在提权过程中需要通过掌握的信息来对系统、软件等存在的漏洞进行搜索,获取其利用的poc,通过编译后,实施提权。searchsploit提供漏洞本地和在线查询,是渗透测试中提权的重要武器。
Exploit Database 这是 Offensive Security 赞助的一个项目。存储了大量的漏洞利用程序,可以帮助安全研究者和渗透测试工程师更好的进行安全测试工作,目前是世界上公开收集漏洞最全的数据库,该仓库每天都会更新,exploit-db提供searchsploit利用files.csv进行搜索离线漏洞库文件的位置。
安装
使用命令关联searchsploit:
ln -sf /opt/exploit-database/searchsploit /usr/local/bin/searchsploit
更新
searchsploit –u
用法
searchsploit [选线] term1 [term2] ... [termN]
选项:
$ ./searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | json_pp
For more examples, see the manual: https://www.exploit-db.com/searchsploit
=========
Options
=========
## Search Terms
-c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe)
-e, --exact [Term] Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
-s, --strict Perform a strict search, so input values must exist, disabling fuzzy search for version range
e.g. "1.1" would not be detected in "1.0 < 1.3")
-t, --title [Term] Search JUST the exploit title (Default is title AND the file's path)
--exclude="term" Remove values from results. By using "|" to separate, you can chain multiple values
e.g. --exclude="term1|term2|term3"
## Output
-j, --json [Term] Show result in JSON format
-o, --overflow [Term] Exploit titles are allowed to overflow their columns
-p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)
-v, --verbose Display more information in output
-w, --www [Term] Show URLs to Exploit-DB.com rather than the local path
--id Display the EDB-ID value rather than local path
--colour Disable colour highlighting in search results
## Non-Searching
-m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory
-x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER
## Non-Searching
-h, --help Show this help screen
-u, --update Check for and install any exploitdb package updates (brew, deb & git)
## Automation
--nmap [file.xml] Checks all results in Nmap's XML output with service version
e.g.: nmap [host] -sV -oX file.xml
=======
Notes
=======
* You can use any number of search terms
* By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
* Use '-c' if you wish to reduce results by case-sensitive searching
* And/Or '-e' if you wish to filter results by using an exact match
* And/Or '-s' if you wish to look for an exact version match
* Use '-t' to exclude the file's path to filter the search results
* Remove false positives (especially when searching using numbers - i.e. versions)
* When using '--nmap', adding '-v' (verbose), it will search for even more combinations
* When updating or displaying help, search terms will be ignored
$ ./searchsploit afd windows local
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- --------------------------------- Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11- | windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046) | windows/dos/18755.c
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-08 | windows/local/21844.rb
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Esca | windows_x86-64/local/39525.py
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Esca | windows_x86/local/39446.py
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service | windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-p | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS1 | windows/local/18176.py
---------------------------------------------------------------------- ---------------------------------Shellcodes: No Results
$ ./searchsploit -t oracle windows
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- --------------------------------- Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escal | windows_x86/local/3451.c
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit) | windows_x86/remote/16731.rb
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit) | windows_x86/remote/16714.rb
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit) | windows_x86/remote/16809.rb
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | windows/remote/35777.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit) | windows/remote/23179.rb
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit) | windows/remote/16957.rb
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User- | multiple/dos/41932.cpp
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injec | windows_x86-64/local/41908.txt
---------------------------------------------------------------------- ---------------------------------Shellcodes: No Results
$ ./searchsploit -p 39446
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39446
Path: /root/exploitdb-master/exploits/windows_x86/local/39446.py
File Type: Python script, ASCII text executable
$ ./searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- --------------------------------- Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escala | solaris/local/15962.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Conditio | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condit | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition | linux/local/40611.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' | linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege | linux/local/35161.c
Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege E | linux/local/38390.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condi | linux_x86-64/local/33516.c
Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - ' | linux_x86-64/local/33589.c
Linux Kernel 3.2.x - 'uname()' System Call Local Information Disclosu | linux/local/37937.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32= | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary | linux/local/31346.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Esc | linux_x86-64/local/44302.c
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Pr | linux_x86-64/local/34134.c
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escala | arm/local/31574.c
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypas | linux_x86-64/local/44299.c
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege E | linux_x86-64/local/26131.c
Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local | linux/local/25450.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privileg | linux/local/45553.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Es | linux/local/45010.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak | linux/local/44325.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalatio | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Pri | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 | linux/local/47169.c
---------------------------------------------------------------------- ---------------------------------Shellcodes: No Results
$ ./searchsploit mssql
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- --------------------------------- Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------ADODB 4.6/4.7 - 'Tmssql.php' Cross-Site Scripting | php/webapps/28104.txt
ADODB < 4.70 - 'tmssql.php' Denial of Service | php/dos/1651.php
AutoDealer 1.0/2.0 - MSSQL Injection | php/webapps/12462.txt
MSSQL 7.0 - Remote Denial of Service | windows/dos/562.c
PHP 4.4.6 - 'mssql_[p]connect()' Local Buffer Overflow | windows/local/3417.php
XAMPP for Windows 1.6.0a - 'mssql_connect()' Remote Buffer Overflow | windows/remote/3738.php
---------------------------------------------------------------------- ---------------------------------Shellcodes: No Results
$ ./searchsploit /xp
[i] Found (#2): ./files_exploits.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): ./files_shellcodes.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- --------------------------------- Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------Apple QuickTime 7.2/7.3 (Windows Vista/XP) - RSTP Response Code Execu | windows/remote/4651.cpp
Microsoft Office 2000/2003/2004/XP - File Memory Corruption | windows/dos/31361.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow | windows/remote/20.txt
Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (1) | windows/remote/21188.c
Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (2) | windows/remote/21189.c
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode | windows/local/11199.txt
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - 'EPATHOBJ' Local R | windows/local/25912.c
Mozilla Firefox 1.5.0.2 - 'js320.dll/xpcom_core.dll' Denial of Servic | multiple/dos/1716.html
Novell Client for Windows 2000/XP - ActiveX Remote Denial of Service | windows/dos/9516.txt
PSOProxy 0.91 (Windows 2000/XP) - Remote Buffer Overflow | windows/remote/156.c
---------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------- --------------------------------- Shellcode Title | Path
---------------------------------------------------------------------- ---------------------------------Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal. | windows/24318.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes) | windows_x86/13525.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) | windows_x86/13526.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes) | windows_x86/13527.c
Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.1 | windows_x86/13524.txt
Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) | windows_x86/13523.c
Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes) | windows_x86/13518.c
Windows/x86 (NT/XP/2000/2003) - Bind (8721/TCP) Shell Shellcode (356 | windows_x86/43759.asm
---------------------------------------------------------------------- ---------------------------------
$ ./searchsploit apple
[i] Found (#2): ./files_exploits.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): ./files_shellcodes.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- --------------------------------- Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Apple 2.0.4 - Safari Local Cross-Site Scripting | osx/local/29950.js
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) | hardware/dos/2700.rb
Apple At Ease 5.0 - Information Disclosure | osx/local/19427.txt
Apple Bonjour for Windows 1.0.4 - mDNSResponder Null Pointer Derefere | windows/dos/32350.txt
Apple CFNetwork - HTTP Response Denial of Service | osx/dos/3200.rb
Apple Directory Services - Memory Corruption | osx/dos/15491.txt
..................
