1.socket

端到端的交互

  1. socket协议--套接字:(ipport);//socket模块可以用来模拟客户端服务端之间端到端的交互
  2. 反查域名->ip;端口爆破;子域名查询;

1.反查域名

  1. def function1(url,port):
  2. ip=socket.getaddrinfo(url,port)
  3. print(ip)
  4. url=input("请输入url:")
  5. port1=int(input("端口:"))
  6. function1(url,port1)
  7. #getaddinfo把url转换成IP地址
  8. def function2(url):
  9. ip=socket.gethostbyname(url)#不需要端口
  10. print(ip)
  11. url=input("域名:")
  12. function2(url)

2.端口爆破

  1. ip=input("ip:")
  2. ports={21,22,135,443,445,80,1443}
  3. server=socket.socket(socket.AF_INET,socket.SOCK_STREAM)#初始化对象;建立tcp连接
  4. #socket.AF_INET//使用ipv4 socket.SOCK_STREAM使用tcp
  5. for x in ports:
  6. try:
  7. port=server.connect_ex((ip,x))#connext_ex模块连接成功返回0
  8. if port==False:
  9. print(ip+":"+str(x)+"|open")
  10. else:
  11. print (ip + ":" + str (x) + "|close")
  12. except Exception as err:
  13. print(err)

3.子域名查询

  1. def zym_check(url):
  2. url=url.replace('www','')
  3. for zym in open('dic.txt'):
  4. zym=zym.replace('\n','')
  5. zym_url=zym+url
  6. try:
  7. ip=socket.gethostbyname(zym_url)
  8. print(+"->"+ip)
  9. except Exception as e:
  10. print(zym_url+"->error")
  11. zym_check('www.baidu.com')

2.sys模块

sys模块—>获得用户的输入模块;获取用户的输入参数

  1. def Dns_Check(url):
  2. return os.system('nslookup '+url)
  3. def Port_Fuzz(url):
  4. ip = socket.gethostbyname (url)
  5. #print(ip)
  6. ports = [21, 22, 135, 443, 445, 80, 1443]
  7. server = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
  8. for x in ports:
  9. try:
  10. port = server.connect_ex ((ip, x))
  11. if port==False:
  12. print(ip+":"+str(x)+"-->open")
  13. else:
  14. continue
  15. except Exception as err:
  16. print (err)
  17. def Zym_Check(url,dic=''):
  18. print(dic)
  19. if dic=='':
  20. dic='fuzz.txt'
  21. url=url.replace('www','')
  22. for zym in open(dic):
  23. zym=zym.replace('\n','')
  24. zym_list=zym+url
  25. try:
  26. ip=socket.gethostbyname(zym_list)
  27. print(zym_list+"->"+ip)
  28. except Exception as e:
  29. pass
  30. if __name__ == '__main__':
  31. if (sys.argv[1]).lower() == '-all':
  32. Dns_Check(sys.argv[2])
  33. Zym_Check(sys.argv[2])
  34. elif (sys.argv[1]).lower() == '-sdn':
  35. Dns_Check(sys.argv[2])
  36. elif (sys.argv[1]).lower() == '-url':
  37. Zym_Check(sys.argv[2])

