In penetration testing and security research, finding and using known vulnerabilities is a large part of the daily work. To do it efficiently, researchers and penetration testers need a reliable, searchable library of exploit information. This post introduces one such tool, Searchsploit, which lets you quickly locate exploit entries from Exploit-DB in a local, offline copy of the archive.
I. Introduction to Searchsploit
Searchsploit is a command-line search tool written for Exploit-DB. Exploit-DB is a public archive of exploits and proof-of-concept code maintained by Offensive Security (OffSec), containing a large collection of vulnerability information and exploit scripts. Searchsploit searches an offline copy of that archive on disk, so it works without Internet access, and with a single command you can find the entry you need and the path of the corresponding script.
II. Installing Searchsploit
On Kali Linux, Searchsploit is part of the default tool set (the exploitdb package) and needs no extra installation. On other Linux distributions, or on Windows inside a bash environment such as WSL, clone the Git repository (https://gitlab.com/exploit-database/exploitdb) and put the searchsploit script on your PATH. Whatever the platform, run searchsploit -u before a search so that the local index is current: results only reflect the copy on disk, not what exploit-db.com holds today.
III. Basic usage of Searchsploit
1. Searching for exploits
The basic syntax is: searchsploit [options] term1 [term2] ... [termN]. [options] are optional switches; term1, term2 and so on are the keywords to search for. By default every keyword must match (an AND search), matching is case-insensitive, and each keyword is matched against the exploit title and its file path.
For example, to look for entries related to Apache Struts, run: searchsploit apache struts. Searchsploit returns every exploit whose title or path contains both keywords, together with the path of each script under the local database directory (/usr/share/exploitdb on Kali):
┌──(root㉿kali)-[~]
└─# searchsploit apache struts
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache Struts - 'ParametersInterceptor' Remote Code Execution (Metasploit) | multiple/remote/24874.rb
Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple/remote/33142.rb
Apache Struts - Developer Mode OGNL Execution (Metasploit) | java/remote/31434.rb
Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit) | linux/remote/39756.rb
Apache Struts - includeParams Remote Code Execution (Metasploit) | multiple/remote/25980.rb
Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities | multiple/webapps/18452.txt
Apache Struts - OGNL Expression Injection | multiple/remote/38549.txt
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution | multiple/remote/43382.py
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit) | multiple/remote/39919.rb
Apache Struts 1.2.7 - Error Response Cross-Site Scripting | multiple/remote/26542.txt
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution | java/webapps/48917.py
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit) | multiple/remote/27135.rb
Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit) | multiple/remote/45367.rb
Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit) | multiple/remote/45367.rb
Apache Struts 2 - Skill Name Remote Code Execution | multiple/remote/37647.txt
Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit) | multiple/remote/44643.rb
Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit) | multiple/remote/44643.rb
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities | multiple/webapps/18329.txt
Apache Struts 2.0 - 'XSLTResult.java' Arbitrary File Upload | java/webapps/37009.xml
Apache Struts 2.0.0 < 2.2.1.1 - XWork 's:submit' HTML Tag Cross-Site Scripting | multiple/remote/35735.txt
Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution | multiple/remote/44556.py
Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass | multiple/remote/36426.txt
Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit) | multiple/remote/18984.rb
Apache Struts 2.2.3 - Multiple Open Redirections | multiple/remote/38666.txt
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) | linux/remote/45260.py
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) | multiple/remote/45262.py
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit) | multiple/remote/41614.rb
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution | linux/webapps/41570.py
Apache Struts 2.3.x Showcase - Remote Code Execution | multiple/webapps/42324.py
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution | linux/remote/42627.py
Apache Struts 2.5.20 - Double OGNL evaluation | multiple/remote/49068.py
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit) | multiple/remote/17691.rb
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection | multiple/webapps/44583.txt
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
2. Searching titles only
To match keywords only against the exploit title and ignore the file path, add the -t option. For example, searchsploit -t smb windows remote returns only entries whose title contains all three words smb, windows and remote. This matters because path components such as windows/remote/ would otherwise satisfy the windows and remote keywords on their own:
┌──(root㉿kali)-[~]
└─# searchsploit -t smb windows remote
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | windows/remote/43970.rb
Microsoft Windows - 'SMBGhost' Remote Code Execution | windows/remote/48537.py
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow | windows/remote/20.txt
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution | windows/remote/41929.py
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution | windows/remote/44616.py
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063) | windows/dos/9594.txt
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
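To make the matching rules of sections 1 and 2 concrete, here is a small re-implementation of them in Python, run over a constructed subset of the local index. This is an added example, not searchsploit's own code: the real tool greps files_exploits.csv under /usr/share/exploitdb, while the sample below keeps only four of that file's columns, its rows are constructed for the demo (titles and paths copied from the output above, the CVE on row 42031 from the -m output below, other codes left empty), and the fuzzy version-range matching that searchsploit enables by default (disabled with -s) is not reproduced. Beyond -t it also shows the -c, --exclude and --cve switches covered in the help output later on.

```python
"""Mini searchsploit: the documented matching rules over a constructed index.
Added example, not searchsploit's own code; see the lead-in for assumptions."""
import csv
import io
import re

# Constructed sample index: a four-column subset of files_exploits.csv.
SAMPLE_CSV = """\
id,file,description,codes
42031,exploits/windows/remote/42031.py,Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010),CVE-2017-0144
41614,exploits/multiple/remote/41614.rb,Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit),
9594,exploits/windows/dos/9594.txt,Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063),
20,exploits/windows/remote/20.txt,Microsoft Windows 2000/XP - SMB Authentication Remote Overflow,
43382,exploits/multiple/remote/43382.py,Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution,
"""


def load_db(text):
    """Parse the index into one dict per row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def search(db, terms, title_only=False, case_sensitive=False, exclude=None, cve=None):
    """Filter rows the way the searchsploit help describes its switches.

    terms           every term must match (AND), as in the default CLI search
    title_only      -t: match the title only (default is title AND file path)
    case_sensitive  -c: the default search ignores case
    exclude         --exclude="a|b": regex alternatives that discard a row
    cve             --cve 2017-0144: the codes column must contain CVE-<value>
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    excl = re.compile(exclude, flags) if exclude else None
    hits = []
    for row in db:
        haystack = row["description"] if title_only else f'{row["description"]} {row["file"]}'
        if not all(re.search(re.escape(t), haystack, flags) for t in terms):
            continue
        if excl and excl.search(haystack):
            continue
        if cve and f"CVE-{cve}".upper() not in row["codes"].upper():
            continue
        hits.append(row)
    return hits


def ids(rows):
    """EDB-IDs of a result list, in index order (what --id prints)."""
    return [r["id"] for r in rows]


def show(rows):
    """Two-column table in the spirit of searchsploit's own output."""
    for r in rows:
        print(f'{r["description"]:<100} | {r["file"][len("exploits/"):]}')


if __name__ == "__main__":
    db = load_db(SAMPLE_CSV)
    print("# searchsploit struts remote   (41614 matches via its path only)")
    show(search(db, ["struts", "remote"]))
    print("# searchsploit -t struts remote   (title only)")
    show(search(db, ["struts", "remote"], title_only=True))
    print("# searchsploit smb windows remote --exclude='/dos/'")
    show(search(db, ["smb", "windows", "remote"], exclude="/dos/"))
    print("# searchsploit --cve 2017-0144")
    show(search(db, [], cve="2017-0144"))
```

The first two queries are the point of section 2: entry 41614 has no word "remote" in its title, but its path multiple/remote/41614.rb does, so it appears in the default search and disappears with -t.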
3. Copying an exploit script
Once you have found an exploit of interest, copy it into the current working directory with the -m (mirror) option, giving either the EDB-ID or the file name. For example, searchsploit -m 42031.py copies exploit 42031 into the current directory and prints its metadata, including the CVE it targets and whether Exploit-DB has verified it. Read the copied script before running it: entries are third-party code and often hard-code a target address, a callback listener or a payload that you must change; the -x option opens an entry in $PAGER for exactly that purpose.
┌──(root㉿kali)-[~]
└─# searchsploit -m 42031.py
Exploit: Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42031
Path: /usr/share/exploitdb/exploits/windows/remote/42031.py
Codes: CVE-2017-0144
Verified: True
File Type: Python script, ASCII text executable
Copied to: /root/42031.py
IV. Advanced usage of Searchsploit
Beyond searching and copying, Searchsploit offers a few further options:
- -p, --path [EDB-ID] prints the full local path of an entry (and copies it to the clipboard where possible). There is no separate platform switch: because the default search also matches the file path, a keyword such as windows or linux restricts results to that platform's directory, and --exclude="term1|term2" removes unwanted matches (for example --exclude="/dos/" drops denial-of-service entries).
- -x, --examine [EDB-ID] opens an entry in $PAGER so you can read it without copying it first.
- --cve [CVE] searches by CVE identifier (for example searchsploit --cve 2017-0144). Separately, -c, --case makes the keyword search case-sensitive, and -s, --strict turns off the fuzzy version-range matching that is on by default, which is the usual cure for false positives when a search term is a version number.
The full help output is shown below:
Usage: searchsploit [options] term1 [term2] ... [termN]
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | jq
searchsploit --cve 2021-44228
For more examples, see the manual: https://www.exploit-db.com/searchsploit
=========
Options
=========
## Search Terms
-c, --case [term] Perform a case-sensitive search (Default is inSEnsITiVe)
-e, --exact [term] Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
-s, --strict Perform a strict search, so input values must exist, disabling fuzzy search for version range
e.g. "1.1" would not be detected in "1.0 < 1.3")
-t, --title [term] Search JUST the exploit title (Default is title AND the file's path)
--exclude="term" Remove values from results. By using "|" to separate, you can chain multiple values
e.g. --exclude="term1|term2|term3"
--cve [CVE] Search for Common Vulnerabilities and Exposures (CVE) value
## Output
-j, --json [term] Show result in JSON format
-o, --overflow [term] Exploit titles are allowed to overflow their columns
-p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)
-v, --verbose Display more information in output
-w, --www [term] Show URLs to Exploit-DB.com rather than the local path
--id Display the EDB-ID value rather than local path
--disable-colour Disable colour highlighting in search results
## Non-Searching
-m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory
-x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER
## Non-Searching
-h, --help Show this help screen
-u, --update Check for and install any exploitdb package updates (brew, deb & git)
## Automation
--nmap [file.xml] Checks all results in Nmap's XML output with service version
e.g.: nmap [host] -sV -oX file.xml
=======
Notes
=======
* You can use any number of search terms
* By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
* Use '-c' if you wish to reduce results by case-sensitive searching
* And/Or '-e' if you wish to filter results by using an exact match
* And/Or '-s' if you wish to look for an exact version match
* Use '-t' to exclude the file's path to filter the search results
* Remove false positives (especially when searching using numbers - i.e. versions)
* When using '--nmap', adding '-v' (verbose), it will search for even more combinations
* When updating or displaying help, search terms will be ignored
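The --nmap option in the Automation section above feeds service versions from an nmap -sV XML report into searches. The following Python is an added, simplified sketch of that workflow, not searchsploit's own implementation: it reads the XML, keeps only open ports that nmap fingerprinted with a product name, and turns each into a searchsploit -t command. The XML is constructed for the demo (host, ports and banners are made up). Following the note above about false positives from numeric terms, only the leading numeric part of the version is used, and nmap's wildcard range guesses such as "3.X - 4.X" contribute no version term at all.

```python
"""Turn an nmap -sV XML report into searchsploit queries (simplified --nmap).
Added example; the XML below is constructed, not a real scan."""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed nmap -sV -oX output for the demo.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.7">
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Samba smbd" version="3.X - 4.X" extrainfo="workgroup: WORKGROUP" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

LEADING_VERSION = re.compile(r"^\d+(?:\.\d+)*")


def open_services(xml_text):
    """Yield (host, port, product, version) for open ports nmap fingerprinted."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            product = svc.get("product")
            if not product:
                continue        # port-table guess only; nothing worth searching on
            yield addr, int(port.get("portid")), product, svc.get("version", "")


def search_terms(product, version):
    """Product words plus the leading numeric version: 'OpenSSH', '7.2p2 ...' -> ['OpenSSH', '7.2'].
    A wildcard token such as '3.X' is an nmap range guess and adds no version term."""
    terms = product.split()
    token = version.split()[0] if version.split() else ""
    m = LEADING_VERSION.match(token)
    if m and "X" not in token.upper():
        terms.append(m.group(0))
    return terms


def plan_searches(xml_text):
    """One searchsploit -t command line per open, fingerprinted service."""
    plan = []
    for addr, port, product, version in open_services(xml_text):
        terms = search_terms(product, version)
        plan.append({"host": addr, "port": port, "terms": terms,
                     "command": shlex.join(["searchsploit", "-t"] + terms)})
    return plan


if __name__ == "__main__":
    for entry in plan_searches(SAMPLE_NMAP_XML):
        print(f'{entry["host"]}:{entry["port"]:<5} {entry["command"]}')
```

On a real report the commands are what you would paste into a shell (or pipe through searchsploit -j | jq for machine-readable results); the closed 8080 port and its table-only guess are skipped, which is why a version-detection scan (-sV) is required in the first place.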