exploitdb

About the title. While searching with `brew` I noticed there was something called "exploitdb", so I'll give it a try.

■ Environment

  • exploitdb
  • Homebrew
  • macOS High Sierra

■ exploitdb

$ brew info exploitdb
exploitdb: stable 2018-04-05, HEAD
The official Exploit Database
https://www.exploit-db.com/
Not installed
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/exploitdb.rb
==> Options
--HEAD
    Install HEAD version
$

"exploitdb" is that thing, right? With that in mind I visited the URL shown by `info`, and it was just as I pictured. What do you get by installing it?

$ brew install exploitdb

Now, what got installed?

$ brew ls exploitdb
/usr/local/Cellar/exploitdb/2018-04-05/bin/searchsploit
/usr/local/Cellar/exploitdb/2018-04-05/share/exploit-database/ (39996 files)
$

`searchsploit` is presumably a command, and the name gives an idea of what it does.

$ searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]

==========
 Examples
==========
  searchsploit afd windows local
  searchsploit -t oracle windows
  searchsploit -p 39446
  searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

  For more examples, see the manual: https://www.exploit-db.com/searchsploit/

=========
 Options
=========
   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help                 Show this help screen.
   -j, --json     [Term]      Show result in JSON format.
   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory.
   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible).
   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path).
   -u, --update               Check for and install any exploitdb package updates (deb or git).
   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using $PAGER.
       --colour               Disable colour highlighting in search results.
       --id                   Display the EDB-ID value rather than local path.
       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations
       --exclude="term"       Remove values from results. By using "|" to separated you can chain multiple values.
                                e.g. --exclude="term1|term2|term3".

=======
 Notes
=======
 * You can use any number of search terms.
 * Search terms are not case-sensitive (by default), and ordering is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching using numbers - i.e. versions).
 * When updating or displaying help, search terms will be ignored.

$

As a test, let's try "drupal", which has been in the news recently.

$ searchsploit drupal
------------------------------------------------------------------- -------------------------------------------------------------------
 Exploit Title                                                     |  Path
                                                                   | (/usr/local/opt/exploitdb/share/exploit-database/)
------------------------------------------------------------------- -------------------------------------------------------------------
Drupal 4.0 - News Message HTML Injection                           | exploits/php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting                              | exploits/php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                      | exploits/php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution        | exploits/php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                      | exploits/php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                            | exploits/php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service                               | exploits/php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabili | exploits/php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)  | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)   | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Pass | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Pass | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Exec | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                             | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                 | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution            | exploits/php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution              | exploits/php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                      | exploits/php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                  | exploits/php/dos/35415.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections     | exploits/php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass                            | exploits/php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross | exploits/php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent  | exploits/php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)    | exploits/php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution      | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scri | exploits/php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary | exploits/php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media | exploits/php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)  | exploits/php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting                      | exploits/php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection            | exploits/php/webapps/33410.txt
------------------------------------------------------------------- -------------------------------------------------------------------
Shellcodes: No Result
$

I see. So the path that also showed up in `ls` is where the actual code lives. Probably handy for people in the security field.

That's all.