SearchSploit Vulnerability Lookup Tool: A Usage Guide


SearchSploit official documentation


Detailed options

Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
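   -c, --case     [Term]      Case-sensitive search (default is case-insensitive)
   -e, --exact    [Term]      Perform an EXACT match on the exploit title (default is AND) [Implies "-t"].
   -h, --help                 Show help
   -j, --json     [Term]      Show results in JSON format
   -m, --mirror   [EDB-ID]    Copy an exploit to the current working directory; follow the option with the target ID
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns
   -p, --path     [EDB-ID]    Show the full path to an exploit (and copy the path to the clipboard if possible); follow the option with the exploit ID
   -t, --title    [Term]      Search only the exploit title (default is the title and the file's path)
   -u, --update               Check for and install any exploitdb package updates (deb or git)
   -w, --www      [Term]      Show Exploit-DB.com URLs rather than the local path (online search)
   -x, --examine  [EDB-ID]    Examine (a copy of) the exploit using $PAGER
       --colour               Do not highlight keywords in search results
       --id                   Display the EDB-ID
       --nmap     [file.xml]  Check all results in Nmap's XML output using the service versions (e.g. nmap -sV -oX file.xml)
                                Use "-v" (verbose) to try even more combinations
       --exclude="term"       Remove values from the results. Separate multiple values with "|"
                              e.g. --exclude="term1|term2|term3".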


=======
 Notes
=======
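 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-e' if you want to filter results by an exact match.
 * Use '-t' to exclude the file's path when filtering the search results.
   * This removes false positives (especially when searching with numbers, i.e. versions).
 * When updating or displaying help, search terms are ignored.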

Usage examples

Basic search

A basic search matches against both the title and the path.

┌─[✗]─[[email protected]]─[~]
└──╼ $searchsploit smb windows remote
--------------------------------------------- ----------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
Microsoft DNS RPC Service - 'extractQuotedCh | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Code Exec | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate | windows/remote/14674.txt
Microsoft Windows - 'srv2.sys' SMB Negotiate | windows/remote/16363.rb
Microsoft Windows - SMB Authentication Remot | windows/remote/20.txt
Microsoft Windows - SMB Relay Code Execution | windows/remote/16360.rb
Microsoft Windows - SmbRelay3 NTLM Replay Ex | windows/remote/7125.txt
Microsoft Windows - Unauthenticated SMB Remo | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' | windows/remote/41929.py
Microsoft Windows 95/WfW - smbclient Directo | windows/remote/20371.txt
Microsoft Windows NT 4.0 SP5 / Terminal Serv | windows/remote/19197.txt
Microsoft Windows Server 2008 R2 (x64) - 'Sr | windows/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate | windows/dos/9594.txt
Microsoft Windows Windows 7/2008 R2 (x64) -  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64 | win_x86-64/remote/42030.py
VideoLAN VLC Media Player 0.8.6f - 'smb://'  | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://'  | windows/remote/9318.py
VideoLAN VLC Media Player 1.0.2 - 'smb://' U | windows/remote/9816.py
VideoLAN VLC Media Player 1.0.3 - 'smb://' U | windows/dos/10333.py
VideoLAN VLC Media Player < 1.1.4 - '.xspf'  | windows/dos/14892.py
--------------------------------------------- ----------------------------------

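Note: SearchSploit combines search terms with AND, not OR. The more terms you use, the more results are filtered out.
Tip: If you do not get the results you expect, search more broadly with more general terms.
e.g. Kernel 2.6.25 -> Kernel 2.6 / Kernel 2.x
Tip: Do not use abbreviations.
e.g. SQLi -> SQL Injection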

Title search

A title search matches only the title; keywords in the path are not matched.

┌─[[email protected]]─[~]
└──╼ $searchsploit -t smb windows remote
------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                  |  Path
                                                                                                | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft Windows - SMB Authentication Remote Exploit                                           | windows/remote/20.txt
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)   | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                          | windows/remote/41929.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)   | windows/remote/41987.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07 | windows/dos/9594.txt
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------ ----------------------------------

Removing unwanted results

Use the --exclude= option to remove unwanted results.

┌─[[email protected]]─[~]
└──╼ $searchsploit  smb windows remote --exclude="(POC)|txt"
------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                  |  Path
                                                                                                | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit)        | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)                           | windows/remote/40280.py
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (M | windows/remote/16363.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                            | windows/remote/16360.rb
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)   | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                          | windows/remote/41929.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)   | windows/remote/41987.py
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow                 | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow (Universal)     | windows/remote/9318.py
------------------------------------------------------------------------------------------------ ----------------------------------

Piping the output (another way to remove unwanted results)

┌─[[email protected]]─[~]
└──╼ $searchsploit  smb windows remote | grep rb
Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit)        | windows/remote/16366.rb
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (M | windows/remote/16363.rb
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                            | windows/remote/16360.rb
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)   | windows/dos/41891.rb

Pro Tip: filtering with grep is recommended over using "dos".
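
An added example, not part of the original post: a plain `grep rb` matches "rb" anywhere in a row, including the title, so this sketch filters on the Path column only. The helper names (`keep_path`, `drop_path`) are hypothetical, and the sample rows are copied from the output above plus one constructed row (EDB-ID 00000) whose title contains "rb".

```shell
#!/bin/sh
# Added example: column-aware filtering of searchsploit table rows.
# sample_rows prints four rows taken from the output on this page and one
# constructed row (00000.txt) whose title contains the substring "rb".
sample_rows() {
cat <<'EOF'
Microsoft Windows - SMB Relay Code Execution (MS08-068) (Metasploit)                            | windows/remote/16360.rb
Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)   | windows/dos/41891.rb
Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution                          | windows/remote/41929.py
Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07 | windows/dos/9594.txt
Constructed Kerberos Client 1.0 - Sample Entry (constructed row)                                | windows/remote/00000.txt
EOF
}

# keep_path REGEX: keep rows whose Path column (text after the last " | ")
# matches REGEX. Rows without a " | " separator (rulers, headers) are dropped.
keep_path() {
    awk -F' [|] ' -v re="$1" 'NF >= 2 && $NF ~ re'
}

# drop_path REGEX: drop rows whose Path column matches REGEX.
drop_path() {
    awk -F' [|] ' -v re="$1" 'NF >= 2 && $NF !~ re'
}

# The pipeline from the text: counts every row containing "rb",
# which also catches the constructed "Kerberos" title.
naive_count() { sample_rows | grep -c rb; }

# Column-aware: only rows whose file extension is .rb.
ruby_count() { sample_rows | keep_path '[.]rb$' | wc -l | tr -d ' '; }

# .rb files that are not stored under a dos/ directory; prints paths only.
ruby_non_dos() {
    sample_rows | keep_path '[.]rb$' | drop_path '/dos/' |
        awk -F' [|] ' '{ print $NF }'
}
```

With live output, the same helpers go after the pipe, for example `searchsploit smb windows remote | keep_path '[.]rb$'`.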

Copy to clipboard

The -p option shows more information about an exploit and copies its full path to the clipboard (if possible).

┌─[[email protected]]─[~]
└──╼ $searchsploit eternalblue
------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                  |  Path
                                                                                                | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------ ----------------------------------
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)  | win_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Executi | windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-0 | win_x86-64/remote/42030.py
------------------------------------------------------------------------------------------------ ----------------------------------
┌─[[email protected]]─[~]
└──╼ $searchsploit -p 42315.py
Exploit: Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
    URL: https://www.exploit-db.com/exploits/42315/
   Path: /usr/share/exploitdb/platforms/windows/remote/42315.py

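Copy to a folder

Modifying exploits inside the local exploit database is not recommended; use the -m option to copy the ones you need into the current working directory.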

┌─[[email protected]]─[/tmp]
└──╼ $searchsploit -m 42315.py
Exploit: Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
    URL: https://www.exploit-db.com/exploits/42315/
   Path: /usr/share/exploitdb/platforms/windows/remote/42315.py

Copied to '/tmp/'


┌─[[email protected]]─[/tmp]
└──╼ $ls
42315.py                   sogou-qimpanelparrot

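Online search

Some exploit metadata is not stored locally; to access it you need to search online. The -w option shows the Exploit-DB.com URL for each result instead of the local path.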

┌─[[email protected]]─[/tmp]
└──╼ $searchsploit eternalblue -w
-------------------------------------------------------------------------------------- --------------------------------------------
 Exploit Title                                                                        |  URL
-------------------------------------------------------------------------------------- --------------------------------------------
Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution ( | https://www.exploit-db.com/exploits/42031/
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Co | https://www.exploit-db.com/exploits/42315/
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Executi | https://www.exploit-db.com/exploits/42030/
-------------------------------------------------------------------------------------- --------------------------------------------

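*When reposting, please credit AresX's Blog.

This blog is published under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). Please cite the source when reposting.
Permalink: https://ares-x.com/2017/08/30/SearchSploit漏洞查找工具使用指南/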