SearchSploit

　　在我们的GitHub上的Exploit Database存储库中包含一个名为"searchsploit"的Exploit-DB的命令行搜索工具，该工具还允许您在任何地方随身携带一个Exploit Database的副本。SearchSploit使您可以通过本地签出的存储库副本执行详细的脱机搜索。这种能力对于没有互联网接入的隔离或空隙网络的安全评估特别有用。

　　

　　上面说的是在没有互联网接入的情况下特别有用，其实更多的是刷了半天刷不出验证码的时候，于是就转向SearchSploit。

　　SearchSploit简单来说就是Exploit Database的离线版本，我们可以在本机保存这样一份漏洞数据库，可以通过SearchSploit进行检索，就不用刷验证码了。

　　本文就简单介绍一下SearchSploit的一些常用使用示例，可以在官方文档看到。

　　可以在kali的命令行下直接输入：searchsploit -h ，查看帮助文档：

root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations
       --exclude="term"       Remove values from results. By using "|" to separated you can chain multiple values.
                                e.g. --exclude="term1|term2|term3".

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating or displaying help, search terms will be ignored.

更新

　　使用"-u"选项，将exploit-db更新到最新状态：

root@kali:~# searchsploit -u

基本搜索

　　比如，要搜索squirrelmail历史上出现过的漏洞：

root@kali:~# searchsploit squirrelmail
---------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                        |  Path
                                                                      | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail - 'chpasswd' Buffer Overflow                             | linux/local/.c
SquirrelMail - 'chpasswd' Local Privilege Escalation (Brute Force)    | linux/local/.c
SquirrelMail 1.2. - 'move_messages.php' Arbitrary File Moving       | php/webapps/.txt
SquirrelMail 1.2. - Exploit                                         | php/webapps/.txt
SquirrelMail 1.2. Administrator Plugin - 'options.php' Arbitrary Ad | php/webapps/.txt
SquirrelMail 1.2./1.2. - Cross-Site Scripting Multiple Vulnerabilit | php/webapps/.txt
SquirrelMail 1.2.x - From Email Header HTML Injection                 | php/webapps/.txt
SquirrelMail 1.2.x - Theme Remote Command Execution                   | php/webapps/.sh
SquirrelMail 1.4. Address Add Plugin - 'add.php' Cross-Site Scriptin | php/webapps/.txt
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting                 | php/webapps/.txt
SquirrelMail .x - Email Header HTML Injection                        | linux/remote/.txt
SquirrelMail 3.1 - Change Passwd Plugin Local Buffer Overflow         | linux/local/.c
SquirrelMail < 1.4. - Remote Code Execution                         | linux/remote/.sh
SquirrelMail G/PGP Encryption Plugin - 'deletekey()' Command Injectio | php/webapps/.rb
SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution          | php/webapps/.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation / In | php/webapps/.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Unspecified R | php/webapps/.txt
SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)       | linux/remote/.rb
SquirrelMail Virtual Keyboard Plugin - 'vkeyboard.php' Cross-Site Scr | php/webapps/.txt
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion              | php/webapps/.txt
---------------------------------------------------------------------- ----------------------------------

　　searchsploit的搜索语句是 and 的关系，条件越多，得到的搜索结果也就越少，有时要注意放宽搜索条件。

　　比如要搜索squirrelmail 爆出的远程代码执行漏洞：'squirrelmail remote code execution'

root@kali:~# searchsploit squirrelmail remote code execution
---------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                        |  Path
                                                                      | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail < 1.4. - Remote Code Execution                         | linux/remote/.sh
---------------------------------------------------------------------- ----------------------------------
root@kali:~# 

按标题搜索

　　默认情况下，searchsploit将检查漏洞的标题以及路径。根据搜索条件，这可能会有误报（尤其是在搜索与平台和版本号匹配时）。可以使用"-t"选项将搜索限制在标题中：

root@kali:~# searchsploit -t oracle windows
---------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                        |  Path
                                                                      | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escal | win_x86/local/.c
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit)          | win_x86/remote/.rb
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)        | win_x86/remote/.rb
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit)         | win_x86/remote/.rb
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit)            | windows/remote/.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit)                   | windows/remote/.rb
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit)   | windows/remote/.rb
Oracle VM VirtualBox 5.0. r112930 (x64) - Windows Process COM Injec | win_x86-/local/.txt
Oracle VirtualBox Guest Additions 5.1. - Unprivileged Windows User- | multiple/dos/.cpp
---------------------------------------------------------------------- ----------------------------------

复制到剪贴板

　　现在我们已经找到了我们正在寻找的漏洞，有很多方法可以快速访问它。通过使用"-p"，我们可以获得更多关于漏洞利用的信息，以及将利用漏洞的完整路径复制到剪贴板上，以上面的squirrelmail RCE为例，其编号是41910：

root@kali:~# searchsploit 
---------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                        |  Path
                                                                      | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail < 1.4. - Remote Code Execution                         | linux/remote/.sh
---------------------------------------------------------------------- ----------------------------------
root@kali:~# searchsploit -p .sh
Exploit: SquirrelMail < 1.4. - Remote Code Execution
    URL: https://www.exploit-db.com/exploits/41910/
   Path: /usr/share/exploitdb/platforms/linux/remote/.sh

Copied EDB-ID #'s path to the clipboard.

显示网址

　　我们用searchsploit进行搜索的时候，显示的有两列：标题和路径，我们可以使用"-w" 选项，让路径那一列显示为URL地址，这样就能通过浏览器打开：

root@kali:~# searchsploit -w phpmailer
------------------------------------------------------------ --------------------------------------------
 Exploit Title                                              |  URL
------------------------------------------------------------ --------------------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service           | https://www.exploit-db.com/exploits/25752/
PHPMailer < 5.2. - Remote Code Execution (Bash)           | https://www.exploit-db.com/exploits/40968/
PHPMailer < 5.2. - Remote Code Execution (PHP)            | https://www.exploit-db.com/exploits/40970/
PHPMailer < 5.2. - Remote Code Execution (Python)         | https://www.exploit-db.com/exploits/40974/
PHPMailer < 5.2. - Sendmail Argument Injection (Metasploi | https://www.exploit-db.com/exploits/41688/
PHPMailer < 5.2. - Remote Code Execution                  | https://www.exploit-db.com/exploits/40969/
PHPMailer < 5.2. / SwiftMailer < 5.4.-DEV / Zend Framewo | https://www.exploit-db.com/exploits/40986/
PHPMailer < 5.2. with Exim MTA - Remote Code Execution    | https://www.exploit-db.com/exploits/42221/
PHPMailer < 5.2. - Local File Disclosure                  | https://www.exploit-db.com/exploits/43056/
WordPress PHPMailer 4.6 - Host Header Command Injection (Me | https://www.exploit-db.com/exploits/42024/
------------------------------------------------------------ --------------------------------------------

　　简要介绍如上。