Tags: web os.path and load attack file-upload exploit tip xxxxxx
1. Direct form submission, handled by the backend
Note the form's enctype must be "multipart/form-data"; without it the browser sends only the filename, not the file body.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>form-upload</title>
</head>
<body>
    <!-- enctype must be multipart/form-data for the file body to be sent -->
    <form action="/form_upload" method="post" enctype="multipart/form-data">
        <input type="file" name="file"/>
        <input type="submit" value="上传"/>
    </form>
</body>
</html>
The backend post method that handles both upload forms is as follows:
import os

import tornado.ioloop
import tornado.web


class FormRequest_handle(tornado.web.RequestHandler):
    def get(self, *args, **kwargs):
        self.render('iframe_upload.html', status='')

    def post(self, *args, **kwargs):
        print('post')
        # self.request.files['file'] is a list with one dict per uploaded file:
        # [{'filename': 'xxx', 'body': b'xxxxxxxxxxxxx'}]
        file_data = self.request.files['file']
        for meta in file_data:
            # filename comes straight from the client and is not sanitized here
            filename = meta['filename']
            print(filename, file_data)
            with open(os.path.join('static', filename), 'wb') as up:
                up.write(meta['body'])
        self.write('upload success')


settings = {
    'template_path': 'views',
    'static_path': 'static',
    # 'xsrf_cookies': True,  # left disabled here for the CSRF test; ignore
}

if __name__ == '__main__':
    application = tornado.web.Application([
        # (r'/index', Indexhandle),
        # (r'/manager', Managerdhandle),
        # (r'/csrf', Csrf_handle),
        # (r'/xml', XmlHttpRequest_handle),
        (r'/form_upload', FormRequest_handle),  # target of the plain form in section 1
        (r'/iframe', FormRequest_handle),
    ], **settings)
    application.listen(8089)
    tornado.ioloop.IOLoop.instance().start()
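The handler above passes the browser-supplied filename unchanged to os.path.join('static', filename), so a name like ../app.py can land outside the static directory and any file type is accepted. The following hardened version is an added example, not code from the original post; the ALLOWED_EXTENSIONS policy and the SafeUploadHandler name are assumptions made for this example.

```python
import os

try:
    import tornado.web
except ImportError:  # tornado not installed: safe_upload_path still works stand-alone
    tornado = None

# Assumed policy for this example: only these extensions may be stored.
ALLOWED_EXTENSIONS = {'.png', '.jpg', '.jpeg', '.gif', '.txt'}


def safe_upload_path(upload_dir, client_filename):
    """Return an absolute path inside upload_dir for a client-supplied name,
    or None when the name is unsafe or its extension is not allowed.

    The filename sent by the browser is attacker-controlled: it may contain
    path separators ('../app.py') or an executable extension, and
    os.path.join('static', '../app.py') escapes the static directory.
    """
    # Keep only the last path component; handle both '/' and '\\' separators.
    name = os.path.basename(client_filename.replace('\\', '/'))
    # Reject empty names, dot-files and the special names '.' and '..'.
    if not name or name.startswith('.'):
        return None
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: the resolved path must still be inside upload_dir.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if tornado is not None:
    class SafeUploadHandler(tornado.web.RequestHandler):
        """Drop-in replacement for the post's handler, using the checks above."""

        def post(self, *args, **kwargs):
            for meta in self.request.files.get('file', []):
                target = safe_upload_path('static', meta['filename'])
                if target is None:
                    self.set_status(400)
                    self.write('rejected: unsafe filename or type')
                    return
                with open(target, 'wb') as up:
                    up.write(meta['body'])
            self.write('upload success')
```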
2. Fake ajax (iframe): this method sends the request without reloading the page by using the iframe's partial-refresh behaviour, and it has better browser compatibility.
<body>
<form id="myform" action="/iframe" method="post" enctype="multipart/form-data">
    <input type="file" name="file"/>
    <input type="button" value="上传" onclick="redirect()"/>
    <iframe id="myiframe" name="my_iframe"></iframe>
</form>
<script src="{{static_url('jquery-3.2.1.js')}}"></script>
<script>
    function redirect() {
        // run test() once the iframe has finished loading the server response
        // document.getElementById('myiframe').onload = test;
        $('#myiframe').one('load', test);
        // target must be the iframe's name (my_iframe); using the id myiframe behaves differently
        document.getElementById('myform').target = 'my_iframe';
        document.getElementById('myform').submit();
        // $('#myform').submit();
    }
    function test() {
        var t = $('#myiframe').contents().find('body').text();
        console.log(t);
    }
</script>
</body>
Several forms of file upload in Tornado: form, fake ajax (iframe)
Original article: http://www.cnblogs.com/wangwei916797941/p/6853017.html