF, qsreplace and OpenRedirex, you need GO and python 3.7+. You need not have the tools installed, as the script setup.sh will install everything. You just need to install python and GO. Even if you have the tools installed I would highly recommend you to install them again so that there no conflicts while setting the paths.

If you don't want to install the tools again, paste this code in your .profile in your home directory and source .profile them. Also, you have to make a small change in the ssrfire.sh....

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023