sqlmap/extra/multipart/multipartpost.py

109 lines
3.6 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2008-10-15 19:56:32 +04:00
$Id$
2008-10-15 19:38:22 +04:00
02/2006 Will Holcomb <wholcomb@gmail.com>
Reference: http://odin.himinbi.org/MultipartPostHandler.py
2008-10-15 19:38:22 +04:00
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
2008-10-15 19:38:22 +04:00
"""
import mimetools
import mimetypes
import os
import stat
import sys
import urllib
import urllib2
from lib.core.exception import sqlmapDataException
class Callable:
def __init__(self, anycallable):
self.__call__ = anycallable
# Controls how sequences are uncoded. If true, elements may be given
# multiple values by assigning a sequence.
doseq = 1
class MultipartPostHandler(urllib2.BaseHandler):
handler_order = urllib2.HTTPHandler.handler_order - 10 # needs to run first
def http_request(self, request):
data = request.get_data()
2008-10-15 19:38:22 +04:00
if data is not None and type(data) != str:
v_files = []
v_vars = []
2008-10-15 19:38:22 +04:00
try:
for(key, value) in data.items():
2010-01-27 19:01:50 +03:00
if type(value) == file or hasattr(value, 'file'):
v_files.append((key, value))
else:
v_vars.append((key, value))
2008-10-15 19:38:22 +04:00
except TypeError:
systype, value, traceback = sys.exc_info()
raise sqlmapDataException, "not a valid non-string sequence or mapping object", traceback
if len(v_files) == 0:
data = urllib.urlencode(v_vars, doseq)
else:
boundary, data = self.multipart_encode(v_vars, v_files)
contenttype = 'multipart/form-data; boundary=%s' % boundary
#if (request.has_header('Content-Type') and request.get_header('Content-Type').find('multipart/form-data') != 0):
# print "Replacing %s with %s" % (request.get_header('content-type'), 'multipart/form-data')
request.add_unredirected_header('Content-Type', contenttype)
request.add_data(data)
return request
def multipart_encode(vars, files, boundary = None, buf = None):
2008-10-15 19:38:22 +04:00
if boundary is None:
boundary = mimetools.choose_boundary()
if buf is None:
buf = ''
for (key, value) in vars:
buf += '--%s\r\n' % boundary
buf += 'Content-Disposition: form-data; name="%s"' % key
buf += '\r\n\r\n' + value + '\r\n'
for (key, fd) in files:
2008-10-15 19:38:22 +04:00
file_size = os.fstat(fd.fileno())[stat.ST_SIZE]
filename = fd.name.split('/')[-1]
contenttype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
buf += '--%s\r\n' % boundary
buf += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (key, filename)
buf += 'Content-Type: %s\r\n' % contenttype
# buf += 'Content-Length: %s\r\n' % file_size
2008-10-15 19:38:22 +04:00
fd.seek(0)
buf = str(buf)
buf += '\r\n%s\r\n' % fd.read()
buf += '--%s--\r\n\r\n' % boundary
return boundary, buf
2008-10-15 19:38:22 +04:00
multipart_encode = Callable(multipart_encode)
https_request = http_request