Peace be upon you, followers of the Shadow Hacker channel and blog. In this article I present Upload_Bypass v2, a great tool for anyone interested in ethical penetration testing and for bug hunters. It helps you identify file upload vulnerabilities in web applications, exploit the vulnerability on the site, and produce a comprehensive report on the vulnerability found; you can also use it on the defensive side.
Upload_Bypass v2
Upload_Bypass v2 aims to help penetration testers and bug hunters find file upload vulnerabilities in any web application and assist in writing reports.
Download the tool
https://github.com/sAjibuu/Upload_Bypass
Then install the requirements:
pip install -r requirements.txt
How to use
-h, --help
    show this help message and exit
-b BURP_FILE, --burp-file BURP_FILE
    Required - Read from a Burp Suite file
    Usage: -b / --burp-file ~/Desktop/output
-s SUCCESS_MESSAGE, --success SUCCESS_MESSAGE
    Required if -f is not set - Provide the success message when a file is uploaded
    Usage: -s /--success 'File uploaded successfully.'
-f FAILURE_MESSAGE, --failure FAILURE_MESSAGE
    Required if -s is not set - Provide a failure message when a file is uploaded
    Usage: -f /--failure 'File is not allowed!'
-e FILE_EXTENSION, --extension FILE_EXTENSION
    Required - Provide server backend extension
    Usage: -e / --extension php (Supported extensions: php,asp,jsp,perl,coldfusion)
-a ALLOWED_EXTENSIONS, --allowed ALLOWED_EXTENSIONS
    Required - Provide allowed extensions to be uploaded
    Usage: -a /--allowed jpeg, png, zip, etc'
-l WEBSHELL_LOCATION, --location WEBSHELL_LOCATION
--resume RESUME_STATE
    Provide a state file from which to resume a partially complete scan.
    Usage: --resume example.com_state.json
-o OUTPUT_DIRECTORY, --output OUTPUT_DIRECTORY
    Provide an output directory (not a file) to save the results in - Default is the current directory.
    Usage: -o / --output ~/Desktop/example.com
-rl NUMBER, --rate-limit NUMBER
    Set rate-limiting with milliseconds between each request.
    Usage: -r / --rate-limit 700
-p PROXY_NUM, --proxy PROXY_NUM
    Channel the HTTP requests via a proxy client (i.e Burp Suite).
    Usage: -p / --proxy http://127.0.0.1:8080
-S, --insecure
    If set, the tool will not validate TLS/SSL certificate.
    Usage: -S / --insecure
-c, --continue
    If set, the brute force will continue even if one of the methods gets a hit!
    Usage: -C /--continue
-E, --eicar
    If set, an Eicar file(Anti Malware Testfile) will be uploaded only. WebShells will not be uploaded (Suitable for real environments).
    Usage: -E / --eicar
-v, --verbose
    If set, details about the test will be printed on the screen
    Usage: -v / --verbose
-r, --response
    If set, the HTTP response will be printed on the screen
    Usage: -r / --response
--version
    Print the current version of the tool.
--update
    Checks for new updates. If there is a new update, it will be downloaded and updated automatically.
Example
python upload_bypass.py -b ~/Desktop/burp_output -s 'file upload successfully!' -e php -a jpeg --response -v --eicar --continue
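The tool decides whether a filename variant got past the server by comparing each response with the -s/-f message. On the defensive side, the filter that survives that kind of probing is one that does not trust the last extension alone. The following validator is an added example, not code from Upload_Bypass or its author; the allowlist of jpeg/png and the two response messages are taken from the page's own examples, everything else is a constructed assumption.

```python
"""Server-side upload validation (example, not part of Upload_Bypass).

Checks every dotted segment of the name against an allowlist, normalises case
and Unicode first, rejects null bytes and path parts, and requires the file
content to start with the magic bytes of the claimed type.
"""
import unicodedata

# Allowlist mirroring the page's `-a jpeg, png` argument: extension -> magic bytes.
ALLOWED = {
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
}

# Messages match the -s / -f examples shown in the help text above.
OK_MSG = "File uploaded successfully."
FAIL_MSG = "File is not allowed!"


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, message). Every check must pass to accept."""
    # Drop any directory part; a null byte anywhere is an immediate reject
    # (a decoded "x.php%00.jpg" lands here as "x.php\x00.jpg").
    name = filename.replace("\\", "/").split("/")[-1]
    if not name or "\x00" in name:
        return False, FAIL_MSG
    # Normalise Unicode and case, and strip trailing dots/spaces that some
    # filesystems silently discard ("x.php." or "x.php " becomes "x.php").
    name = unicodedata.normalize("NFKC", name).lower().strip(". ")
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, FAIL_MSG
    # Every extension segment must be allowlisted, so "x.php.jpg" and
    # "x.jpg.php" both fail; the last segment decides the expected content.
    exts = parts[1:]
    if any(ext not in ALLOWED for ext in exts):
        return False, FAIL_MSG
    # Content must match the claimed type: script text named ".jpg" fails here.
    if not content.startswith(ALLOWED[exts[-1]]):
        return False, FAIL_MSG
    return True, OK_MSG


if __name__ == "__main__":
    # Constructed samples: a real JPEG header and a script disguised as an image.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8))
    print(validate_upload("cover.jpg", b"<?php echo 'hi'; ?>"))
```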