SearchSploit
在我们的GitHub上的Exploit Database存储库中包含一个名为"searchsploit"的Exploit-DB的命令行搜索工具,该工具还允许您在任何地方随身携带一个Exploit Database的副本。SearchSploit使您可以通过本地签出的存储库副本执行详细的脱机搜索。这种能力对于没有互联网接入的隔离或空隙网络的安全评估特别有用。
上面说的是在没有互联网接入的情况下特别有用,其实更多的是刷了半天刷不出验证码的时候,于是就转向SearchSploit。
SearchSploit简单来说就是Exploit Database的离线版本,我们可以在本机保存这样一份漏洞数据库,可以通过SearchSploit进行检索,就不用刷验证码了。
本文就简单介绍一下SearchSploit的一些常用使用示例,可以在官方文档看到。
可以在kali的命令行下直接输入:searchsploit -h ,查看帮助文档:
root@kali:~# searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN] ==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/" For more examples, see the manual: https://www.exploit-db.com/searchsploit/ =========
Options
=========
-c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe).
-e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
-h, --help Show this help screen.
-j, --json [Term] Show result in JSON format.
-m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory.
-o, --overflow [Term] Exploit titles are allowed to overflow their columns.
-p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible).
-t, --title [Term] Search JUST the exploit title (Default is title AND the file's path).
-u, --update Check for and install any exploitdb package updates (deb or git).
-w, --www [Term] Show URLs to Exploit-DB.com rather than the local path.
-x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER.
--colour Disable colour highlighting in search results.
--id Display the EDB-ID value rather than local path.
--nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
Use "-v" (verbose) to try even more combinations
--exclude="term" Remove values from results. By using "|" to separated you can chain multiple values.
e.g. --exclude="term1|term2|term3". =======
Notes
=======
* You can use any number of search terms.
* Search terms are not case-sensitive (by default), and ordering is irrelevant.
* Use '-c' if you wish to reduce results by case-sensitive searching.
* And/Or '-e' if you wish to filter results by using an exact match.
* Use '-t' to exclude the file's path to filter the search results.
* Remove false positives (especially when searching using numbers - i.e. versions).
* When updating or displaying help, search terms will be ignored.
更新
使用"-u"选项,将exploit-db更新到最新状态:
root@kali:~# searchsploit -u
基本搜索
比如,要搜索squirrelmail历史上出现过的漏洞:
root@kali:~# searchsploit squirrelmail
---------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail - 'chpasswd' Buffer Overflow | linux/local/.c
SquirrelMail - 'chpasswd' Local Privilege Escalation (Brute Force) | linux/local/.c
SquirrelMail 1.2. - 'move_messages.php' Arbitrary File Moving | php/webapps/.txt
SquirrelMail 1.2. - Exploit | php/webapps/.txt
SquirrelMail 1.2. Administrator Plugin - 'options.php' Arbitrary Ad | php/webapps/.txt
SquirrelMail 1.2./1.2. - Cross-Site Scripting Multiple Vulnerabilit | php/webapps/.txt
SquirrelMail 1.2.x - From Email Header HTML Injection | php/webapps/.txt
SquirrelMail 1.2.x - Theme Remote Command Execution | php/webapps/.sh
SquirrelMail 1.4. Address Add Plugin - 'add.php' Cross-Site Scriptin | php/webapps/.txt
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting | php/webapps/.txt
SquirrelMail .x - Email Header HTML Injection | linux/remote/.txt
SquirrelMail 3.1 - Change Passwd Plugin Local Buffer Overflow | linux/local/.c
SquirrelMail < 1.4. - Remote Code Execution | linux/remote/.sh
SquirrelMail G/PGP Encryption Plugin - 'deletekey()' Command Injectio | php/webapps/.rb
SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution | php/webapps/.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation / In | php/webapps/.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Unspecified R | php/webapps/.txt
SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit) | linux/remote/.rb
