Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
43 lines (38 sloc) 1.64 KB
# Proof of concept of a SSRF vulnerability, written in Python
# using Windows's WinHTTP.WinHTTPRequest native methods
# to demonstrate how Windows will give out hashes when asked
# to authenticate using NTLM.
# written by Julio Cesar Fort, Wildfire Labs /// Blaze Information Security
# Copyright 2016-2017, Blaze Information Security
from flask import Flask, Response, request
import win32com.client
app = Flask(__name__)
@app.route('/', methods=['GET'])
def index():
error_msg = '''<html><title>Blaze Information Security</title>
<p>Proof of concept of SSRF using Windows native HTTP request COM object.</p>
<p>Navigate to http://%s/?url=http://ip to exploit the SSRF.</p>
<p>This is a PoC to demonstrate that when HTTP requests using Windows HTTP native API are sent to Responder, NTLM hashes can be harvested.</p>
<p>Copyright 2016-2017, Blaze Information Security -</p>
''' %
if request.method == 'GET':
if request.args.get('url'):
URL = request.args.get('url')
COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
COM_OBJ.Open('GET', URL, False)
return COM_OBJ.ResponseText
except Exception, err:
return "<p>Error: %s</p>" % str(err)
return error_msg
return "Method not supported."
if __name__ == '__main__':'', port=8000)