来源:【exploit-db】
Table of Contents
- What is SearchSploit?
- How to Install SearchSploit
- Keeping SearchSploit Up-to-Date
- Using SearchSploit
Last Updated: 15-June-2017 (Offline PDF version)
What is SearchSploit?
Included in our Exploit Database repository on GitHub is “searchsploit”, a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go. SearchSploit gives you the power to perform detailed off-line searches through your locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.
Many exploits contain links to binary files that are not included in the standard repository but can be found in our Exploit Database Binary Exploits repository instead. If you anticipate you will be without Internet access on an assessment, ensure you check out both repositories for the most complete set of data.
Note, The name of this utility is SearchSploit and as its name indicates, it will search for all exploits and shellcode. It will not include any results for Papers and Google Hacking Database.
我们GitHub上的漏洞数据库仓库中包含有“searchsploit”,一个Exploit-DB的命令行搜索工具,利用这个工具你可以在任何地方把漏洞利用数据库拷贝下来。searchsploit能让你通过本地检出的仓库副本进行详细的离线搜索。这种能力在没有网络接口的隔离或者气隙网络(用不联网)环境下的安全评估非常有用。 许多漏洞包含了二进制文件的链接,这些文件在标准仓库中没有,但是在我们的漏洞数据库二进制漏洞仓库中可以找到。如果你预料到你将会在没有网络接口的环境下做评估,请确保检查两个数据仓库,以获得最完整的数据。 注意,这个实用工具的名字是SearchSploit ,就像它名字暗示的(顾名思义),它将搜索所有的漏洞和利用代码。它不包含任何论文或者Google Hacking Database的结果。
How to Install SearchSploit
Linux
Kali Linux:
If you are using the standard GNOME build of Kali Linux, the “exploitdb” package is already included by default! However, if you are using the Kali Light variant or your own custom-built ISO, you can install the package manually as follows:
如果你使用的是标准GNOME生成的Kali Linux,那么已经默认包含了“exploitdb”包。但是,如果你使用的是轻量级变体版本的Kali或者是自己定制版的ISO, 你可以像下面这样手动安装包:
apt update && apt -y install exploitdb
Linux
If you are not using Kali Linux, the exploitdb package may not be available through the package manager in which case, you can continue by following the ‘git‘ section below.
如果你不使用Kali Linux,在这种情况下,exploitdb 包可能无法通过软件包管理器使用,你可以参考下面git部分:
Apple OS X/macOS
If you have homebrew (package) installed, running the following will get you setup:
brew update && brew install exploitdb
Alternatively, if you do not have brew installed, you can still continue by following the ‘git‘ section below.
如果你安装了homebrew包,执行下面的命令就可以设置完成: brew update && brew install exploitdb 或者,如果你没有安装brew包,你仍然可以参考下面git部分。
Windows
At this time, there is no easy or straightforward way to use searchsploit… Sorry, not sorry.
The best alternative we can suggest would be to use Kali Linux in a virtual machine.
在这里,没有简单或者直接的方式使用searchsploit,不好意思。 我们建议最好的选择是在虚拟机中使用Kali Linux
Git
On Unix systems, all you really need is either “CoreUtils” or “utilities” (e.g. bash, sed, grep, awk, etc.), as well as “git”. These are installed by default on many different Linux distributions, including OS X/macOS.
You can easily check out the git repository by running the following:
在Unix系统中,你需要 “CoreUtils” 或者 “utilities”(例如bash, sed, grep, awk等),以及git。这些都被许多不同的Linux发行版上默认安装,包括OS X/macOS。
你可以运行如下命令轻松的检查git仓库:
git clone https://github.com/offensive-security/exploit-database.git /opt/exploit-database
An optional step that will make using SearchSploit easier is to include it into your $PATH.
