finds.dev

// the find

tarunkant/Gopherus

★ 3,390 · Python · MIT · updated Apr 2023

This tool generates gopher link for exploiting SSRF and gaining RCE in various servers

Gopherus generates gopher:// protocol payloads for turning SSRF vulnerabilities into RCE against common internal services: MySQL, PostgreSQL, Redis, FastCGI, Memcached, Zabbix, and SMTP. The trick is that a gopher:// URL carries arbitrary bytes that the SSRF client writes straight to a TCP socket, so any plaintext protocol can be driven with a single request. That request is one-shot: the client sends the whole selector before it reads anything, so it cannot complete a challenge-response handshake. In practice that means the MySQL and PostgreSQL payloads only work against accounts that accept a login without a password, and the SMTP payload sends mail rather than executing code; Redis and FastCGI are the ones that actually get you a shell. It's a CTF staple and a useful reference for pentesters who hit SSRF during an engagement and need to quickly probe what's reachable internally.

Covers the most common internal services you'll actually find behind an SSRF — Redis and FastCGI in particular are realistic attack paths that show up in real bug bounties. Each exploit is a standalone script, so the code is easy to read and learn from rather than buried in framework abstractions. The Memcached deserialization payloads for Python Pickle, Ruby Marshal, and PHP are genuinely useful and not something you'll find pre-packaged elsewhere. Good starting point for understanding how gopher:// can be weaponized as a raw TCP proxy.

Dead since April 2023: no updates in over three years, and the gopher SSRF landscape has moved on (curl builds and HTTP client libraries that disable gopher://, SSRF filters, cloud metadata endpoints). Payloads come out percent-encoded exactly once; when the payload travels through a query parameter that the vulnerable app decodes before handing it to its HTTP client, you have to add the second layer of encoding yourself, and there is no support for the encoding variations used to slip past common WAF/filter patterns, which is table stakes for real engagements. The install script insists on running as root and blindly pip-installs into the system Python, which is sloppy. No tests at all: if a payload format breaks for a specific server version, you won't know until it silently fails during a real assessment.

View on GitHub →
