adminlzzs'blog

利用Zoomeye来进行批量漏洞的挖掘（一）

今天有空玩了下Zoomeye，了解后深深感觉知道创宇的牛逼，和shodan有点像，是基于网络空间的扫描，按理论来说，只要是连上网的电子设备都可以扫得到。。。。在网上看到有人用python来调用Zoomeye的Api，我也玩了一下，加了点自己的东西进去。。。可以自己根据需求来改，看你想搜索什么，我的代码是搜索了dedecms（你也可以搜索其他一些漏洞），把搜到的所有IP主机和可以正常访问的IP主机分别保存在ip_list.txt和real.txt中（之后就可以批量嘿嘿嘿）。看代码。。。

#coding:utf-8

import os

import requests

import json

 

access_token = ''

ip_list = []

 

def login():

    """

        输入用户名和密码 进行登录操作

    :return: 访问口令 access_token

    """

    user = raw_input('[-] input : username :')

    passwd = raw_input('[-] input : password :')

    data = {

        'username' : user,

        'password' : passwd

    }

    data_encoded = json.dumps(data)  # dumps 将 python 对象转换成 json 字符串

    try:

        r = requests.post(url = 'https://api.zoomeye.org/user/login',data = data_encoded,verify=False)

        r_decoded = json.loads(r.text) # loads() 将 json 字符串转换成 python 对象

        global access_token

        access_token = r_decoded['access_token']

    except Exception,e:

        print '[-] info : username or password is wrong, please try again '

        exit()

 

def saveStrToFile(file,str):

    """

        将字符串写如文件中

    :return:

    """

    with open(file,'w') as output:

        output.write(str)

 

def saveListToFile(file,list):

    """

        将列表逐行写如文件中

    :return:

    """

    s = '\n'.join(list)

    with open(file,'w') as output:

        output.write(s)

 

def apiTest():

    """

        进行 api 使用测试

    :return:

    """

    page = 1

    global access_token

    with open('access_token.txt','r') as input:

        access_token = input.read()

    # 将 token 格式化并添加到 HTTP Header 中

    headers = {

        'Authorization' : 'JWT ' + access_token,

    }

    # print headers

    while(True):

        try:

             

            r = requests.get(url = 'https://api.zoomeye.org/host/search?query="dedecms"&facet=app,os&page=' + str(page),

                         headers = headers,verify=False)

            r_decoded = json.loads(r.text)

            #print r_decoded

            #print r_decoded['total']

            for x in r_decoded['matches']:

                #print x['ip']

                ip_list.append(x['ip'])

            #print '[-] info : count ' + str(page * 10)

 

        except Exception,e:

            # 若搜索请求超过 API 允许的最大条目限制 或者 全部搜索结束，则终止请求

            if str(e.message) == 'matches':

                print '[-] info : account was break, excceeding the max limitations'

                break

            else:

                print  '[-] info : ' + str(e.message)

        else:

            if page == 10:

                break

            page += 1

def ceshi():

    ip_list2=''

    f=open('ip_list.txt','r')

    ip_list2=f.read()

    f.close()

    ip_list2=ip_list2.strip().split('\n')

    real_ip=[]

    f1=open('real.txt','w+')

    headers={'Accept-Language':'zh-CN,zh;q=0.8',

            'User-Agent':'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36'}

    for each in ip_list2:

        try:

            res=requests.get('https://'+each,headers=headers)

            if(res.status_code==200):

                print each

                with open('real.txt','a+') as f1:

                    f1.write(each+'\n')

        except:

            pass

    

    

def main():

    # 访问口令文件不存在则进行登录操作

    if not os.path.isfile('access_token.txt'):

        print '[-] info : access_token file is not exist, please login'

        login()

        saveStrToFile('access_token.txt',access_token)

 

    apiTest()

    saveListToFile('ip_list.txt',ip_list)

    ceshi()

 

if __name__ == '__main__':

    main()