Example: In the following output, you can see that the directory “/usr/local/bin” is included in the $PATH environment variable:
有一个方法可以使你的SearchSploit 用起来更方便,就是他它加入到你的$PATH中。 例如:在下面的输出中,你可以看到路径“/usr/local/bin”被加入到了$PATH环境变量中。
user@lab:~$ echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin user@lab:~$
With this in mind, you can then create a symbolic link in the “/usr/local/bin” directory that points to searchsploit, allowing you to run it without providing the full path:
考虑到这点,你可以在“/usr/local/bin” 目录中新建一个符号链接指向searchsploit,让你可以在不提供完整路径的情况下运行它:
user@lab:~$ ln -sf /opt/exploit-database/searchsploit /usr/local/bin/searchsploit
user@lab:~$
Keeping SearchSploit Up-to-Date
If you are using Kali Linux, you can expect the exploitdb package to be updated weekly. If you are using homebrew or Git, you can expect daily updates (at 05:05 UTC).
Regardless of how you installed SearchSploit, all you need to do in order to update it is run the following:
如果你使用Kali Linux,则像你期望的那样exploitdb包会每周更新一次。如果你使用homebrew 或者 Git,你可以每天在5:05(UTC时间)更新。 不管你如何安装SearchSploit,你更新它只需要执行如下命令:
searchsploit -u
If you are using the Kali Linux package and haven’t updated since before 20 September 2016, you will first need to update the package in the traditional manner:
如果你使用的Kali Linux软件包,并且没有在2016年9月20号之前更新,你第一步应该使用传统的方式更新软件包:
apt update && apt -y dist-upgrade
Please note, we do not recommend you use the GithHub’s .zip or the legacy archive.tar.bz2 package to update.
情注意,我么不建议你使用GithHub的压缩文件或者遗留的archive.tar.bz2包更新。
Using SearchSploit
Help Screen
By using “-h“, you can see all the features and options which are available to you:
通过使用“-h“,你可以看到所有你可用的特性和选项:
root@kali:~# searchsploit -h Usage: searchsploit [options] term1 [term2] ... [termN] ========== Examples ========== searchsploit afd windows local searchsploit -t oracle windows searchsploit -p 39446 searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/" For more examples, see the manual: https://www.exploit-db.com/searchsploit/ ========= Options ========= -c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe). -e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies "-t"]. -h, --help Show this help screen. -j, --json [Term] Show result in JSON format. -m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory. -o, --overflow [Term] Exploit titles are allowed to overflow their columns. -p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible). -t, --title [Term] Search JUST the exploit title (Default is title AND the file's path). -u, --update Check for and install any exploitdb package updates (deb or git). -w, --www [Term] Show URLs to Exploit-DB.com rather than the local path. -x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER. --colour Disable colour highlighting in search results. --id Display the EDB-ID value rather than local path. --nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml). Use "-v" (verbose) to try even more combinations --exclude="term" Remove values from results. By using "|" to separated you can chain multiple values. e.g. --exclude="term1|term2|term3". ======= Notes ======= * You can use any number of search terms. * Search terms are not case-sensitive (by default), and ordering is irrelevant. * Use '-c' if you wish to reduce results by case-sensitive searching. * And/Or '-e' if you wish to filter results by using an exact match. * Use '-t' to exclude the file's path to filter the search results. * Remove false positives (especially when searching using numbers - i.e. versions). * When updating or displaying help, search terms will be ignored. root@kali:~#
Basic Search
Simply add any number of search terms you wish to look for:
简单的添加几个任何你希望查询的搜索项:
root@kali:~# searchsploit afd windows local --------------------------------------------------------------------------------------- ---------------------------------- Exploit Title | URL | (/usr/share/exploitdb/platforms) --------------------------------------------------------------------------------------- ---------------------------------- Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service | windows/dos/17133.c Microsoft Windows - 'afd.sys' Local Kernel Exploit (PoC) (MS11-046) | windows/dos/18755.c Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066) | windows/local/6757.txt Microsoft Windows XP/2003 - 'afd.sys' Privilege Escalation (MS11-080) | windows/local/18176.py Microsoft Windows - 'AfdJoinLeaf' Privilege Escalation (MS11-080) (Metasploit) | windows/local/21844.rb Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | win_x86/local/39446.py Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | win_x86-64/local/39525.py Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046) | win_x86/local/40564.c --------------------------------------------------------------------------------------- ---------------------------------- root@kali:~#
Note, SearchSploit uses an AND operator, not an OR operator. The more terms that are used, the more results will be filtered out.
