Merge pull request #20327 from cgranleese-r7/update-vulns-command

Update `vulns` command

Author: adfoster-r7

lib/msf/ui/console/command_dispatcher/db.rb

@@ -1059,7 +1059,8 @@ def cmd_vulns_help
     [ '-R', '--rhosts' ] => [ false, 'Set RHOSTS from the results of the search.' ],
     [ '-S', '--search' ] => [ true, 'Search string to filter by.', '<filter>' ],
     [ '-i', '--info' ] => [ false, 'Display vuln information.' ],
-    [ '-d', '--delete' ] => [ false, 'Delete vulnerabilities. Not officially supported.' ]
+    [ '-d', '--delete' ] => [ false, 'Delete vulnerabilities. Not officially supported.' ],
+    [ '-v', '--verbose' ] => [ false, 'Display additional information.' ]
   )
 
   def cmd_vulns(*args)
@@ -1073,6 +1074,7 @@ def cmd_vulns(*args)
 
     search_term = nil
     show_info   = false
+    show_vuln_attempts = false
     set_rhosts  = false
     output_file = nil
     delete_count = 0
@@ -1111,6 +1113,8 @@ def cmd_vulns(*args)
         search_term = val
       when '-i', '--info'
         show_info = true
+      when '-v', '--verbose'
+        show_vuln_attempts = true
       else
         # Anything that wasn't an option is a host to search for
         unless (arg_host_range(val, host_ranges))
@@ -1182,11 +1186,20 @@ def cmd_vulns(*args)
     end
 
     if output_file
-      File.write(output_file, tbl.to_csv)
-      print_status("Wrote vulnerability information to #{output_file}")
+      if show_vuln_attempts
+        print_warning("Cannot output to a file when verbose mode is enabled. Please remove verbose flag and try again.")
+      else
+        File.write(output_file, tbl.to_csv)
+        print_status("Wrote vulnerability information to #{output_file}")
+      end
     else
       print_line
-      print_line(tbl.to_s)
+      if show_vuln_attempts
+        vulns_and_attempts = _format_vulns_and_vuln_attempts(vulns)
+        _print_vulns_and_attempts(vulns_and_attempts)
+      else
+        print_line(tbl.to_s)
+      end
     end
 
     # Finally, handle the case where the user wants the resulting list
@@ -2347,6 +2360,50 @@ def print_msgs(status_msg, error_msg)
     end
   end
 
+  def _format_vulns_and_vuln_attempts(vulns)
+    vulns.map.with_index do |vuln, index|
+      vuln_formatted = <<~EOF.strip.indent(2)
+        #{index}. Vuln ID: #{vuln.id}
+           Timestamp: #{vuln.created_at}
+           Host: #{vuln.host.address}
+           Name: #{vuln.name}
+           References: #{vuln.refs.map {|r| r.name}.join(',')}
+           Information: #{_format_vuln_value(vuln.info)}
+      EOF
+
+      vuln_attempts_formatted = vuln.vuln_attempts.map.with_index do |vuln_attempt, i|
+        <<~EOF.strip.indent(5)
+          #{i}. ID: #{vuln_attempt.id}
+             Vuln ID: #{vuln_attempt.vuln_id}
+             Timestamp: #{vuln_attempt.attempted_at}
+             Exploit: #{vuln_attempt.exploited}
+             Fail reason: #{_format_vuln_value(vuln_attempt.fail_reason)}
+             Username: #{vuln_attempt.username}
+             Module: #{vuln_attempt.module}
+             Session ID: #{_format_vuln_value(vuln_attempt.session_id)}
+             Loot ID: #{_format_vuln_value(vuln_attempt.loot_id)}
+             Fail Detail: #{_format_vuln_value(vuln_attempt.fail_detail)}
+        EOF
+      end
+
+      { :vuln => vuln_formatted, :vuln_attempts => vuln_attempts_formatted }
+    end
+  end
+
+  def _print_vulns_and_attempts(vulns_and_attempts)
+    print_line("Vulnerabilities\n===============")
+    vulns_and_attempts.each do |vuln_and_attempt|
+      print_line(vuln_and_attempt[:vuln])
+      print_line("Vuln attempts:".indent(5))
+      vuln_and_attempt[:vuln_attempts].each do |attempt|
+        print_line(attempt)
+      end
+    end
+  end
+
+  def _format_vuln_value(s)
+    s.blank? ? s.inspect  : s.to_s
+  end
 end
 
 end end end end

spec/lib/msf/ui/console/command_dispatcher/db_spec.rb

@@ -305,13 +305,70 @@
           "    -R, --rhosts             Set RHOSTS from the results of the search.",
           "    -S, --search <filter>    Search string to filter by.",
           "    -s, --service <name>     List vulns matching these service names.",
+          "    -v, --verbose            Display additional information.",
           "Examples:",
           "  vulns -p 1-65536          # only vulns with associated services",
           "  vulns -p 1-65536 -s http  # identified as http on any port"
         ]
       end
     end
 
+    describe "-v" do
+      before(:example) do
+        vuln_opts = {
+          updated_at: Time.utc(2025, 6, 17, 9, 17, 37),
+          host: '192.168.0.1',
+          name: 'ThinkPHP Multiple PHP Injection RCEs',
+          info: 'Exploited by exploit/unix/webapp/thinkphp_rce to create Session 1',
+          refs: ["CVE-2018-20062"]
+        }
+
+        vuln_attempt_opts = {
+          id: 3,
+          vuln_id: 1,
+          attempted_at: Time.utc(2025, 6, 17, 9, 17, 37),
+          exploited: true,
+          fail_reason: nil,
+          username: "foo",
+          module: "exploit/unix/webapp/thinkphp_rce",
+          session_id: 1,
+          loot_id: nil,
+          fail_detail: nil
+        }
+
+        @vuln = framework.db.report_vuln(vuln_opts)
+        @vuln_attempt = framework.db.report_vuln_attempt(@vuln, vuln_attempt_opts)
+      end
+
+      after(:example) do
+        framework.db.delete_vuln({ids: [@vuln.id]})
+      end
+
+      it "should list vulns and vuln attempts" do
+        db.cmd_vulns "-v"
+        expect(@output).to match_array [
+          "Vulnerabilities",
+          "===============",
+          "  0. Vuln ID: #{@vuln.id}",
+          "     Timestamp: #{@vuln.created_at}",
+          "     Host: 192.168.0.1",
+          "     Name: ThinkPHP Multiple PHP Injection RCEs",
+          "     References: CVE-2018-20062",
+          "     Information: Exploited by exploit/unix/webapp/thinkphp_rce to create Session 1",
+          "     Vuln attempts:",
+          "     0. ID: #{@vuln_attempt.id}",
+          "        Vuln ID: #{@vuln.id}",
+          "        Timestamp: #{@vuln_attempt.attempted_at}",
+          "        Exploit: true",
+          "        Fail reason: nil",
+          "        Username: foo",
+          "        Module: exploit/unix/webapp/thinkphp_rce",
+          "        Session ID: 1",
+          "        Loot ID: nil",
+          "        Fail Detail: nil",
+        ]
+      end
+    end
   end
 
   describe "#cmd_workspace" do