0x00
Before acceptance-testing the webshell detection of the WAF module (network layout: PC -- WAF -- web server), I collected webshell samples from the web for upload testing. Because the sample set is large (8000+ files),
I had to write a tool for the acceptance test.
Webshell samples: https://github.com/tennc/webshell.git
0x01
Client implementation
The client uploads files with the Python requests_toolbelt library. There is a pitfall here: the plain requests library cannot be used on its own, because when requests uploads a file it posts only one packet, so larger files are uploaded incompletely.
    # -*- coding: utf-8 -*-
    # @Time: 2018/7/14 9:39
    # @Author: cui0x01
    # @File: webshell_send.py
    from requests_toolbelt import MultipartEncoder
    import requests
    import time
    import os
    import sys
    import getopt

    # One log file per run, named after the start time.
    logdate = time.strftime('%Y%m%d%H%M%S', time.localtime())


    def w_log(data):
        '''
        Append one result line to log/<logdate>.
        :return:
        '''
        if not os.path.exists('log'):
            os.mkdir('log')
        log_name = os.path.join('log', logdate)
        with open(log_name, 'a+') as f:
            f.write(data)


    def send_url(url, folder):
        '''
        Upload every file in `folder` to `url` and log the result.
        :return:
        '''
        abs_path = os.path.abspath(os.path.dirname(__file__))
        folder_path = os.path.join(abs_path, folder)
        try:
            file_list = os.listdir(folder_path)
        except OSError:
            print('%s does not exist, please check your folder.' % folder)
            sys.exit(1)
        for filename in file_list:
            # print(filename)
            # print(url)
            # Content-Disposition: form-data; name="uploaded"; filename="aa.php"
            # "uploaded" is the multipart name field. The server checks
            # isset($_FILES['uploaded']), i.e. it receives the file through
            # that same name field. If you change it, keep both sides consistent.
            time.sleep(1)
            # file = os.path.join(folder_path, filename)
            # new_url = url + filename
            # The with-block closes each sample after it has been sent.
            with open(os.path.join(folder_path, filename), 'rb') as fh:
                m = MultipartEncoder(fields={'uploaded': (filename, fh, 'text/plain')})
                try:
                    # The timeout keeps the run going when the WAF silently drops the request.
                    requests.post(url, data=m, headers={'Content-Type': m.content_type}, timeout=30)
                except requests.exceptions.RequestException:
                    # Connection reset or timed out: counted as a WAF reject.
                    print('WAF reject:filename %s' % filename)
                    data = 'WAF reject:filename %s \n' % filename
                    w_log(data)
                else:
                    # "allow" only means an HTTP response came back; a WAF that
                    # answers with a block page is also logged as allow.
                    print("WAF allow:filename:%s" % filename)
                    data = "WAF allow:filename:%s \n" % filename
                    w_log(data)


    if __name__ == "__main__":
        try:
            opts, args = getopt.getopt(sys.argv[1:], 'u:f:')
            opts = dict(opts)  # accept -u and -f in either order
            u = opts['-u']
            f = opts['-f']
            # print(u, f)
        except Exception as e:
            print('''
            ******
            Ex: python3 xx.py -u http://33.33.35.20/upload/upload.php -f white
            -u: target url
            -f: local folder
            ''')
            sys.exit(1)
        send_url(u, f)
0x02
Server-side implementation
The server receives the files with PHP. Environment: Windows XP + phpStudy.
    <?php
    // Test-bench receiver: stores whatever arrives in the "uploaded" field,
    // so every sample the WAF lets through ends up in uploads/.
    if (isset($_FILES['uploaded'])) {
        $target_path = "uploads/" . basename($_FILES['uploaded']['name']);
        if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
            echo '<pre>Your image was not uploaded.</pre>';
        } else {
            echo "<pre>{$target_path} successfully uploaded!</pre>";
        }
    }
    ?>
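Because the client logs "allow" whenever any HTTP response comes back, the log alone overstates what passed the WAF. The following added example (not part of the original tool) reconciles the client log with a listing of the server's uploads/ directory; the function names, result keys and sample data are constructed for illustration.

```python
import re

# Matches both line formats the client's w_log() calls produce:
#   "WAF allow:filename:<name> "   and   "WAF reject:filename <name> "
LINE_RE = re.compile(r'^WAF (allow|reject):filename:? ?(.+?) ?$')

# Constructed sample data (not real test results).
SAMPLE_LOG = (
    "WAF allow:filename:notes.txt \n"
    "WAF reject:filename cmd.php \n"
    "WAF allow:filename:one line.jsp \n"
    "WAF allow:filename:img.php \n"
    "WAF reject:filename late.asp \n"
)
SAMPLE_STORED = ["notes.txt", "img.php", "late.asp"]  # listing of uploads/


def parse_log(text):
    """Return {filename: 'allow' | 'reject'} from the client log text."""
    verdicts = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            verdicts[match.group(2)] = match.group(1)
    return verdicts


def reconcile(log_text, stored_files):
    """Compare what the client logged with what the server actually stored."""
    verdicts = parse_log(log_text)
    stored = set(stored_files) & set(verdicts)
    allowed = {name for name, v in verdicts.items() if v == 'allow'}
    rejected = set(verdicts) - allowed
    total = len(verdicts)
    return {
        # Reached disk: the WAF really let these through.
        'passed_waf': sorted(allowed & stored),
        # HTTP reply received but nothing stored, e.g. a WAF block page.
        'allow_but_not_stored': sorted(allowed - stored),
        # Connection failed only after the file had been delivered.
        'reject_but_stored': sorted(rejected & stored),
        'block_rate': (total - len(stored)) / total if total else None,
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_LOG, SAMPLE_STORED).items():
        print(key, value)
```

The files under passed_waf are the ones to feed back into WAF rule tuning; block_rate is computed from what landed on disk, not from the client's verdicts.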
0x03
Demo
Server side
Client
Packet capture view
File upload successful
Code: https://github.com/cui0x01/python_daily/tree/master/upload_fuzz_tool
Python File Upload Tool implementation