From f0efa2c25a06e1dcff30e60fb931c7141883fc67 Mon Sep 17 00:00:00 2001
From: g0tmi1k
Date: Wed, 26 Oct 2016 12:07:52 +0100
Subject: [PATCH] Add '--nmap' flag. Able to load from Nmap's XML output
---
 README.md | 33 ++++----
 searchsploit | 210 ++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 210 insertions(+), 33 deletions(-)
diff --git a/README.md b/README.md
index 63f50ee36..a8037c218 100755
--- a/README.md
+++ b/README.md
@@ -13,9 +13,9 @@ Included with this repository is the **searchsploit** utility, which will allow
 root@kali:~# searchsploit -h
 Usage: searchsploit [options] term1 [term2] ... [termN]
-=========
+==========
 Examples
-=========
+==========
 searchsploit afd windows local
 searchsploit -t oracle windows
 searchsploit -p 39446
@@ -23,20 +23,21 @@ root@kali:~# searchsploit -h
 =========
 Options
 =========
- -c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe).
- -e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
- -h, --help Show this help screen.
- -j, --json [Term] Show result in JSON format.
- -m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory.
- -o, --overflow [Term] Exploit titles are allowed to overflow their columns.
- -p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible).
- -t, --title [Term] Search JUST the exploit title (Default is title AND the file's path).
- -u, --update Check for and install any exploitdb package updates (deb or git)
- -w, --www [Term] Show URLs to Exploit-DB.com rather than the local path.
- -x, --examine [EDB-ID] Examine (aka opens) the exploit using .
- --colour Disable colour highlighting in search results.
- --id Display the EDB-ID value rather than local path.
-
+ -c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe).
+ -e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
+ -h, --help Show this help screen.
+ -j, --json [Term] Show result in JSON format.
+ -m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory.
+ -o, --overflow [Term] Exploit titles are allowed to overflow their columns.
+ -p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible).
+ -t, --title [Term] Search JUST the exploit title (Default is title AND the file's path).
+ -u, --update Check for and install any exploitdb package updates (deb or git).
+ -w, --www [Term] Show URLs to Exploit-DB.com rather than the local path.
+ -x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER.
+ --colour Disable colour highlighting in search results.
+ --id Display the EDB-ID value rather than local path.
+ --nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
+ Use "-v" (verbose) to try even more combinations
 =======
 Notes
 =======
diff --git a/searchsploit b/searchsploit
index f47cd71e0..9a771d88c 100755
--- a/searchsploit
+++ b/searchsploit
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Name: SearchSploit - Exploit-DB's CLI search tool
-# Version: 3.6.1 (Release date: 2016-09-20)
+# Version: 3.7 (Release date: 2016-10-26)
 # Written by: Offensive Security, Unix-Ninja & g0tmi1k
 # Homepage: https://github.com/offensive-security/exploit-database
 #
@@ -33,7 +33,9 @@ JSON=0
 MIRROR=0
 OVERFLOW=0
 SCASE=0
+VERBOSE=0
 WEBLINK=0
+XML=0
 COLOUR_TAG=""
 TAGS=""
 SEARCH=""
@@ -60,21 +62,21 @@ function usage()
 echo "========="
 echo " Options "
 echo "========="
- echo " -c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe)."
- echo " -e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies \"-t\"]."
- echo " -h, --help Show this help screen."
- echo " -j, --json [Term] Show result in JSON format."
- echo " -m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory."
- echo " -o, --overflow [Term] Exploit titles are allowed to overflow their columns."
- echo " -p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)."
- echo " -t, --title [Term] Search JUST the exploit title (Default is title AND the file's path)."
- echo " -u, --update Check for and install any exploitdb package updates (deb or git)"
- echo " -w, --www [Term] Show URLs to Exploit-DB.com rather than the local path."
- echo " -x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER."
- echo " --colour Disable colour highlighting in search results."
- echo " --id Display the EDB-ID value rather than local path."
-
- echo
+ echo " -c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe)."
+ echo " -e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies \"-t\"]."
+ echo " -h, --help Show this help screen."
+ echo " -j, --json [Term] Show result in JSON format."
+ echo " -m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory."
+ echo " -o, --overflow [Term] Exploit titles are allowed to overflow their columns."
+ echo " -p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)."
+ echo " -t, --title [Term] Search JUST the exploit title (Default is title AND the file's path)."
+ echo " -u, --update Check for and install any exploitdb package updates (deb or git)."
+ echo " -w, --www [Term] Show URLs to Exploit-DB.com rather than the local path."
+ echo " -x, --examine [EDB-ID] Examine (aka opens) the exploit using \$PAGER."
+ echo " --colour Disable colour highlighting in search results."
+ echo " --id Display the EDB-ID value rather than local path."
+ echo " --nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml)."
+ echo " Use \"-v\" (verbose) to try even more combinations"
 echo "======="
 echo " Notes "
 echo "======="
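Review bot: The new option list documents `--nmap` and tells the user to combine it with `-v`, but neither `-v`/`--verbose` nor the `-n` short form that this commit adds to getopts gets a line of its own, so someone reading `-h` cannot discover either flag. I would replace the `--nmap` line with `echo "  -n, --nmap    [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml)."` and add `echo "  -v, --verbose             Display more information in output."` beside it (wording is a proposal). The `Use \"-v\"` continuation line also lacks the trailing full stop that every other option line in this hunk now carries. usage() begins before this hunk.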
@@ -171,6 +173,145 @@ function drawline()
 }
+## Used in searchsploitout/nmap's XML
+function validterm()
+{
+ ## Check to see if its any phrases which would give a TON of incorrect results
+ if [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "microsoft" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "microsoft windows" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "windows" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "apache" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "ftp" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "http" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "linux" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "net" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "network" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "oracle" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "ssh" ] \
+ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "unknown" ]; then
+ echo -e "[-] Skipping term: ${1} (Term is too general. Please re-search manually: $0 ${arg} ${1})\n" 1>&2
+ return 1
+ fi
+ return 0
+}
+
+
+## Used in searchsploitout/nmap's XML
+function searchsploitout()
+{
+ ## Make sure there is a value
+ if [ "${software}" = "" ]; then
+ return
+ fi
+
+ #echo "" 1>&2
+
+ arg="-t" ## Title search by default!
+ [[ "${JSON}" == "1" ]] && arg="${arg} --json"
+ [[ "${OVERFLOW}" == "1" ]] && arg="${arg} --overflow"
+ [[ "${WEBLINK}" == "1" ]] && arg="${arg} --www"
+ [[ "${COLOUR}" != "1" ]] && arg="${arg} --colour"
+ [[ "${EDBID}" == "1" ]] && arg="${arg} --id"
+
+ ## Try and remove terms that could confuse searches
+ #software=$( echo "${software}" | sed 's_/_ _g' )
+ software=$( echo "${software}" | sed -e 's/[^a-zA-Z0-9]/ /g' )
+
+ if [[ "${VERBOSE}" -eq 1 ]]; then
+ ## Loop each word?
+ tmp=""
+ for word in $( echo ${software} ); do
+ ## Add current search term on
+ tmp="${tmp}${word} "
+
+ ## Check to see if its any phrases which would give a TON of incorrect results
+ validterm "${tmp}" \
+ || continue
+
+ ## Feedback
+ echo "[i] $0 ${arg} ${tmp}" 1>&2
+ out=$( bash "$0" ${arg} ${tmp} )
+
+ ## Are there too many result?
+ lines=$( echo -e "${out}" | wc -l )
+ if [[ "${lines}" -gt 100 ]]; then
+ echo -e "[-] Skipping output: ${tmp} (Too many results. Please re-search manually: $0 ${arg} ${tmp})\n" 1>&2
+ ## Are there any result?
+ elif [[ "${lines}" -gt 6 ]]; then
+ echo -e "${out}\n\n"
+ ## If there's no results
+ else
+ break
+ fi
+ done
+
+ ## Padding between loops
+ echo -e "\n\n" 1>&2
+ else
+ ## Check to see if its any phrases which would give a TON of incorrect results
+ validterm "${software}" \
+ || return
+
+ ## Feedback
+ echo "[i] $0 ${arg} ${software}" 1>&2
+ out=$( bash "$0" ${arg} ${software} )
+
+ ## Are there too many result?
+ lines=$( echo -e "${out}" | wc -l )
+ if [[ "${lines}" -gt 100 ]]; then
+ echo -e "[-] Skipping output: ${software} (Too many results. Please re-search manually: $0 ${arg} ${software})\n" 1>&2
+ ## Are there any result?
+ elif [[ "${lines}" -gt 6 ]]; then
+ echo -e "${out}\n\n"
+ fi
+ fi
+}
+
+
+## Read XML file
+function nmapxml()
+{
+ ## Remove any old traces
+ rm -f /tmp/searchsploitout
+
+ ## Feedback to the end user
+ echo -e "[i] Reading: '${FILE}'\n"
+
+ ## Read in XMP (IP, name, service and version)
+ xmllint --xpath '//address/@addr|//service/@name|//service/@product|//service/@version' "${FILE}" \
+ | sed -e $'s/addr=/\\\n[IP] /g; s/name=/\\\n[NAME] /g; s/product=/\\\n[PRODUCT] /g;s/" version="/\\\n[VERSION] /g; s/"//g' \
+ | grep -v '\[IP\].*\:' \
+ | while read line; do
+ type=$( echo "${line}" | cut -d" " -f 1 )
+ input=$( echo "${line}" | cut -d" " -f 2- )
+
+ case "${type}" in
+ "[IP]")
+ #[[ "${VERBOSE}" -eq 1 ]] && echo -e "\n\n\e[32m[*] IP: ${input}\e[39m" 1>&2
+ ;;
+ "[NAME]")
+ #searchsploitout
+ echo "${software}" >> /tmp/searchsploitout
+ software="${input}"
+ ;;
+ "[PRODUCT]")
+ software="${input}"
+ ;;
+ "[VERSION]")
+ software="${software} ${input}"
+ ;;
+ esac
+ done
+ #searchsploitout
+ echo "${software}" >> /tmp/searchsploitout
+
+ ## Read in from file (so there isn't any duplicates but unable to print out IPs)
+ cat /tmp/searchsploitout | tr '[:upper:]' '[:lower:]' | awk '!x[$0]++' | while read software; do
+ searchsploitout
+ done
+}
+
+
 ## Check for empty args
 if [[ $# -eq 0 ]]; then
 usage >&2
@@ -209,6 +350,10 @@ for param in "$@"; do
 COLOUR=""
 elif [[ "${param}" == "--id" ]]; then
 EDBID=1
+ elif [[ "${param}" == "--nmap" ]]; then
+ XML=1
+ elif [[ "${param}" == "--verbose" ]]; then
+ VERBOSE=1
 else
 if [[ "${param:0:1}" == "-" ]]; then
 ARGS=${ARGS}${param:1}
@@ -221,7 +366,7 @@ done
 ## Parse short arguments
-while getopts "cehjmoptuwx" arg "${ARGS}"; do
+while getopts "cehjmnoptuvwx" arg "${ARGS}"; do
 if [[ "${arg}" = "?" ]]; then usage >&2; fi
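Review bot: nmapxml passes the parsed services through a fixed, predictable path, `/tmp/searchsploitout`, in a world-writable directory: `rm -f` followed by `>>` leaves a window in which another local user can pre-create that name (or a symlink to somewhere else), and whatever the file already contains is later read back as search terms, so the scratch file should come from `mktemp` and be removed when the function finishes. Independently of that, the `echo "${software}" >> /tmp/searchsploitout` after `done` never flushes the last service: the `while read` loop is the final stage of a pipeline and therefore runs in a subshell (nothing visible enables `shopt -s lastpipe`), so `software` in the parent shell is not the value the loop assigned and the last product/version of the scan is silently dropped. Both are addressed by grouping the loop and the trailing flush inside the pipeline and writing to the mktemp file, as sketched below; `read` should also take `-r` so backslashes in product strings are not interpreted, and the read-back `cat /tmp/searchsploitout | tr ...` becomes `tr ... < "${scratch}"`.
```shell
## Read XML file
function nmapxml()
{
  ## Private scratch file instead of a fixed, predictable path under /tmp
  local scratch
  scratch=$( mktemp ) || return 1

  # … unchanged: "[i] Reading" feedback …

  xmllint --xpath '//address/@addr|//service/@name|//service/@product|//service/@version' "${FILE}" \
    # … unchanged: sed / grep -v stages of the pipeline …
    | {
      software=""
      while IFS= read -r line; do
        # … unchanged: type/input split and the case "${type}" … esac block,
        #    writing to "${scratch}" instead of /tmp/searchsploitout …
      done
      ## Still inside the pipeline's subshell, so the last parsed entry is visible here
      echo "${software}" >> "${scratch}"
    }

  ## Read back (lower-cased, de-duplicated) and search each entry
  tr '[:upper:]' '[:lower:]' < "${scratch}" | awk '!x[$0]++' | while read -r software; do
    searchsploitout
  done

  rm -f -- "${scratch}"
}
```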
@@ -231,10 +376,12 @@ while getopts "cehjmoptuwx" arg "${ARGS}"; do
 h) usage >&2;;
 j) JSON=1;;
 m) GETPATH=1; MIRROR=1;;
+ n) XML=1;;
 o) OVERFLOW=1;;
 p) GETPATH=1; CLIPBOARD=1;;
 t) FILEPATH=0;;
 u) update;;
+ v) VERBOSE=1;;
 w) WEBLINK=1;;
 x) GETPATH=1; EXAMINE=1;;
 esac
@@ -249,6 +396,35 @@ if [[ ! -f "${csvpath}" ]]; then
 fi
+
+## Read in XML
+if [[ "${XML}" -eq 1 ]]; then
+ ## Trim white spaces
+ FILE=$(echo ${TAGS} | xargs)
+
+ ## Is there a file?
+ if [[ ! -f "${FILE}" ]]; then
+ echo -e '\n[!] Could not find file:' ${FILE} 1>&2
+ exit 1
+ fi
+
+ if ! hash xmllint 2>/dev/null; then
+ echo -e '\n[!] Please install xmllint' 1>&2
+ echo -e '[i] Kali Linux -> apt install -y libxml2-utils' 1>&2
+ exit 1
+ fi
+
+ if [[ "${VERBOSE}" -ne 1 ]]; then
+ echo "[i] SearchSploit's XML mode (without verbose enabled)"
+ fi
+
+ ## Do the magic
+ nmapxml
+
+ ## Done
+ exit 0
+fi
+
+
 ## Print the full path. If pbcopy/xclip is available then copy to the clipboard
 if [[ "${GETPATH}" -eq 1 ]]; then
 for exploit in $(echo ${TAGS}); do
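Review bot: `FILE=$(echo ${TAGS} | xargs)` trims whitespace by round-tripping the path through unquoted `echo` word-splitting and `xargs`, which also strips quotes and backslashes and cannot preserve a file name containing spaces; a parameter-expansion trim keeps the name intact, e.g. `FILE="${TAGS#"${TAGS%%[![:space:]]*}"}"` followed by `FILE="${FILE%"${FILE##*[![:space:]]}"}"`. The diagnostic `echo -e '\n[!] Could not find file:' ${FILE} 1>&2` should quote `"${FILE}"` for the same reason. `--nmap` is the only option in this hunk that consumes a file argument, yet the name is taken from the generic `TAGS` accumulator (presumably filled by the parameter loop outside this hunk), so any extra search term on the command line silently becomes part of the file name; either say so in the help text or have the parameter loop consume the argument explicitly.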