sc0tfree / updog
Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth.
License: MIT License
Assume you are in the directory ~/cwd and you do updog -d $(readlink -f ~/www). A POST to /upload with an empty path parameter will upload the file to ~/cwd instead of ~/www
~% mkdir ~/www ~/cwd
~% cd ~/cwd
~/cwd% ~/.local/bin/updog -d $(readlink -f ~/www) &
[1] 4124
~/cwd]% [+] Serving /home/justin/www...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
~/cwd% ls issue
ls: cannot access 'issue': No such file or directory
~/cwd% curl -v http://127.0.0.1:9090/upload -F 'file=@/etc/issue' -F 'path='
* Expire in 0 ms for 6 (transfer 0x5585447baf90)
* Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5585447baf90)
* Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
> POST /upload HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 317
> Content-Type: multipart/form-data; boundary=------------------------286bd5dc6119e79d
>
127.0.0.1 - - [19/Feb/2020 12:22:22] "POST /upload HTTP/1.1" 302 -
* HTTP 1.0, assume close after body
< HTTP/1.0 302 FOUND
< Content-Type: text/html; charset=utf-8
< Content-Length: 207
< Location: http://127.0.0.1:9090/None
< Server: Werkzeug/1.0.0 Python/3.7.6
< Date: Wed, 19 Feb 2020 01:22:22 GMT
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Closing connection 0
<p>You should be redirected automatically to target URL: <a href=""></a>. If not click the link.
~/cwd% ls issue
issue
~/cwd% cat issue
Debian GNU/Linux 10 \n \l
If the user is in ~ or another interesting directory at the time of doing updog -d /some/other/directory then a remote attacker can overwrite interesting files such as .ssh/authorized_keys
I suggest to add a command-line option to allow setting a custom SSL-certificate.
ssl_context can be set with a tuple of (certificate.pem, key.pem).
When using Let's Encrypt you are provided with fullchain.pem and privkey.pem.
I suggest a command-line option like this:
updog --ssl-cert fullchain.pem --ssl-key privkey.pem
title
what's updog?
How can I specify a different interface on a system with multiple network interfaces?
Hi! As name suggests, I think it would be nice to have a --read-only/--no-upload/... switch that disables the upload functionality. What do you think?
hope add drag upload function.
I get a NET::ERR_CERT_AUTHORITY_INVALID on Chrome.
Command used: updog -d . -p 8000 --ssl
Do I need to generate the SSL certificate and set it somewhere manually? If so, can you give me the steps on how to do that so it'll work with updog? Or is it the same as how you would do it with SimpleHTTPServer? (I've never used SSL on SimpleHTTPServer)
Dear Sc0tfree,
updog project is really great and can replace python's http simple server.
What it missed is the support of video streaming when I click view in browser.
May I ask if it is related to the conditional option of flask's send_file functions used in updog?
https://flask.palletsprojects.com/en/1.1.x/api/#flask.send_file
If the video seek function is included, sc0tfree will be more perfect.
Thanks again.
I tried before there can't upload over 1Mb files size
My VPS is dual stack with both IPv4 & IPv6. While I successfully deployed updog, it turns out that updog is accessible only with IPv4; any attempt at accessing it with IPv6 will end up with an alert that says: ERR_CONNECTION_REFUSED.
And I checked netstat -tunlp, which confirms the problem: the process is only listening on 0.0.0.0, not on ::, so it won't work on IPv6.
Hopefully you can work this out, thanks.
Win10 python 3.7 X64
Both these could not get in D:\Test
updog -d D:\\ -p 1920
updog -d D:\ -p 1921
In chrome if get http://127.0.0.1:1920/Test
will hit http://127.0.0.1:1920/est
But this works
cd /d D:\
updog -p 1922
is it possible to make sharex config for it?
Hi there,
This may be an issue with me rather than updog so maybe some guidance would be great. When I upgrade Kali all of a sudden when I try to run updog I get this issue pictured. It also happens with other python tools like Autorecon so it is not entirely an Updog problem. Have you any guidance on how best to install it to avoid this issue? Maybe clone the repository and just call a python file directly every time rather than expect it to run by just typing updog or something although to be honest I like that simplicity.....
Thanks
Error: Internal Server Error when browsing to http://127.0.0.1:9090/ . Changed port, same. python ./setup install completed without issues.
Server itself outputs: "127.0.0.1 - - [03/Dec/2020 09:43:48] "GET / HTTP/1.1" 500 -"
In a fresh Ubuntu env I installed pip3, then pip3 install updog (which succeeded without errors) and then when I try and run "updog" I get command not found :(
Hi there,
I couldn't find a SECURITY.md in your repository and so am not sure how to best contact you privately to disclose the security issue.
Can you add a SECURITY.md file with your e-mail to your repository, so that I know who to contact? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.
Once you've done that, please let me know so I can ping you the info.
Thanks! (cc @JamieSlome)
Starting the server with "updog" allows stopping the server with CTRL+C. However, after navigation and subsequent console output, the terminal hangs when attempting to capture CTRL+C event. The delay seems to be coupled with some internal I/O block and does not properly listen for the stop signal.
Open text files such as txt directly in the browser. For scenarios where you only need to view the contents of the file, you can avoid downloading the file
Updog listing explodes if it's asked to list a directory containing a dead symlink.
To reproduce:
ln -s super-dead dead-link
I would appreciate an upload-only mode. Just like https://github.com/stackp/Droopy. But don't make it the default (like Droopy does). I guess default should be #3.
So two new flags:
--allow-upload
--upload-only
Thanks for the great tool, btw. ;)
First of all thanks for the great tool being a really nice replacement for http.server on steroids
One thing I'd love to have is the support for CORS headers / enabling CORS for the server.
Background:
In some places I'd like to maybe serve a small script or similar to a web page (e.g. to inject some arbitrary code). However, browsers will block loading the resource if the server does not send appropriate CORS headers.
Potential solution:
Since updog uses Flask it might be as easy as to bring in https://github.com/corydolphin/flask-cors and add an additional command line argument, e.g. --cors to enable this behavior (as an opt-in).
If you in general agree on this being a good idea I could come up with a PR.
Downside:
It would increase the list of dependencies of updog to include flask-cors and make the installation bigger.
Steps to reproduce:
I wrote one already, it works for me, maybe it will help others
FROM python:3.8-alpine
WORKDIR /uploads
VOLUME /uploads
RUN apk add gcc musl-dev libffi-dev openssl-dev
RUN pip install updog
EXPOSE 9090
CMD ["updog"]
I think it should be better if instead of pip installing it installed the requirements.txt, but I wrote it this way and it works
As above.
I think it would be useful to disable leaking the full directory path in the upper label.
If the server's owner decides to point updog to a certain folder, that should be the root of the webserver, full stop.
e.g. in the main example:
Directory: /home/sc0tfree
vs. something like:
Directory: /
I will never want to disclose the real path of the folder in which updog operates, but if somebody else believes otherwise, then this could be an option, rather than a hardcoded change.
EDIT: also, this "chrooted" behavior is more in line with python's http.server than displaying the full directory listing.
If I were to use this as an upload/download file server, I don't necessarily want everyone I share the link with to be able to see all files.
A simple --no-listing would be great :)
Updog is functional on 3.11 but when trying to run on 3.10.x, I receive the following error
> updog
Traceback (most recent call last):
File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\runpy.py", line 86, in _run_code
exec(code, run_globals)
File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\Scripts\updog.exe\__main__.py", line 4, in <module>
File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\site-packages\updog\__main__.py", line 5, in <module>
from flask import Flask, render_template, send_file, redirect, request, send_from_directory, url_for, abort
File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\site-packages\flask\__init__.py", line 19, in <module>
from jinja2 import Markup, escape
ImportError: cannot import name 'Markup' from 'jinja2' (C:\Users\consultant\AppData\Roaming\Python\Python310\site-packages\jinja2\__init__.py)
Less an issue more a feature request: I would love to see WebDAV be added to updog so versatility goes up the wall!
I love the tool!
Would it be possible to add functionality to download directories as zip archives. As of now we have to zip the directory on the host and then run updog one level higher. It would be nice to run updog in a directory and be able to download all the contents of the given directory.
The Updog listing 403's if given a directory with a symbolic link to an inaccessible file.
To reproduce:
/etc directory, which had a symlink to something walled off to my user in /boot.
Expected behavior is that only the affected path should be affected, not the parent directory with the link.
Here is an awesome feature request that would add massive pentest value.
I would like to be able to use curl and wget to upload files from Linux boxes to my updog web server. This is great for when you have shell but no browser access and want an easy way to transfer files. Curl and Wget both these methods just need updog to support receiving them.
Whenever I start updog the interface is eth0, where I need tun0. How can I change it?
Doing updog -d with a relative path causes breakage in is_valid_subpath() and hence nothing really works.
e.g.
Does not work:
% mkdir www
% echo "hello world" > www/hello.txt
% updog -d www &
[1] 4001
% [+] Serving www...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
% curl 127.0.0.1:9090/hello.txt
127.0.0.1 - - [19/Feb/2020 12:10:34] "GET /hello.txt HTTP/1.1" 200 -
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Meta tags -->
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<!-- Title -->
<title>updog - www</title>
[... SNIP - home page is returned ...]
Works:
% kill %1
[1] + terminated ~/.local/bin/updog -d www
% ~/.local/bin/updog -d $(readlink -f www) &
[1] 4019
% [+] Serving /home/justin/www...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
% curl 127.0.0.1:9090/hello.txt
127.0.0.1 - - [19/Feb/2020 12:12:06] "GET /hello.txt HTTP/1.1" 200 -
hello world
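Both this report and the earlier empty-path upload report come down to how the served directory and the client-supplied path are combined. The sketch below is an added example, not updog's own code: naive_dest, safe_dest and demo are hypothetical names, and the temporary directory layout is constructed to mirror the ~/cwd and ~/www setup from the reports.

```python
import os
import tempfile


def naive_dest(form_path, filename):
    # Constructed "before": with path='' this is a bare relative name,
    # which the OS resolves against the process working directory.
    return os.path.join(form_path, filename)


def safe_dest(base, form_path, filename):
    # Resolve the served directory first, so a relative -d value such
    # as "www" compares correctly; an empty path means the base itself.
    base = os.path.realpath(base)
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("bad filename")
    target_dir = os.path.realpath(os.path.join(base, form_path or "."))
    # os.path.join discards base when form_path is absolute, so this
    # containment check is what enforces the boundary.
    if os.path.commonpath([base, target_dir]) != base:
        raise ValueError("path escapes served directory")
    return os.path.join(target_dir, name)


def demo():
    # Constructed layout mirroring the reports: run from cwd, serve www.
    root = os.path.realpath(tempfile.mkdtemp())
    os.mkdir(os.path.join(root, "cwd"))
    os.mkdir(os.path.join(root, "www"))
    old = os.getcwd()
    os.chdir(os.path.join(root, "cwd"))
    try:
        base = os.path.join("..", "www")  # relative -d value
        results = {
            "naive": os.path.abspath(naive_dest("", "issue")),
            "safe": safe_dest(base, "", "issue"),
        }
        for bad in ("..", "/etc", os.path.join("..", "cwd")):
            try:
                safe_dest(base, bad, "issue")
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
    finally:
        os.chdir(old)
    return root, results
```

A long-running server would normally resolve the base once at startup rather than per request, so that a later change of working directory cannot move it.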
Hi,
every time I'm trying to upload:
curl -F '[email protected];filename=header.cap' http://127.0.0.1:9090/ -v
* Trying 127.0.0.1:9090...
* Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 804
> Content-Type: multipart/form-data; boundary=------------------------3c87d2a52649c76a
>
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 405 METHOD NOT ALLOWED
< Content-Type: text/html; charset=utf-8
< Allow: GET, HEAD, OPTIONS
< Content-Length: 178
< Server: Werkzeug/1.0.1 Python/3.9.2
< Date: Sat, 20 Mar 2021 14:29:35 GMT
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The method is not allowed for the requested URL.</p>
* Closing connection 0
and from server side I get:
updog -p 9090
[+] Serving /home...
* Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
127.0.0.1 - - [20/Mar/2021 10:29:35] "POST / HTTP/1.1" 405 -
What am I doing wrong?
I can get the files just fine using wget http://myip:port/filename. But, accessing remote files on my local pc doesn't really seem to be working for me. Can you please let me know how to best access the remote files?
Hello
I just wanted to let you know that we received multiple vulnerability disclosures against your repository through our disclosure program. I tried looking for a contactable e-mail on your repository and for a security process, but could not find either - hence the issue.
You can view the details for each:
https://huntr.dev/bounties/1-sc0tfree/updog/
https://huntr.dev/bounties/2-sc0tfree/updog/
https://huntr.dev/bounties/3-sc0tfree/updog/
https://huntr.dev/bounties/4-sc0tfree/updog/
https://huntr.dev/bounties/5-sc0tfree/updog/
The reports are private to you and the reporter. If you would prefer not to sign-up, let me know a preferred method to deliver the contents of the disclosures, and I will be happy to send them over to you.
-- Jamie from huntr.dev
Nice project, I'm just not sure the current description is really the best for it.
Because that's true I sometimes use "python3 -m http.server" to download files from another PC but more than half of my recent usages are for quickly serving my hugo powered blog static files.
I tried with updog to serve a folder including an index.html file but by default it's always showing listing view, and if "View in Browser" button is rendering correctly the HTML, click a link is showing again the default view. That's not really what I'm expecting from a SimpleHTTPServer replacement.
Also another quick feedback: have to provide -d for overriding default folder is annoying, better promote it as an optional positional argument.
Is there a way to upload/download files directly from the command line?
Hi,
First of all I love this tool and I use it daily. There is probably a simple "fix" for this question but I thought you could help me out.
I notice that when a file is grabbed successfully with a 200 response the font is white and when it fails with a 302 response it is green.
I find this confusing so I want green for the successful 200 responses and red for the 302 responses indicating they require attention.
How is this achieved please?
Thanks again
Hello!
This is a great tool. But if there was a feature to change the directory from the web front end that would be great i guess.
Hi,
Just seen this as a tool and would love to use it. However, when I start it, the default is my host IP. When I use HTB and THM, there is obviously a VPN link and a new address. From the help I could not see a way of engaging options to have that IP used instead.
Any pointers appreciated.
K