During privilege escalation, the information gathered about the host is used to look up vulnerabilities in the operating system and installed software, obtain a PoC for them, compile it and run it to escalate. searchsploit offers both local (offline) and online lookup of the Exploit Database and is one of the main privilege-escalation aids in a penetration test. Two checks are worth doing before anything is compiled on a target: read the exploit header and match its stated affected versions against the host, and remember that many entries are proof-of-concept or denial-of-service code (the dos/ directory, "(PoC)" in the title) that will crash the target rather than escalate.
Exploit Database is a project sponsored by Offensive Security. It stores a large collection of exploits to help security researchers and penetration testers carry out their work, is one of the largest public exploit collections, and is updated daily. Exploit-DB ships searchsploit with the repository: the tool searches the CSV index of the local copy (files_exploits.csv and files_shellcodes.csv) to locate exploit files in the offline database.
Installation
Link searchsploit into your PATH (this assumes the repository was cloned to /opt/exploit-database):
ln -sf /opt/exploit-database/searchsploit /usr/local/bin/searchsploit
Update
searchsploit -u
Usage
searchsploit [options] term1 [term2] ... [termN]
Options:
$ ./searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | json_pp
For more examples, see the manual: https://www.exploit-db.com/searchsploit
=========
Options
=========
## Search Terms
  -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe)
  -e, --exact    [Term]      Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
                                 e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
  -s, --strict               Perform a strict search, so input values must exist, disabling fuzzy search for version range
                                 e.g. "1.1" would not be detected in "1.0 < 1.3")
  -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path)
      --exclude="term"       Remove values from results. By using "|" to separate, you can chain multiple values
                                 e.g. --exclude="term1|term2|term3"

## Output
  -j, --json     [Term]      Show result in JSON format
  -o, --overflow [Term]      Exploit titles are allowed to overflow their columns
  -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible)
  -v, --verbose              Display more information in output
  -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path
      --id                   Display the EDB-ID value rather than local path
      --colour               Disable colour highlighting in search results

## Non-Searching
  -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory
  -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER

## Non-Searching
  -h, --help                 Show this help screen
  -u, --update               Check for and install any exploitdb package updates (brew, deb & git)

## Automation
      --nmap     [file.xml]  Checks all results in Nmap's XML output with service version
                                 e.g.: nmap [host] -sV -oX file.xml
=======
Notes
=======
* You can use any number of search terms
* By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
* Use '-c' if you wish to reduce results by case-sensitive searching
* And/Or '-e' if you wish to filter results by using an exact match
* And/Or '-s' if you wish to look for an exact version match
* Use '-t' to exclude the file's path to filter the search results
* Remove false positives (especially when searching using numbers - i.e. versions)
* When using '--nmap', adding '-v' (verbose), it will search for even more combinations
* When updating or displaying help, search terms will be ignored
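The --nmap option works from the service fingerprints in an Nmap -sV XML file. The script below is an added example, not searchsploit's own implementation: it pulls the product and version attributes out of each open port's <service> element and prints one query per fingerprinted service, which is the information --nmap turns into searches. The XML is constructed for the example (documentation address 192.0.2.10, invented scan results), and the queries are printed rather than executed because the database is not assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of searchsploit. Extracts the service fingerprints
# that "searchsploit --nmap scan.xml" works from. The XML below is constructed
# for this example; a real "nmap -sV -oX" file has more attributes and <cpe>
# children, but one <port> element per line with the same attribute names.

NMAP_XML=$(cat <<'EOF'
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.18" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
EOF
)

# nmap_service_terms XML
#   Prints "port<TAB>product version" for every open port that Nmap actually
#   fingerprinted. A port with only a table-guessed service name (no product)
#   is skipped: there is nothing version-specific to search for.
#   Only the leading release token of the version is kept, because a packager
#   suffix such as "Ubuntu 4ubuntu2.8" never appears in an Exploit-DB title.
nmap_service_terms() {
    printf '%s\n' "$1" | awk '
        /<port / {
            port = ""; open = 0; product = ""; version = ""
            if (match($0, /portid="[0-9]+"/))   port    = substr($0, RSTART + 8, RLENGTH - 9)
            if ($0 ~ /<state state="open"/)     open    = 1
            if (match($0, /product="[^"]*"/))   product = substr($0, RSTART + 9, RLENGTH - 10)
            if (match($0, /version="[^"]*"/))   version = substr($0, RSTART + 9, RLENGTH - 10)
            sub(/ .*/, "", version)
            if (open && product != "") print port "\t" product " " version
        }'
}

# nmap_open_service_count XML : number of services a search would be run for
nmap_open_service_count() {
    nmap_service_terms "$1" | wc -l | tr -d ' '
}

# nmap_queries XML : the per-service searches, printed rather than executed
nmap_queries() {
    nmap_service_terms "$1" | while IFS="$(printf '\t')" read -r port term; do
        printf 'port %s: searchsploit %s\n' "$port" "$term"
    done
}

echo "fingerprinted open services: $(nmap_open_service_count "$NMAP_XML")"
nmap_queries "$NMAP_XML"
```

With the real tool the equivalent is simply searchsploit --nmap scan.xml; adding -v makes it try more term combinations per service, which matters for strings like "OpenSSH 7.2p2" where the exact version rarely appears in a title.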
$ ./searchsploit afd windows local
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        | Path
---------------------------------------------------------------------- ---------------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11- | windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046) | windows/dos/18755.c
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-08 | windows/local/21844.rb
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Esca | windows_x86-64/local/39525.py
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Esca | windows_x86/local/39446.py
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service | windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-p | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS1 | windows/local/18176.py
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ ./searchsploit -t oracle windows
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        | Path
---------------------------------------------------------------------- ---------------------------------
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escal | windows_x86/local/3451.c
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit) | windows_x86/remote/16731.rb
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit) | windows_x86/remote/16714.rb
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit) | windows_x86/remote/16809.rb
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | windows/remote/35777.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit) | windows/remote/23179.rb
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit) | windows/remote/16957.rb
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User- | multiple/dos/41932.cpp
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injec | windows_x86-64/local/41908.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ ./searchsploit -p 39446
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39446
Path: /root/exploitdb-master/exploits/windows_x86/local/39446.py
File Type: Python script, ASCII text executable
$ ./searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        | Path
---------------------------------------------------------------------- ---------------------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escala | solaris/local/15962.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Conditio | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condit | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition | linux/local/40611.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' | linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege | linux/local/35161.c
Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege E | linux/local/38390.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condi | linux_x86-64/local/33516.c
Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - ' | linux_x86-64/local/33589.c
Linux Kernel 3.2.x - 'uname()' System Call Local Information Disclosu | linux/local/37937.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32= | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary | linux/local/31346.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Esc | linux_x86-64/local/44302.c
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Pr | linux_x86-64/local/34134.c
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escala | arm/local/31574.c
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypas | linux_x86-64/local/44299.c
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege E | linux_x86-64/local/26131.c
Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local | linux/local/25450.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privileg | linux/local/45553.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Es | linux/local/45010.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak | linux/local/44325.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalatio | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Pri | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 | linux/local/47169.c
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
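The listing above shows how a search for "3.2" is matched against version ranges in titles such as "2.6.39 < 3.2.2" and "< 3.16.1" (the fuzzy range matching that -s turns off). That range is also the first thing to verify before mirroring and compiling any of these: the following script is an added example, not searchsploit's own code, that extracts the range from a title and checks whether a given kernel release falls inside it. Titles are copied from the listing as displayed (some are cut off at the column width); the kernel release strings are constructed test inputs, and the script assumes GNU sort -V for version ordering.

```shell
#!/bin/sh
# Added example, not part of searchsploit: check a kernel release against the
# version range stated in an Exploit-DB title before building the exploit.
# Handles the two notations used in the listing: "A < B" (A <= v < B) and
# "< B" (v < B). Assumes GNU coreutils sort -V for natural version ordering.

# version_le A B : true when A <= B in natural version order
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# kernel_in_range KERNEL_RELEASE TITLE
#   returns 0 when the kernel is inside the title's range, 1 when outside,
#   2 when the title carries no "<" range at all (decide by reading the source).
kernel_in_range() {
    kver=${1%%-*}                 # "4.4.0-116-generic" -> "4.4.0"
    title=$2
    range=$(printf '%s\n' "$title" \
        | grep -oE '([0-9]+(\.[0-9]+)*)? ?< ?[0-9]+(\.[0-9]+)*' | head -n 1)
    [ -n "$range" ] || return 2
    lower=$(printf '%s\n' "$range" | sed -E 's/ *<.*//')    # "" when absent
    upper=$(printf '%s\n' "$range" | sed -E 's/.*< *//')
    if [ -n "$lower" ] && ! version_le "$lower" "$kver"; then
        return 1                  # below the inclusive lower bound
    fi
    # inside only when strictly below the upper bound
    [ "$kver" != "$upper" ] && version_le "$kver" "$upper"
}

# triage_titles KERNEL_RELEASE TITLE... : label each title for that kernel
triage_titles() {
    kernel=$1
    shift
    for title in "$@"; do
        if kernel_in_range "$kernel" "$title"; then
            printf 'candidate  %s\n' "$title"
        elif [ $? -eq 2 ]; then
            printf 'unknown    %s\n' "$title"
        else
            printf 'skip       %s\n' "$title"
        fi
    done
}

# Run against the local kernel (or KERNEL=... for a target's uname -r output).
triage_titles "${KERNEL:-$(uname -r)}" \
    "Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege" \
    "Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation" \
    "Linux Kernel 3.2.x - 'uname()' System Call Local Information Disclosu"
```

The distro suffix is stripped before comparison because titles quote upstream version numbers; a distro kernel such as 4.4.0-116 may already carry the backported fix, so "candidate" means worth reading the exploit header and the distro changelog, not "will work".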
$ ./searchsploit mssql
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        | Path
---------------------------------------------------------------------- ---------------------------------
ADODB 4.6/4.7 - 'Tmssql.php' Cross-Site Scripting | php/webapps/28104.txt
ADODB < 4.70 - 'tmssql.php' Denial of Service | php/dos/1651.php
AutoDealer 1.0/2.0 - MSSQL Injection | php/webapps/12462.txt
MSSQL 7.0 - Remote Denial of Service | windows/dos/562.c
PHP 4.4.6 - 'mssql_[p]connect()' Local Buffer Overflow | windows/local/3417.php
XAMPP for Windows 1.6.0a - 'mssql_connect()' Remote Buffer Overflow | windows/remote/3738.php
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ ./searchsploit /xp
[i] Found (#2): ./files_exploits.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): ./files_shellcodes.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        | Path
---------------------------------------------------------------------- ---------------------------------
Apple QuickTime 7.2/7.3 (Windows Vista/XP) - RSTP Response Code Execu | windows/remote/4651.cpp
Microsoft Office 2000/2003/2004/XP - File Memory Corruption | windows/dos/31361.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow | windows/remote/20.txt
Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (1) | windows/remote/21188.c
Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (2) | windows/remote/21189.c
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode | windows/local/11199.txt
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - 'EPATHOBJ' Local R | windows/local/25912.c
Mozilla Firefox 1.5.0.2 - 'js320.dll/xpcom_core.dll' Denial of Servic | multiple/dos/1716.html
Novell Client for Windows 2000/XP - ActiveX Remote Denial of Service | windows/dos/9516.txt
PSOProxy 0.91 (Windows 2000/XP) - Remote Buffer Overflow | windows/remote/156.c
---------------------------------------------------------------------- ---------------------------------
---------------------------------------------------------------------- ---------------------------------
 Shellcode Title                                                      | Path
---------------------------------------------------------------------- ---------------------------------
Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal. | windows/24318.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes) | windows_x86/13525.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) | windows_x86/13526.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes) | windows_x86/13527.c
Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.1 | windows_x86/13524.txt
Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) | windows_x86/13523.c
Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes) | windows_x86/13518.c
Windows/x86 (NT/XP/2000/2003) - Bind (8721/TCP) Shell Shellcode (356 | windows_x86/43759.asm
---------------------------------------------------------------------- ---------------------------------
$ ./searchsploit apple
[i] Found (#2): ./files_exploits.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): ./files_shellcodes.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        | Path
---------------------------------------------------------------------- ---------------------------------
Apple 2.0.4 - Safari Local Cross-Site Scripting | osx/local/29950.js
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) | hardware/dos/2700.rb
Apple At Ease 5.0 - Information Disclosure | osx/local/19427.txt
Apple Bonjour for Windows 1.0.4 - mDNSResponder Null Pointer Derefere | windows/dos/32350.txt
Apple CFNetwork - HTTP Response Denial of Service | osx/dos/3200.rb
Apple Directory Services - Memory Corruption | osx/dos/15491.txt
..................
1. Search terms are combined with AND, not OR: every term must match, so each additional term narrows the result set.
2. When searching by product name, use the full name where possible.
3. Use the -t option. By default searchsploit matches each term against the exploit title and its path, so terms that also occur in platform directory names (windows, linux) or that look like version numbers produce false positives; -t restricts the match to the title. For example, searchsploit -t oracle windows
returns 7 result lines, whereas searchsploit oracle windows | wc -l
returns 90 (the exact counts depend on the database snapshot).
4. -w prints the exploit-db.com URL of each hit instead of the local path; the search itself still runs against the local copy: searchsploit WarFTP 1.65 -w
5. Searching Microsoft bulletins: to list everything tagged with a 2014 Microsoft bulletin ID, search for ms14 (likewise ms15, ms16, ms17): searchsploit MS14
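To make the effect of these rules countable, the script below is an added example that re-implements searchsploit's matching (AND across terms, case-insensitive, title-and-path by default, title-only with -t, regex --exclude) over a small constructed record set; it is not searchsploit's own code. Records are "title|path" pairs: five are copied from the listings above, and the two marked "placeholder" are invented to provide a hit that matches only on the path and an entry that the "(PoC)|/dos/" exclusion removes.

```shell
#!/bin/sh
# Added example, not part of searchsploit: a minimal model of its search rules
# over a constructed record set, so the result counts can be compared the way
# "searchsploit -t oracle windows" and "searchsploit oracle windows | wc -l"
# are compared in the text. Real records live in files_exploits.csv.

RECORDS=$(cat <<'EOF'
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit)|windows/remote/35777.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit)|windows/remote/23179.rb
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit)|windows_x86/remote/16731.rb
Oracle ACME Widget 1.0 - Local Privilege Escalation (placeholder)|windows/local/placeholder.txt
Oracle ACME Widget 1.0 - Remote Denial of Service (PoC) (placeholder)|linux/dos/placeholder.c
MSSQL 7.0 - Remote Denial of Service|windows/dos/562.c
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service|windows/dos/17133.c
EOF
)

# ss_match [-t] "term1 term2 ..." [exclude-regex]
#   Prints every record in which ALL terms occur (case-insensitive, literal).
#   Without -t a term may match in the title or in the path; with -t only the
#   title is searched. The optional regex drops records; alternatives are
#   chained with "|" and it is applied to title and path, like --exclude.
ss_match() {
    title_only=0
    if [ "$1" = "-t" ]; then
        title_only=1
        shift
    fi
    terms=$1
    exclude=${2:-}
    printf '%s\n' "$RECORDS" | while IFS= read -r rec; do
        title=${rec%%|*}
        path=${rec#*|}
        if [ "$title_only" = 1 ]; then hay=$title; else hay="$title $path"; fi
        ok=1
        for t in $terms; do
            printf '%s\n' "$hay" | grep -qiF -- "$t" || { ok=0; break; }
        done
        [ "$ok" = 1 ] || continue
        if [ -n "$exclude" ] && printf '%s\n' "$rec" | grep -qiE -- "$exclude"; then
            continue
        fi
        printf '%s\n' "$rec"
    done
}

# ss_count [-t] "terms" [exclude-regex] : number of matching records
ss_count() {
    ss_match "$@" | wc -l | tr -d ' '
}

echo "oracle windows (title and path): $(ss_count 'oracle windows') hits"
echo "oracle windows (-t, title only): $(ss_count -t 'oracle windows') hits"
echo "oracle, excluding PoC and dos:   $(ss_count 'oracle' '(PoC)|/dos/') hits"
echo "oracle mssql (AND, never OR):    $(ss_count 'oracle mssql') hits"
echo "--- hits for 'windows' that match only because of the path:"
ss_match 'windows' | while IFS= read -r rec; do
    printf '%s\n' "${rec%%|*}" | grep -qi windows || printf '  %s\n' "$rec"
done
```

The last loop is the false-positive case the -t tip is about: a Windows-only DoS and the placeholder LPE are returned for "windows" solely because their path starts with windows/, and the same happens with a version number such as "7.0" when it occurs in a path component.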