![Z12O~%TVQLF%BFZUG1XW3K.png

3.requests模块

平台网站:https://xie1997.blog.csdn.net/article/details/82951408
链接

  1. import requests
  2. url='http://www.baidu.com/'
  3. proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
  4. """
  5. 1get-->请求数据-->发起请求,获取完整的数据,速度慢-->获取网页的内容,爬虫,poc编写
  6. 2psot-->发送数据-->主动服务器提交数据,返回获取完整的数据-->提交数据,获取网页返回的结果,爬虫,poc编写
  7. 3head-->头请求-->很少网络流量获得概要信息,获取请求头,状态码,速度极快-->敏感目录扫描
  8. """
  9. requests_url=requests.get(url=url,proxies=proxies,verify=False)
  10. print(requests_url.text)
  11. '''
  12. proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
  13. requests_url=requests.get(url=url,proxies=proxies,verify=False)
  14. print(requests_url.text)
  15. GET / HTTP/1.1
  16. Host: www.baidu.com
  17. User-Agent: python-requests/2.24.0
  18. Accept-Encoding: gzip, deflate
  19. Accept: */*
  20. Connection: close
  21. 构造的请求数据包;
  22. '''
  23. #修改数据包特征
  24. header={
  25. 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36'
  26. }
  27. #重新请求数据包
  28. requests_url=requests.get(url=url,proxies=proxies,verify=False,headers=header)
  29. print(requests_url.status_code)
  30. """
  31. GET / HTTP/1.1
  32. Host: www.baidu.com
  33. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
  34. Accept-Encoding: gzip, deflate
  35. Accept: */*
  36. Connection: close
  37. """

Z32O6{HMMFQ]HX)6BPZ369N.png

  1. #设置URL
  2. url=r"http://www.hnyysyz.com/Site_admin/login.aspx"
  3. #url支持参数格式化http://www.langzi.fun/ge?key2=value2&key1=value1
  4. #print(requests_url.text) #返回Unicode格式的数据(str)
  5. #print(requests_url.content)# 打印出网页的内容--bytes格式
  6. print(r.content.decode('utf-8'))
  7. # 请求的网页的内容--字符串格式,自动转换成中文,不同网站编码不同
  8. print(r.url)
  9. # 请求的网址,字符串类型
  10. print(r.headers)
  11. # 请求头,字典类型
  12. print(r.status_code)
  13. # 状态吗,整数类型
  14. print(r.encoding)
  15. # 网页的编码,字符串类型
  16. print(r.cookies)
  17. # 保存的cookie
  18. #get
  19. 1payload = {'key1': 'value1', 'key2': 'value2'}
  20. 2r = requests.get("http://langzi.fun/ge", params=payload)
  21. 3# 这里的网址自动转变成了 http://www.langzi.fun/ge?key2=value2&key1=value1
  22. #POST
  23. 1d = {'user':'admin','password':'123456'}
  24. 2r = requests.post(url='http://www.langzi.fun/admin.php',data=d)
  25. 还可以上传文件,格式也需要是字典格式
  26. 1files = {'file': open('report.xls', 'rb')}
  27. 2r = requests.post(url='http://www.langzi.fun/upload', files=files)

get-post-参数

  1. import requests
  2. ##设置请求头
  3. headers = {
  4. 'Connection': 'close',
  5. 'Cache-Control': 'max-age=0',
  6. 'Upgrade-Insecure-Requests': '1',
  7. 'Content-Type': 'application/x-www-form-urlencoded',
  8. 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36',
  9. 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
  10. 'Sec-Fetch-Mode': 'navigate',
  11. 'Sec-Fetch-Site': 'same-origin',
  12. 'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
  13. }
  14. ##设置cookie
  15. cookies = {
  16. 'route': '1af52316d573a0b09a54b621dc835a33',
  17. 'JSESSIONID': '0775F27EA4A55DF9C43471A52A9F7FC4'
  18. }
  19. ##设置提交的数据
  20. values = {'name': 'Tom',
  21. 'sex' : 'Man',
  22. 'id' : '10' }
  23. ##设置代理
  24. proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
  25. ##请求的url
  26. requrl="http://www.baidu.com"
  27. #使用session保持会话请求
  28. sess=requests.session()
  29. regu=sess.get("https://www.baidu.com")
  30. #GET请求
  31. response=requests.get(url=requrl,params=values,headers=headed,proxies=None,timeout=0.1,verify=False,cookies=cookies)
  32. url:要访问的链接
  33. paramsurl后面的参数
  34. headers:请求头
  35. proxies:代理,无的话填 None
  36. timeout:超时
  37. verifyhttps的认证,True是启用,False是不启用
  38. cookies:请求的cookie
  39. #POST请求
  40. response=requests.post(url=requrl,data=values,headers=headertimeout=0.1,proxies=proxy,verify=False,cookies=cookies)
  41. url:要访问的链接
  42. dataPOST提交的参数
  43. headers:请求头
  44. proxies:代理,无的话填 None
  45. timeout:超时
  46. verifyhttps的认证,True是启用,False是不启用

