A tool for injecting the magic bytes of allowed file types and spoofing the MIME type, in order to exploit vulnerable file upload forms that use these as the sole validation mechanism.
expload.py [-h] -u URL -p PAYLOAD -e EXT -n NAME -f FILENAME [-d] [-h2] [-he HEADERS [HEADERS ...]] [-c COOKIES] [-r]

expload args

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     url to upload to
  -p PAYLOAD, --payload PAYLOAD
                        path to file to upload
  -e EXT, --ext EXT     extension to spoof
  -n NAME, --name NAME  field name for file upload
  -f FILENAME, --filename FILENAME
                        file name to upload with
  -d, --doubleextend    spoofed extension inserted into filename
  -h2, --http2          use http2 if supported
  -he HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        headers and keys colon seperated
  -c COOKIES, --cookies COOKIES
                        cookies seperated by ; and wrapped in quotes
  -r, --response        display the response from the target webapp
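For the receiving side, the following added example (not part of expload.py or this project) contrasts the validation described above, client-sent MIME type plus magic bytes only, with a stricter server-side check. It assumes a form that accepts PNG only; all function names and sample bytes are constructed for illustration.

```python
import os
import struct
import uuid
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png"}  # assumption: this form accepts PNG only

def weak_check(content_type, data):
    # The sole checks the page calls insufficient: client-sent MIME type + magic bytes.
    return content_type == "image/png" and data.startswith(PNG_SIG)

def png_is_well_formed(data):
    # Walk every chunk: bounds, CRC, IHDR first, IEND last, no trailing bytes.
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc or (first and ctype != b"IHDR"):
            return False
        first, pos = False, end
        if ctype == b"IEND":
            return pos == len(data)
    return False

def strict_check(filename, data):
    # Returns a server-generated storage name, or None when the upload is rejected.
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or parts[1].lower() not in ALLOWED_EXT:
        return None                      # double or non-allowlisted extension
    if not png_is_well_formed(data):
        return None                      # magic bytes alone are not enough
    return uuid.uuid4().hex + ".png"     # the client-chosen name is never used

def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a real 1x1 grayscale PNG, and PNG magic bytes followed by filler.
VALID_PNG = (PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
SPOOFED = PNG_SIG + b"PLACEHOLDER-NON-IMAGE-CONTENT"

if __name__ == "__main__":
    for name, blob in [("avatar.png", VALID_PNG), ("avatar.png", SPOOFED), ("upload.png.txt", VALID_PNG)]:
        print(name, weak_check("image/png", blob), strict_check(name, blob))
```

Chunk validation does not stop content carried inside otherwise valid chunks. Re-encoding the image and serving uploads from a location where nothing is executed cover that case.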