1 | | -# upload_forge |
| 1 | +# Upload Forge 🛡️ |
| 2 | + |
| 3 | +**Professional File Upload Vulnerability Scanner** |
| 4 | + |
| 5 | +   |
| 6 | + |
2 | 7 | Upload Forge is a powerful, production-grade security tool designed to detect and exploit file upload vulnerabilities in web applications. Built for penetration testers and security researchers, it automates the process of testing file upload forms against a wide variety of bypass techniques. |
| 8 | + |
| 9 | +## ✨ Key Features |
| 10 | + |
| 11 | +- **🚀 Async Scanning**: High-performance scanning engine powered by `httpx` and `asyncio`. |
| 12 | +- **🕵️ Advanced Detection Logic**: |
| 13 | + - **Extension Bypasses**: Double extensions (`.php.jpg`), case sensitivity (`.pHp`), and rare extensions (`.phtml`, `.php5`). |
| 14 | + - **Magic Byte Spoofing**: Generates payloads with fake headers (e.g., PNG, GIF89a) to bypass content inspection. |
| 15 | + - **Null Byte Injection**: Detects older backend vulnerabilities (`shell.php%00.jpg`). |
| 16 | + - **Polyglots**: Creates valid image files that also contain executable code. |
| 17 | +- **🖥️ Modern GUI**: A beautiful, dark-themed graphical interface built with PySide6 for easy configuration and real-time monitoring. |
| 18 | +- **💻 Rich CLI**: A feature-packed command-line interface with progress bars, tables, and detailed logging. |
| 19 | +- **📊 Reporting**: Generates professional HTML and JSON reports. |
| 20 | +- **🛡️ Verification**: Automatically verifies vulnerabilities by attempting to access and execute uploaded files. |
| 21 | + |
| 22 | +## 📦 Installation |
| 23 | + |
| 24 | +1. **Clone the repository**: |
| 25 | + ```bash |
| 26 | + git clone https://github.com/errorfiathck/upload-forge.git |
| 27 | + cd upload-forge |
| 28 | + ``` |
| 29 | + |
| 30 | +2. **Install dependencies**: |
| 31 | + ```bash |
| 32 | + pip install -r requirements.txt |
| 33 | + ``` |
| 34 | + |
| 35 | +## 🚀 Usage |
| 36 | + |
| 37 | +### Graphical Interface (GUI) |
| 38 | +Launch the modern dashboard: |
| 39 | +```bash |
| 40 | +python upload_forge.py gui |
| 41 | +``` |
| 42 | + |
| 43 | +### Command Line Interface (CLI) |
| 44 | +Run a scan directly from your terminal: |
| 45 | + |
| 46 | +```bash |
| 47 | +python upload_forge.py scan --url http://target.com/upload --param file --upload-dir http://target.com/uploads/ |
| 48 | +``` |
| 49 | + |
| 50 | +**Options:** |
| 51 | +- `--url`: Target upload URL (Required). |
| 52 | +- `--param`: Name of the file input parameter (Default: `file`). |
| 53 | +- `--upload-dir`: URL where uploaded files are stored (for verification). |
| 54 | +- `--proxies`: Proxy string (e.g., `http://127.0.0.1:8080`). |
| 55 | + |
| 56 | +## 🧪 Testing |
| 57 | + |
| 58 | +A vulnerable Flask application is included for testing purposes. |
| 59 | + |
| 60 | +1. Start the vulnerable server: |
| 61 | + ```bash |
| 62 | + python vulnerable_app.py |
| 63 | + ``` |
| 64 | +2. Run the scanner against it: |
| 65 | + ```bash |
| 66 | + python upload_forge.py scan --url http://127.0.0.1:5000/upload --upload-dir http://127.0.0.1:5000/uploads/ |
| 67 | + ``` |
| 68 | + |
| 69 | +## ⚠️ Disclaimer |
| 70 | + |
| 71 | +This tool is for **educational and authorized testing purposes only**. Do not use it on systems you do not have explicit permission to test. The authors are not responsible for any misuse. |
| 72 | + |
| 73 | +## 🤝 Contribution |
| 74 | + |
| 75 | +Contributions are welcome! Please submit a Pull Request or open an Issue. |
| 76 | + |
| 77 | +--- |
| 78 | +*Built with ❤️ by ErrorFiat* |
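Review bot: The Verification feature ("Automatically verifies vulnerabilities by attempting to access and execute uploaded files") necessarily leaves test artifacts in the target's upload directory, but the README never states what the verification payload does once executed, whether the scanner records the paths of every file it uploaded, or how a tester removes them afterwards; add a short paragraph under Usage (or next to the `--upload-dir` option, which is where verification is configured) covering exactly that, because executable files left behind after an authorized engagement are themselves a finding the client will have to chase. Two smaller points: the Testing section should say explicitly that `vulnerable_app.py` is intentionally insecure and is meant to be run only on a loopback address (the example already targets `http://127.0.0.1:5000`, so one sentence such as "never expose it on a reachable interface" is enough), and the whitespace-only line `+   ` just above the introduction looks like a leftover from a removed badge or image block and should be dropped.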