响应内容处理

  1. import requests
  2. headers={
  3. 'Host': 'www.hnyysyz.com',
  4. 'User-Agent': r'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36',
  5. 'Referer': 'http://www.hnyysyz.com/Site_admin/login.aspx',
  6. 'Accept-Encoding': 'gzip, deflate',
  7. 'Accept-Language': "zh-CN,zh;q=0.9",
  8. 'Cookie': 'ASP.NET_SessionId=lhuoqi5iu54r1uvjl1t2mjod; Hm_lvt_cf6eaaea0b81e4d87a73486c1305e01c=1632224564; Hm_lpvt_cf6eaaea0b81e4d87a73486c1305e01c=1632224570; CheckCode=6J66N; code=6J66N',
  9. 'Connection': 'close'
  10. }
  11. #构造请求头header
  12. url='http://www.hnyysyz.com/Site_admin/checkcode.aspx?rn=1'
  13. requests_url=requests.get(url=url,headers=headers)
  14. print(requests_url.status_code)
  15. print(requests_url.headers)#返回体信息-->字典类型
  16. Set_Cookie=requests_url.headers['Set-Cookie']
  17. print(Set_Cookie)
  18. print(type(Set_Cookie))
  19. #字符串切片
  20. print(Set_Cookie[10:15])
  21. print(requests_url.cookies)
  22. """"
  23. 200
  24. {'Cache-Control': 'private', 'Content-Length': '1591', 'Content-Type': 'image/Gif', 'Server': 'Microsoft-IIS/7.5', 'X-AspNet-Version': '4.0.30319', 'Set-Cookie': 'CheckCode=B0226; path=/, code=B0226; path=/', 'Date': 'Tue, 21 Sep 2021 15:04:03 GMT', 'Connection': 'close'}
  25. CheckCode=B0226; path=/, code=B0226; path=/
  26. <class 'str'>
  27. B0226
  28. <RequestsCookieJar[<Cookie CheckCode=B0226 for www.hnyysyz.com/>, <Cookie code=B0226 for www.hnyysyz.com/>]>
  29. """
  30. //实现对验证码的截取
  1. import requests
  2. import urllib
  3. value={'username':'admin',
  4. 'password':'123' }
  5. res=requests.get("http://www.baidu.com"params=value) //Get形式提交参数
  6. data=urllib.parse.urlencode(value)
  7. res=requests.get("http://www.baidu.com"data=data) //post形式提交参数
  8. res.encoding="utf-8" #设置编码
  9. res.status_code #状态码
  10. res.url #请求的url
  11. res.request.headers #请求头信息,返回的是一个字典对象,不修改的话,默认是python的请求头
  12. res.headers #响应头信息,返回的是一个字典对象
  13. res.headers['Content-Type'] #响应头的具体的某个属性的信息
  14. res.headers['Content-Length'] #响应包的长度
  15. res.cookies #cookie信息,返回的是一个字典对象
  16. print(';'.join(['='.join(item)for item in cookies.items()])) #打印出具体的cookies信息
  17. res.text #响应内容的字符串形式,即返回的页面内容
  18. res.content #响应内容的二进制形式
  19. res.apparent_encoding #从内容中分析出的响应内容编码方式(备选编码方式)
  20. #响应时间,可用于时间盲注
  21. print(res.elapsed)
  22. print(res.elapsed.total_seconds())
  23. print(res.elapsed.seconds)
  24. print(res.elapsed.microseconds)
  25. 0:00:00.007282
  26. 0.007282
  27. 0
  28. 7282
  29. #响应时间的比较
  30. time=res.elapsed.total_seconds()
  31. if time < float(2.000000):
  32. print("true")
  33. else:
  34. print("false")

