It was a hassle setting up my own https server for it and couldn't use self signed certs because it did not have insecure option enabled on the vulnerable webserver.
Was able to get YAML deserialization with this php redirect to get the SSRF and exploit working:
from scapy.all import *
import sys
#take in file name from argument
file = sys.argv[1]
#open file
f = open(file, "r")
# Define the source and destination IP addresses
source_ip = "192.168.245.129"
destination_ip = "192.168.1.7"
# Define an array to store the data bytes
data_array = []
packets = rdpcap(file)
def process_packet(packet):
# find all UDP packets from 192.168.245.129 to 192.168.1.7 and get the data byte and add to array and print array
if packet.haslayer(IP) and packet.haslayer(UDP) and packet[IP].src == source_ip and packet[IP].dst == destination_ip:
data = packet[Raw].load
data_array.append(data)
# Process each packet in the pcap file
for packet in packets:
process_packet(packet)
# merge the array and print
data = b''.join(data_array)
print(str(data, 'utf-8'))