exploit-db
https://www.exploit-db.com/ can help you find vulnerabilities and provides proof-of-concept code that shows how these weaknesses are exploited.
vulns scan
You can also use searchsploit on Kali Linux, which searches a local copy of the Exploit-DB archive:
root@kali:/usr/share/nmap/scripts# searchsploit tomcat
------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------- ----------------------------------------
4D WebSTAR 5.3/5.4 Tomcat Plugin - Remote Buffer Overflow | exploits/osx/remote/25626.c
AWStats 6.x - Apache Tomcat Configuration File Arbitrary Command Execution | exploits/cgi/webapps/35035.txt
Apache 1.3.x + Tomcat 4.0.x/4.1.x mod_jk - Chunked Encoding Denial of Service | exploits/unix/dos/22068.pl
Apache Commons FileUpload and Apache Tomcat - Denial of Service | exploits/multiple/dos/31615.rb
Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Local Privilege Escalation | exploits/windows/local/7264.txt
Apache Tomcat - 'WebDAV' Remote File Disclosure | exploits/multiple/remote/4530.pl
Apache Tomcat - Account Scanner / 'PUT' Request Command Execution | exploits/multiple/remote/18619.txt
Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit) | exploits/windows/remote/47073.rb
Apache Tomcat - Cookie Quote Handling Remote Information Disclosure | exploits/multiple/remote/9994.txt
Apache Tomcat - Form Authentication 'Username' Enumeration | exploits/multiple/remote/9995.txt
Apache Tomcat - WebDAV SSL Remote File Disclosure | exploits/linux/remote/4552.pl
Apache Tomcat / Geronimo 1.0 - 'Sample Script cal2.jsp?time' Cross-Site Scripting | exploits/multiple/remote/27095.txt
Apache Tomcat 3.0 - Directory Traversal | exploits/windows/remote/20716.txt
Apache Tomcat 3.1 - Path Revealing | exploits/multiple/remote/20131.txt
Apache Tomcat 3.2 - 404 Error Page Cross-Site Scripting | exploits/multiple/remote/33379.txt
Apache Tomcat 3.2 - Directory Disclosure | exploits/unix/remote/21882.txt
Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scripting | exploits/multiple/webapps/10292.txt
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree | exploits/multiple/remote/21492.txt
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Information Disclosure | exploits/multiple/remote/21490.txt
Apache Tomcat 3.2.3/3.2.4 - Example Files Web Root Full Path Disclosure | exploits/multiple/remote/21491.txt
Apache Tomcat 3.x - Null Byte Directory / File Disclosure | exploits/linux/remote/22205.txt
Apache Tomcat 3/4 - 'DefaultServlet' File Disclosure | exploits/unix/remote/21853.txt
Apache Tomcat 3/4 - JSP Engine Denial of Service | exploits/linux/dos/21534.jsp
Apache Tomcat 4.0.3 - Denial of Service 'Device Name' / Cross-Site Scripting | exploits/windows/remote/21605.txt
Apache Tomcat 4.0.3 - Requests Containing MS-DOS Device Names Information Disclosure | exploits/multiple/remote/31551.txt
Apache Tomcat 4.0.3 - Servlet Mapping Cross-Site Scripting | exploits/linux/remote/21604.txt
Apache Tomcat 4.0.x - Non-HTTP Request Denial of Service | exploits/linux/dos/23245.pl
Apache Tomcat 4.0/4.1 - Servlet Full Path Disclosure | exploits/unix/remote/21412.txt
Apache Tomcat 4.1 - JSP Request Cross-Site Scripting | exploits/unix/remote/21734.txt
Apache Tomcat 5 - Information Disclosure | exploits/multiple/remote/28254.txt
Apache Tomcat 5.5.0 < 5.5.29 / 6.0.0 < 6.0.26 - Information Disclosure | exploits/multiple/remote/12343.txt
Apache Tomcat 5.5.15 - cal2.jsp Cross-Site Scripting | exploits/jsp/webapps/30563.txt
Apache Tomcat 5.5.25 - Cross-Site Request Forgery | exploits/multiple/webapps/29435.txt
Apache Tomcat 5.x/6.0.x - Directory Traversal | exploits/linux/remote/29739.txt
Apache Tomcat 6.0.10 - Documentation Sample Application Multiple Cross-Site Scripting Vulnerabilities | exploits/multiple/remote/30052.txt
Apache Tomcat 6.0.13 - Host Manager Servlet Cross-Site Scripting | exploits/multiple/remote/30495.html
Apache Tomcat 6.0.13 - Insecure Cookie Handling Quote Delimiter Session ID Disclosure | exploits/multiple/remote/30496.txt
Apache Tomcat 6.0.13 - JSP Example Web Applications Cross-Site Scripting | exploits/jsp/webapps/30189.txt
Apache Tomcat 6.0.15 - Cookie Quote Handling Remote Information Disclosure | exploits/multiple/remote/31130.txt
Apache Tomcat 6.0.16 - 'HttpServletResponse.sendError()' Cross-Site Scripting | exploits/multiple/remote/32138.txt
Apache Tomcat 6.0.16 - 'RequestDispatcher' Information Disclosure | exploits/multiple/remote/32137.txt
Apache Tomcat 6.0.18 - Form Authentication Existing/Non-Existing 'Username' Enumeration | exploits/multiple/remote/33023.txt
Apache Tomcat 6/7/8/9 - Information Disclosure | exploits/multiple/remote/41783.txt
Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site Scripting | exploits/linux/remote/35011.txt
Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation | exploits/linux/local/40450.txt
Apache Tomcat 8/7/6 (RedHat Based Distros) - Local Privilege Escalation | exploits/linux/local/40488.txt
Disclosure | exploits/multiple/remote/20719.txt
------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Common Vulnerability Scoring System (CVSS)
refer to https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf
Common Vulnerabilities and Exposures (CVE)
https://cve.mitre.org/ can be used to look up the description of a vulnerability.
use nmap
root@kali:/usr/share/nmap/scripts# cat script.db | grep vuln
Entry { filename = "afp-path-vuln.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
Entry { filename = "clamav-exec.nse", categories = { "exploit", "vuln", } }
Entry { filename = "distcc-cve2004-2687.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "dns-update.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "firewall-bypass.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "ftp-libopie.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "ftp-proftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "ftp-vuln-cve2010-4221.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-adobe-coldfusion-apsa1301.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-aspnet-debug.nse", categories = { "discovery", "vuln", } }
Entry { filename = "http-avaya-ipoffice-users.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-awstatstotals-exec.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-axis2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-cookie-flags.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-cross-domain-policy.nse", categories = { "external", "safe", "vuln", } }
Entry { filename = "http-csrf.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-dlink-backdoor.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-dombased-xss.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "http-fileupload-exploiter.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-frontpage-login.nse", categories = { "safe", "vuln", } }
Entry { filename = "http-git.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-huawei-hg5xx-vuln.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-internal-ip-disclosure.nse", categories = { "discovery", "safe", "vuln", } }
Entry { filename = "http-jsonp-detection.nse", categories = { "discovery", "safe", "vuln", } }
Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-majordomo2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-method-tamper.nse", categories = { "auth", "vuln", } }
Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-phpmyadmin-dir-traversal.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-phpself-xss.nse", categories = { "fuzzer", "intrusive", "vuln", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-slowloris-check.nse", categories = { "safe", "vuln", } }
Entry { filename = "http-sql-injection.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-stored-xss.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-tplink-dir-traversal.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-trace.nse", categories = { "discovery", "safe", "vuln", } }
Entry { filename = "http-vmware-path-vuln.nse", categories = { "safe", "vuln", } }
Entry { filename = "http-vuln-cve2006-3392.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-vuln-cve2009-3960.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-vuln-cve2010-0738.nse", categories = { "auth", "safe", "vuln", } }
Entry { filename = "http-vuln-cve2010-2861.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", } }
Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-vuln-cve2013-0156.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-vuln-cve2013-6786.nse", categories = { "exploit", "vuln", } }
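As an added example (not part of the original notes), a small Python script that parses script.db entries in the format shown above and builds the list of vuln scripts that are not tagged intrusive, dos or exploit, which is what nmap's own --script "vuln and not (intrusive or dos or exploit)" expression would select; the embedded entries are a constructed excerpt of the listing.

```python
import re

# Constructed excerpt of nmap's script.db (same format as the listing above);
# the real file lives at /usr/share/nmap/scripts/script.db on Kali.
SCRIPT_DB = '''
Entry { filename = "http-cookie-flags.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-csrf.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-git.nse", categories = { "default", "safe", "vuln", } }
Entry { filename = "http-slowloris-check.nse", categories = { "safe", "vuln", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
'''

# One Entry { filename = "...", categories = { ... } } record per match
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Return {script filename: set of categories} from script.db text."""
    scripts = {}
    for m in ENTRY_RE.finditer(text):
        scripts[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return scripts


def select_scripts(scripts, required, excluded=()):
    """Scripts carrying every category in `required` and none in `excluded`
    (the same logic as an nmap expression such as 'vuln and not intrusive')."""
    return sorted(
        name for name, cats in scripts.items()
        if set(required) <= cats and not cats & set(excluded)
    )


def nmap_script_arg(names):
    """Comma-joined value for nmap's --script option (the .nse suffix is dropped)."""
    return ",".join(n[:-4] if n.endswith(".nse") else n for n in names)


if __name__ == "__main__":
    db = parse_script_db(SCRIPT_DB)
    quiet = select_scripts(db, required=["vuln"], excluded=["intrusive", "dos", "exploit"])
    print("non-intrusive vuln checks: --script", nmap_script_arg(quiet))
```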
openvas
refer to https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/
Vulnerability scanning is a crucial phase of a penetration test and having an updated vulnerability scanner in your security toolkit can often make a real difference by helping you discover overlooked vulnerable items. For this reason, we’ve manually packaged the latest and newly released OpenVAS 8.0 tool and libraries for Kali Linux. Although nothing major has changed in this release in terms of running the vulnerability scanner, we wanted to give a quick overview on how to get it up and running.
Figure 3: start to scan
Figure 4: scanning result
Nexpose
Nessus
Look these up yourself.
To sum up, a scanner reports the likelihood or a percentage that a vulnerability exists, but it cannot confirm that it actually exists. In other words, it helps you identify whether something may be a real vulnerability, but you still need to verify it with tools like the Metasploit Framework.
A scanner only scans for vulns. Verification should be handled by other tools (Metasploit Framework).