Creates a SOCK proxy server that transmits data over an SSRF vulnerability
Switch branches/tags
Nothing to show
Clone or download
Latest commit b028d5b Aug 8, 2012
Failed to load latest commit information. small update to readme Aug 8, 2012 initial commit Aug 8, 2012

ssrfsocks: SOCKS-based SSRF tunneling proxy

ssrfsocks utilizes an existing Server-Side Request Forgercy vulnerability to tunnel traffic through it. This code acts as a SOCKS4 proxy server, and relays traffic through the SSRF vuln and returns the result. This concept is based on the Blackhat 2012 presentation by Polyakov & Chastukhin on SSRF and XXE tunneling.


Due to the nature of SSRF vulnerabilities, only one response is made from a request. This means that it is not possible to run an interactive session. We can however send single-shot messages to internal services. This means it's possible to, for example, send an email via SMTP, and grab the banner of most services. This will tend to be most useful with simple protocols like SMTP and HTTP, and ineffective with protocols such as SSH and TLS.


$ ./ssrfproxy ""
listener ready on port 65432

$ echo -e "HELO localhost\nMAIL\nRCPT TO:\nDATA\nSubject: test\n\nthis is a test\n.\nQUIT\n" \
  | proxychains nc 25

In the above scenario, it's necessary to configure proxychains.conf:

socks4 65432


Currently, the SOCKS4A code is untested, as proxychains doesn't seem to support it. I found limited success with running nmap over this proxy, as nmap reports closed ports as open, and some open ports as closed.

This script was tested against a vulnerable app that passed a user-controlled value to code that treated the value as a URI, fetched it, and returned the result. It's likely not usable against XXE vulnerabilities without some modification.