During privilege escalation you use the information gathered so far to search for vulnerabilities in the operating system, installed software and so on, obtain the PoC that exploits them, compile it, and carry out the escalation. searchsploit provides both local and online vulnerability lookup and is an important privilege-escalation tool in penetration testing.
Exploit Database is a project sponsored by Offensive Security. It holds a large collection of exploit programs that help security researchers and penetration testers carry out security testing; it is currently the most complete public vulnerability collection in the world, and the repository is updated daily. exploit-db provides searchsploit, which searches the offline copy of the database through its files.csv index and reports the location of each exploit file.
Installation
Link the searchsploit script into your PATH with:
ln -sf /opt/exploit-database/searchsploit /usr/local/bin/searchsploit
Update
searchsploit -u
Usage
searchsploit [options] term1 [term2] ... [termN]
Options:
$ ./searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | json_pp
For more examples, see the manual: https://www.exploit-db.com/searchsploit
=========
Options
=========
## Search Terms
-c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe)
-e, --exact [Term] Perform an EXACT & order match on exploit title (Default is an AND match on each term) [Implies "-t"]
e.g. "WordPress 4.1" would not be detect "WordPress Core 4.1")
-s, --strict Perform a strict search, so input values must exist, disabling fuzzy search for version range
e.g. "1.1" would not be detected in "1.0 < 1.3")
-t, --title [Term] Search JUST the exploit title (Default is title AND the file's path)
--exclude="term" Remove values from results. By using "|" to separate, you can chain multiple values
e.g. --exclude="term1|term2|term3"
## Output
-j, --json [Term] Show result in JSON format
-o, --overflow [Term] Exploit titles are allowed to overflow their columns
-p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)
-v, --verbose Display more information in output
-w, --www [Term] Show URLs to Exploit-DB.com rather than the local path
--id Display the EDB-ID value rather than local path
--colour Disable colour highlighting in search results
## Non-Searching
-m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory
-x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER
## Non-Searching
-h, --help Show this help screen
-u, --update Check for and install any exploitdb package updates (brew, deb & git)
## Automation
--nmap [file.xml] Checks all results in Nmap's XML output with service version
e.g.: nmap [host] -sV -oX file.xml
=======
Notes
=======
* You can use any number of search terms
* By default, search terms are not case-sensitive, ordering is irrelevant, and will search between version ranges
* Use '-c' if you wish to reduce results by case-sensitive searching
* And/Or '-e' if you wish to filter results by using an exact match
* And/Or '-s' if you wish to look for an exact version match
* Use '-t' to exclude the file's path to filter the search results
* Remove false positives (especially when searching using numbers - i.e. versions)
* When using '--nmap', adding '-v' (verbose), it will search for even more combinations
* When updating or displaying help, search terms will be ignored
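The `--nmap` option listed above feeds searchsploit the service versions recorded by `nmap -sV -oX file.xml`. The following is an added example, not part of the original post and not searchsploit's own code: it parses a constructed Nmap XML snippet and turns each open, version-identified service into the searchsploit term lists you would otherwise type by hand, so the scan of a host you are responsible for can be triaged against its patch level. The "verbose" widening (product alone, product plus major version) is an assumption standing in for the extra combinations `-v` is documented to try, not searchsploit's exact logic.

```python
"""Added example (not searchsploit's own code): map Nmap -sV XML output to
searchsploit search terms, the job the --nmap option automates."""
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output: one host, three open ports (two with product
# banners, one without version information) and one closed port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX file.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="WarFTP" version="1.65" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="7.00" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset"/>
        <service name="http" product="Apache httpd" version="2.4.1" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def service_queries(xml_text, verbose=False):
    """Return [{"host", "port", "terms"}] for every open, version-identified service.

    "terms" is a list of term lists; each inner list is one searchsploit run.
    """
    root = ET.fromstring(xml_text)
    queries = []
    for host in root.iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no reachable service
            svc = port.find("service")
            if svc is None or not svc.get("product"):
                continue  # no product banner -> nothing to search on (ssh above)
            product = svc.get("product")
            version = svc.get("version", "")
            candidates = [product.split() + version.split()]
            if verbose and version:
                # Assumption: widen to the product alone and to product + major version,
                # standing in for the extra combinations -v is documented to try.
                candidates.append(product.split())
                candidates.append(product.split() + [version.split(".")[0]])
            terms = []
            for cand in candidates:
                if cand not in terms:  # keep order, drop duplicates
                    terms.append(cand)
            queries.append({"host": addr, "port": port.get("portid"), "terms": terms})
    return queries


def as_commands(queries):
    """Render the term lists as the searchsploit command lines they stand for."""
    return ["searchsploit " + " ".join(t) for q in queries for t in q["terms"]]


if __name__ == "__main__":
    for cmd in as_commands(service_queries(SAMPLE_NMAP_XML, verbose=True)):
        print(cmd)
```

Services without a product banner (the ssh entry) produce no query, which mirrors why `--nmap` is only as good as the `-sV` identification: an unidentified service is a gap in the triage, not a clean result.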
$ ./searchsploit afd windows local
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11- | windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046) | windows/dos/18755.c
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-08 | windows/local/21844.rb
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Esca | windows_x86-64/local/39525.py
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Esca | windows_x86/local/39446.py
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service | windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-p | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS1 | windows/local/18176.py
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ ./searchsploit -t oracle windows
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escal | windows_x86/local/3451.c
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit) | windows_x86/remote/16731.rb
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit) | windows_x86/remote/16714.rb
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit) | windows_x86/remote/16809.rb
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | windows/remote/35777.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit) | windows/remote/23179.rb
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit) | windows/remote/16957.rb
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User- | multiple/dos/41932.cpp
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injec | windows_x86-64/local/41908.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ ./searchsploit -p 39446
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39446
Path: /root/exploitdb-master/exploits/windows_x86/local/39446.py
File Type: Python script, ASCII text executable
$ ./searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escala | solaris/local/15962.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Conditio | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condit | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition | linux/local/40611.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' | linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege | linux/local/35161.c
Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege E | linux/local/38390.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condi | linux_x86-64/local/33516.c
Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - ' | linux_x86-64/local/33589.c
Linux Kernel 3.2.x - 'uname()' System Call Local Information Disclosu | linux/local/37937.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32= | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary | linux/local/31346.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Esc | linux_x86-64/local/44302.c
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Pr | linux_x86-64/local/34134.c
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escala | arm/local/31574.c
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypas | linux_x86-64/local/44299.c
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege E | linux_x86-64/local/26131.c
Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local | linux/local/25450.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privileg | linux/local/45553.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Es | linux/local/45010.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak | linux/local/44325.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalatio | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Pri | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 | linux/local/47169.c
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ ./searchsploit mssql
[i] Found (#1): /root/exploitdb-master/files_exploits.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /root/exploitdb-master/files_shellcodes.csv
[i] To remove this message, please edit "/root/exploitdb-master/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
ADODB 4.6/4.7 - 'Tmssql.php' Cross-Site Scripting | php/webapps/28104.txt
ADODB < 4.70 - 'tmssql.php' Denial of Service | php/dos/1651.php
AutoDealer 1.0/2.0 - MSSQL Injection | php/webapps/12462.txt
MSSQL 7.0 - Remote Denial of Service | windows/dos/562.c
PHP 4.4.6 - 'mssql_[p]connect()' Local Buffer Overflow | windows/local/3417.php
XAMPP for Windows 1.6.0a - 'mssql_connect()' Remote Buffer Overflow | windows/remote/3738.php
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ ./searchsploit /xp
[i] Found (#2): ./files_exploits.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): ./files_shellcodes.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Apple QuickTime 7.2/7.3 (Windows Vista/XP) - RSTP Response Code Execu | windows/remote/4651.cpp
Microsoft Office 2000/2003/2004/XP - File Memory Corruption | windows/dos/31361.txt
Microsoft Windows 2000/XP - SMB Authentication Remote Overflow | windows/remote/20.txt
Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (1) | windows/remote/21188.c
Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (2) | windows/remote/21189.c
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode | windows/local/11199.txt
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - 'EPATHOBJ' Local R | windows/local/25912.c
Mozilla Firefox 1.5.0.2 - 'js320.dll/xpcom_core.dll' Denial of Servic | multiple/dos/1716.html
Novell Client for Windows 2000/XP - ActiveX Remote Denial of Service | windows/dos/9516.txt
PSOProxy 0.91 (Windows 2000/XP) - Remote Buffer Overflow | windows/remote/156.c
---------------------------------------------------------------------- ---------------------------------
---------------------------------------------------------------------- ---------------------------------
 Shellcode Title | Path
---------------------------------------------------------------------- ---------------------------------
Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal. | windows/24318.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes) | windows_x86/13525.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) | windows_x86/13526.c
Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes) | windows_x86/13527.c
Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.1 | windows_x86/13524.txt
Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) | windows_x86/13523.c
Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes) | windows_x86/13518.c
Windows/x86 (NT/XP/2000/2003) - Bind (8721/TCP) Shell Shellcode (356 | windows_x86/43759.asm
---------------------------------------------------------------------- ---------------------------------
$ ./searchsploit apple
[i] Found (#2): ./files_exploits.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): ./files_shellcodes.csv
[i] To remove this message, please edit "./.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Apple 2.0.4 - Safari Local Cross-Site Scripting | osx/local/29950.js
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) | hardware/dos/2700.rb
Apple At Ease 5.0 - Information Disclosure | osx/local/19427.txt
Apple Bonjour for Windows 1.0.4 - mDNSResponder Null Pointer Derefere | windows/dos/32350.txt
Apple CFNetwork - HTTP Response Denial of Service | osx/dos/3200.rb
Apple Directory Services - Memory Corruption | osx/dos/15491.txt
..................
1. Search keywords are combined with AND: SearchSploit uses the AND operator, not OR, so the more terms you give, the more results are filtered out.
2. When searching by name, use the full product name where possible.
3. Use the "-t" option. By default searchsploit checks both the exploit title and the file path; depending on the search terms this produces false positives (especially when a term also matches a platform directory or a version number in the path), and "-t" drops that extra data. For example, searchsploit -t oracle windows
shows 7 lines, while searchsploit oracle windows | wc -l
shows 90 lines.
4. Look up the keyword on exploit-db.com online ("-w" shows exploit-db.com URLs instead of local paths): searchsploit WarFTP 1.65 -w
5. To search Microsoft vulnerabilities, for example all Microsoft bulletins from 2014, use keywords such as ms14, ms15, ms16, ms17: searchsploit MS14
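To make the rules in the notes above concrete, here is an added example that is not part of the original post and not searchsploit's own code: a small re-implementation of the search semantics (AND-ed terms, title-and-path versus title-only matching, case sensitivity, `--exclude` and `-w`) run over a constructed subset of the files_exploits.csv index so it works offline. Treating `--exclude` as a regular expression is an assumption made here; the IDs, paths and titles in the sample are copied from the searchsploit output shown on this page, except the last row, which is a made-up placeholder whose title lacks the word "windows" while its path contains it, the exact situation note 3 describes.

```python
"""Added example (not searchsploit's own code): a minimal offline model of the
search rules described in the notes above, over a constructed CSV sample."""
import csv
import io
import re

EDB_URL = "https://www.exploit-db.com/exploits/"

# Constructed sample in a reduced files_exploits.csv layout (id,file,description).
# Rows 1-6 are copied from this page's searchsploit output; the 99999999 row is
# a placeholder that only matches "windows" through its path.
SAMPLE_CSV = """\
id,file,description
39446,exploits/windows_x86/local/39446.py,Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
18755,exploits/windows/dos/18755.c,Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046)
3451,exploits/windows_x86/local/3451.c,Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escalation
35777,exploits/windows/remote/35777.rb,Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit)
40616,exploits/linux/local/40616.c,Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition
12462,exploits/php/webapps/12462.txt,AutoDealer 1.0/2.0 - MSSQL Injection
99999999,exploits/windows/remote/99999999.txt,Oracle Placeholder Service - Constructed Sample Entry
"""


def load_rows(text=SAMPLE_CSV):
    """Parse the CSV index into dicts, the way searchsploit reads files_exploits.csv."""
    return list(csv.DictReader(io.StringIO(text)))


def search(terms, rows, title_only=False, case_sensitive=False, exclude=None, www=False):
    """Return (title, location) pairs for rows that match ALL terms.

    title_only     -> -t : match the title only (default: title AND path)
    case_sensitive -> -c : keep case (default is case-insensitive)
    exclude        -> --exclude="a|b" : drop rows whose title or path matches the regex
    www            -> -w : report the exploit-db.com URL instead of the local path
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    exclude_re = re.compile(exclude, flags) if exclude else None
    hits = []
    for row in rows:
        line = row["description"] + " " + row["file"]
        haystack = row["description"] if title_only else line
        # AND semantics: every term must appear, so each extra term can only narrow the set.
        if not all(re.search(re.escape(t), haystack, flags) for t in terms):
            continue
        if exclude_re and exclude_re.search(line):
            continue
        location = EDB_URL + row["id"] if www else row["file"]
        hits.append((row["description"], location))
    return hits


def hit_count(terms, rows, **options):
    """Result count, the figure `searchsploit ... | wc -l` is used for in note 3."""
    return len(search(terms, rows, **options))


if __name__ == "__main__":
    rows = load_rows()
    # "windows" matches the placeholder only through its path; -t drops it.
    print("oracle windows    ->", hit_count(["oracle", "windows"], rows))
    print("-t oracle windows ->", hit_count(["oracle", "windows"], rows, title_only=True))
    # --exclude removes the (PoC) denial-of-service entry from the afd results.
    for title, path in search(["afd", "windows", "local"], rows, exclude=r"(PoC)|/dos/"):
        print(f"{title[:60]:60} | {path}")
    # -w returns URLs instead of local file paths.
    print(search(["mssql"], rows, www=True))
```

The `oracle windows` comparison is the note 3 effect in miniature: the path-only match disappears under `-t`, and a case-sensitive lowercase `windows` search that still finds hits is finding them in the directory names, not the titles.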