Pro Tip: If you are not receiving the expected results, try searching more broadly by using more general terms.
– Example: Kernel 2.6.25 -> Kernel 2.6 // Kernel 2.x
Pro Tip: Do not use abbreviations.
– Example: SQLi -> SQL Injection
注意,SearchSploit 使用了AND操作符而非OR操作符。用的选项越多,结果就会被过滤掉越多。如果你没有收到预期的结果,尝试使用更通用的术语进行更广泛的搜索。 -例如:Kernel 2.6.25 -> Kernel 2.6 // Kernel 2.x 专业提示:不要使用缩写 – Example: SQLi -> SQL Injection
Title Searching
By default, searchsploit will check BOTH the title of the exploit as well as the path. Depending on the search criteria, this may bring up false positives (especially when searching for terms that match platforms and version numbers). Searches can be restricted to the titles by using the “-t” option:
默认情况下,searchsploit 将检查漏洞的标题和路径。根据条件,这可能会带来误报(尤其是搜索那些匹配平台和版本号的术语时)。可以使用 “-t”选项把搜索限定在标题中:
root@kali:~# searchsploit -t oracle windows ------------------------------------------------------------------------------------------------- ---------------------------------- Exploit Title | URL | (/usr/share/exploitdb/platforms) ------------------------------------------------------------------------------------------------- ---------------------------------- Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free | multiple/dos/41932.cpp Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Escalation | win_x86/local/3451.c Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation | win_x86-64/local/41908.txt Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit) | win_x86/remote/16714.rb Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit) | win_x86/remote/16731.rb Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit) | win_x86/remote/16809.rb Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit) | windows/remote/16957.rb Oracle MySQL (Windows) - MOF Execution (Metasploit) | windows/remote/23179.rb Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | windows/remote/35777.rb ------------------------------------------------------------------------------------------------- ---------------------------------- root@kali:~# root@kali:~# searchsploit oracle windows | wc -l 90 root@kali:~#
If we did not use “-t”, we would have 85 (5 lines are in the heading/footer) results, rather than 7.
如果我们不使用“-t”的话,可以得到85条结果(5行在标题/页脚)而不是7条。
Removing Unwanted Results
We can remove unwanted results by using the “–exclude=”” option. We are also to remove multiple terms by separating the value with a “|” (pipe). This can be demonstrated by the following:
我们可以通过选项--exclude=” ”来删除不想要的结果。我们还可以通过使用“|”管道来分离多个值,实现删除多个术语。如下所示:
root@kali:~# searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/" --------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path | (/usr/share/exploitdb/platforms) --------------------------------------------------------------------------------------------------------------- --------------------------------- Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Privilege Escalation (1) | linux/local/18411.c Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write Exploit (2) | linux/local/31346.c Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Privilege Escalation (3) | lin_x86-64/local/31347.c Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation | lin_x86-64/local/33589.c Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Privilege Escalation | lin_x86-64/local/34134.c Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Privilege Escalation (2) | linux/local/35161.c Linux Kernel 3.2.x - 'uname()' System Call Local Information Disclosure | linux/local/37937.c --------------------------------------------------------------------------------------------------------------- --------------------------------- root@kali:~# root@kali:~# searchsploit linux kernel 3.2 | wc -l 17 root@kali:~#
By doing this, we slim the results down to 7 rather than 12 (5 lines are for the heading/footer)!
Pro Tip: By doing: 'searchsploit linux kernel --exclude="(PoC)|/dos/" | grep ' 3.2' | sort', you'll get even "cleaner" output (sorted based on version without any heading/footers).
