Lorsrf | Tool to Bruteforce SSRF Parameter

Lorsrf has been added to scant3r with useful additions (multiple HTTP methods, multiple content types (JSON, query, XML), speed, a large wordlist and more).

lorsrf

Bruteforcing hidden parameters to find SSRF vulnerabilities using the GET and POST methods

Install

  • download it

➜ git clone https://github.com/knassar702/lorsrf
➜ cd lorsrf
➜ sudo pip3 install requests flask

Steps:

Ngrok

  • run your ngrok: ./ngrok http 9090
  • run the server.py script with the ngrok port: python3 server.py 9090
  • run lorsrf.py and pass the ngrok host with the -s option

requestbin.com

How can I use it?

cat YOUR_LIST.txt | python3 lorsrf.py -t URL_TARGET -s YOUR_HOST -w wordlist.txt

Examples:

$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io

  • add threads

$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io --threads=50

  • add timeout

$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io --timeout=4

  • add cookies

$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io -c 'user=5&PHPSESSION=5232'

  • add headers from text file

$ cat headers.txt
Cookie: test=1
Auth: Basic TG9yU3JmCg==

$ cat parameters.txt | python3 lorsrf.py -f headers.txt -s 'http://myhost.com' -t 'http://ssrf.hack.com'
---------------------
GET /?parameter={YOUR_HOST} HTTP/1.1
Host: target.com
Cookie: test=1
Auth: Basic TG9yU3JmCg==

  • Follow redirects

$ cat parameters.txt | python3 lorsrf.py -t http://target.com -s http://53252.ngrok.io -r

Testing

python3 lorsrf.py -t 'http://testphp.vulnweb.com/showimage.php' -s 'https://YOUR_HOST.com' -w parameters.txt
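The defensive side of the scan shown above, as an added example that is not part of lorsrf: the tool replays a wordlist of parameter names against one endpoint with the same callback URL as the value, and that pattern stands out in ordinary access logs. The script assumes Apache/nginx combined-format log lines (constructed here), sees GET requests only (POST bodies are not logged by default), and flags a client that tried at least min_params distinct parameter names with the same callback host against one path.

```python
"""Spot lorsrf-style SSRF parameter sweeps in web server access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3}'
)
# Any absolute URL (scheme://...) as a parameter value is worth a second look.
URL_VALUE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def url_params(target):
    """Return (path, [(param, host)]) for query parameters whose value is an absolute URL."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if URL_VALUE_RE.match(value):
            hits.append((name, (urlsplit(value).hostname or value).lower()))
    return parts.path, hits


def find_ssrf_sweeps(lines, min_params=5):
    """Group URL-valued parameters by (client ip, path, callback host) and return
    the groups in which at least min_params distinct parameter names were tried:
    the signature of a wordlist being replayed with a single callback host."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path, hits = url_params(m.group("target"))
        for name, host in hits:
            seen[(m.group("ip"), path, host)].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) >= min_params}


# Constructed sample: one client trying six parameter names with the same callback
# host against /showimage.php, plus an ordinary request with a URL in one known parameter.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /showimage.php?{p}=http%3A%2F%2F53252.ngrok.io HTTP/1.1" 200 512 "-" "python-requests/2.31"'
    for i, p in enumerate(["url", "dest", "redirect", "path", "uri", "callback"])
] + [
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /showimage.php?file=http://example.com/pic.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, path, host), names in find_ssrf_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} URL-valued params on {path} -> {host}: {', '.join(names)}")
```

Lowering min_params to 1 lists every URL-valued parameter, including the legitimate single-parameter request, which is useful for building an allowlist of parameters that are expected to carry URLs.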

GIF

GitHub: https://github.com/knassar702/lorsrf
