1N3 / Sn1per

Attack Surface Management Platform
https://sn1persecurity.com

more extensive search with searchsploit #79

Closed ifly53e closed 7 years ago

ifly53e commented 7 years ago

Consider adding the -v switch for searchsploit commands... Without the -v switch, all terms must be present to get a result (squid is in the exploit_db but did not give a result in the example below)

root@thpkali:~# searchsploit -t --nmap /usr/share/sniper/loot/nmap/nmap-192.168.1.239.xml
[i] SearchSploit's XML mode (without verbose enabled)
[i] Reading: '/usr/share/sniper/loot/nmap/nmap-192.168.1.239.xml'

[i] /usr/bin/searchsploit -t openssh 5 9p1 debian 5ubuntu1 1
[i] /usr/bin/searchsploit -t squid http proxy 3 1 19
[i] /usr/bin/searchsploit -t http proxy
-------------------------------------------------------- ----------------------------------
 Exploit Title                                          |  Path
                                                        | (/usr/share/exploitdb/platforms/)
-------------------------------------------------------- ----------------------------------
ZoneAlarm 8.0.20 - HTTP Proxy Remote Denial of Service  | windows/dos/32428.txt
SapporoWorks Black JumboDog 2.6.4/2.6.5 - HTTP Proxy Bu | windows/remote/21214.c
W3C CERN httpd 3.0 Proxy - Cross-Site Scripting         | unix/remote/21704.txt
Cacheflow CacheOS 4.1.10016 - HTTP HOST Proxy           | multiple/remote/23137.txt
Symantec Enterprise Firewall / Gateway Security - HTTP  | multiple/remote/27852.pl
phpBB 2.0.20 - Unauthorized HTTP Proxy                  | php/webapps/27863.txt
-------------------------------------------------------- ----------------------------------

===================================

With the -v switch it was found...

root@thpkali:~# searchsploit -v -t --nmap /usr/share/sniper/loot/nmap/nmap-192.168.1.239.xml
[i] Reading: '/usr/share/sniper/loot/nmap/nmap-192.168.1.239.xml'

[i] /usr/bin/searchsploit -t openssh 
-------------------------------------------------------- ----------------------------------
 Exploit Title                                          |  Path
                                                        | (/usr/share/exploitdb/platforms/)
-------------------------------------------------------- ----------------------------------
Dropbear / OpenSSH Server - (MAX_UNAUTH_CLIENTS) Denial | multiple/dos/1572.pl
OpenSSH 4.3 p1 - (Duplicated Block) Remote Denial of Se | multiple/dos/2444.sh
Novell Netware 6.5 - OpenSSH Remote Stack Overflow      | novell/dos/14866.txt
OpenSSH 7.2 - Denial of Service                         | linux/dos/40888.py
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - Exploits   | linux/local/258.sh
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwa | linux/local/40962.txt
OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation          | linux/local/41173.c
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool       | linux/remote/25.c
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident     | linux/remote/26.sh
Portable OpenSSH 3.6.1p-PAM / 4.1-SuSE - Timing Attack  | multiple/remote/3303.sh
Debian OpenSSH - Authenticated Remote SELinux Privilege | linux/remote/6094.txt
FreeBSD OpenSSH 3.5p1 - Remote Command Execution        | freebsd/remote/17462.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite              | linux/remote/20253.sh
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One       | unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overf | linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)    | unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)    | unix/remote/21579.txt
OpenSSH 7.2p1 - Authenticated xauth Command Injection   | multiple/remote/39569.py
OpenSSHd 7.2p2 - Username Enumeration (PoC)             | linux/remote/40113.txt
OpenSSHd 7.2p2 - Username Enumeration                   | linux/remote/40136.py
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loadin | linux/remote/40963.txt
-------------------------------------------------------- ----------------------------------

[i] /usr/bin/searchsploit -t openssh 5 
-------------------------------------------------------- ----------------------------------
 Exploit Title                                          |  Path
                                                        | (/usr/share/exploitdb/platforms/)
-------------------------------------------------------- ----------------------------------
Novell Netware 6.5 - OpenSSH Remote Stack Overflow      | novell/dos/14866.txt
FreeBSD OpenSSH 3.5p1 - Remote Command Execution        | freebsd/remote/17462.txt
-------------------------------------------------------- ----------------------------------

[i] /usr/bin/searchsploit -t openssh 5 9p1 

[i] /usr/bin/searchsploit -t squid 
-------------------------------------------------------- ----------------------------------
 Exploit Title                                          |  Path
                                                        | (/usr/share/exploitdb/platforms/)
-------------------------------------------------------- ----------------------------------
Squid < 3.1 5 - HTTP Version Number Parsing Denial of S | multiple/dos/8021.pl
Squid 3.3.5 - Denial of Service (PoC)                   | linux/dos/26886.pl
Squid Proxy 2.5/2.6 - FTP URI Remote Denial of Service  | linux/dos/29473.txt
SquidGuard 1.4 - Long URL Handling Remote Denial of Ser | xml/dos/37685.txt
Squid - 'httpMakeVaryMark()' Function Remote Denial of  | linux/dos/38365.txt
Squid 2.4.1 - Remote Buffer Overflow                    | linux/remote/347.c
Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)   | multiple/remote/9951.rb
Squid - NTLM Authenticate Overflow (Metasploit)         | linux/remote/16847.rb
National Science Foundation Squid Web Proxy 1.0/1.1/2.1 | linux/remote/19567.txt
Squid Web Proxy 2.2 - cachemgr.cgi Unauthorized Connect | cgi/remote/20465.sh
Squid Web Proxy 2.3 - Reverse Proxy                     | linux/remote/21017.txt
Squid 2.0-4 - Cache FTP Proxy URL Buffer Overflow       | unix/remote/21297.c
Squid Proxy 2.4/2.5 - NULL URL Character Unauthorized A | linux/remote/23777.txt
SquidGuard 1.x - NULL URL Character Unauthorized Access | linux/remote/23848.txt
National Science Foundation Squid Proxy 2.3 - Internet  | linux/remote/24105.txt
PageSquid CMS 0.3 Beta - 'index.php' SQL Injection      | php/webapps/5899.txt
MySQL Squid Access Report 2.1.4 - HTML Injection        | php/webapps/20055.txt
-------------------------------------------------------- ----------------------------------

[i] /usr/bin/searchsploit -t squid http 
-------------------------------------------------------- ----------------------------------
 Exploit Title                                          |  Path
                                                        | (/usr/share/exploitdb/platforms/)
-------------------------------------------------------- ----------------------------------
Squid < 3.1 5 - HTTP Version Number Parsing Denial of S | multiple/dos/8021.pl
Squid - 'httpMakeVaryMark()' Function Remote Denial of  | linux/dos/38365.txt
-------------------------------------------------------- ----------------------------------

[i] /usr/bin/searchsploit -t squid http proxy 

[-] Skipping term: http    (Term is too general. Please re-search manually: /usr/bin/searchsploit -t http )

[i] /usr/bin/searchsploit -t http proxy 
-------------------------------------------------------- ----------------------------------
 Exploit Title                                          |  Path
                                                        | (/usr/share/exploitdb/platforms/)
-------------------------------------------------------- ----------------------------------
ZoneAlarm 8.0.20 - HTTP Proxy Remote Denial of Service  | windows/dos/32428.txt
SapporoWorks Black JumboDog 2.6.4/2.6.5 - HTTP Proxy Bu | windows/remote/21214.c
W3C CERN httpd 3.0 Proxy - Cross-Site Scripting         | unix/remote/21704.txt
Cacheflow CacheOS 4.1.10016 - HTTP HOST Proxy           | multiple/remote/23137.txt
Symantec Enterprise Firewall / Gateway Security - HTTP  | multiple/remote/27852.pl
phpBB 2.0.20 - Unauthorized HTTP Proxy                  | php/webapps/27863.txt
-------------------------------------------------------- ----------------------------------

root@thpkali:~# 

Thanks.
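Added illustration of why the two runs above differ (example code written for this page, not part of Sn1per or searchsploit): it tokenizes a constructed nmap XML fragment the way the terms in the output suggest, then contrasts the all-terms query with the widening verbose search. The stop-list, the "one term list for product+version and one for the service name" split, and the "stop at the first empty prefix" rule are inferences from the output above, and the title index is a small constructed stand-in.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap XML fragment mirroring the two services seen in the issue (not the real loot file).
NMAP_XML = """<nmaprun><host><ports>
<port protocol="tcp" portid="22"><service name="ssh" product="OpenSSH" version="5.9p1 Debian 5ubuntu1.1"/></port>
<port protocol="tcp" portid="3128"><service name="http-proxy" product="Squid http proxy" version="3.1.19"/></port>
</ports></host></nmaprun>"""

# Constructed stand-in for the exploit-db title index, built from titles quoted in the issue.
TITLES = [
    "OpenSSH 7.2 - Denial of Service",
    "Novell Netware 6.5 - OpenSSH Remote Stack Overflow",
    "Squid < 3.1 5 - HTTP Version Number Parsing Denial of S",
    "Squid 3.3.5 - Denial of Service (PoC)",
    "ZoneAlarm 8.0.20 - HTTP Proxy Remote Denial of Service",
]
TOO_GENERAL = {"http", "ssh", "proxy"}  # assumed stop-list; searchsploit maintains its own

def tokenize(*fields):
    """Lowercase and split on punctuation: 'Squid http proxy' + '3.1.19' -> squid http proxy 3 1 19."""
    return [t for f in fields if f for t in re.split(r"[^a-z0-9]+", f.lower()) if t]

def service_terms(xml_text):
    """One term list per service for product+version and one for the service name (assumed --nmap behaviour)."""
    out = []
    for svc in ET.fromstring(xml_text).iter("service"):
        for terms in (tokenize(svc.get("product"), svc.get("version")), tokenize(svc.get("name"))):
            if terms and terms not in out:
                out.append(terms)
    return out

def search(terms, titles=TITLES):
    """Simplified title match: every term must occur (case-insensitive) in the title."""
    return [t for t in titles if all(term in t.lower() for term in terms)]

def strict_hits(terms):
    """Non-verbose mode: one query carrying every token, so 'squid http proxy 3 1 19' finds nothing."""
    return {" ".join(terms): search(terms)}

def verbose_hits(terms):
    """Verbose mode as inferred from the issue output: widen one token at a time, skip an
    over-general first token, and stop at the first prefix that returns no hits."""
    hits = {}
    for n in range(1, len(terms) + 1):
        prefix = terms[:n]
        if n == 1 and prefix[0] in TOO_GENERAL:
            continue
        hits[" ".join(prefix)] = found = search(prefix)
        if not found:
            break
    return hits
```

Running `verbose_hits` over each list from `service_terms(NMAP_XML)` reproduces the query sequence shown in the verbose run, while `strict_hits` reproduces the single all-terms query that missed Squid.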

1N3 commented 7 years ago

Thanks for the suggestion. I implemented the fix in v2.5e which is now public!