4.lxml模块

lxml库:获取html标签内的内容
https://www.cnblogs.com/zhangxinqi/p/9210211.html#_label1

  1. from lxml import etree
  2. text='''
  3. <div>
  4. <ul>
  5. <li class="item-0"><a href="link1.html">第一个</a></li>
  6. <li class="item-1"><a href="link2.html">second item</a></li>
  7. <li class="item-0"><a href="link5.html">a属性</a>
  8. </ul>
  9. </div>
  10. '''
  11. html=etree.HTML(text) #初始化生成一个XPath解析对象
  12. result=etree.tostring(html,encoding='utf-8')#解析对象输出代码;二进制对象
  13. print(type(html))#<class 'lxml.etree._Element'>
  14. print(type(result))#<class 'bytes'>
  15. print(result)#二进制
  16. print(result.decode('utf-8'))
  17. """
  18. <class 'lxml.etree._Element'>
  19. <class 'bytes'>
  20. b'<html><body><div>\n <ul>\n <li class="item-0"><a href="link1.html">\xe7\xac\xac\xe4\xb8\x80\xe4\xb8\xaa</a></li>\n <li class="item-1"><a href="link2.html">second item</a></li>\n <li class="item-0"><a href="link5.html">a\xe5\xb1\x9e\xe6\x80\xa7</a>\n </li></ul>\n </div>\n</body></html>'
  21. <html><body><div>
  22. <ul>
  23. <li class="item-0"><a href="link1.html">第一个</a></li>
  24. <li class="item-1"><a href="link2.html">second item</a></li>
  25. <li class="item-0"><a href="link5.html">a属性</a>
  26. </li></ul>
  27. </div>
  28. </body></html>
  29. """
  30. from lxml import etree
  31. Html= etree.parse('1.html',etree.HTMLParser())#加载本地文件
  32. result=etree.tostring(Html)
  33. from lxml import etree
  34. import requests
  35. url='https://fofa.so/result?qbase64=ImdsYXNzZmlzaCIgJiYgcG9ydD0iNDg0OCI%3D'
  36. requests_url=requests.get(url=url,verify=None).content.decode('utf-8')
  37. html=etree.HTML(requests_url)#初始化生成一个XPath解析对象;解析对象为HTML
  38. #result=etree.tostring(html)#解析对象输出代码;
  39. '''
  40. print(type(html))#<class 'lxml.etree._Element'>
  41. print(type(result))#<class 'bytes'>
  42. print(type(resultlist))#<class 'list'>
  43. '''
  44. #print(result.decode())
  45. #f=open("xml.txt","w",encoding='utf-8')
  46. result=result.decode('utf-8')
  47. #把这句话注释掉之后写进文件的是bytes字节;二进制数字;
  48. print(type(result))
  49. for i in result:
  50. f.write(i)
  51. f.close()
  52. #byte->str->decode()函数,如果没有对byte类型解码,写进文件的是二进制

