0x00
之前验收waf模块webshell效果,组网pc--waf--webserver,收集网络上的webshell样本,进行上传测试。由于数量较多8000+个样本,
只好写了个工具进行验收。
webshell下载地址https://github.com/tennc/webshell.git
0x01
客户端实现
使用python的requests_toolbelt 库进文件上传,这里有个坑,不能用requests库,requests上传文件只post一个数据包,在文件较大情况下,上传文件不全。
# -*- coding: utf-8 -*-
#@Time :2018/7/14 9:39
#@Author :cui0x01
#@file :webshell_send.py
from requests_toolbelt import MultipartEncoder
import requests
import time
import os
import sys
import getopt
global logdate
logdate = time.strftime(\'%Y%m%d%H%M%S\',time.localtime())
def w_log(data):
\'\'\'
:return:
\'\'\'
if not os.path.exists(\'log\'):
os.mkdir(\'log\')
log_name=os.path.join(\'log\',logdate)
with open(log_name,\'a+\') as f:
f.write(data)
def send_url(url,folder):
\'\'\'
:return:
\'\'\'
abs_path = os.path.abspath(os.path.dirname(__file__))
folder_path=os.path.join(abs_path,folder)
try:
file_list= os.listdir(folder_path)
except BaseException as re:
print(\'\'\'
%s is not exist, please check your folder.
\'\'\'%folder)
os._exit(0)
for filename in file_list:
#print(filename)
#print(url)
m = MultipartEncoder(
fields={\'uploaded\': (filename, open(os.path.join(folder_path,filename), \'rb\'), \'text/plain\')}
)
\'\'\'
Content-Disposition: form-data; name="uploaded"; filename="aa.php"
这里的files里uploaded 就是multipart协议name字段里面的uploaded
服务端也是根据isset( $_FILES[ \'uploaded\' ],multipart协议name字段里面的uploaded接收文件。
如果修改,要保持一致。
\'\'\'
#print(len(files))
time.sleep(1)
#file=os.path.join(folder_path,filename)
#new_url=url+filename
try:
r = requests.post(url, data=m,headers={\'Content-Type\': m.content_type})
except BaseException as re:
print(\'waf reject: filename %s\'%filename)
data=\'waf reject: filename %s \n\'%filename
w_log(data)
else:
print("waf allow: filename: %s"%filename)
data="waf allow: filename: %s \n"%filename
w_log(data)
if __name__ == "__main__":
try:
opts,args=getopt.getopt(sys.argv[1:],\'u:f:\')
u=opts[0][1]
f=opts[1][1]
#print(u,f)
except Exception as e:
print(\'\'\'
******************************************************************
ex:python3 xx.py -u http://33.33.35.20/upload/upload.php -f white
-u: target url
-f: local folder
******************************************************************
\'\'\')
os._exit(0)
send_url(u,f)
0x02
服务端实现
用php接收,环境xp+phpstudy
<?php
if( isset( $_FILES[ \'uploaded\' ] ) ) {
$target_path = "uploads/".basename( $_FILES[ \'uploaded\' ][ \'name\' ] );
if( !move_uploaded_file( $_FILES[ \'uploaded\' ][ \'tmp_name\' ], $target_path ) ) {
echo \'<pre>Your image was not uploaded.</pre>\';
}
else {
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
0x03
效果演示
服务端
客户端
抓包查看
文件上传成功
下载地址:https://github.com/cui0x01/python_daily/tree/master/upload_fuzz_tool