python实现fofa调用api批量查询子域

前言

在红蓝对抗的时候,需要频繁地使用fofa进行子域名的查找。如果一个一个域名去查找子域,效率太低且耗时,我们可以利用fofa提供的api批量地对一批主域进行子域名的查找。

fofa api参考文档:https://fofa.info/api

代码实现

主代码如下

http://fofa.info/api/v1/search/all?email=%s&key=%s&qbase64=%s&size=10000&fields=host,ip,port,title

  • email和key:fofa会员的key
  • qbase64:查询语法
  • size:每页查询数量
  • fields:查询显示的字段。默认host,ip,port,还可以加title等

fofa 调用api查询的结果为json格式,结果在results键中,且为列表形式;其中每一条数据又是一个列表。

fofa.py

import requests, base64, os, win32api
from colorama import init,Fore
init(autoreset=True)  # colorama: reset the colour after every print so only the tagged text is coloured
from requests.packages import urllib3
# Silences urllib3's InsecureRequestWarning, which every verify=False request in
# fofa() would otherwise print; the underlying risk (no TLS certificate check on
# a request that carries the API key) is hidden by this, not removed.
urllib3.disable_warnings()

# FOFA account credentials; both are placeholders to be filled in before use.
# The key is a secret: keep the real value out of version control.
fofa_email = "xxx"
fofa_key = "xxxx"

# Request headers sent with every API call (a fixed mobile-browser User-Agent).
headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.1.2; PCRT00 Build/N2G48H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.158 Safari/537.36 fanwe_app_sdk sdk_type/android sdk_version_name/4.0.1 sdk_version/2020042901 screen_width/720 screen_height/1280',
}

# De-duplicated URLs collected by fofa(); shared across all queried domains.
fofa_set: set = set()

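def fofa(target):
    """Query FOFA for hosts under *target* and add their URLs to the global ``fofa_set``.

    Args:
        target: a root domain; it is placed in the FOFA query ``domain="<target>"``.

    Returns:
        None. Results are accumulated in the module-level ``fofa_set``. A query
        that FOFA rejects, or one that fails four times in a row, leaves it
        unchanged and prints a message instead.
    """
    query = 'domain="%s"' % (target)    # FOFA query syntax
    # The API expects the query base64-encoded.
    qbase64 = base64.b64encode(query.encode('utf-8')).decode('utf-8')
    # Hand the parameters to requests instead of formatting them into the URL:
    # the base64 value may contain '+', '/' or '=', which are not safe in a raw
    # query string and would be mangled by the server unless percent-encoded.
    params = {
        'email': fofa_email,
        'key': fofa_key,
        'qbase64': qbase64,
        'size': 10000,
        'fields': 'host,ip,port',
        'full': 'true',
    }
    print(Fore.RED + "[INFO]开始调用fofa api查询%s子域..." % (target))
    for _attempt in range(1, 5):
        try:
            # NOTE(review): verify=False disables TLS certificate checking, so the
            # API key sent in the query string is exposed to anyone able to
            # intercept the connection (the warning is suppressed at import time).
            # Kept as in the original because the hard-coded local proxy may
            # depend on it; the proxy address is fixed, not configurable.
            response = requests.get(
                url='https://fofa.info/api/v1/search/all',
                params=params,
                headers=headers,
                timeout=15,
                verify=False,
                proxies={'https': 'http://127.0.0.1:7890'},
            ).json()
        except (requests.RequestException, ValueError) as e:
            # Network failure or a non-JSON body: retry, as before.
            print("请求出错,正在尝试重新请求...", e)
            continue
        # FOFA reports failures in the body. The original concatenated the
        # message with the dict, which raised TypeError and turned every API
        # error into four pointless retries; format it instead.
        if response.get('error') is not False:
            print("fofa查询失败\r%s" % (response,))
            return
        print('fofa查询成功!')
        # Each result row is [host, ip, port]; a missing key yields nothing to add.
        results = response.get("results") or []
        for row in results:
            host = row[0]     # subdomain (row[1] is the IP, row[2] the port; unused)
            # Only hosts that already carry a scheme are kept verbatim; the
            # original substring test would also match e.g. "myhttps.example.com".
            if host.startswith(("http://", "https://")):
                url = host
            else:
                url = "http://" + host
            print(url)
            fofa_set.add(url)
        return
    print("fofa查询%s失败:重试次数已用尽" % (target))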
    
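if __name__ == '__main__':
    # Read the root domains, one per line. strip() also removes '\r' and
    # surrounding spaces; blank lines are skipped rather than queried as "".
    with open("domain.txt", 'r') as domains:
        for line in domains:
            domain = line.strip()
            if domain:
                fofa(domain)
    print("获取去重后子域名个数为:", len(fofa_set))

    # Save the results. "w" truncates any previous file, so no separate
    # os.remove is needed, and the file is opened once rather than per entry.
    # Sorting makes the output order stable across runs.
    with open("fofa_subdomain.txt", "w", encoding="utf-8") as f:
        f.writelines(url + "\n" for url in sorted(fofa_set))
    print(Fore.GREEN + "结果保存完毕!")
    # Windows only: open the result file with its default handler.
    win32api.ShellExecute(0, 'open', 'fofa_subdomain.txt', '', '', 1)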


转载自blog.csdn.net/qq_44159028/article/details/126171320