通过这些,我们把结果从12条压缩到了7条(5行在标题/页脚)! 专业提示:通过使用'searchsploit linux kernel --exclude="(PoC)|/dos/" | grep ' 3.2' | sort',你将得到更简洁的输出(基于版本的排序,不包含任何标题/页脚)。
Piping Output (Alternative Method of Removing Unwanted Results)
The output from searchsploit can be piped into any other program, which is especially useful when outputting the results in JSON format (using the "-j" option). With this, it is possible to remove any unwanted exploits by using grep. In the following example, we use grep to filter out any "Denial of Service (DoS)" results.
管道输出(可以替代功能-去除不想要的结果) searchsploit 的输出可以被管道输出至任何其他项目,这在把结果输出成Jason格式时非常有用(使用选项“-j”)。通过这种方式,可以使用grep去除任何不想要的漏洞。如下的例子中,我们使用grep过滤任何“拒绝服务(DoS)”的结果。
root@kali:~# searchsploit XnView | grep -v '/dos/' --------------------------------------------------------------------------------- ---------------------------------- Exploit Title | URL | (/usr/share/exploitdb/platforms) --------------------------------------------------------------------------------- ---------------------------------- XnView 1.90.3 - '.xpm' Local Buffer Overflow | windows/local/3777.c XnView 1.92.1 - (FontName) Slideshow Buffer Overflow | windows/local/5346.pl XnView 1.93.6 - '.taac' Local Buffer Overflow (PoC) | windows/local/5951.c XnView 1.92.1 - Command-Line Arguments Buffer Overflow | windows/remote/31405.c XnView 1.97.4 - '.MBM' File Remote Heap Buffer Overflow | windows/remote/34143.txt --------------------------------------------------------------------------------- ---------------------------------- root@kali:~# root@kali:~# searchsploit XnView | wc -l 22 root@kali:~#
By piping the search results into grep, we managed to filter the results down to 5 rather than 17 (5 lines are in the heading/footer)!
Pro Tip: We recommend using "/dos/" with grep rather than "dos" so the filter is applied to the path, rather than the title. Although denial of service entries may not include "dos" in their title, they will nevertheless have "dos" in the path. Removing results based on the path will also ensure you don't inadvertently filter out results that legitimately contain "dos" in their title (i.e.: EDB-ID #24623).
把搜索结果管道输出至grep中,我们设法把结果过滤到5条,而不是17条(有5行在标题/页脚): 专业提示:我们建议grep和"/dos/"使用,而不是"dos",这样过滤器会作用在路径上,而不是标题上。尽管拒绝服务攻击的标题中可能不包含"dos",但它的路径中包含"dos"。基于路径删除结果也能确保你不会无意中过滤掉标题中合法包含"dos"的结果(即:EDB-ID #24623)。 i.e. 是拉丁文 id est 的缩写,意思就是“那就是说,换句话说”,等同于“that is,in otherwords” ,目的是用来进一步解释前面所说的观点。 e.g. 是拉丁文 exempli gratia 的缩写,它的意思是“举个例子,比如”,等同与“for example”,目的就是用几个例子来说明前面的观点。
Colour Output
By default, searchsploit highlights the search terms in the results when they are displayed to the user. This works by inserting invisible characters into the output before and after the colour changes.
Now, if you were to pipe the output (for example, into grep) and try to match a phrase of both highlighted and non-highlighted text in the output, it would not be successful. This can be solved by using the "--colour" option (--color works as well).
默认情况下,searchsploit会在展现给用户的结果中高亮显示搜索选项。这是通过把不可见的字符插入到颜色改变前后的输出中实现的。 现在,如果你使用管道输出(例如输出到grep),并且试图在输出中匹配高亮和非高亮的文本字段,那么不会成功。这可以通过 "--colour"参数解决("--color"也可以)。
Copy To Clipboard
So now that we have found the exploit we are looking for, there are various ways to access it quickly.
