go-exploit-cache builds an HTTP cache SQLite database used by the go-exploit framework to enable cross-exploit sharing and scanless target verification. Instead of actively connecting to targets, go-exploit can consult the cache to run version checks and other scans using previously-collected HTTP data (Shodan, Censys, PCAP, RunZero, etc.).
Project: vulncheck-oss/go-exploit

This tool generates the SQLite cache that `go-exploit` reads.

- Ingests and normalizes HTTP requests/responses from multiple sources.
- Produces an SQLite `http_cache` that `go-exploit` uses for scanless verification and version checks.
- Supported inputs: Shodan `.json.gz`, RunZero JSONL (and limited RunZero JSON1), PCAP/pcapng, and Censys JSONL (via helper script).
- Enables scanless verification and version detection for demos, research, or workflows where active scanning is undesirable.
- Aggregates diverse HTTP data sources into a single, reusable DB.
- Allows multiple exploit modules / scanners to share observed HTTP artifacts (headers, cookies, bodies, favicon hash, etc.).
- Ingests and normalizes:
  - Shodan `.json.gz`
  - RunZero JSONL (and limited RunZero JSON1)
  - PCAP/pcapng (extracts HTTP)
  - Censys JSONL (use `censys/censys_v3_dump.py` to prepare)
- Produces an SQLite DB consumable by `go-exploit`
- Emits auxiliary target lists for some backends (e.g., Censys)
See USAGE.md for more details.
```sh
./build/go-exploit-cache \
  -type shodan-gzip \
  -in ~/Downloads/734342e9-56b8-4299-a072-9d1d28f66434.json.gz \
  -out confluence.db
```

Typical output:

```
Decompressing the Shodan GZIP... this can be slow
Decompressed file written to .tmp/shodan.json
Generating database entries...
Cleaning up .tmp directory
```

Inspect DB:

```
sqlite3 confluence.db
sqlite> select rhost, rport from http_cache limit 1;
52.200.210.54|80
```

You can verify a target using only cached data. Example uses `unshare -n` to block network access (for demo only — `unshare` not required):

```sh
sudo unshare -n ./build/cve-2023-22527_linux-arm64 \
  -c -v -rhost 52.200.210.54 -rport 80 \
  -db ~/go-exploit-cache/confluence.db
```

Example output:

```
time=... level=STATUS msg="Starting target" host=52.200.210.54 port=80
time=... level=STATUS msg="Validating Confluence target"
time=... level=SUCCESS msg="Target verification succeeded!"
time=... level=VERSION msg="The reported version is 7.19.17"
time=... level=STATUS msg="The target appears to be a patched version." vulnerable=no
```
- `shodan-gzip` — Shodan `.json.gz` export
- `runzero-jsonl` — RunZero JSONL (limited JSON1 support)
- `pcap` / `pcapng` — PCAP files (extracts HTTP traffic)
- `censys-jsonl` — Censys JSONL (use helper script in `censys/`)

See test/testdata for example files.
- Censys doesn't offer a nice clean "download all the info you want" mechanism, so we've created `censys_v3_dump.py` to grab the data. It starts by accepting a Censys Platform search query and then downloads the individual hosts to access the HTTP headers and full HTTP body. Use `censys/censys_v3_dump.py` to collect and format Censys results into JSONL suitable for ingestion.
http_cache — main table (cache generated table)
| column | type | description |
|---|---|---|
| id | INTEGER | primary key |
| created | INTEGER | date |
| rhost | TEXT | remote host (IP) |
| rport | INT | remote port |
| uri | TEXT | the cached path |
| data | BLOB | HTTP headers + body |
verified — software description table (go-exploit populated table)
| column | type | description |
|---|---|---|
| id | INTEGER | primary key |
| created | INTEGER | date |
| software name | TEXT | Name of software |
| installed | INT | 0 or 1 |
| version | TEXT | The software version |
| rhost | TEXT | remote host (IP) |
| rport | INT | remote port |
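
The following added example (not code from go-exploit-cache or go-exploit) shows how a lookup against the `http_cache` columns documented above can stand in for a live request. It assumes the `data` blob is a raw HTTP response (status line, headers, blank line, body); the host, URI and version meta tag are constructed sample values.

```python
import re
import sqlite3
from email.parser import BytesParser

# Schema follows the http_cache table documented above.
SCHEMA = """CREATE TABLE http_cache (
    id INTEGER PRIMARY KEY, created INTEGER,
    rhost TEXT, rport INT, uri TEXT, data BLOB)"""

# Constructed sample entry (assumed layout: raw response, headers then body).
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
          b'<html><head><meta name="ajs-version-number" content="7.19.17">'
          b"</head></html>")

def open_sample_cache():
    """Build an in-memory cache holding the single constructed entry."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO http_cache (created, rhost, rport, uri, data) "
               "VALUES (?, ?, ?, ?, ?)",
               (1700000000, "192.0.2.10", 80, "/login.action", SAMPLE))
    return db

def lookup(db, rhost, rport, uri):
    """Return (status, headers, body) for the newest cached entry, or None."""
    row = db.execute("SELECT data FROM http_cache WHERE rhost=? AND rport=? "
                     "AND uri=? ORDER BY created DESC LIMIT 1",
                     (rhost, rport, uri)).fetchone()
    if row is None:
        return None  # cache miss: nothing was ever observed for this target
    head, _, body = bytes(row[0]).partition(b"\r\n\r\n")
    status_line, _, raw_headers = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = BytesParser().parsebytes(raw_headers + b"\r\n\r\n", headersonly=True)
    return status, headers, body

def cached_version(db, rhost, rport, uri):
    """Extract a version string from the cached body without any network I/O."""
    hit = lookup(db, rhost, rport, uri)
    if hit is None or hit[0] != 200:
        return None
    m = re.search(rb'name="ajs-version-number" content="([0-9.]+)"', hit[2])
    return m.group(1).decode() if m else None

if __name__ == "__main__":
    db = open_sample_cache()
    print(cached_version(db, "192.0.2.10", 80, "/login.action"))
```

A result from the cache reflects the target as it was when the entry was collected, so the `created` column is worth checking before relying on a cached version.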
On Ubuntu:

```sh
sudo apt install libpcap-dev
make
```

(Requires a Go toolchain — see https://go.dev/doc/install.)