2013-02-14 15:32:17 +04:00
|
|
|
#!/usr/bin/env python
|
2012-07-14 18:53:15 +04:00
|
|
|
|
|
|
|
"""
|
|
|
|
02/2006 Will Holcomb <wholcomb@gmail.com>
|
|
|
|
|
|
|
|
Reference: http://odin.himinbi.org/MultipartPostHandler.py
|
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of the GNU Lesser General Public
|
|
|
|
License as published by the Free Software Foundation; either
|
|
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
This library is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
|
|
License along with this library; if not, write to the Free Software
|
|
|
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
"""
|
|
|
|
|
|
|
|
import mimetools
|
|
|
|
import mimetypes
|
|
|
|
import os
|
|
|
|
import stat
|
2012-10-29 18:09:05 +04:00
|
|
|
import StringIO
|
2012-07-14 18:53:15 +04:00
|
|
|
import sys
|
|
|
|
import urllib
|
|
|
|
import urllib2
|
|
|
|
|
2012-12-06 17:14:19 +04:00
|
|
|
from lib.core.exception import SqlmapDataException
|
2012-07-14 18:53:15 +04:00
|
|
|
|
|
|
|
|
|
|
|
class Callable:
|
|
|
|
def __init__(self, anycallable):
|
|
|
|
self.__call__ = anycallable
|
|
|
|
|
|
|
|
# Controls how sequences are uncoded. If true, elements may be given
|
|
|
|
# multiple values by assigning a sequence.
|
|
|
|
doseq = 1
|
|
|
|
|
|
|
|
|
|
|
|
class MultipartPostHandler(urllib2.BaseHandler):
|
|
|
|
handler_order = urllib2.HTTPHandler.handler_order - 10 # needs to run first
|
|
|
|
|
|
|
|
def http_request(self, request):
|
|
|
|
data = request.get_data()
|
|
|
|
|
|
|
|
if data is not None and type(data) != str:
|
|
|
|
v_files = []
|
|
|
|
v_vars = []
|
|
|
|
|
|
|
|
try:
|
|
|
|
for(key, value) in data.items():
|
2012-10-29 18:09:05 +04:00
|
|
|
if isinstance(value, file) or hasattr(value, 'file') or isinstance(value, StringIO.StringIO):
|
2012-07-14 18:53:15 +04:00
|
|
|
v_files.append((key, value))
|
|
|
|
else:
|
|
|
|
v_vars.append((key, value))
|
|
|
|
except TypeError:
|
|
|
|
systype, value, traceback = sys.exc_info()
|
2012-12-06 17:14:19 +04:00
|
|
|
raise SqlmapDataException, "not a valid non-string sequence or mapping object", traceback
|
2012-07-14 18:53:15 +04:00
|
|
|
|
|
|
|
if len(v_files) == 0:
|
|
|
|
data = urllib.urlencode(v_vars, doseq)
|
|
|
|
else:
|
|
|
|
boundary, data = self.multipart_encode(v_vars, v_files)
|
|
|
|
contenttype = 'multipart/form-data; boundary=%s' % boundary
|
|
|
|
#if (request.has_header('Content-Type') and request.get_header('Content-Type').find('multipart/form-data') != 0):
|
|
|
|
# print "Replacing %s with %s" % (request.get_header('content-type'), 'multipart/form-data')
|
|
|
|
request.add_unredirected_header('Content-Type', contenttype)
|
|
|
|
|
|
|
|
request.add_data(data)
|
|
|
|
return request
|
|
|
|
|
2015-09-23 16:31:25 +03:00
|
|
|
def multipart_encode(vars, files, boundary=None, buf=None):
|
2012-07-14 18:53:15 +04:00
|
|
|
if boundary is None:
|
|
|
|
boundary = mimetools.choose_boundary()
|
|
|
|
|
|
|
|
if buf is None:
|
|
|
|
buf = ''
|
|
|
|
|
|
|
|
for (key, value) in vars:
|
2015-01-19 11:17:16 +03:00
|
|
|
if key is not None and value is not None:
|
|
|
|
buf += '--%s\r\n' % boundary
|
|
|
|
buf += 'Content-Disposition: form-data; name="%s"' % key
|
|
|
|
buf += '\r\n\r\n' + value + '\r\n'
|
2012-07-14 18:53:15 +04:00
|
|
|
|
|
|
|
for (key, fd) in files:
|
2012-10-29 18:09:05 +04:00
|
|
|
file_size = os.fstat(fd.fileno())[stat.ST_SIZE] if isinstance(fd, file) else fd.len
|
2012-12-13 16:19:47 +04:00
|
|
|
filename = fd.name.split('/')[-1] if '/' in fd.name else fd.name.split('\\')[-1]
|
2014-12-06 23:40:52 +03:00
|
|
|
try:
|
|
|
|
contenttype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
|
|
|
|
except:
|
|
|
|
# Reference: http://bugs.python.org/issue9291
|
|
|
|
contenttype = 'application/octet-stream'
|
2012-07-14 18:53:15 +04:00
|
|
|
buf += '--%s\r\n' % boundary
|
|
|
|
buf += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (key, filename)
|
|
|
|
buf += 'Content-Type: %s\r\n' % contenttype
|
|
|
|
# buf += 'Content-Length: %s\r\n' % file_size
|
|
|
|
fd.seek(0)
|
|
|
|
|
2015-09-23 16:31:25 +03:00
|
|
|
buf = str(buf) if not isinstance(buf, unicode) else buf.encode("utf8")
|
2012-07-14 18:53:15 +04:00
|
|
|
buf += '\r\n%s\r\n' % fd.read()
|
|
|
|
|
|
|
|
buf += '--%s--\r\n\r\n' % boundary
|
|
|
|
|
|
|
|
return boundary, buf
|
|
|
|
|
|
|
|
multipart_encode = Callable(multipart_encode)
|
|
|
|
|
|
|
|
https_request = http_request
|