Implementing a file upload tool in Python

0x00

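Previously I was acceptance-testing the webshell detection of a WAF module, with the topology PC -- WAF -- web server: collect webshell samples from the internet and run upload tests. Because there were so many samples (8000+), I had to write a tool to do the acceptance testing.

Webshell samples: https://github.com/tennc/webshell.git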

0x01

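Client implementation

The upload uses Python's requests_toolbelt library. There is a pitfall here: the requests library cannot be used, because requests posts the upload as a single packet, and with larger files the uploaded file is incomplete.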

# -*- coding: utf-8 -*-
# @Time      :2018/7/14 9:39
# @Author    :cui0x01
# @file      :webshell_send.py


from requests_toolbelt import MultipartEncoder
import requests
import time
import os
import sys
import getopt

# One log file per run, named after the start time
logdate = time.strftime('%Y%m%d%H%M%S', time.localtime())


def w_log(data):
    '''
    Append one result line to log/<start time>.
    :return:
    '''
    if not os.path.exists('log'):
        os.mkdir('log')
    log_name = os.path.join('log', logdate)
    with open(log_name, 'a+') as f:
        f.write(data)


def send_url(url, folder):
    '''
    Upload every file in <folder> to <url> and log one verdict per file.
    :return:
    '''
    abs_path = os.path.abspath(os.path.dirname(__file__))
    folder_path = os.path.join(abs_path, folder)
    try:
        file_list = os.listdir(folder_path)
    except OSError:
        print('''
        %s does not exist, please check your folder.
        ''' % folder)
        sys.exit(1)
    for filename in file_list:
        file_path = os.path.join(folder_path, filename)
        if not os.path.isfile(file_path):
            continue  # skip sub-directories
        # Content-Disposition: form-data; name="uploaded"; filename="aa.php"
        # The 'uploaded' key in fields is the name field of the multipart part.
        # The server receives the file by the same name: isset( $_FILES[ 'uploaded' ] ).
        # If you change it, keep both sides consistent.
        time.sleep(1)
        try:
            # Keep the file open while the encoder streams it, then close it
            with open(file_path, 'rb') as fh:
                m = MultipartEncoder(
                    fields={'uploaded': (filename, fh, 'text/plain')}
                )
                requests.post(url, data=m, headers={'Content-Type': m.content_type})
        except requests.exceptions.RequestException:
            # A failed request (e.g. the connection is dropped) is logged as
            # rejected; any HTTP response is logged as allowed.
            print('waf reject: filename %s' % filename)
            data = 'waf reject: filename %s \n' % filename
            w_log(data)
        else:
            print("waf allow: filename: %s" % filename)
            data = "waf allow: filename: %s \n" % filename
            w_log(data)


if __name__ == "__main__":

    try:
        # Look the options up by name so that -u and -f can come in any order
        opts, args = getopt.getopt(sys.argv[1:], 'u:f:')
        opts = dict(opts)
        u = opts['-u']
        f = opts['-f']
    except (getopt.GetoptError, KeyError):
        print('''
        ******************************************************************
        ex:python3 xx.py -u http://33.33.35.20/upload/upload.php -f white
        -u: target url
        -f: local folder
        ******************************************************************
        ''')
        sys.exit(1)
    send_url(u, f)
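
Summarizing the log that w_log() writes, as an added example (not part of the original post or the linked repository): it parses both verdict line formats and reports how many samples got the expected verdict and which files did not. The sample log and its file names are constructed; parse_log, summarize and the expect parameter are names introduced here.

```python
import re
from collections import Counter

# Constructed sample in the format written by w_log(); the two verdict
# lines differ slightly ("filename" vs "filename:") and end with a space.
SAMPLE_LOG = """\
waf reject: filename sample_001.php 
waf allow: filename: readme notes.txt 
waf reject: filename sample_002.jsp 
waf allow: filename: sample_003.php 
this line is not a verdict
"""

LINE_RE = re.compile(r"^waf (allow|reject): filename:? (.*?)\s*$")


def parse_log(text):
    """Return ({filename: verdict}, [lines that are not verdict lines])."""
    verdicts, skipped = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            verdicts[m.group(2)] = m.group(1)
        else:
            skipped.append(line)
    return verdicts, skipped


def summarize(verdicts, expect):
    """expect is 'reject' for a webshell folder, 'allow' for a benign one."""
    counts = Counter(verdicts.values())
    total = len(verdicts)
    unexpected = sorted(n for n, v in verdicts.items() if v != expect)
    rate = counts[expect] / total if total else 0.0
    return {"total": total, "rate": rate, "unexpected": unexpected}


if __name__ == "__main__":
    verdicts, skipped = parse_log(SAMPLE_LOG)
    report = summarize(verdicts, expect="reject")
    print("samples: %d, blocked: %.0f%%" % (report["total"], report["rate"] * 100))
    for name in report["unexpected"]:
        print("not blocked:", name)
    print("unparsed lines:", len(skipped))
```

With expect="allow" the same report lists false positives for a benign folder such as the `white` folder in the usage text.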

0x02

Server implementation

The files are received with PHP; environment: XP + phpStudy.

<?php

// 'uploaded' must match the multipart name field sent by the client
if( isset( $_FILES[ 'uploaded' ] ) ) {

    $target_path  = "uploads/".basename( $_FILES[ 'uploaded' ][ 'name' ] );

    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {

        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {

        echo "<pre>{$target_path} successfully uploaded!</pre>";
    }
}

?> 

0x03

Demo

Server

Client

Packet capture

File uploaded successfully

Download: https://github.com/cui0x01/python_daily/tree/master/upload_fuzz_tool

 

posted @ 2018-08-12 11:23  cui0x01