Author: zusheng
Reference: https://www.exploit-db.com/searchsploit/
SearchSploit is a command-line tool for searching the Exploit-DB archive. It ships with a local copy of the database, so you can run searches entirely offline, which is very useful on engagements where you have no Internet access.
Project: https://github.com/offensive-security/exploit-database
The standard GNOME build of Kali Linux has it installed by default; if you use the Kali Light variant or a custom ISO you have to install it yourself.
Kali Linux (Debian package):
apt update && apt -y install exploitdb
macOS (Homebrew):
brew update && brew install exploitdb
Or fetch it straight from git:
git clone https://github.com/offensive-security/exploit-database.git /opt/exploit-database
To make it easier to use, add the clone directory to your $PATH. First look at what is currently on it:
root@zusheng:~# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root@zusheng:~#
Alternatively, create a symlink in your home directory for convenience:
root@zusheng:~# ln -sf /opt/exploit-database/searchsploit /root/searchsploit
root@zusheng:~#
Finally, update the local copy of the database (a git pull or a package update, depending on how you installed it):
searchsploit -u
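The PATH step above only shows the current value of $PATH; the following is an added example (not part of the original post or of SearchSploit) that performs the step: it verifies that the git clone actually contains an executable searchsploit script and prepends the directory to PATH exactly once, so re-running the script or sourcing it from a shell profile does not accumulate duplicate entries. The default directory /opt/exploit-database is the one the post clones into; pass another directory as the first argument if yours differs.

```shell
#!/bin/sh
# Added example: put a git-cloned SearchSploit on PATH idempotently.
# The clone directory defaults to /opt/exploit-database, as used in the post.

# add_to_path DIR: prepend DIR to PATH unless it is already listed.
add_to_path() {
    dir=$1
    case ":$PATH:" in
        *":$dir:"*) ;;                 # already present, leave PATH as it is
        *) PATH="$dir:$PATH" ;;
    esac
    export PATH
}

# ensure_searchsploit [DIR]: check that DIR/searchsploit exists and is executable,
# add DIR to PATH, and print the resolved path of the searchsploit command.
# Returns 1 with a hint on stderr if the script is missing (e.g. clone not done yet).
ensure_searchsploit() {
    dir=${1:-/opt/exploit-database}
    if [ ! -x "$dir/searchsploit" ]; then
        echo "searchsploit not found in $dir; clone it first:" >&2
        echo "  git clone https://github.com/offensive-security/exploit-database.git $dir" >&2
        return 1
    fi
    add_to_path "$dir"
    command -v searchsploit
}
```

Source the file from your shell profile and call `ensure_searchsploit` (or `ensure_searchsploit /path/to/clone`); the idempotent check matters because profile files are read by every new shell.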
root@kali:~# searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
Example:
searchsploit afd windows local
searchsploit -t oracle windows
=========
Options
=========
-c, --case     Perform a case-sensitive search (default is case-insensitive).
-e, --exact    Perform an EXACT match on the exploit title (default is AND) [implies "-t"].
-h, --help     Show this help screen.
-j, --json     Show results in JSON format.
-m, --mirror   Mirror (copy) an exploit to the current working directory.
-o, --overflow Exploit titles are allowed to overflow their columns.
-p, --path     Show the full path to an exploit (and copy the path to the clipboard if possible).
-t, --title    Search only the exploit title (default is title AND the file's path).
-w, --www      Show URLs to Exploit-DB.com rather than the local path.
-x, --examine  Examine (open) the exploit in the terminal pager.
--colour       Disable colour highlighting.
--id           Display the EDB-ID value rather than the local path.
=======
Notes
=======
* Use any number of search terms.
* Search terms are not case sensitive, and order is irrelevant.
* Use '-c' if you wish to reduce results by case-sensitive searching.
* And/Or '-e' if you wish to filter results by using an exact match.
* Use '-t' to exclude the file's path to filter the search results.
* Remove false positives (especially when searching numbers/major versions).
* When updating from git or displaying help, search terms will be ignored.
root@kali:~#
Searching for exploits that match specific terms:
root@kali:~# searchsploit afd windows local
-------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                  |  Path
                                                                                | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin)           | ./windows/local/6757.txt
Microsoft Windows XP - afd.sys Local Kernel Denial of Service                   | ./windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)           | ./windows/local/18176.py
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080)               | ./windows/local/21844.rb
Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | ./win_x86/local/39446.py
Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)           | ./win_x86-64/local/39525.py
-------------------------------------------------------------------------------- ----------------------------------
root@kali:~#
Note that SearchSploit combines terms with AND, not OR: the more terms you use, the more results are filtered out.
Pro tip: if you are not getting the results you expect, retry with more general terms for a broader search.
For example: Kernel 2.6.25 -> Kernel 2.6 // Kernel 2.x
Tip: do not use abbreviations.
For example: SQLi -> SQL Injection
By default searchsploit matches against both the exploit title and its path. Depending on the search terms this can produce false positives; the -t option restricts matching to the title only:
root@kali:~# searchsploit -t oracle windows
------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                |  Path
                                                                              | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------ ----------------------------------
Oracle 10g (Windows/x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation     | ./windows/local/3451.c
Oracle 9i XDB (Windows/x86) - FTP UNLOCK Overflow                             | ./windows/remote/16714.rb
Oracle 9i XDB (Windows/x86) - FTP PASS Overflow                               | ./win_x86/remote/16731.rb
Oracle 9i XDB (Windows/x86) - HTTP PASS Overflow                              | ./win_x86/remote/16809.rb
Oracle MySQL for Microsoft Windows - Payload Execution                        | ./windows/remote/16957.rb
Oracle MySQL for Microsoft Windows - MOF Execution                            | ./windows/remote/23179.rb
Oracle MySQL for Microsoft Windows - FILE Privilege Abuse                     | ./windows/remote/35777.rb
------------------------------------------------------------------------------ ----------------------------------
root@kali:~# searchsploit -t oracle windows | wc -l
12
root@kali:~# searchsploit oracle windows | wc -l
86
root@kali:~#
Without -t we get 81 results instead of 7; note that 5 of the lines counted by wc -l are the table header and separator lines, not results.
The output of searchsploit can be piped into any other program, which is especially useful when the results are emitted as JSON (the -j option). With this it is possible to strip out unwanted exploits using grep. In the following example we use grep -v to drop every result whose path contains /dos/:
root@kali:~# searchsploit XnView | grep -v '/dos/'
------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                |  Path
                                                                              | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------ ----------------------------------
XnView 1.90.3 - '.xpm' Local Buffer Overflow                                  | ./windows/local/3777.c
XnView 1.92.1 - Slideshow (FontName) Buffer Overflow                          | ./windows/local/5346.pl
XnView 1.93.6 - '.taac' Local Buffer Overflow (PoC)                           | ./windows/local/5951.c
XnView 1.92.1 - Command-Line Arguments Buffer Overflow                        | ./windows/remote/31405.c
XnView 1.97.4 - MBM File Remote Heap Buffer Overflow                          | ./windows/remote/34143.txt
------------------------------------------------------------------------------ ----------------------------------
root@kali:~# searchsploit XnView | wc -l
22
root@kali:~# searchsploit XnView | grep -v '/dos/' | wc -l
10
root@kali:~#
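The two counts above only make sense once you know that wc -l includes the five header and separator lines, and that grep -v works on the path column. The following is an added example (not part of the original post or of SearchSploit) that wraps those steps in small shell functions: isolate the result rows, count them, drop /dos/ entries, and pull out the EDB-IDs from the paths. The sample output is the afd search shown earlier in this post, embedded here as a constructed string so the script runs without searchsploit installed.

```shell
#!/bin/sh
# Added example: post-process searchsploit's table output in the shell.

# Constructed sample: the "searchsploit afd windows local" output from this post
# (6 results plus 5 decoration lines), so the functions can be exercised offline.
SAMPLE_OUTPUT=$(cat <<'EOF'
-------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                  |  Path
                                                                                | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin)           | ./windows/local/6757.txt
Microsoft Windows XP - afd.sys Local Kernel Denial of Service                   | ./windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080)           | ./windows/local/18176.py
Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080)               | ./windows/local/21844.rb
Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | ./win_x86/local/39446.py
Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)           | ./win_x86-64/local/39525.py
-------------------------------------------------------------------------------- ----------------------------------
EOF
)

# ss_rows: keep only result rows. Result rows and the two header lines contain a
# '|'; the separator lines do not. The header lines are then dropped by content.
ss_rows() {
    grep '|' | grep -v -e 'Exploit Title' -e 'exploitdb/platforms)'
}

# ss_count: number of real results (what "wc -l minus 5" computes by hand).
ss_count() {
    ss_rows | wc -l | tr -d ' '
}

# ss_drop_dos: result rows whose path is not under a dos/ directory.
ss_drop_dos() {
    ss_rows | grep -v '/dos/'
}

# ss_edb_ids: the EDB-ID of each result, taken from the file name in the path
# column (".../39446.py" -> "39446"). Feed these to "searchsploit -m".
ss_edb_ids() {
    ss_rows | sed -E 's#.*/([0-9]+)\.[A-Za-z0-9]+[[:space:]]*$#\1#'
}
```

With searchsploit installed the functions take real output, for example `searchsploit afd windows local | ss_drop_dos | ss_edb_ids | xargs searchsploit -m` to mirror every non-DoS hit into the current directory. Keep in mind that the table layout is presentation (column widths vary with terminal width and between versions), so for anything that must be robust prefer `searchsploit -j` and a JSON parser rather than grep over the table.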
Once we have found the exploit we want, the -p option gives us its full path (and copies it to the clipboard):
root@kali:~# searchsploit 39446
-------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                  |  Path
                                                                                | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | ./win_x86/local/39446.py
-------------------------------------------------------------------------------- ----------------------------------
root@kali:~# searchsploit -p 39446
Exploit: Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py
Copied the file path to the clipboard.
root@kali:~# /usr/share/exploitdb/platforms/win_x86/local/39446.py
We recommend that you do not edit the exploits inside the local copy of the database (modified files also get in the way of later -u updates). Instead, copy the scripts you need into a working directory with -m (mirror):
root@kali:~# searchsploit MS14-040
-------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                  |  Path
                                                                                | (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)  | /win_x86/local/39446.py
Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)           | /win_x86-64/local/39525.py
-------------------------------------------------------------------------------- ----------------------------------
root@kali:~#
root@kali:~# searchsploit -m 39446 39525
Exploit: Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39446/
Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py
Copied to '/root/'
Exploit: Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39525/
Path: /usr/share/exploitdb/platforms/win_x86-64/local/39525.py
Copied to '/root/'
root@kali:~#
With the -w option we get the URL of each exploit on Exploit-DB instead of the local path:
root@kali:~# searchsploit WarFTP 1.65 -w
------------------------------------------------------------------ --------------------------------------------
 Exploit Title                                                    |  URL
------------------------------------------------------------------ --------------------------------------------
WarFTP 1.65 (Windows 2000 SP4) - (USER) Remote Buffer Overflow    | https://www.exploit-db.com/exploits/3474/
WarFTP 1.65 - (USER) Remote Buffer Overflow SEH Overflow          | https://www.exploit-db.com/exploits/3482/
WarFTP 1.65 - (USER) Remote Buffer Overflow                       | https://www.exploit-db.com/exploits/3570/
------------------------------------------------------------------ --------------------------------------------
root@kali:~#
That is all for this tool write-up. Please keep following this blog, which is continuously updated with the latest security analyses and introductory tutorials.