Shulou(Shulou.com)05/31 Report--

Metasploit basic command is what, many novices are not very clear about this, in order to help you solve this problem, the following small series will explain in detail for everyone, there are people who need this can learn, I hope you can gain something.

As we mentioned last time, my msf database is inexplicably... It collapsed...

How to deal with it, you should remember:

Perfect reset database restart msf~

After solving the small problem, continue to start today's study ~

It's an honor, but today we're back in business

Finally started using MSF.

In MSF, there are three ways to help, which are "? " 、"help"、"-h"。

We're not going to do anything about how to bring up the help menu,

Simply put (as in kill command):

？kill / kill -h /help kill

But what about a point?" "The way is not officially intentional.

Unable to retrieve tab auto-supplement bug has not been fixed

This means that you need to manually type all commands.

Another handy feature of msf is that

Support external command execution, i.e. system commands.

You don't need to open a separate window to view certain system information.

Of course, the habit of system commands is also reserved, such as tab.

Let's take a quick look at how the so-called ~ core command under the console menu is core.

Did he look dumbfounded? Wasn't this the system's order?

Let's pick a few different ones to feel:

connect command. You can understand what this is about at a glance.

Connect with a famous company! A website within the intranet.

This interface seems to have been seen somewhere before. Does it look familiar?

Guess what, it's Swiss netcat, no doubt.

In my opinion, MSF response speed is almost non-delayed.

But this does not deny the fact that 100KB NC is portable.

Each has its own merits, if not its own hidden agenda.

MSF recommends some more here, to give up NC meow ~

Of course, as I just said, msf supports external command calls, and you can use NC here.

The next command is SHOW!

The show command will be one of the most frequently used features of your future,

Its role is to display all currently available resources,

It seems that the previous version of show only shows the resource directory at the next level.

However, the author's hand is broken today, and the effect really shows all...

A few thousand lines of script names came out just like that, and the virtual machine almost collapsed!

When you use it normally, the name of the show module can be used.

And the module is still able to continue to use the command.

Of course, when faced with the script,

Naturally, you will think of the search function.

This brings us to another high-frequency basic command;search keyword.

I suddenly thought of the weblogic Java anti-sequence vulnerability recently tested.

Let's try searching. EMMM, the results are not satisfactory.

It can also be seen from this that mythology is not perfect.

But there is a foreshadowing here. We also see that msf does not provide java deserialization vulnerability poc.

We really can't use msf to complete this vulnerability.

Objectively speaking, you can only say that msf officials or the community did not provide poc.

It does not mean that the individual has not provided the corresponding module.

Interested in Google msfJava deserialization

See how big shots develop msf J**A deserialization module independently.

We'll repeat it later if we get a chance.

After all this, please trust MSF!

The search feature allows us to get what we want from msf's massive scripts at any time.

In addition to details, we can see about vulnerability exposure time and script rating,

This allows us to understand vulnerabilities faster.

After we find the module we want?

Of course it was used. This leads to the next high-frequency base command: use.

Here we take MySQL as an example.

Just find a login test scan module ~

Know nothing about this module? It doesn't matter, info command is used to view current module information.

The basic options are what we need to configure.

Mmp, just give me an example. There are so many configuration items. Doesn't this leave a psychological shadow on the newcomer?

Is the info interface too confusing? I don't know what to match. show options

Of course, with an unknown script, even if we see all the configuration items,

And we don't know what we need to configure.

We don't know what commands to use,

Then we used it. We just raised it to show. Continue ~

where show missing is required to show missing.

You can see all the uses of show,

And easy to use help us understand what we need configuration instructions for,

What is the missing configuration content of the script,

Here is a wordy sentence: we can see that the show command here is actually exactly the same as the command content under our root directory.

However, the effect is not exactly the same, of course, I do not distinguish here.

Say, for example, if your vulnerability is unique to lunix,

If you show payloads here, the payloads that come out will only be payloads for the Linux platform.

evasion is used to obfuscate advanced attributes, so we won't explain them.

All of a sudden, you may want to ask something.

After half a day of talking about modifying items, how should we modify them?

Use the set command for assignment operations.

Then use show options to check.

Finally, execute the script command: run.

So, this is the end of this long course.

Let's see what we missed and add...

The first is to introduce the edit command to big shots with script development capabilities.

This command feels visually like opening a script file with vi.

Take a picture of Meimei's parrot ~ Ying

The operating habits are exactly the same as vi.

Then ask a command: check, only for a small part of the script, only detect not to use.

It's okay to ignore it because most scripts don't distinguish between the two.

Then, color command, color ~

A screenshot clearly states whether to open the directory color change,

Depends on personal habits.

All right, end of mission: back order

Go back to console (home directory we just worked on) interface ~

Did reading the above help you? If you still want to have further understanding of related knowledge or read more related articles, please pay attention to the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.