Status: Stable | Version: 1.0.0 | Author: Rifteo | Tags: pentest, security, infrastructure
Installation
rifteo-skills add check-exploit

Summary

Given a service name, version, CVE ID, or technology stack, systematically search every major exploit source in priority order and return a triage table of findings.
  • Normalizes the target into a consistent search query before hitting any source
  • Searches across Searchsploit, Metasploit, Shodan CVEDB, Vulners, Sploitus, search_vulns, Sploitify, PacketStorm, and Pompem in order
  • Classifies each result by type, auth requirement, reliability, and active exploitation status (CISA KEV)
  • Outputs a structured triage table and a ranked highest-severity finding with recommended next steps

SKILL.md file

Check Exploit

Given a service name, version, CVE ID, or technology stack, systematically search every major exploit source in priority order and return a triage table of findings.

When to Use This Skill

Use this skill when the user:
  • Has identified a service/version and wants to know if public exploits exist
  • Provides a CVE ID and wants proof-of-concept or weaponized exploit references
  • Ran nmap/banner grabbing and wants to cross-reference results against exploit databases
  • Wants to know if a vulnerability is actively exploited in the wild
  • Is preparing a pentest report and needs exploit evidence references

What Does It Check?

The skill normalizes the target into a search string, then works through every major exploit source in priority order. For each source it records whether results were found, the exploit ID and title, and whether a working PoC or weaponized exploit exists.

In scope:
  • Remote/local exploits, web app exploits, privilege escalation, DoS, info disclosure
  • CISA KEV status for active exploitation confirmation
  • End-of-life version detection via search_vulns / endoflife.date

Out of scope:
  • Running or adapting exploits: this skill is for discovery and triage only
  • Vulnerability scanning: requires separate tooling

How It Works

Phase 1: Build the Search Query
Extract product name, version, and OS/platform from the input. Construct exact, broad, and CVE-based query variants. Identify the vulnerability class if inferable (RCE, LFI, auth bypass, privesc, DoS).

Phase 2: Systematic Source Search
Run scripts/multi-search.py as the starting point: it executes searchsploit locally and generates ready-to-open URLs for all online sources. Then work through each source in order:
  1. Searchsploit (Exploit-DB offline, fastest)
  2. Metasploit: module search by product, platform, port, or CVE
  3. Shodan CVEDB: CVSS, EPSS, CISA KEV status, affected CPEs
  4. Vulners: aggregates NVD, Exploit-DB, PacketStorm, vendor advisories
  5. Sploitus: searches Exploit-DB, GitHub PoCs, Packet Storm simultaneously
  6. search_vulns: aggregates NVD, PoC-in-GitHub, GitHub Security Advisory, endoflife.date
  7. Sploitify: categorized exploits by vulnerability and service type
  8. PacketStorm: fallback for advisories and papers with PoC code
  9. Pompem: searches Exploit-DB, Packet Storm, and NVD in one pass

Phase 3: Triage and Classify
For each exploit found, classify by type, auth requirement, reliability (weaponized / PoC / theoretical), and complexity. Check CISA KEV for active exploitation. Priority: weaponized + no auth + remote → Critical.

Phase 4: Output
Produce a structured triage table, a highest-severity finding summary, and recommended next steps (Metasploit command, PoC adaptation notes, or upgrade advice).

Output

| Status   | Condition                                     |
|----------|-----------------------------------------------|
| Critical | Weaponized exploit, no auth required, remote  |
| High     | PoC published, no auth required, remote       |
| Medium   | Auth required or local only                   |
| Low/Info | DoS or information disclosure only            |
Example output structure:

Target: Apache 2.4.49

Exploit Triage Table:
| Source     | ID        | Title                 | Type       | Auth | Reliability |
|------------|-----------|-----------------------|------------|------|-------------|
| Exploit-DB | EDB-50383 | Apache Path Traversal | Remote RCE | None | PoC         |
| Metasploit | exploit/… | Apache Normalize RCE  | Remote     | None | Weaponized  |

Highest-Severity Finding:
CVE: CVE-2021-41773 | Type: Remote RCE | CISA KEV: Listed
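As an added worked example (not the skill's own code, and not its scripts/multi-search.py), the Phase 3 status rules and the Phase 4 table applied to constructed findings. The Finding fields, the CISA KEV tie-break, and the treatment of unauthenticated remote findings that are only theoretical are assumptions, since the status table above does not cover that last case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    source: str
    exploit_id: str
    title: str
    impact: str          # "rce", "privesc", "dos", "info", ...
    remote: bool         # False means local only
    auth_required: bool
    reliability: str     # "Weaponized", "PoC" or "Theoretical"
    cisa_kev: bool = False

STATUS_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low/Info": 3}

def triage_status(f: Finding) -> str:
    """Phase 3 rules from the skill's status table, most restrictive condition first."""
    if f.impact in ("dos", "info"):       # DoS or information disclosure only
        return "Low/Info"
    if f.auth_required or not f.remote:   # auth required or local only
        return "Medium"
    if f.reliability == "Weaponized":     # weaponized + no auth + remote
        return "Critical"
    if f.reliability == "PoC":            # PoC published + no auth + remote
        return "High"
    return "Medium"  # assumption: unauth remote but only theoretical, no usable exploit yet

def highest_severity(findings: list[Finding]) -> Finding:
    """Most severe status wins; a CISA KEV listing breaks ties (assumed tie-break rule)."""
    return min(findings, key=lambda f: (STATUS_RANK[triage_status(f)], not f.cisa_kev))

def render_table(findings: list[Finding]) -> str:
    """Render the triage table in the skill's pipe-table layout, most severe first."""
    rows = ["| Source | ID | Title | Type | Auth | Reliability | Status |",
            "|---|---|---|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: STATUS_RANK[triage_status(f)]):
        kind = ("Remote " if f.remote else "Local ") + f.impact.upper()
        auth = "Required" if f.auth_required else "None"
        rows.append(f"| {f.source} | {f.exploit_id} | {f.title} | {kind} | {auth} "
                    f"| {f.reliability} | {triage_status(f)} |")
    return "\n".join(rows)

# Constructed sample findings; the Metasploit module path stays elided as on the page.
SAMPLE = [
    Finding("Exploit-DB", "EDB-50383", "Apache Path Traversal", "rce", True, False, "PoC", True),
    Finding("Metasploit", "exploit/…", "Apache Normalize RCE", "rce", True, False, "Weaponized", True),
    Finding("GitHub PoC", "constructed-1", "Local privilege escalation", "privesc", False, True, "PoC"),
    Finding("PacketStorm", "constructed-2", "Request flood (DoS)", "dos", True, False, "Weaponized"),
]
```

Calling render_table(SAMPLE) and highest_severity(SAMPLE) reproduces the ordering of the example output above, with the weaponized unauthenticated remote module ranked Critical ahead of the PoC-only entry.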

Known Limitations

  • Searchsploit requires a local Exploit-DB copy; run searchsploit --update if results seem stale
  • Online sources may be rate-limited or require an account (Vulners, Shodan)
  • Google Dork results are unstructured and must be recorded manually
  • Never invent exploit IDs, CVE numbers, or GitHub URLs if a source is not accessible
