# Metasploit

## Install

```bash
# UBUNTU
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall
```

## Commands

```bash
# "show" can be used to view all available modules
msf6 > show -h
[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions

# Example
msf6 > show payloads

588  payload/windows/x64/vncinject/reverse_tcp_rc4                                normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
589  payload/windows/x64/vncinject/reverse_tcp_uuid                               normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
590  payload/windows/x64/vncinject/reverse_winhttp                                normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
591  payload/windows/x64/vncinject/reverse_winhttps                               normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)

```

```bash
# "use" will set the chosen module to be executed
msf6 > use $MODULE_PATH or $SEARCH_ID

# Ex:
588  exploit/unix/webapp/wp_asset_manager_upload_exec

msf6 > use exploit/unix/webapp/wp_asset_manager_upload_exec
OR
msf6 > use 588

msf6 exploit(unix/webapp/wp_asset_manager_upload_exec) > 
```

```bash
# "show info" with selected module will show all the options
# and description about it
msf6 exploit(unix/webapp/wp_asset_manager_upload_exec) > show info


       Name: WordPress Asset-Manager PHP File Upload Vulnerability
     Module: exploit/unix/webapp/wp_asset_manager_upload_exec
   Platform: PHP
       Arch: php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2012-05-26

Provided by:
  Sammy FORGIT
  James Fitts <fitts.james@gmail.com>

Available targets:
  Id  Name
  --  ----
  0   asset-manager <= 2.0

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a vulnerability found in Asset-Manager <= 2.0 
  WordPress plugin. By abusing the upload.php file, a malicious user 
  can upload a file to a temp directory without authentication, which 
  results in arbitrary code execution.

References:
  OSVDB (82653)
  http://www.securityfocus.com/bid/53809
  https://www.exploit-db.com/exploits/18993
  http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html
  https://wpscan.com/vulnerability/6106
```

```bash
# "set $OPTION $VALUE" will set the value of an option for the module
msf6 exploit(my/exploit/path) > set RHOSTS mysite.com
RHOSTS => mysite.com
```

```bash
# "run" will execute the exploit
msf6 exploit(my/exploit/path) > run
```
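The `use` / `set` / `run` sequence above can also be driven non-interactively with a resource script (`msfconsole -q -r file.rc`). The following is an added example, not part of the original page, that builds such a script for the module shown earlier; it swaps `run` for the module's `check` action (the module reports "Check supported: Yes") and adds `show missing` so any required option left unset is reported before anything is executed. The host `192.0.2.10` is a constructed placeholder from the documentation address range.

```shell
#!/bin/sh
# Added example (not from the original page): generate a Metasploit
# resource script that selects a module, sets its options, reports
# missing required options and runs the non-intrusive "check" action.

# build_rc MODULE RHOSTS RPORT TARGETURI
# Prints the resource-script text to stdout, one msfconsole command per line.
build_rc() {
  module="$1"; rhosts="$2"; rport="$3"; targeturi="$4"
  printf 'use %s\n' "$module"
  printf 'set RHOSTS %s\n' "$rhosts"
  printf 'set RPORT %s\n' "$rport"
  printf 'set TARGETURI %s\n' "$targeturi"
  printf 'show missing\n'   # lists required options that are still unset
  printf 'check\n'          # verify the target is vulnerable without exploiting it
  printf 'exit -y\n'        # leave msfconsole without the confirmation prompt
}

# count_set RC_TEXT
# Returns the number of "set" lines; a quick sanity check on the generated script.
count_set() {
  printf '%s\n' "$1" | grep -c '^set '
}

# Usage: write the script to check.rc, then run it with
#   msfconsole -q -r check.rc
# 192.0.2.10 is a constructed placeholder address, not a real target.
build_rc exploit/unix/webapp/wp_asset_manager_upload_exec 192.0.2.10 80 / > check.rc
cat check.rc
```

`check.rc` can be reviewed before it is handed to `msfconsole`; because it ends in `check` rather than `run`, the same file is safe to reuse for scheduled verification that a patched host no longer reports as vulnerable.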

```bash
# Search for exploits
msf6 > search type:exploit fullname:"Windows X.Y.Z"
  # type:exploit -> show only exploits
  # fullname:"Windows X.Y.Z" -> filter for specific info
```
