Command injection in searchsploit exact mode

Searchsploit version: 4.1.3 (2020-06-22)
Project git page: https://github.com/offensive-security/exploitdb

Analysis

  1. The user's keywords are crafted into the search command at line 507
  ## If we are NOT to use the path name ("-t"/"-e")
  [[ "${FILEPATH}" -eq 0 ]] \
    && SEARCH="${SEARCH} | awk -F '[,]' '${CASE_TAG_FGREP}(\$3) ~ /${AWK_SEARCH}/ {print}'"

  The full command string is the $SEARCH variable.
  2. After being fully crafted, the command is executed by eval at line 601

  OUTPUT="$(
    ( \
      eval ${SEARCH}; \
      awk "/^(${ID}),/ {print}" "${path_in}/${file_in}" \
    ) \
    | sed 's/\"//g;   s_\\_\\\\_g' \
    | sort -u
  )"

Debug

  1. I added a “Breakpoint” to show the full search command
  2. Show the crafted command
  3. The user’s whole input isn’t filtered, so we can escape the awk search and inject malicious payloads
    Close awk parameters part

Exploit

  1. The crafted payload "foo' | echo * ;" shows all files and folders inside the pwd (similar to the dir command)
  2. Create a reverse shell connection
  3. On a Kali machine, if the current user is added to the kali-trust group, searchsploit is granted sudo with no password prompt, so an attacker can get root’s reverse shell.
3 Likes
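A hardened form of the search step, added here as an example (not searchsploit's own code): the term is handed to awk as a variable with -v instead of being spliced into a command string that is later eval'd, so shell and awk metacharacters in it are plain data. The CSV rows are constructed sample data standing in for the exploit index the script searches.

```shell
#!/usr/bin/env bash
# Added example, not code from the searchsploit project. Shows the safe way to
# let a user-supplied term reach awk: as an awk variable, never as part of a
# command string that is later eval'd.

# Constructed sample rows in the three-column layout the script searches
# (id,path,title); this is test data, not the real exploit index.
SAMPLE_CSV="$(printf '%s\n' \
  '1,exploits/a.txt,Foo Bar overflow' \
  '2,exploits/b.txt,Baz remote' \
  '3,exploits/c.txt,Foo-Baz auth bypass')"

# search_hardened TERM CSV
# Prints the id of every row whose title contains TERM (case-insensitive).
# TERM is passed with -v, so quotes, pipes, semicolons and regex
# metacharacters in it are compared as literal bytes by index(); nothing
# is eval'd and the shell never parses the term as syntax. (Caveat: -v
# still expands backslash escapes such as \n inside the value; read the
# term from ENVIRON["term"] instead if that matters for your input.)
search_hardened() {
  local term="$1" csv="$2"
  printf '%s\n' "$csv" | awk -F ',' -v term="$term" '
    BEGIN { term = tolower(term) }
    index(tolower($3), term) { print $1 }
  '
}

# Contrast: the report's SEARCH string interpolates the term into the awk
# program text and then runs the whole pipeline through eval, which is the
# shape that turns a quote or pipe in the term into a second command.
```

Matches are printed as ids only; join them back to the index rows the same way the script's second awk does if full lines are wanted.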

damn that's 1337

only 1 thing: “it is a bash script. Who cares” lul

dyamn
hamckerman

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.