SquirrelMail Virtual Keyboard Plugin - 'vkeyboard.php' Cross-Site Scr | php/webapps/.txt
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion | php/webapps/.txt
---------------------------------------------------------------------- ----------------------------------
searchsploit的搜索语句是 and 的关系,条件越多,得到的搜索结果也就越少,有时要注意放宽搜索条件。
比如要搜索squirrelmail 爆出的远程代码执行漏洞:'squirrelmail remote code execution'
root@kali:~# searchsploit squirrelmail remote code execution
---------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail < 1.4. - Remote Code Execution | linux/remote/.sh
---------------------------------------------------------------------- ----------------------------------
root@kali:~#
按标题搜索
默认情况下,searchsploit将检查漏洞的标题以及路径。根据搜索条件,这可能会有误报(尤其是在搜索与平台和版本号匹配时)。可以使用"-t"选项将搜索限制在标题中:
root@kali:~# searchsploit -t oracle windows
---------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escal | win_x86/local/.c
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit) | win_x86/remote/.rb
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit) | win_x86/remote/.rb
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit) | win_x86/remote/.rb
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | windows/remote/.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit) | windows/remote/.rb
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit) | windows/remote/.rb
Oracle VM VirtualBox 5.0. r112930 (x64) - Windows Process COM Injec | win_x86-/local/.txt
Oracle VirtualBox Guest Additions 5.1. - Unprivileged Windows User- | multiple/dos/.cpp
---------------------------------------------------------------------- ----------------------------------
复制到剪贴板
现在我们已经找到了我们正在寻找的漏洞,有很多方法可以快速访问它。通过使用"-p",我们可以获得更多关于漏洞利用的信息,以及将利用漏洞的完整路径复制到剪贴板上,以上面的squirrelmail RCE为例,其编号是41910:
root@kali:~# searchsploit
---------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail < 1.4. - Remote Code Execution | linux/remote/.sh
---------------------------------------------------------------------- ----------------------------------
root@kali:~# searchsploit -p .sh
Exploit: SquirrelMail < 1.4. - Remote Code Execution
URL: https://www.exploit-db.com/exploits/41910/
Path: /usr/share/exploitdb/platforms/linux/remote/.sh Copied EDB-ID #'s path to the clipboard.
显示网址
我们用searchsploit进行搜索的时候,显示的有两列:标题和路径,我们可以使用"-w" 选项,让路径那一列显示为URL地址,这样就能通过浏览器打开:
root@kali:~# searchsploit -w phpmailer
------------------------------------------------------------ --------------------------------------------
Exploit Title | URL
------------------------------------------------------------ --------------------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service | https://www.exploit-db.com/exploits/25752/
PHPMailer < 5.2. - Remote Code Execution (Bash) | https://www.exploit-db.com/exploits/40968/
PHPMailer < 5.2. - Remote Code Execution (PHP) | https://www.exploit-db.com/exploits/40970/
PHPMailer < 5.2. - Remote Code Execution (Python) | https://www.exploit-db.com/exploits/40974/
PHPMailer < 5.2. - Sendmail Argument Injection (Metasploi | https://www.exploit-db.com/exploits/41688/
PHPMailer < 5.2. - Remote Code Execution | https://www.exploit-db.com/exploits/40969/
PHPMailer < 5.2. / SwiftMailer < 5.4.-DEV / Zend Framewo | https://www.exploit-db.com/exploits/40986/
PHPMailer < 5.2. with Exim MTA - Remote Code Execution | https://www.exploit-db.com/exploits/42221/
PHPMailer < 5.2. - Local File Disclosure | https://www.exploit-db.com/exploits/43056/
WordPress PHPMailer 4.6 - Host Header Command Injection (Me | https://www.exploit-db.com/exploits/42024/
------------------------------------------------------------ --------------------------------------------
简要介绍如上。
SearchSploit的更多相关文章
- 如何使用kali的Searchsploit查找软件漏洞
Searchsploit Searchsploit会通过本地的exploit-db, 查找软件漏洞信息 打开kali的命令行, 输入: searchsploit 查看系统帮助 查找mssql的漏洞 如 ...
