# SearchSploit Exploit Search Tool Usage Guide

Reference: SearchSploit official documentation (https://www.exploit-db.com/searchsploit/)

## Option reference

```text
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
   -c, --case     [Term]      Case-sensitive search (default is case-insensitive).
   -e, --exact    [Term]      Perform an EXACT match on the exploit title (default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show results in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (copy) an exploit to the current working directory; takes the target EDB-ID.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and copy the path to the clipboard if possible); takes the EDB-ID.
   -t, --title    [Term]      Search JUST the exploit title (default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path (online search).
   -x, --examine  [EDB-ID]    Examine (open) the exploit using $PAGER.
       --colour               Disable colour highlighting of keywords in search results.
       --id                   Display the EDB-ID value.
       --nmap     [file.xml]  Check all results in Nmap's XML output with service versions (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations.
       --exclude="term"       Remove values from results. Separate multiple values with "|",
                                e.g. --exclude="term1|term2|term3".

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path when filtering the search results.
   * This removes false positives (especially when searching using numbers - i.e. versions).
 * When updating or displaying help, search terms will be ignored.
```
## Usage examples

### Basic search

A basic search matches the terms against both the exploit title and the file path.

```text
┌─[✗]─[parrot@parrot]─[~]
└──╼ $searchsploit smb windows remote
--------------------------------------------- ----------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
Microsoft DNS RPC Service - 'extractQuotedCh | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Code Exec | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate | windows/remote/16363.rb
Microsoft Windows - SMB Authentication Remot | windows/remote/20.txt
Microsoft Windows - SMB Relay Code Execution | windows/remote/16360.rb
Microsoft Windows - SmbRelay3 NTLM Replay Ex | windows/remote/7125.txt
Microsoft Windows - Unauthenticated SMB Remo | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' | windows/remote/41929.py
Microsoft Windows 95/WfW - smbclient Directo | windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Serv | windows/remote/19197.txt
Microsoft Windows Server 2008 R2 (x64) - 'Sr | windows/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate | windows/dos/9594.txt
Microsoft Windows Windows 7/2008 R2 (x64) -  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64 | win_x86-64/remote/42030.py
VideoLAN VLC Media Player 0.8.6f - 'smb://'  | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://'  | windows/remote/9318.py
VideoLAN VLC Media Player 1.0.2 - 'smb://' U | windows/remote/9816.py
VideoLAN VLC Media Player 1.0.3 - 'smb://' U | windows/dos/10333.py
VideoLAN VLC Media Player < 1.1.4 - '.xspf'  | windows/dos/14892.py
--------------------------------------------- ----------------------------------
```
Note: SearchSploit combines terms with AND, not OR. The more terms you use, the more results are filtered out.

Tip: If you are not getting the results you expect, use more general terms for a wider search, e.g. Kernel 2.6.25 -> Kernel 2.6 / Kernel 2.x.

Tip: Do not use abbreviations: SQLi -> SQL Injection.
### Title search

A title search matches only the exploit title; keywords in the path are not matched.

```text
┌─[parrot@parrot]─[~]
└──╼ $searchsploit -t smb windows remote
------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                  |  Path
                                                                                                | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft Windows - SMB Authentication Remote Exploit                                           | windows/remote/20.txt
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)   | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                          | windows/remote/41929.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)   | windows/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07 | windows/dos/9594.txt
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------ ----------------------------------
```
### Removing unwanted results

Use the --exclude= option to remove unwanted results.

```text
┌─[parrot@parrot]─[~]
└──╼ $searchsploit  smb windows remote --exclude="(POC)|txt"
------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                  |  Path
                                                                                                | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit)        | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)                           | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (M | windows/remote/16363.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                            | windows/remote/16360.rb
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)   | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                          | windows/remote/41929.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)   | windows/remote/41987.py
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow                 | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow (Universal)     | windows/remote/9318.py
------------------------------------------------------------------------------------------------ ----------------------------------
```
### Piping the output (another way to remove unwanted results)

```text
┌─[parrot@parrot]─[~]
└──╼ $searchsploit  smb windows remote | grep rb
Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit)        | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (M | windows/remote/16363.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                            | windows/remote/16360.rb
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)   | windows/dos/41891.rb
```

Pro Tip: grep is recommended over 'dos' for this kind of filtering.
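As an added illustration (not part of the original post or of the SearchSploit project), the Python below reproduces the filtering rules shown in the basic, `-t` and `--exclude=` searches above on a constructed subset of those rows: every term must match (AND), `-t` restricts matching to the title, and `--exclude` is a regex alternation applied to the whole row, which is why the VLC entry only appears when its `windows/remote` path is searched. Case-insensitive handling of the exclude pattern is an assumption about the real tool.

```python
import re

# Constructed subset of the rows from the searchsploit output above:
# (title, path relative to /usr/share/exploitdb/platforms/).
ENTRIES = [
    ("Microsoft Windows - SMB Authentication Remote Exploit",
     "windows/remote/20.txt"),
    ("Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)",
     "windows/remote/40280.py"),
    ("Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner "
     "(MS17-010) (Metasploit)", "windows/dos/41891.rb"),
    ("Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote "
     "Blue Screen of Death", "windows/dos/9594.txt"),
    ("VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer "
     "Overflow", "windows/remote/9303.c"),
]


def search(entries, terms, title_only=False, exclude=None):
    """Model of searchsploit's result filtering.

    - Every term must occur (AND), case-insensitively.
    - Without title_only (-t) a term may match in the title OR the path,
      so 'windows' in a path such as windows/remote/ is enough.
    - exclude is a regex like "(PoC)|txt" (the --exclude= value) applied to
      the whole row, title and path. Case-insensitive matching here is an
      assumption about the real tool.
    Returns the matching paths in input order.
    """
    pattern = re.compile(exclude, re.IGNORECASE) if exclude else None
    hits = []
    for title, path in entries:
        row = f"{title} | {path}"
        haystack = (title if title_only else row).lower()
        if not all(term.lower() in haystack for term in terms):
            continue  # an AND term is missing: more terms, fewer results
        if pattern and pattern.search(row):
            continue  # dropped by --exclude
        hits.append(path)
    return hits


if __name__ == "__main__":
    terms = ["smb", "windows", "remote"]
    print("title+path:", search(ENTRIES, terms))
    print("title only:", search(ENTRIES, terms, title_only=True))
    print("exclude   :", search(ENTRIES, terms, exclude="(PoC)|txt"))
```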
### Copying to the clipboard

The -p option shows more information about the exploit and copies its full path to the clipboard (if possible).

```text
┌─[parrot@parrot]─[~]
└──╼ $searchsploit eternalblue
------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                  |  Path
                                                                                                | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------ ----------------------------------

┌─[parrot@parrot]─[~]
└──╼ $searchsploit -p 42315.py
 Exploit: Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
     URL: https://www.exploit-db.com/exploits/42315/
    Path: /usr/share/exploitdb/platforms/windows/remote/42315.py
```
### Copying to a directory

Modifying exploits inside the local exploit database is not recommended; use the -m option to copy the useful ones into the current working directory instead.

```text
┌─[parrot@parrot]─[/tmp]
└──╼ $searchsploit -m 42315.py
 Exploit: Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
     URL: https://www.exploit-db.com/exploits/42315/
    Path: /usr/share/exploitdb/platforms/windows/remote/42315.py
Copied to '/tmp/'

┌─[parrot@parrot]─[/tmp]
└──╼ $ls
42315.py                   sogou-qimpanelparrot
```
### Online search

Some exploit metadata is not stored locally; to access it you need to search online with the -w option, which prints the Exploit-DB.com URL instead of the local path.

```text
┌─[parrot@parrot]─[/tmp]
└──╼ $searchsploit eternalblue -w
-------------------------------------------------------------------------------------- --------------------------------------------
 Exploit Title                                                                        |  URL
-------------------------------------------------------------------------------------- --------------------------------------------
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution ( | https://www.exploit-db.com/exploits/42031/
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Co | https://www.exploit-db.com/exploits/42315/
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Executi | https://www.exploit-db.com/exploits/42030/
-------------------------------------------------------------------------------------- --------------------------------------------
```