Gain adfly SMTP access with SSRF via Gopher Protocol

Jun 27

Hi guys, my name is Rafli Pasya. Today I want to share my story about an SSRF on adfly. I found this bug 4 days ago and it is already fixed.

Two months ago I found an IDOR on adfly, and 4 days ago I found an SSRF on adfly. Using this vulnerability I was able to send an email using adfly's SMTP. It's absolutely dangerous if another hacker uses this to attack adfly clients.


I prepared these tools:
1. Gopherus
2. Server to upload php file

First of all I tried to shorten a gopher:// URL, but it was blocked by the server. So I made a PHP file containing the Gopherus payload, and it actually worked.

I opened a CMD and typed: --exploit fastcgi
This is used to exploit FastCGI and gain RCE. Unfortunately, because I was unable to see the response body (I was only able to see the <title> tag), this exploit did not work.

So I tried to use the SMTP exploit: --exploit smtp
From Mail : adf@ly
To Mail : [myemail@.x.y]
Subject: PoCSSRF
Text: [empty]

Payload :

Now I made a PHP file:

header('location: gopher://');

and I uploaded it to my server.

Then I visited the adfly site and shortened

After 1–5 minutes I checked my inbox and saw an email from

I quickly reported this bug to their team. It was fixed 1 day after I reported the bug.
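
The direct gopher:// URL was blocked but a redirect to one was followed, so the defensive lesson is to validate every hop of a server-side fetch, not only the URL the user submitted. The following Python is an added example, not code from the original post or from adfly; the `send` transport, the `resolver` hook, the host names and the sample responses are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5

class BlockedURL(Exception):
    pass

def resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_hop(url, resolver=resolve):
    """Validate one URL in the chain: scheme allow-list, then destination."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise BlockedURL("URL has no host")
    for addr in resolver(parts.hostname):
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedURL(f"{parts.hostname} resolves to non-public {addr}")

def fetch_checked(url, send, resolver=resolve):
    """Follow redirects by hand so every hop passes check_hop()."""
    # send(url): hypothetical transport returning (status, headers, body),
    # with automatic redirects switched off in the underlying HTTP client.
    for _ in range(MAX_HOPS):
        check_hop(url, resolver)
        status, headers, body = send(url)
        if status not in (301, 302, 303, 307, 308) or "Location" not in headers:
            return body
        url = urljoin(url, headers["Location"])  # next hop is re-validated
    raise BlockedURL("too many redirects")

# Constructed sample data: a public page that answers with a redirect to gopher.
SAMPLE_DNS = {"files.example": {"8.8.8.8"}, "intranet.example": {"10.0.0.5"}}
SAMPLE_RESPONSES = {
    "http://files.example/r.php": (302, {"Location": "gopher://127.0.0.1:25/_"}, ""),
    "http://files.example/ok": (200, {}, "<title>ok</title>"),
}

if __name__ == "__main__":
    for start in ("http://files.example/ok", "http://files.example/r.php"):
        try:
            print(start, "->", fetch_checked(start, SAMPLE_RESPONSES.get, SAMPLE_DNS.get))
        except BlockedURL as exc:
            print(start, "-> blocked:", exc)
```

In a real fetcher the transport should connect to the address that was checked, otherwise a second DNS lookup can return a different (internal) address.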

Thanks for reading, sorry for my bad English btw.

Original WriteUp :

Timeline :

- Sunday 23 June 2019 23:35 GMT+7 = Bug Found & Reported

- Monday 24 June 2019 17:16 GMT+7 = Triaged

- Monday 24 June 2019 22:34 GMT+7 = Bug Fixed