1.查询关键字采取AND运算,SearchSploit使用AND运算符,而不是OR运算符。使用的术语越多,滤除的结果越多。
2.使用名称搜索时尽量使用全称
3.使用“-t”选项,默认情况下,searchsploit将检查该漏洞利用的标题以及该路径。根据搜索条件,这可能会导致误报(特别是在搜索与平台和版本号匹配的术语时),使用“-t”选项去掉多余数据。例如searchsploit -t oracle windows
显示7行数据而searchsploit oracle windows |wc –l
显示90行数据。
4.在线搜索exploit-db.com中的关键字漏洞:searchsploit WarFTP 1.65 -w
5.搜索微软漏洞,搜索微软2014年的所有漏洞,关键字可以ms14,ms15,ms16,ms17,searchsploit MS14
文章浏览阅读3.8k次,点赞9次,收藏28次。直接上一个工作中碰到的问题,另外一个系统开启多线程调用我这边的接口,然后我这边会开启多线程批量查询第三方接口并且返回给调用方。使用的是两三年前别人遗留下来的方法,放到线上后发现确实是可以正常取到结果,但是一旦调用,CPU占用就直接100%(部署环境是win server服务器)。因此查看了下相关的老代码并使用JProfiler查看发现是在某个while循环的时候有问题。具体项目代码就不贴了,类似于下面这段代码。while(flag) {//your code;}这里的flag._main函数使用while(1)循环cpu占用99
文章浏览阅读347次。idea shift f6 快捷键无效_idea shift +f6快捷键不生效
文章浏览阅读135次。Ecmacript 中没有DOM 和 BOM核心模块Node为JavaScript提供了很多服务器级别,这些API绝大多数都被包装到了一个具名和核心模块中了,例如文件操作的 fs 核心模块 ,http服务构建的http 模块 path 路径操作模块 os 操作系统信息模块// 用来获取机器信息的var os = require('os')// 用来操作路径的var path = require('path')// 获取当前机器的 CPU 信息console.log(os.cpus._node模块中有很多核心模块,以下不属于核心模块,使用时需下载的是
文章浏览阅读10w+次,点赞435次,收藏3.4k次。SPSS 22 下载安装过程7.6 方差分析与回归分析的SPSS实现7.6.1 SPSS软件概述1 SPSS版本与安装2 SPSS界面3 SPSS特点4 SPSS数据7.6.2 SPSS与方差分析1 单因素方差分析2 双因素方差分析7.6.3 SPSS与回归分析SPSS回归分析过程牙膏价格问题的回归分析_化工数学模型数据回归软件
文章浏览阅读7.5k次。如何利用hutool工具包实现邮件发送功能呢?1、首先引入hutool依赖<dependency> <groupId>cn.hutool</groupId> <artifactId>hutool-all</artifactId> <version>5.7.19</version></dependency>2、编写邮件发送工具类package com.pc.c..._hutool发送邮件
文章浏览阅读867次,点赞2次,收藏2次。docker安装elasticsearch,elasticsearch-head,kibana,ik分词器安装方式基本有两种,一种是pull的方式,一种是Dockerfile的方式,由于pull的方式pull下来后还需配置许多东西且不便于复用,个人比较喜欢使用Dockerfile的方式所有docker支持的镜像基本都在https://hub.docker.com/docker的官网上能找到合..._docker安装kibana连接elasticsearch并且elasticsearch有密码
文章浏览阅读1.3w次,点赞57次,收藏92次。整理 | 郑丽媛出品 | CSDN(ID:CSDNnews)近年来,随着机器学习的兴起,有一门编程语言逐渐变得火热——Python。得益于其针对机器学习提供了大量开源框架和第三方模块,内置..._beeware
文章浏览阅读7.9k次。//// ViewController.swift// Day_10_Timer//// Created by dongqiangfei on 2018/10/15.// Copyright 2018年 飞飞. All rights reserved.//import UIKitclass ViewController: UIViewController { ..._swift timer 暂停
文章浏览阅读986次,点赞2次,收藏2次。1.硬性等待让当前线程暂停执行,应用场景:代码执行速度太快了,但是UI元素没有立马加载出来,造成两者不同步,这时候就可以让代码等待一下,再去执行找元素的动作线程休眠,强制等待 Thread.sleep(long mills)package com.example.demo;import org.junit.jupiter.api.Test;import org.openqa.selenium.By;import org.openqa.selenium.firefox.Firefox.._元素三大等待
文章浏览阅读3k次,点赞4次,收藏14次。Java软件工程师职位分析_java岗位分析
文章浏览阅读2k次。Java:Unreachable code的解决方法_java unreachable code
文章浏览阅读1w次。1、html中设置标签data-*的值 标题 11111 222222、点击获取当前标签的data-url的值$('dd').on('click', function() { var urlVal = $(this).data('ur_如何根据data-*属性获取对应的标签对象