
searchsploit (Exploit DB)

[Lab] Using Kali Linux 8 (on the searchsploit command)

Using Exploit DB (www.exploit-db.com)

 

 

How to run searchsploit

Exploitation Tools > Exploit Database > searchsploit

or

# searchsploit <search term> <search term> ...

 

 

# searchsploit

Usage: searchsploit [options] term1 [term2] ... [termN]

 

==========

Examples

==========

searchsploit afd windows local

searchsploit -t oracle windows

searchsploit -p 39446

 

=========

Options

=========

-c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe).

-e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].

-h, --help Show this help screen.

-j, --json [Term] Show result in JSON format.

-m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory.

-o, --overflow [Term] Exploit titles are allowed to overflow their columns.

-p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible).

-t, --title [Term] Search JUST the exploit title (Default is title AND the file's path).

-u, --update Check for and install any exploitdb package updates (deb or git)

-w, --www [Term] Show URLs to Exploit-DB.com rather than the local path.

-x, --examine [EDB-ID] Examine (aka opens) the exploit using .

--colour Disable colour highlighting in search results.

--id Display the EDB-ID value rather than local path.

 

=======

Notes

=======

* You can use any number of search terms.

* Search terms are not case-sensitive (by default), and ordering is irrelevant.

* Use '-c' if you wish to reduce results by case-sensitive searching.

* And/Or '-e' if you wish to filter results by using an exact match.

* Use '-t' to exclude the file's path to filter the search results.

* Remove false positives (especially when searching using numbers - i.e. versions).

* When updating from git or displaying help, search terms will be ignored.

 

# searchsploit oracle    (the kinds of exploit code available for attacking Oracle)

---------------------------------------------------- ----------------------------------

Exploit Title | Path

| (/usr/share/exploitdb/platforms)

---------------------------------------------------- ----------------------------------

Oracle XDB FTP Service - UNLOCK Buffer Overflow | ./windows/remote/80.c

Oracle (oidldapd connect) - Local Command Line Over | ./linux/local/183.c

Oracle Database Server 10.1.0.2 - Buffer Overflow | ./windows/local/932.sql

Oracle Database PL/SQL Statement - Multiple SQL Inj | ./windows/local/933.sql

Oracle 9.2.0.1 - Universal XDB HTTP Pass Overflow ( | ./windows/remote/1365.pm

Oracle Database Server 9i/10g - (XML) Buffer Overfl | ./windows/local/1455.txt

Oracle 10g Release 2 - 'DBMS_EXPORT_EXTENSION' SQL | ./multiple/local/1719.txt

..... (omitted) .....

Oracle BeeHive 2 - voice-servlet prepareAudioToPlay | ./windows/remote/38860.rb

Oracle Supply Chain Products Suite - Remote Securit | ./multiple/remote/39018.txt

Oracle - HtmlConverter.exe Buffer Overflow | ./windows/local/39284.txt

Oracle GlassFish Server 4.1 - Directory Traversal | ./multiple/webapps/39441.txt

Oracle Application Testing Suite 12.4.0.2.0 - Authe | ./jsp/webapps/39691.py

OpenSSL - Padding Oracle in AES-NI CBC MAC Check | ./multiple/dos/39768.txt

Oracle Application Testing Suite (ATS) - Arbitrary | ./java/remote/39852.rb

Sun Secure Global Desktop and Oracle Global Desktop | ./cgi/webapps/39887.txt

Oracle Orakill.exe 11.2.0 - Buffer Overflow | ./windows/dos/39947.py

---------------------------------------------------- ----------------------------------

 

# searchsploit oracle | wc -l

250

 

# searchsploit oracle windows

..... (omitted) .....

Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Cont | ./windows/remote/36250.html

Oracle Hyperion Smart View for Office 11.1.2.3.000 | ./windows/dos/36783.txt

Oracle - Outside-In DOCX File Parsing Memory Corrup | ./windows/dos/36788.txt

Oracle Outside In PDF 8.5.2 - Parsing Memory Corrup | ./windows/dos/38788.txt

Oracle Outside In PDF 8.5.2 - Parsing Memory Corrup | ./windows/dos/38789.txt

Oracle BeeHive 2 - voice-servlet processEvaluation( | ./windows/remote/38859.rb

Oracle BeeHive 2 - voice-servlet prepareAudioToPlay | ./windows/remote/38860.rb

Oracle - HtmlConverter.exe Buffer Overflow | ./windows/local/39284.txt

Oracle Orakill.exe 11.2.0 - Buffer Overflow | ./windows/dos/39947.py

---------------------------------------------------- ----------------------------------

 

# searchsploit oracle windows | wc -l

86

 

# searchsploit oracle windows local

---------------------------------------------------- ----------------------------------

Exploit Title | Path

| (/usr/share/exploitdb/platforms)

---------------------------------------------------- ----------------------------------

Oracle Database Server 10.1.0.2 - Buffer Overflow | ./windows/local/932.sql

Oracle Database PL/SQL Statement - Multiple SQL Inj | ./windows/local/933.sql

Oracle Database Server 9i/10g - (XML) Buffer Overfl | ./windows/local/1455.txt

Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Loc | ./windows/local/3451.c

Oracle 10/11g - exp.exe Parameter file Local Buffer | ./windows/local/16169.py

Oracle 8/9i - DBSNMP Oracle Home Environment Variab | ./windows/local/21044.c

Oracle - HtmlConverter.exe Buffer Overflow | ./windows/local/39284.txt

---------------------------------------------------- ----------------------------------

 

# cd /usr/share/exploitdb/platforms

# ls

aix bsd_ppc hardware lin_x86-64 novell python system_z

android bsd_x86 hp-ux linux openbsd qnx tru64

arm bsdi_x86 immunix linux_mips openbsd_x86 ruby ultrix

ashx cfm ios linux_ppc osx sco unix

asp cgi irix linux_sparc osx_ppc sco_x86 unixware

aspx freebsd java minix palm_os sh4 win_x86

atheos freebsd_x86 json multiple perl solaris win_x86-64

beos freebsd_x86-64 jsp netbsd_x86 php solaris_sparc windows

bsd generator lin_x86 netware plan9 solaris_x86 xml

 

# cd windows/local

# ls



# vi 16169.py

#!/usr/bin/python

# Oracle 10/11g exp.exe - param file Local Buffer Overflow PoC Exploit

# Date found approx: 9/3/2010

# Software Link: http://www.oracle.com/technology/products/database/oracle10g/index.html

# Version: 10.x and 11g r1 (r2 untested)

# Tested on: Windows XP SP3 En

# Usage:

# $ORACLE_HOME\exp.exe system parfile=overflow_oracle_exp.txt

 

def banner():

print "\n\t| ------------------------------------- |"

print "\t| Oracle exp.exe code execution explo!t |"

print "\t| by mr_me - net-ninja.net ------------ |\n"

 

header = ("\x69\x6E\x64\x65\x78\x65\x73\x3D\x6E\x0D\x0A\x6C\x6F\x67\x3D\x72\x65\x73\x75"

"\x6C\x74\x73\x2E\x74\x78\x74\x0D\x0A\x66\x69\x6C\x65\x3D");

..... (omitted) .....


.py (Python)  .rb (Ruby)  .pl (Perl)  .c (C)  .sql (SQL query)

   

*****************************************************************************************************************

[Lab] Updating exploitdb


---------------------------------------------------

RedHat family)   # rpm -qf /bin/ls

                 # rpm -ql coreutils (prints the file list)

---------------------------------------------------

Debian family)   # dpkg -S /bin/ls

                 # dpkg -L coreutils (prints the file list)

----------------------------------------------------


# cd /usr/share/exploitdb ; ls

files.csv   platforms/     searchsploit*


# dpkg -S /usr/share/exploitdb/files.csv

exploitdb: /usr/share/exploitdb/files.csv


# dpkg -L exploitdb

-> list omitted


# apt-get update

# apt-get -y install exploitdb

*****************************************************************************************************************


[Lab] Writing the searchsploit.sh script

 

(KaliLinux)

 

# cp /usr/share/exploitdb/files.csv /root/bin/files.csv

# cd /root/bin

# cat files.csv | head

id, file, description, date, author, platform, type, port

1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80

2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80

3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (Redhat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0

4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0

5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139

6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0

7,platforms/linux/remote/7.pl,"Samba 2.2.x - Remote Root Buffer Overflow",2003-04-07,"H D Moore",linux,remote,139

8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow",2003-04-08,zillion,linux,remote,0

..... (omitted) .....

 

# searchsploit.sh

Usage: searchsploit term1 [term2] ... [termN]

Example: searchsploit oracle windows local

-> how to use it

 

# searchsploit.sh oracle

cat files.csv | egrep -i oracle

 

# cat files.csv | egrep -i 'Oracle Identity Manager'

32670,platforms/php/webapps/32670.txt,"Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects",2014-04-03,"Giuseppe D'Amore",php,webapps,0

|

|

V

# searchsploit oracle

Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unval | /php/webapps/32670.txt

 

# searchsploit.sh oracle windows

cat files.csv | egrep -i oracle | egrep -i windows

 

# searchsploit oracle windows

Oracle Demantra 12.2.1 - Database Credentials Disclosur | /windows/webapps/31995.txt

 

# searchsploit.sh oracle windows local

cat files.csv | egrep -i oracle | egrep -i windows | egrep -i local

 

# searchsploit oracle windows local

Oracle 8/9i DBSNMP Oracle Home Environment Variable Buf | /windows/local/21044.c

 

# vi searchsploit.sh

--------------------------------------------------

#!/bin/bash

# Require at least one search term.
if [ $# -le 0 ] ; then
    echo "usage: searchsploit oracle windows local"
    exit 1
fi

# Build one "fgrep -i" filter per term and join them with pipes.
# "$@" is quoted so that a multi-word term stays a single pattern.
for PATTERN in "$@"
do
    if [ "$SEARCH" ] ; then
        SEARCH="$SEARCH |"
    fi
    SEARCH="$SEARCH fgrep -i --color \"$PATTERN\""
done

# Run the assembled pipeline with eval, then print column 3 (the title,
# cut to 44 characters) and column 2 (the path with "platforms" stripped).
cat files.csv | eval $SEARCH | while read LINE
do
    LINE1=`echo $LINE | awk -F, '{print $3}' | cut -c 1-44`
    LINE2=`echo $LINE | awk -F, '{print $2}' | sed 's/platforms//'`
    echo "$LINE1 | $LINE2"
done

--------------------------------------------------

 

# ./searchsploit.sh oracle windows local

Oracle Database Server <= 10.1.0.2 - Buffer Overflow Ex | /windows/local/932.sql

Oracle Database PL/SQL Statement Multiple SQL Injection | /windows/local/933.sql

Oracle Database Server 9i/10g (XML) Buffer Overflow Exp | /windows/local/1455.txt

Oracle 10g (PROCESS_DUP_HANDLE) Local Privilege Elevati | /windows/local/3451.c

Oracle 10/11g exp.exe - param file Local Buffer Overflo | /windows/local/16169.py

Oracle 8/9i DBSNMP Oracle Home Environment Variable Buf | /windows/local/21044.c

 

[Reference] The eval command

# name=chan

# chan=test

# echo $name -> chan

# echo $chan -> test

# echo $`echo $name` -> $chan

# eval echo $`echo $name` -> test

 

(Example) # ls -a -l -t -r

# A=ls

# B=" -a -l "

# C=" -t -r "

# CMD=$A$B$C /* CMD=ls -a -l -t -r */

# $CMD

-> Does this run correctly?

-> # eval $CMD

 

 

[Reference] grep/fgrep/egrep commands

grep CMD

# grep '[abc]d' file.txt

fgrep CMD (fixed grep)

# fgrep 'f*' file.txt

egrep CMD (extended grep)

# egrep '(root|user01)' /etc/passwd

 

 

[Reference] Analysing the command execution pattern

 

# ./searchsploit.sh oracle($1) windows($2) local($3)

$# => 3

 

cat files.csv | grep -i "$1" \

| grep -i "$2" \

| grep -i "$3" \

| ......

 

SEARCH="cat files.csv"

SEARCH=$SEARCH | grep -i "$1"

SEARCH=$SEARCH | grep -i "$2"

SEARCH=$SEARCH | grep -i "$3"

SEARCH='cat files.csv | grep -i "$1" | grep -i "$2" | grep -i "$3"'
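Added example (not the page's script and not code from the exploitdb project): a hardened rewrite of the lab's searchsploit.sh that also covers the eval and pipeline-pattern references above. It quotes "$@", chains the per-term greps by recursion instead of assembling a string for eval, and parses the CSV with quote-awareness so that a comma inside a title cannot shift the columns. The files.csv rows are constructed sample data modelled on the page's listing (dates and authors are placeholders); point CSV at /usr/share/exploitdb/files.csv for a real run.

```shell
#!/bin/sh
# Hardened rewrite of the lab's searchsploit.sh (added example, not the page's
# script). Differences: "$@" keeps multi-word terms intact, the term filters
# are chained by recursion instead of eval, and the CSV description field is
# parsed with quote-awareness so a comma inside a title cannot shift columns.
set -u

# Constructed sample standing in for /usr/share/exploitdb/files.csv (rows
# modelled on the page's listing; dates and authors are placeholders).
CSV=$(mktemp)
trap 'rm -f "$CSV"' EXIT
cat > "$CSV" <<'EOF'
id,file,description,date,author,platform,type,port
932,platforms/windows/local/932.sql,"Oracle Database Server 10.1.0.2 - Buffer Overflow",2005-01-01,sample,windows,local,0
3451,platforms/windows/local/3451.c,"Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Escalation",2007-01-01,sample,windows,local,0
39947,platforms/windows/dos/39947.py,"Oracle Orakill.exe 11.2.0 - Buffer Overflow, Denial of Service",2016-01-01,sample,windows,dos,0
7,platforms/linux/remote/7.pl,"Samba 2.2.x - Remote Root Buffer Overflow",2003-04-07,"H D Moore",linux,remote,139
EOF

# filter TERM...: AND together one case-insensitive fixed-string grep per term.
# Each recursion level adds one grep to the pipe; no eval, no shell re-parsing.
filter() {
    if [ $# -eq 0 ]; then cat; return; fi
    t=$1; shift
    grep -iF -- "$t" | filter "$@"
}

# search_exploits TERM...: print "title (44 cols) | path" like the lab script.
search_exploits() {
    [ $# -gt 0 ] || { echo "usage: search_exploits term1 [term2] ..." >&2; return 1; }
    tail -n +2 "$CSV" | filter "$@" | awk '
    # field(line, n): return CSV field n, honouring double-quoted fields
    function field(line, n,   i, c, q, f, s) {
        f = 1; q = 0; s = ""
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"")           q = !q
            else if (c == "," && !q) { if (f == n) return s; f++; s = "" }
            else                     s = s c
        }
        return (f == n) ? s : ""
    }
    { p = field($0, 2); sub(/^platforms/, "", p)
      printf "%-44.44s | %s\n", field($0, 3), p }'
}

search_exploits oracle windows local
```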

 

 

 

[Reference] Checking the contents of the /usr/share/exploitdb/searchsploit script