Original project: https://github.com/c0ny1/upload-fuzz-dic-builder
The original project targets Python 2; this project only converts it to Python 3.
The original project's README follows.
$ python upload-fuzz-dic-builder.py -h
usage: upload-fuzz-dic-builder [-h] [-n] [-a] [-l] [-m] [--os] [-d] [-o]

optional arguments:
  -h, --help            show this help message and exit
  -n , --upload-filename
                        Upload file name
  -a , --allow-suffix   Allowable upload suffix
  -l , --language       Uploaded script language
  -m , --middleware     Middleware used in Web System
  --os                  Target operating system type
  -d, --double-suffix   Is it possible to generate double suffix?
  -o , --output         Output file
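Generate a fuzz dictionary that covers all languages, all middleware and all operating systems:
python upload-fuzz-dic-builder.py
Generate a fuzz dictionary for a back-end language of asp:
python upload-fuzz-dic-builder.py -l asp
Generate a fuzz dictionary for an upload file name of test, an allowed upload suffix of jpg, a back-end language of php, apache as the middleware, Windows as the operating system, and an output dictionary named upload_filename.txt:
python upload-fuzz-dic-builder.py -n test -a jpg -l php -m apache --os win -o upload_file.txt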
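- The more detailed the information you give about the upload point at generation time, the more precise the generated dictionary!
- When fuzzing with Burp's Intruder module, uncheck the "URL-encode these characters" option in the Payload Encoding section of the Payload panel.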