A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.

Last update: Nov 25, 2022

Related tags

Security related resources TProxer

Overview

TProxer

A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.

How • Install • Todo • Join Discord

How it works

Attempts to gain access to internal APIs or files through a path based SSRF attack. For instance https://www.example.com/api/v1/users we try the payload /..;/..;/..;/..;/ hoping for a 400 Bad Request:
Then the Algorithm tries to find the potential internal API root with: https://www.example.com/api/v1/users/..;/..;/..;/ hoping for a 404 Not Found
Then, we try to discover content, if anything is found it performs additional test to see if it's 100% internal and worth investigating.
Supports manual activation through context menu.
Payloads are supplied by the user under dedicated tab, default values are stored under query payloads.txt
You can also select your own wordlist
Issues are added under the Issue Activity tab.

Install

$ git clone https://github.com/ethicalhackingplayground/TProxer

Download Jython from:

https://www.jython.org/download.html

Load burp, Extender -> Options
Go to Python Environment -> Select file -> Select jython.jar
Go to Extensions -> Add -> TProx.py

Todo

Make a better design
Add more customization.

License

TProxer is distributed under MIT License

Owner

Krypt0mux

I'm an ethical hacker researcher and love to help people learn about computer security.

Krypt0mux

GitHub Repository

Python exploit for vsftpd 2.3.4 - Backdoor Command Execution

CVE-2011-2523 - vsftpd 2.3.4 Exploit Discription vsftpd, which stands for Very Secure FTP Daemon,is an FTP server for Unix-like systems, including Lin

5 Nov 08, 2022

SSH Tool For OSINT and then Cracking.

sshmap SSH Tool For OSINT and then Cracking. Linux Systems Only Usage: Scanner Syntax: scanner start/stop/status - Sarts/stops/sho

5 Apr 04, 2022

the metasploit script(POC) about CVE-2021-36260

CVE-2021-36260-metasploit the metasploit script(POC) about CVE-2021-36260. A command injection vulnerability in the web server of some Hikvision produ

14 Nov 09, 2022

Multi Brute Force Facebook - Crack Facebook With Login - Free For Now

✭ SAKERA CRACK Made With ❤️ By Denventa, Araya, Dapunta Author: - Denventa - Araya Dev - Dapunta Khurayra X ⇨ Fitur Login [✯] Login Cookies ⇨ Ins

26 Jan 01, 2023

MongoDB-Injection - This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection

MongoDB-Injection Cheesy Multi-threaded script for NoSQL Injection This challeng

2 Jun 06, 2022

Übersicht remote command execution 0day exploit

Übersicht RCE 0day Unauthenticated remote command execution 0day exploit for Übersicht. Description Übersicht is a desktop widget application for m

10 Dec 21, 2021

xkeysnail is yet another keyboard remapping tool for X environment written in Python

xkeysnail is yet another keyboard remapping tool for X environment written in Python. It's like xmodmap but allows more flexible remappings.

809 Dec 26, 2022

Wordlist attacks on Bitwarden data.json files

BitwardenDecryptBrute This is a slightly modified version of BitwardenDecrypt. In addition to the decryption this version can do wordlist attacks for

42 Nov 09, 2022

Kunyu, more efficient corporate asset collection

Kunyu(坤舆) - More efficient corporate asset collection English | 中文文档 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act

772 Jan 05, 2023

version de mi tool de kali linux para miertuxzzzz digo, termux >:)

Msf-Tool 1.0 Termux apt install git -y apt install python apt install python3 apt install python3-pip apt install metasploit ---- ---- git clone ht

1 Feb 20, 2022

A token logger for discord + steals Brave/Chrome passwords and usernames

Backdoor Machine - ❗ For educational purposes only ❗ A program made in python for stealing passwords and usernames from Google Chrome/Brave and tokenl

36 Jul 18, 2021

RDP Stealer

RDP Stealer RDP Stealer by lamp Require Python How To Use Download This Source Extract The Zip File Change webhook url Convert to exe send to target I

14 Nov 26, 2022

Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

CVE-2021-22911 Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1 The getPasswordPolicy method is vulnerable to NoS

47 Nov 09, 2022

Uma ferramenta de segurança da informação escrita em python3,capaz de dar acesso total ao computador de alguém!

shell-reverse Uma ferramenta de segurança da informação escrita em python3, capaz de dar acesso total ao computador de alguém! A cybersecurity tool wr

1 Nov 03, 2021

Fast and customizable vulnerability scanner For JIRA written in Python

Fast and customizable vulnerability scanner For JIRA. 🤔 What is this? Jira-Lens 🔍 is a Python Based vulnerability Scanner for JIRA. Jira is a propri

185 Dec 25, 2022

💣 Bomb Crypto Bot 💣

💣 Bomb Crypto Bot 💣 ⚠️ Warning I am not responsible for any penalties incurred by those who use the bot, use it at your own risk. 📄 Documentation -

4 Apr 27, 2022

A DOM-based G-Suite password sprayer and user enumerator

A DOM-based G-Suite password sprayer and user enumerator

1 Apr 07, 2022

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

26 Dec 26, 2022

MSDorkDump is a Google Dork File Finder that queries a specified domain name and variety of file extensions

MSDorkDump is a Google Dork File Finder that queries a specified domain name and variety of file extensions (pdf, doc, docx, etc), and downloads them.

150 Jan 03, 2023

Evil-stalker - A simple tool written in python, it is so simple that it is based on google dorks

evil-stalker How to run First of all, you must install the necessary libraries.

6 Nov 16, 2022