python 后端WEB 上传漏洞 代码
昨天没事,用 Python 写了一段后端代码,作为接收任意文件上传的 socket 连接端。
地址如下: http://good.o2oxy.cn
后端代码如下
import tornado.ioloop
import tornado.web
import hashlib
import os
import re
# Module-level list; nothing in the code shown on this page reads or writes it.
list2 = list()
class MainHandler(tornado.web.RequestHandler):
    """Upload endpoint that the page presents as an upload-vulnerability sample.

    NOTE(review): the page lost all indentation. The nesting below is
    reconstructed from the syntax (if/else pairing, ``continue`` inside the
    ``for`` loop) and should be confirmed against the author's file.

    Security-relevant behaviour visible in this class:
      * every upload is written directly under ``/www/wwwroot/good.o2oxy.cn/``,
        which by its path looks like the served web root (TODO confirm);
      * uploads are normally stored as ``<md5 of filename>.txt``, but one
        filename (matched by its MD5) is stored under the client-supplied
        name, extension included;
      * the only content control on that path is a substring denylist of
        three fixed strings, which cannot establish that content is inert;
      * no authentication or size check is performed in this handler.
    A hardened design keeps uploads outside any directory the web server
    serves or executes from and always chooses the stored name and extension
    on the server side.
    """

    def get(self,*args,**kwargs):
        """Answer GET with a fixed greeting string."""
        self.write("你好")

    def post(self,*args,**kwargs):
        """Store each file sent in the multipart form field ``fff``.

        The stored name is ``md5(cleaned filename) + '.txt'``, except for the
        single filename whose MD5 equals the hard-coded digest below, which is
        stored under its cleaned client-supplied name after a denylist check.
        """
        # Plain indexing: a request without an "fff" field raises KeyError here.
        file_metas = self.request.files["fff"]
        # Prints the raw upload objects to stdout.
        print(file_metas)
        for meta in file_metas:
            m = hashlib.md5()
            # basename() drops directory components using the host OS separator.
            file_name2=os.path.basename(meta['filename'])
            # Keep only the trailing run of characters that are none of
            # \ / : * ? " < > | CR LF (so both slash kinds are excluded).
            file = re.findall(r'[^\\/:*?"<>|\r\n]+$',file_name2)
            # findall() returns [] when nothing matches (e.g. an empty name),
            # in which case this index raises IndexError.
            file_name2=file[0]
            # MD5 is used here only to derive a storage name from the client
            # filename; equal filenames map to the same stored file, and the
            # 'wb' mode below overwrites it.
            m.update(file_name2.encode(encoding="utf-8"))
            md5_file=m.hexdigest()
            print(md5_file)
            file_name = (m.hexdigest() + '.txt')
            # Special case: exactly one cleaned filename hashes to this digest.
            if md5_file=='5a10cc4eadfbec9beb41e4201f8e8d2b':
                print(meta['body'])
                # The target uses the CLIENT-supplied name (file_name2), and it
                # is opened with 'wb' before any content check runs, so the
                # file is created or truncated even when the upload is then
                # rejected.
                with open("/www/wwwroot/good.o2oxy.cn/%s"%file_name2,'wb') as up:
                    # Each check is a plain substring test on str(body).
                    # NOTE(review): if body is bytes (Python 3), str() yields
                    # its repr text, not decoded content - confirm.
                    if str('@eval') in str(meta['body']):
                        # The message mentions an IP but none is written here.
                        self.write("your is hacker this is IP ")
                        continue
                    if str('$_POST') in str(meta['body']):
                        self.write('your is hacker this is IP ')
                        continue
                    if str('phpinfo') in str(meta['body']):
                        # Nothing is written to the (already truncated) file.
                        self.write("phpinfo")
                    else:
                        up.write(meta['body'])
                        # The response names the hashed .txt name (file_name),
                        # although the data was written under file_name2.
                        self.write(" is file name good.o2oxy.cn/%s"%file_name)
            else:
                # Default path: body is stored unfiltered as <md5>.txt.
                with open("/www/wwwroot/good.o2oxy.cn/%s"%file_name,'wb') as up:
                    up.write(meta['body'])
                    self.write("OK good.o2oxy.cn/%s"%file_name)
# Route table: the upload handler is mounted at /index.html only.
application = tornado.web.Application(
    handlers=[
        (r"/index.html", MainHandler),
    ],
)

if __name__ == "__main__":
    # NOTE(review): listen() is given a port but no bind address and no TLS
    # options, so exposure depends on whatever firewall or reverse proxy
    # sits in front of this process - confirm that is intended.
    application.listen(1234)
    tornado.ioloop.IOLoop.instance().start()


