SearchSploit漏洞查找工具使用指南
*SearchSploit*官网文档
详细参数
Usage: searchsploit [options] term1 [term2] ... [termN]
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
For more examples, see the manual: https://www.exploit-db.com/searchsploit/
=========
Options
=========
-c, --case [Term] 区分大小写(默认不区分大小写)
-e, --exact [Term] 对exploit标题进行EXACT匹配 (默认为 AND) [Implies "-t"].
-h, --help 显示帮助
-j, --json [Term] 以JSON格式显示结果
-m, --mirror [EDB-ID] 把一个exp拷贝到当前工作目录,参数后加目标id
-o, --overflow [Term] Exploit标题被允许溢出其列
-p, --path [EDB-ID] 显示漏洞利用的完整路径(如果可能,还将路径复制到剪贴板),后面跟漏洞ID号
-t, --title [Term] 仅仅搜索漏洞标题(默认是标题和文件的路径)
-u, --update 检查并安装任何exploitdb软件包更新(deb或git)
-w, --www [Term] 显示Exploit-DB.com的URL而不是本地路径(在线搜索)
-x, --examine [EDB-ID] 使用$ PAGER检查(副本)Exp
--colour 搜索结果不高亮显示关键词
--id 显示EDB-ID
--nmap [file.xml] 使用服务版本检查Nmap XML输出中的所有结果(例如:nmap -sV -oX file.xml)
使用“-v”(详细)来尝试更多的组合
--exclude="term" 从结果中删除值。通过使用“|”分隔多个值
例如--exclude=“term1 | term2 | term3”。
=======
Notes
=======
* 你可以使用任意数量的搜索词。
* Search terms are not case-sensitive (by default), and ordering is irrelevant.
* 搜索术语不区分大小写(默认情况下),而排序则无关紧要。
* 如果你想用精确的匹配来过滤结果,请使用用 -e 参数
* 使用' - t '将文件的路径排除,以过滤搜索结果
* 删除误报(特别是在搜索使用数字时 - i.e. 版本).
* 当更新或显示帮助时,搜索项将被忽略。
使用实例
基本搜索
基本搜索会同时匹配标题和路径中的内容
┌─[✗]─[parrot@parrot]─[~]
└──╼ $searchsploit smb windows remote
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
Microsoft DNS RPC Service - 'extractQuotedCh | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Code Exec | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate | windows/remote/16363.rb
Microsoft Windows - SMB Authentication Remot | windows/remote/20.txt
Microsoft Windows - SMB Relay Code Execution | windows/remote/16360.rb
Microsoft Windows - SmbRelay3 NTLM Replay Ex | windows/remote/7125.txt
Microsoft Windows - Unauthenticated SMB Remo | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' | windows/remote/41929.py
Microsoft Windows 95/WfW - smbclient Directo | windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Serv | windows/remote/19197.txt
Microsoft Windows Server 2008 R2 (x64) - 'Sr | windows/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate | windows/dos/9594.txt
Microsoft Windows Windows 7/2008 R2 (x64) - | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64 | win_x86-64/remote/42030.py
VideoLAN VLC Media Player 0.8.6f - 'smb://' | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' | windows/remote/9318.py
VideoLAN VLC Media Player 1.0.2 - 'smb://' U | windows/remote/9816.py
VideoLAN VLC Media Player 1.0.3 - 'smb://' U | windows/dos/10333.py
VideoLAN VLC Media Player < 1.1.4 - '.xspf' | windows/dos/14892.py
--------------------------------------------- ----------------------------------
注意:SearchSploit使用AND运算符,而不是OR运算符。使用的术语越多,滤除的结果越多。
Tip:如果你没有收到预期的结果,可以使用更通用的术语进行更广泛的搜索。
如:Kernel 2.6.25 - >Kernel 2.6 / / Kernel 2.x。
Tip:不要使用缩写
如:SQLi -> SQL Injection。
标题搜索
标题搜索只匹配标题,不会对路径中的关键词进行匹配
┌─[parrot@parrot]─[~]
└──╼ $searchsploit -t smb windows remote
------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft Windows - SMB Authentication Remote Exploit | windows/remote/20.txt
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution | windows/remote/41929.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07 | windows/dos/9594.txt
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------ ----------------------------------
删除不想要的结果
使用--exclude=选项删除不想要的结果
┌─[parrot@parrot]─[~]
└──╼ $searchsploit smb windows remote --exclude="(POC)|txt"
------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit) | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050) | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (M | windows/remote/16363.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit) | windows/remote/16360.rb
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution | windows/remote/41929.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows/remote/41987.py
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow (Universal) | windows/remote/9318.py
------------------------------------------------------------------------------------------------ ----------------------------------
利用管道输出(删除不想要的结果的另一种方法)
┌─[parrot@parrot]─[~]
└──╼ $searchsploit smb windows remote | grep rb
Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit) | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (M | windows/remote/16363.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit) | windows/remote/16360.rb
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Pro Tip:建议使用grep而不是“dos”
复制到剪贴板
-p参数可以获取更多关于该漏洞的信息,以及将完整的路径复制到剪贴板上(如果可能的话)
┌─[parrot@parrot]─[~]
└──╼ $searchsploit eternalblue
------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------ ----------------------------------
┌─[parrot@parrot]─[~]
└──╼ $searchsploit -p 42315.py
Exploit: Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42315/
Path: /usr/share/exploitdb/platforms/windows/remote/42315.py
复制到文件夹
不建议在本地的漏洞数据库中修改exp,建议使用-m参数复制那些有用的到当前的工作目录
┌─[parrot@parrot]─[/tmp]
└──╼ $searchsploit -m 42315.py
Exploit: Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42315/
Path: /usr/share/exploitdb/platforms/windows/remote/42315.py
Copied to '/tmp/'
┌─[parrot@parrot]─[/tmp]
└──╼ $ls
42315.py sogou-qimpanelparrot
联网搜索
一些开发的元数据没有保存在本地,如果要访问他们,需要联网搜索
┌─[parrot@parrot]─[/tmp]
└──╼ $searchsploit eternalblue -w
-------------------------------------------------------------------------------------- --------------------------------------------
Exploit Title | URL
-------------------------------------------------------------------------------------- --------------------------------------------
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution ( | https://www.exploit-db.com/exploits/42031/
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Co | https://www.exploit-db.com/exploits/42315/
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Executi | https://www.exploit-db.com/exploits/42030/
-------------------------------------------------------------------------------------- --------------------------------------------
*转载请注明来自AresX’s Blog