0

I'm trying to use Python requests to create a POST request together with the submit form data. Here is the HTML form:

<form action="" method="POST" enctype="multipart/form-data">
    <div class="dropzone">
        <div class="content">
            <img src="https://100dayscss.com/codepen/upload.svg" class="upload">
            <span class="filename"></span>
            <input type="file" class="input" name="image">
        </div>
    </div>
    <input class="upload-btn" type="submit" value="Upload Image" name="submit">
</form>

Here is an image of the original request (which works) using BurpSuite: Working request

Then I made this request in Python:

import requests

# s is assumed to be a requests.Session; its creation is not shown in the question
s = requests.Session()

payload_img = make_payload_img()    # Creates an image and returns the name of it
post_url = f"{target}/upload.php"   # Target is the ip of who we are sending the request to
files = {
    'image': (payload_img, open(payload_img, 'rb'), "image/png"),
}
headers = {
    "Cache-Control": "max-age=0",
    "Upgrade-Insecure-Requests": "1",
    "Origin": "http://10.10.10.185",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "Referer": "http://10.10.10.185/upload.php",
}
# The proxies are just to intercept the request on BurpSuite
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}

upload_file = s.post(post_url, files=files, headers=headers, proxies=proxies)

However, the intercepted request in BurpSuite is missing Content-Disposition: form-data; name="submit" at the end:

Not working

Is it possible to add it manually, or does Python requests multipart not allow you to do so?

2
  • Does the Python code work? Commented Jul 21, 2020 at 14:02
  • @JIZHIHAOSAMA Yes, the last image from BurpSuite is the request generated by the Python script Commented Jul 21, 2020 at 14:06

1 Answer

2

You don't need to add it in python-requests. This is not a request header. form-data represents the enctype. Besides form-data, there are also form-urlencoded and text/plain (less common). Get more information on the wiki.

Content-Disposition: Because you used files=file, it would normally be sent as form-data.

name="image": The name in the form. (In your case, it is image.)

name="submit": This usually means the submit button of the form. When you click the button on the page, it would take this. (Mostly you don't need to add it.)

If you really want to post it the first way:

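# The file goes in files=; it becomes the multipart part named "image"
files = {
    'image': (payload_img, open(payload_img, 'rb'), "image/png"),
}
# Ordinary form fields go in data=; requests adds each one as its own multipart part
data = {
    "submit": "Upload Image",
}

# post_url, headers and proxies are the variables defined in the question
requests.post(post_url, files=files, data=data, headers=headers, proxies=proxies)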
...

2 Comments

The point is that the manual way works and ends up uploading the file (first burpsuite image), and the second one doesn't. Used BurpSuite Comparer and those lines at the end were the only difference
@itasahobby So just pass data parameter in the post function.
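
The difference the comments describe can be checked without BurpSuite. The following is an added example, not code from the question or the answer: it prepares the multipart request offline with and without `data=` and lists the part names in each body. The URL, filename and image bytes are constructed placeholders, and `build_body` and `part_names` are hypothetical helper names.

```python
import io
import re

import requests

# Constructed sample bytes standing in for the image; nothing is read from disk.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed sample bytes"
# Placeholder URL (assumption); the request is only prepared, never sent.
UPLOAD_URL = "http://upload.example/upload.php"


def build_body(include_submit):
    """Prepare the multipart POST and return (content_type, body) without sending it."""
    files = {"image": ("sample.png", io.BytesIO(SAMPLE_IMAGE), "image/png")}
    data = {"submit": "Upload Image"} if include_submit else None
    prepared = requests.Request("POST", UPLOAD_URL, files=files, data=data).prepare()
    return prepared.headers["Content-Type"], prepared.body


def part_names(content_type, body):
    """Return the name= value of every multipart part, in wire order."""
    boundary = content_type.split("boundary=", 1)[1].encode()
    names = []
    for part in body.split(b"--" + boundary):
        # Part headers end at the first blank line; the payload follows it.
        head = part.split(b"\r\n\r\n", 1)[0]
        match = re.search(rb'Content-Disposition: form-data; name="([^"]+)"', head)
        if match:
            names.append(match.group(1).decode())
    return names


if __name__ == "__main__":
    for include_submit in (False, True):
        content_type, body = build_body(include_submit)
        print("data= passed:", include_submit, "-> parts:", part_names(content_type, body))
```

requests writes the `data` fields before the file parts, so `submit` appears ahead of `image` rather than at the end as in the browser's request; the part names and values are the same.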
