#! /usr/bin/env python3
import requests
from select import error
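# Proxy-extraction API endpoint: asks the provider for one proxy IP.
# NOTE(review): the secret_id embedded in this URL is an account credential;
# keep it in an environment variable or a config file outside version control
# rather than committing it with the script.
api_url = "https://dps.kdlapi.com/api/getdps/?secret_id=o1fjh1re9o28876h7c08&signature=xxxxx&num=1&pt=1&sep=1"
# Seconds to wait for the proxy API. Without a timeout an unreachable
# endpoint would hang the script forever at import time.
API_TIMEOUT = 10
# Proxy IP returned by the API. The body is stripped so a trailing newline
# cannot end up inside the proxy URL built below.
proxy_ip = requests.get(api_url, timeout=API_TIMEOUT).text.strip()
# Tunnel host:port (placeholder; not referenced by the code below).
tunnel = "xxx.xxx:xxxx"
# Proxy credentials (placeholders).
username = "username"
password = "password"
# Both schemes are routed through the same authenticated HTTP proxy.
proxy_url = "http://%(user)s:%(pwd)s@%(proxy)s/" % {"user": username, "pwd": password, "proxy": proxy_ip}
proxies = {
    "http": proxy_url,
    "https": proxy_url,
}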
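def domain_scan(domain_name, sub_names):
    """Probe each candidate sub-domain of *domain_name* over HTTPS and print those that answer.

    Args:
        domain_name: Base domain that every label in *sub_names* is prefixed to.
        sub_names: Iterable of sub-domain labels, one label per entry.

    Every request is sent through the module-level ``proxies`` map. A request
    that fails (connection error, timeout, ...) is reported on stdout and the
    scan continues with the next label. Nothing is returned.
    """
    # Built once: the header set is identical for every request.
    headers = {
        "User-Agent": "Mozilla / 5.0(Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/130.0.0.0Safari/537.36QuarkPC/2.7.0.328"
    }
    # Seconds before a silent host is given up on; without it a single
    # black-holed address would stall the whole loop.
    timeout = 5
    for sub in sub_names:
        url = f"https://{sub}.{domain_name}"
        try:
            # Headers go in as a keyword argument. The previous version
            # assigned the dict to ``requests.head``, which clobbered the
            # library function and sent no custom headers at all.
            requests.get(url, headers=headers, proxies=proxies, timeout=timeout)
            print(f"[*]{url}")
        except requests.RequestException as exc:
            # Report the actual failure; the old code printed the
            # ``select.error`` class object instead of the exception.
            print(exc)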
if __name__ == '__main__':
    # Base domain to scan, entered interactively.
    dom_name = input("请输入主域名 : ")
    # One candidate sub-domain label per line of the wordlist file.
    with open("目录.txt") as file:
        sub_dom = file.read().splitlines()
    print(f"爆破数量:{len(sub_dom)}")
    print("文件子域名列表")
    print(sub_dom)
    domain_scan(dom_name, sub_dom)
需要配置代理；若不配置代理,则将 `requests.get(url,proxies=proxies)` 改成 `requests.get(url)` 即可,并注意检查代码中使用的 proxies 字典
更新：细节上进行优化,使用多进程加快爆破速度
#! /usr/bin/env python3
import requests
from multiprocessing import Pool, cpu_count
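# Proxy-extraction API endpoint: asks the provider for one proxy IP.
# NOTE(review): the secret_id in this URL is an account credential; load it
# from an environment variable or a config file kept out of version control
# rather than committing it with the script.
api_url = "https://dps.kdlapi.com/api/getdps/?secret_id=o1fjh1re9o28876h7c08&signature=xxxxx&num=1&pt=1&sep=1"
# Tunnel host:port (placeholder; not referenced elsewhere in this file).
tunnel = "xxx.xxx:xxxx"
# Proxy credentials (placeholders).
username = "username"
password = "password"
# Seconds to wait for the proxy API. Without a timeout an unreachable
# endpoint would hang the script at import time.
API_TIMEOUT = 10
# Proxy IP returned by the API, stripped so a trailing newline cannot leak
# into the proxy URL.
# NOTE(review): this request runs at import time. Under the "spawn" start
# method (Windows/macOS) each worker of the pool created in __main__
# re-imports this module and would fetch its own proxy IP — confirm against
# the provider's quota before relying on this.
proxy_ip = requests.get(api_url, timeout=API_TIMEOUT).text.strip()
# Both schemes are routed through the same authenticated HTTP proxy.
proxy_url = f"http://{username}:{password}@{proxy_ip}/"
proxies = {
    "http": proxy_url,
    "https": proxy_url,
}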
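def check_subdomain(args):
    """Worker task: probe one candidate sub-domain over HTTPS.

    Args:
        args: ``(domain_name, sub)`` tuple, packed into one argument so the
            function can be handed to ``Pool.map``.

    Returns:
        The probed URL when the server answered with a status code below 400,
        otherwise ``None``. A found URL is also printed to stdout.
    """
    domain_name, sub = args
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 QuarkPC/2.7.0.328"
    }
    url = f"https://{sub}.{domain_name}"
    try:
        response = requests.head(url, headers=headers, proxies=proxies, timeout=5)
    except requests.RequestException:
        # Best-effort probe: unreachable or misbehaving hosts are skipped.
        # Only requests' own errors are swallowed, so Ctrl-C and programming
        # errors still surface instead of vanishing inside a worker.
        return None
    if response.status_code < 400:
        print(f"[*] Found: {url}")
        return url
    return None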
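if __name__ == '__main__':
    # Base domain to scan, entered interactively.
    dom_name = input("请输入主域名 : ").strip()
    # One candidate sub-domain label per line of the wordlist file.
    with open("目录.txt") as file:
        sub_dom = file.read().splitlines()
    print(f"爆破数量: {len(sub_dom)}")
    # One (domain, label) task per candidate.
    task_args = [(dom_name, sub) for sub in sub_dom]
    # The work is network-bound, so the pool is oversized relative to cores.
    with Pool(processes=cpu_count() * 2) as pool:
        # Blocking map: unlike map_async() followed by close()/join(), this
        # re-raises an exception from a worker instead of leaving it unread
        # in a discarded AsyncResult.
        pool.map(check_subdomain, task_args)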