Uploading files in web applications is nowadays a common feature. Being able to automate these steps using Burp, Curl, Python & Co. doesn’t seem to be an easy task. Basically the automation involves following steps:

In Burp you’re allowed to copy a certain request as a curl command, which simplifies things. Given a POST request, Burp will convert it to a valid curl command like:

```bash
curl -i -X 'POST' \
    -H <Header 1> \
    -H <Header 2> \
    --data-binary $'-----------------------------12271989442246301301198248013\x0d\x0aContent-Disposition: form-data; name=\"name\"\x0d\x0a\x0d\x0a<name of file>\x0d\x0a-----------------------------12271989442246301301198248013\x0d\x0aContent-Disposition: form-data; name=\"attachment\"; filename=\"<NAME OF FILE>\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0a<CONTENT OF FILE>\x0d\x0a-----------------------------12271989442246301301198248013--\x0d\x0a' \
    <target url>
```

Having tried this neat Burp feature, I can tell you that the curl commands won’t trigger the same requests as in Burp. I don’t know why, nor have I investigated this further. Modifying the curl script will definitely cause you some headaches. Using Python and requests will help you automate your file uploads in an easy way. Here is my gist:

```python
import requests
from glob import glob

# Config stuff
url = "https://www.yourapp.com/add/new/file"
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0'
    # Add here more headers (but not Content-Type: requests sets it,
    # including the multipart boundary, when files= is used)
}

# You may want to see the requests in some proxy (burp)
proxies = {
    'http': 'http://192.168.0.1:8080',
    'https': 'http://192.168.0.1:8081',
}


# For a given path, iterate through files and repeat the request
def do_fuzz(path):
    for f in glob(path):
        # Open the file in a context manager so the handle is closed again
        with open(f, 'rb') as fh:
            # Create attachment
            files = {
                'attachment': ("petter.jpg", fh, 'image/jpeg'),
                # (None, value) sends a plain form field without a filename,
                # like the "name" part in the Burp request
                'name': (None, "image.jpg"),
            }
            # Send attachment
            r = requests.post(
                url,
                headers=headers,
                proxies=proxies,
                verify=False,  # certificate checks are off so the proxy can intercept TLS
                files=files
            )
        # Here do whatever with the response


# Do fuzzing
do_fuzz("/home/victor/fuzz/Pictures/*")
```
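The curl command above spells out the multipart/form-data framing byte by byte (`\x0d\x0a` is CRLF). As an added example, not part of the original post or gist, this standard-library sketch builds the same framing and parses a body back into its parts, so a body captured in the proxy can be checked field by field. The function names, the boundary and the sample bytes are assumptions constructed for the illustration.

```python
from email.parser import BytesParser
from email.policy import HTTP
import uuid

CRLF = b"\r\n"  # the \x0d\x0a sequences in the curl command


def _param(value):
    # Quotes or line breaks in a name/filename would corrupt the part header.
    if any(c in value for c in '"\r\n'):
        raise ValueError(f"unsafe header parameter: {value!r}")
    return value


def build_multipart(fields, files, boundary=None):
    """fields: {name: str}; files: {name: (filename, bytes, mime)}."""
    boundary = boundary or uuid.uuid4().hex
    delim = b"--" + boundary.encode()
    lines = []
    for name, value in fields.items():
        disp = f'Content-Disposition: form-data; name="{_param(name)}"'
        lines += [delim, disp.encode(), b"", value.encode()]
    for name, (filename, content, mime) in files.items():
        disp = (f'Content-Disposition: form-data; name="{_param(name)}"; '
                f'filename="{_param(filename)}"')
        lines += [delim, disp.encode(),
                  f"Content-Type: {_param(mime)}".encode(), b"", content]
    lines += [delim + b"--", b""]  # closing delimiter plus final CRLF
    return f"multipart/form-data; boundary={boundary}", CRLF.join(lines)


def parse_multipart(content_type, body):
    """Return [(name, filename, mime, payload)] for a captured body."""
    raw = b"Content-Type: " + content_type.encode() + CRLF * 2 + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    parts = []
    for part in msg.iter_parts():
        params = part["Content-Disposition"].params
        parts.append((params["name"], params.get("filename"),
                      part.get_content_type(), part.get_payload(decode=True)))
    return parts


if __name__ == "__main__":
    # Constructed sample: a few JPEG-like bytes, not a real image.
    ctype, body = build_multipart(
        {"name": "image.jpg"},
        {"attachment": ("petter.jpg", b"\xff\xd8\xff\xe0constructed", "image/jpeg")})
    for part in parse_multipart(ctype, body):
        print(part)
```

A part without its own Content-Type header is reported as `text/plain`, the parser's default.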