Included in the Exploit Database repository on GitHub is "searchsploit", a command-line search tool for Exploit-DB that also lets you carry a copy of the Exploit Database with you wherever you go. SearchSploit lets you perform detailed offline searches through a locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks with no Internet access.
The paragraph above says it is especially useful without Internet access; in my case it was more that after refreshing for ages I still could not get the captcha to load, so I turned to SearchSploit instead.
Simply put, SearchSploit is the offline version of the Exploit Database: you keep a copy of the exploit database on your own machine and query it with SearchSploit, so there are no more captchas to deal with.
This post walks through some common SearchSploit usage examples; all of them can also be found in the official documentation.
On Kali, run searchsploit -h directly from the command line to see the help text:
root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations
       --exclude="term"       Remove values from results. By using "|" to separated you can chain multiple values.
                                e.g. --exclude="term1|term2|term3".

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating or displaying help, search terms will be ignored.
Update
Use the "-u" option to bring the local exploit-db up to date:
root@kali:~# searchsploit -u
Basic search
For example, to search for all vulnerabilities historically reported in squirrelmail:
root@kali:~# searchsploit squirrelmail
---------------------------------------------------------------------- ----------------------------------
 Exploit Title | Path
               | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail - 'chpasswd' Buffer Overflow | linux/local/273.c
SquirrelMail - 'chpasswd' Local Privilege Escalation (Brute Force) | linux/local/417.c
SquirrelMail 1.2.11 - 'move_messages.php' Arbitrary File Moving | php/webapps/22791.txt
SquirrelMail 1.2.11 - Exploit | php/webapps/22793.txt
SquirrelMail 1.2.11 Administrator Plugin - 'options.php' Arbitrary Ad | php/webapps/22792.txt
SquirrelMail 1.2.6/1.2.7 - Cross-Site Scripting Multiple Vulnerabilit | php/webapps/21811.txt
SquirrelMail 1.2.x - From Email Header HTML Injection | php/webapps/24167.txt
SquirrelMail 1.2.x - Theme Remote Command Execution | php/webapps/21358.sh
SquirrelMail 1.4.2 Address Add Plugin - 'add.php' Cross-Site Scriptin | php/webapps/26305.txt
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting | php/webapps/24068.txt
SquirrelMail 1.x - Email Header HTML Injection | linux/remote/24160.txt
SquirrelMail 3.1 - Change Passwd Plugin Local Buffer Overflow | linux/local/1449.c
SquirrelMail < 1.4.22 - Remote Code Execution | linux/remote/41910.sh
SquirrelMail G/PGP Encryption Plugin - 'deletekey()' Command Injectio | php/webapps/4718.rb
SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution | php/webapps/4173.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation / In | php/webapps/30859.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Unspecified R | php/webapps/30283.txt
SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit) | linux/remote/16888.rb
SquirrelMail Virtual Keyboard Plugin - 'vkeyboard.php' Cross-Site Scr | php/webapps/34814.txt
Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion | php/webapps/27948.txt
---------------------------------------------------------------------- ----------------------------------
searchsploit combines its search terms with AND: the more terms you give, the fewer results you get back, so sometimes you need to loosen the search.
For example, to search for the remote code execution vulnerabilities reported in squirrelmail: 'squirrelmail remote code execution'
root@kali:~# searchsploit squirrelmail remote code execution
---------------------------------------------------------------------- ----------------------------------
 Exploit Title | Path
               | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail < 1.4.22 - Remote Code Execution | linux/remote/41910.sh
---------------------------------------------------------------------- ----------------------------------
root@kali:~#
Search by title
By default, searchsploit checks both the exploit title and its path. Depending on the search terms this can produce false positives (especially when the terms match platform names or version numbers). Use the "-t" option to restrict the search to the title:
root@kali:~# searchsploit -t oracle windows
---------------------------------------------------------------------- ----------------------------------
 Exploit Title | Path
               | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escal | win_x86/local/3451.c
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit) | win_x86/remote/16731.rb
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit) | win_x86/remote/16714.rb
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit) | win_x86/remote/16809.rb
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | windows/remote/35777.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit) | windows/remote/23179.rb
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit) | windows/remote/16957.rb
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injec | win_x86-64/local/41908.txt
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User- | multiple/dos/41932.cpp
---------------------------------------------------------------------- ----------------------------------
Copy to clipboard
Now that we have found the exploit we were looking for, there are several ways to get at it quickly. With "-p" we get more information about the entry, and its full path is copied to the clipboard. Taking the squirrelmail RCE above as an example, its EDB-ID is 41910:
root@kali:~# searchsploit 41910
---------------------------------------------------------------------- ----------------------------------
 Exploit Title | Path
               | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------------------- ----------------------------------
SquirrelMail < 1.4.22 - Remote Code Execution | linux/remote/41910.sh
---------------------------------------------------------------------- ----------------------------------
root@kali:~# searchsploit -p 41910.sh
  Exploit: SquirrelMail < 1.4.22 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/41910/
     Path: /usr/share/exploitdb/platforms/linux/remote/41910.sh
Copied EDB-ID #41910's path to the clipboard.
Show URLs
A searchsploit search shows two columns, title and path. With the "-w" option the path column is shown as an Exploit-DB URL instead, which can be opened in a browser:
root@kali:~# searchsploit -w phpmailer
------------------------------------------------------------ --------------------------------------------
 Exploit Title | URL
------------------------------------------------------------ --------------------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service | https://www.exploit-db.com/exploits/25752/
PHPMailer < 5.2.18 - Remote Code Execution (Bash) | https://www.exploit-db.com/exploits/40968/
PHPMailer < 5.2.18 - Remote Code Execution (PHP) | https://www.exploit-db.com/exploits/40970/
PHPMailer < 5.2.18 - Remote Code Execution (Python) | https://www.exploit-db.com/exploits/40974/
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploi | https://www.exploit-db.com/exploits/41688/
PHPMailer < 5.2.20 - Remote Code Execution | https://www.exploit-db.com/exploits/40969/
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framewo | https://www.exploit-db.com/exploits/40986/
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | https://www.exploit-db.com/exploits/42221/
PHPMailer < 5.2.21 - Local File Disclosure | https://www.exploit-db.com/exploits/43056/
WordPress PHPMailer 4.6 - Host Header Command Injection (Me | https://www.exploit-db.com/exploits/42024/
------------------------------------------------------------ --------------------------------------------
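To make the search semantics of the basic-search, "-t" and "-w" sections concrete, here is a small Python example written for this post (not part of searchsploit or the Exploit-DB project): it parses result lines in the table format shown above, derives the EDB-ID and the Exploit-DB URL from the path, and applies the same AND, title-only, case-sensitive and --exclude filtering to them. The sample lines are a subset of the squirrelmail output above; the single-space column separator and the platforms directory layout are assumptions.

```python
import re
from dataclasses import dataclass

# Result lines taken from the page's squirrelmail output above (a subset).
SAMPLE = """\
Exploit Title | Path | (/usr/share/exploitdb/platforms/)
SquirrelMail - 'chpasswd' Buffer Overflow | linux/local/273.c
SquirrelMail 1.2.x - Theme Remote Command Execution | php/webapps/21358.sh
SquirrelMail < 1.4.22 - Remote Code Execution | linux/remote/41910.sh
SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit) | linux/remote/16888.rb
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting | php/webapps/24068.txt
"""

@dataclass(frozen=True)
class Entry:
    title: str
    path: str  # relative to /usr/share/exploitdb/platforms/ (assumed layout)

    @property
    def edb_id(self):
        # The file name minus its extension is the EDB-ID that --id and -p report.
        return int(re.search(r"(\d+)\.[^./]+$", self.path).group(1))

    @property
    def url(self):
        # The Exploit-DB URL that -w prints in place of the local path.
        return "https://www.exploit-db.com/exploits/%d/" % self.edb_id

def parse_table(text):
    """Turn 'title | path' result lines into entries, skipping header and rules."""
    entries = []
    for line in text.splitlines():
        if "|" not in line or line.startswith(("Exploit Title", "-")):
            continue
        title, path = (s.strip() for s in line.split("|", 1))
        entries.append(Entry(title, path))
    return entries

def search(entries, *terms, title_only=False, exclude=None, case=False):
    """AND-match every term over title+path (searchsploit's default) or title
    only (-t); exclude is a regex alternation like --exclude="a|b"; case is -c."""
    fold = (lambda s: s) if case else str.lower
    hits = []
    for e in entries:
        hay = fold(e.title if title_only else e.title + " " + e.path)
        if all(fold(t) in hay for t in terms) and not (
                exclude and re.search(exclude, e.title + " " + e.path)):
            hits.append(e)
    return hits
```

Searching the sample for "squirrelmail remote" without -t also returns 16888, whose path (linux/remote/) matches even though its title does not; that is exactly the kind of false positive the "-t" section describes.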
That is the brief introduction.