Now you can tell the shit which file extensions you can't upload

2020-06-30 00:05:55 +02:00 · 2020-06-30 00:05:55 +02:00 · 430df19608
parent 4f70a9db11
commit 430df19608
2 changed files with 31 additions and 2 deletions
--- a/http/upload.cgi
+++ b/http/upload.cgi
@ -27,8 +27,9 @@ $size    = $ENV{CONTENT_LENGTH};

 # Configuration

-$MAX_SIZE = 1024*1024*10; # Change for your size
-$MAX_SIZE_MB = $MAX_SIZE / 1024 / 1024; # Don't change this
+our $MAX_SIZE = 1024*1024*10; # Change for your size
+our $MAX_SIZE_MB = $MAX_SIZE / 1024 / 1024; # Don't change this
+our @not_allowed_extensions = qw(sh out exe);

 if($filename eq "")
 {
@ -45,15 +46,32 @@ if($size > $MAX_SIZE)
 my $extension = $filename;
 $extension =~ s/.*\.//; # tar.gz sucks with this

+# Generate random string
 my @chars = ("A".."Z", "a".."z");
 my $string;
 $string .= $chars[rand @chars] for 1..8;
+
 my $upload_filehandle = $q->upload("file");

 $filename = $string . "." . $extension;
+my $allowed_extension = 1;

+foreach(@not_allowed_extensions)
+  {
+    if($filename =~ /\.$_$/i)
+      {
+	$allowed_extension = 0;
+	last;
+      }
+
+  }
+
+if($allowed_extension)
+  {
+    
 open(FILE,">$upload_dir/$filename");
 binmode(FILE);
+
 while(<$upload_filehandle>)
 {
    print FILE;
@ -62,3 +80,8 @@ while(<$upload_filehandle>)
 close FILE;

 print $ENV{HTTP_REFERER} . "$upload_dir$filename";
+}
+
+else {
+  print "The file extension .$extension is not allowed in this instance.";
+}
--- a/6
+++ b/6
@ -20,6 +20,7 @@

 use Getopt::Long;
 use LWP::UserAgent;
+
 use strict;
 use warnings;
 # variables
@ -113,4 +114,9 @@ $req = $ua->post($url_to_upload,


 print $ASCII_ART if $DISPLAY_ASCII;
+if($req->{_content} =~ /instance/) # If someone knows how to do it another way, I'm all ears
+{
+  print $req->{_content} . "\n";
+  exit;	
+}
 print $DEFAULT_SERVER . "/" . $req->{_content} . "\n";