Xpath

  1. from lxml import etree
  2. text='''
  3. <div>
  4. <ul>
  5. <li class="item-0"><a href="link2.html">second item</a></li>
  6. <li class="item-1"><a href="link2.html">second item</a></li>
  7. <li class="item-0"><a href="link5.html">a属性</a>
  8. </ul>
  9. </div>
  10. '''
  11. html=etree.HTML(text)
  12. result=html.xpath('//div//ul')
  13. print(type(result))#<class 'list'>
  14. print(result[0].tag)#ul
  15. result2=html.xpath('//li[@class="item-0"]')
  16. print(type(result2))#<class 'list'>
  17. print(result2)#[<Element li at 0x20a714e4648>, <Element li at 0x20a714e4688>]
  18. print(result2[0].tag)#li
  19. print(result[0].attrib)#{}
  20. print(result[0].text)#NONE
  21. result3=html.xpath('//a/@href')#选择为该标签的属性
  22. print(result3)#['link2.html', 'link2.html', 'link5.html']
  1. import requests
  2. from lxml import etree
  3. '''f=open(file='edu.txt',mode='w',encoding='utf-8')
  4. for x in range(1,3):
  5. url='https://src.sjtu.edu.cn/list/'
  6. #print(url)
  7. params={'page':x}
  8. requests_url=requests.get(url=url,verify=None,params=params)
  9. html=requests_url.text
  10. f.write(html)
  11. f.close()
  12. '''
  13. etree_html=etree.parse('edu.txt',etree.HTMLParser())
  14. etree_dom=etree_html.xpath("//tr[@class='row']//td[@class='']//a/text()")
  15. f=open('eduR.txt',mode='w',encoding='utf-8')
  16. #print(etree_dom)
  17. for x in range(len(etree_dom)):
  18. etree_dom[x]=str(etree_dom[x])
  19. etree_dom[x]=(etree_dom[x].replace("\r\n \r\n ","")).strip()
  20. f.write(etree_dom[x]+'\n')
  21. print(etree_dom)
  22. #etree_dom=etree_html.xpath("//tr[@class='row']//td[@class='']//a/text()")选择的是文本就直接是文本列表
  23. #['北京交通大学存在命令执行漏洞', '清华大学存在敏感信息泄露', ...
  24. f.close()
  25. '''
  26. f=open(file='edu.txt',mode='w',encoding='utf-8')
  27. for x in range(1,3):
  28. url='https://src.sjtu.edu.cn/list/'
  29. #print(url)
  30. params={'page':x}
  31. requests_url=requests.get(url=url,verify=None,params=params)
  32. html=requests_url.text
  33. f.write(html)
  34. f.close()
  35. '''
  36. '''
  37. <tr class="row">
  38. <td class="am-text-center am-hide-sm-down">2021-09-24</td>
  39. <td class="">
  40. <a href="/post/108615/" >
  41. 北京交通大学存在命令执行漏洞
  42. </a>
  43. </td>
  44. <td class="am-text-center am-hide-sm-down"><span class="am-badge am-badge-warning">高危</span></td>
  45. <td class="am-text-center"><a href="/profile/7786/">全能小赵同学</a></td>
  46. </tr>
  47. '''
  48. '''
  49. etree_dom=etree_html.xpath("//tr[@class='row']//a")
  50. print(etree_dom)
  51. [<Element a at 0x21a57651e88>, <Element a at 0x21a57651ec8
  52. 类型为list类型
  53. 如果选择的是标签会直接显示<Element a at 0x21a57651e88>
  54. #对于标签
  55. Element类型是'lxml.etree._Element',某种意义来说同时是一个列表
  56. 列表的需要使用tag\attrib\text三个不同的属性来获取我们需要的东西
  57. 变量.tag获取到的是标签名是---字符串
  58. 变量.attrib获取到的是节点标签a的属性---字典
  59. 变量.text获取到的是标签文本--字符串
  60. etree_dom=etree_html.xpath("//tr[@class='row']/a")
  61. /从当前节点选取直接子节点;a为子孙节点;无法获得到a标签
  62. etree_dom=etree_html.xpath("//tr[@class='row']//a")
  63. //选择子孙节点
  64. #etree_dom=etree_html.xpath("//tr[@class='row']//td[@class='']//a/text()")选择的是文本就直接是文本列表
  65. #['北京交通大学存在命令执行漏洞', '清华大学存在敏感信息泄露', ...
  66. 定位法:
  67. 假设是要选择a标签的之间的文本:爷-父-自己;
  68. 找到自己的父根在找父根的父根;
  69. ("//tr[@class='row']//td[@class='']//a/text()")#文本列表
  70. ("//tr[@class='row']//td[@class='']//a/@href")#属性字典
  71. '''

tips-使用

  1. from lxml import etree
  2. html=etree.HTML(text)#HTML对象
  3. #etree_html=etree.parse('edu.txt',etree.HTMLParser())
  4. #xpath
  5. etree_dom=etree_html.xpath("//tr[@class='row']//a")#选节点
  6. 注意编码方式:二进制转str:encode(),decode()

base64

  1. import base64
  2. str1="abc"
  3. str1=str1.encode('utf-8')
  4. #对于base64加密的必须是二进制数;要先进行str->baty
  5. str1=base64.b64encode(str1)
  6. print(str1)#二进制数据
  7. print(type(str1))
  8. str1=str1.decode()#二进制->str
  9. print(str1)