
Gopherus
If you know a place which is SSRF vulnerable then, this tool will help you to generate Gopher payload for exploiting SSRF (Server Side Request Forgery) and gaining RCE (Remote Code Execution). And also it will help you to get the Reverse shell on the victim server. If you want to brute forcing SSRF parameter you can use the tool called Lorsrf
Payloads
This tool can generate payload for following:
- MySQL (Port-3306)
- PostgreSQL(Port-5432)
- FastCGI (Port-9000)
- Memcached (Port-11211)
- If stored data is getting De-serialized by:
- Python
- Ruby
- PHP
- If stored data is getting De-serialized by:
- Redis (Port-6379)
- Zabbix (Port-10050)
- SMTP (Port-25)
Installation
git clone https://github.com/tarunkant/Gopherus.git
cd Gopherus
chmod +x install.sh
sudo ./install.sh
Usage
Command | Description |
---|---|
gopherus –help | Help |
gopherus –exploit | Arguments can be : |
–exploit mysql | |
–exploit postgresql | |
–exploit fastcgi | |
–exploit redis | |
–exploit zabbix | |
–exploit pymemcache | |
–exploit rbmemcache | |
–exploit phpmemcache | |
–exploit dmpmemcache | |
–exploit smtp |

Examples
- MySQL: If the user is not protected with password you can dump his database and also you can put malicious files in his system.
gopherus --exploit mysql
It only asks username of the MySQL user and it will provide you gopher link.
- PostgreSQL: If the user is not protected with password you can dump his database and also you can put malicious files in his system.
gopherus --exploit postgresql
It only asks username of the Postgres user and database name then it will provide you gopher link.
- Redis: If redis port is open then we can overwrite the file in the system which is too dangerous.
So here is two things you can get:
a. Reverse Shell
b. PHP Shellgopherus --exploit redis
- SMTP: If port 25 is open and we can access it then, we can send message to anyone as victim user, So this tool will generate gopher payload for sending mail.
gopherus --exploit smtp
Author
Tarunkant Gupta (SpyD3r)
- Website: https://spyclub.tech
- Email: [email protected]
- Twitter: https://twitter.com/TarunkantG
- Linkedin: https://linkedin.com/in/tarunkant-g-215830129/