- linux提权 searchsploit 使用规范
使用 searchsploit 时,要把整个控制台最大化,这样才能显示完整的漏洞信息. 查看漏洞帮助文件:
- 小白日记24:kali渗透测试之提权(四)--利用漏洞提权
利用漏洞提权实例 前提:已渗透进一个XP或2003系统 一.实验目标漏洞:Ms11-080 补丁:Kb2592799 漏洞信息:https://technet.microsoft.com/librar ...
- 小白日记19:kali渗透测试之选择和修改EXP
EXP 目的:学会选择和修改网上公开的漏洞利用代码[EXP(python\perl\ruby\c\c++....)] 方法: 1.Exploit-db[kali官方维护的漏洞利用代码库] 2.Secu ...
- 小白日记15:kali渗透测试之弱点扫描-漏扫三招、漏洞管理、CVE、CVSS、NVD
发现漏洞 弱点发现方法: 1.基于端口服务扫描结果版本信息,比对其是否为最新版本,若不是则去其 官网查看其补丁列表,然后去逐个尝试,但是此法弊端很大,因为各种端口应用比较多,造成耗时大. 2.搜索已公 ...
- sqlmap命令
-u #注入点 -f #指纹判别数据库类型 -b #获取数据库版本信息 -p #指定可测试的参数(?page=1&id=2 -p "page,id") -D "& ...
- Basic Linux Privilege Escalation
(Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...
- 无需sendmail:巧用LD_PRELOAD突破disable_functions
*本文原创作者:yangyangwithgnu,本文属FreeBuf原创奖励计划,未经许可禁止转载 摘要:千辛万苦拿到的 webshell 居然无法执行系统命令,怀疑服务端 disable_funct ...
- Hacking Box Droopy: v0.2
概述: 目标:get flag 下载链接: https://www.vulnhub.com/entry/droopy-v02,143/ 工具: kail linux 开工 1)扫描开道: # netd ...
随机推荐
- python response.text和response.content的区别
1.重点理解 response.text返回的类型是str response.content返回的类型是bytes,可以通过decode()方法将bytes类型转为str类型 推荐使用:respo ...
- ubuntu16.04 关闭防火墙的方法
开启防火墙 ufw enable 关闭防火墙 ufw disable
- Java-JDBC.mysql 工具类 读取本地文件配置
引用 mysql-connector-jav 的jar 配置文件为 database.propertties . 格式如下 driverClass=com.mysql.jdbc.Driver ur ...
- 高性能页面加载技术--BigPipe设计原理及Java简单实现
1.技术背景 动态web网站的历史可以追溯到万维网初期,相比于静态网站,动态网站提供了强大的可交互功能.经过几十年的发展,动态网站在互动性和页面显示效果上有了很大的提升,但是对于网站动态网站的整体页面 ...
- c++11 右尖括号>改进
c++11 右尖括号>改进 #define _CRT_SECURE_NO_WARNINGS #include <iostream> #include <string> # ...
- Timing wheel心跳机制
在web服务中,断开空闲连接是一种减少资源浪费的一种手段,由此就有了心跳机制来判断一个连接是否空闲. 一种简单粗暴的方式: 1. 服务端每个连接保存一个最后一次操作的时间戳,每次这个连接对应fd可读时 ...
- 初探Java 9 的的模块化
Java 9中最重要的功能,毫无疑问就是模块化(Module),它将自己长期依赖JRE的结构,转变成以Module为基础的组件,当然这在使用Java 9 开发也和以前有着很大的不同. Java8或更加 ...
- Alpha 完结撒花 —— 事后诸葛亮
写在前面 林燊大哥 一路走来,好不容易,终于完结了. 设想和目标 我们的软件要解决什么问题?是否定义得很清楚?是否对典型用户和典型场景有清晰的描述? 解决的问题 用户在进店之前无法得知店铺的优劣,通过 ...
- linux内核分析综合总结
linux内核分析综合总结 zl + <Linux内核分析>MOOC课程http://mooc.study.163.com/course/USTC-1000029000 Linux内核分析 ...
- Java之Junit和反射
Junit,反射 Junit 1.测试的分类: 黑盒测试 : 不需要写代码,给输入值,看程序是否能够输出期望的值. 白盒测试 : 需要进行代码的编写,关注的是程序的具体流程. 2.使用步骤(方法类的命 ...