By using "-p", we are able to get some more information about the exploit, as well as copy the complete path to the exploit onto the clipboard:
我们现在找到了我们要找的漏洞,这里有很多方法快速访问它。 通过使用“-p”参数,我们可以漏洞的很多信息,也可以复制完整的漏洞路径到剪切板:
root@kali:~# searchsploit 39446 --------------------------------------------------------------------------------------- ---------------------------------- Exploit Title | URL | (/usr/share/exploitdb/platforms) --------------------------------------------------------------------------------------- ---------------------------------- Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | win_x86/local/39446.py --------------------------------------------------------------------------------------- ---------------------------------- root@kali:~# root@kali:~# searchsploit -p 39446 Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) URL: https://www.exploit-db.com/exploits/39446/ Path: /Users/b/Projects/git/exploit-database/platforms/win_x86/local/39446.py Copied EDB-ID 39446's path to the clipboard. root@kali:~# root@kali:~# /usr/share/exploitdb/platforms/win_x86/local/39446.py
Copy To Folder
We recommend that you do not alter the exploits in your local copy of the database. Instead, make a copy of ones that are of interest and use them from a working directory. By using the "-m" option, we are able to select as many exploits we like to be copied into the same folder which we are currently in:
我们不建议你改变数据库的本地副本。相反的,复制那些你感兴趣的,在工作目录中使用它们。通过“-m”参数,可以选择很多我们感兴趣的漏洞,复制到当前的一个文件夹:
root@kali:~# searchsploit MS14-040 --------------------------------------------------------------------------------------- ---------------------------------- Exploit Title | URL | (/usr/share/exploitdb/platforms) --------------------------------------------------------------------------------------- ---------------------------------- Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | win_x86/local/39446.py Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | win_x86-64/local/39525.py --------------------------------------------------------------------------------------- ---------------------------------- root@kali:~# root@kali:~# searchsploit -m 39446 win_x86-64/local/39525.py Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) URL: https://www.exploit-db.com/exploits/39446/ Path: /usr/share/exploitdb/platforms/win_x86/local/39446.py Copied to '/root/' Exploit: Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) URL: https://www.exploit-db.com/exploits/39525/ Path: /usr/share/exploitdb/platforms/win_x86-64/local/39525.py Copied to '/root/' root@kali:~#
You do not have to give the exact EDB-ID value (such as "39446"), SearchSploit is able to automatically extract it from a path given to it (such as "39525").
你不必给出确切的EDB-ID值(比如"39446"),SearchSploit 可以从给定的路径中自动获取到它(比如"39525")。
Exploit-DB Online
The Exploit Database repository is the main core of Exploit-DB, making SearchSploit efficient and easy to use. However, some of the exploit metadata (such as screenshots, setup files, tags, and vulnerability mappings) are not included. To access them, you will need to check the website.
You can quickly generate the links to exploits of interest by using the "-w" option:
漏洞数据仓库是Exploit-DB的核心部分,它使得SearchSploit高效便捷。但是它并不包含一些漏洞元数据(比如截屏,安装文件,标签和漏洞映射)。如果想要访问它们,你需要查看网站。 你可以使用"-w"选项对你感兴趣的漏洞快速生成链接:
root@kali:~# searchsploit WarFTP 1.65 -w --------------------------------------------------------------------------------- -------------------------------------------- Exploit Title | URL --------------------------------------------------------------------------------- -------------------------------------------- WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Python) | https://www.exploit-db.com/exploits/3474/ WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Perl) | https://www.exploit-db.com/exploits/3482/ WarFTP 1.65 - 'USER' Remote Buffer Overflow | https://www.exploit-db.com/exploits/3570/ --------------------------------------------------------------------------------- -------------------------------------------- root@kali:~#
If you have a commercial requirement for more data than is publicly available, an extended version of SearchSploit is available exclusively to EDB partners.
如果你有商业需求,需要的数据远超过可利用的公开数据,有个SearchSploit 的扩展版本是专门提供给教育部(或者防病毒技术?)合作伙伴的。