2025-01-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Chapter 1: Background
Recently, during a penetration test, I found a logic vulnerability in a VPN system that publishes remote applications. I am sharing it here.
Logic vulnerabilities come in all kinds of strange forms, and there are too many techniques to enumerate. Only a simple one is listed here; I hope it broadens your understanding of logic vulnerabilities. Thanks.
Chapter 2: The strange logic
Logic vulnerabilities are caused by insufficiently rigorous logic or insufficient permission control in the application system, and they are difficult to identify under normal circumstances. If you happen to trigger certain conditions or modify certain parameters, you get strange results; bypassing part of the process can produce the same results. Here I reproduce how a logic vulnerability in a remote application publishing VPN was used to obtain a shell.
2.1. Early stage: normal access
First, in the login box, log in to the remote application publishing VPN system with a user name and password (the VPN login used a weak password):
After logging in, click through to the application; here the application needs to be installed:
2.2. Middle stage: a bold breakthrough
After the program is installed, the following client dialog pops up. The normal approach would be to log in with a user name and password; here I did the opposite and clicked the Help function to view the help content:
After clicking Help, the following interface appears. Right-click the interface and choose to view the source file; this opens a text document on the front-end machine and displays the file contents:
The file mainly contains web front-end information, which may be of no use. But going one step further: click File, then Save As, select "All files" as the save type, and change the save path to C:\Windows\System32:
Browsing there, cmd.exe is visible. Right-click it and run it as Super Admin; the cmd that opens is the command prompt of the front-end machine. In other words, this feature yields cmdshell permission on the front-end machine:
As follows:
Run whoami:
Run ipconfig:
This line of attack ends here; no in-depth intranet penetration was carried out.
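From the defender's side, the chain described above leaves a recognisable trace on the front-end machine: a command shell whose process ancestry leads back to the published application. The following Python sketch is an added example, not part of the original article; the process names (PublishedApp.exe, and notepad.exe as the text viewer), the event fields and the sample events are constructed assumptions.

```python
import ntpath

# Interpreters that should never descend from a published application.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Hypothetical process name of the published application (assumption, not from the article).
PUBLISHED_ROOTS = {"publishedapp.exe"}

# Constructed process-creation events from the front-end machine.
EVENTS = [
    {"pid": 100, "ppid": 4, "user": "vpnuser", "elevated": False,
     "image": r"C:\Program Files\Vendor\PublishedApp.exe"},
    {"pid": 140, "ppid": 100, "user": "vpnuser", "elevated": False,
     "image": r"C:\Windows\System32\notepad.exe"},   # "view source" text viewer
    {"pid": 188, "ppid": 140, "user": "vpnuser", "elevated": True,
     "image": r"C:\Windows\System32\cmd.exe"},       # shell started from the Save As dialog
    {"pid": 200, "ppid": 188, "user": "vpnuser", "elevated": True,
     "image": r"C:\Windows\System32\whoami.exe"},
    {"pid": 50, "ppid": 1, "user": "admin", "elevated": False,
     "image": r"C:\Windows\explorer.exe"},
    {"pid": 300, "ppid": 50, "user": "admin", "elevated": True,
     "image": r"C:\Windows\System32\cmd.exe"},       # ordinary admin shell, not a breakout
]

def name(ev):
    return ntpath.basename(ev["image"]).lower()

def ancestry(ev, by_pid):
    """Process names from ev up to the oldest ancestor present in the log."""
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:  # seen-set guards against PID loops
        seen.add(ev["pid"])
        chain.append(name(ev))
        ev = by_pid.get(ev["ppid"])
    return chain

def find_breakouts(events):
    """Flag shells that descend, directly or indirectly, from the published app."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if name(ev) not in SHELLS:
            continue
        chain = ancestry(ev, by_pid)
        if PUBLISHED_ROOTS.intersection(chain[1:]):
            alerts.append({"pid": ev["pid"], "user": ev["user"],
                           "severity": "high" if ev["elevated"] else "medium",
                           "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    for alert in find_breakouts(EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent matters here, because the shell is started from the text viewer's file dialog and not from the published application itself.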
2.4. Mind map
Here my overall approach is laid out as a mind map:
Chapter 3: Summary
When facing logic vulnerabilities there is no fixed line of thinking; the approach is to think boldly and conjecture. Maybe this is the Goldbach conjecture of the security circle. Thanks again.
Thank you for reading. The above is the content of "Technical discussion | remote Application Publishing VPN Logic loopholes to obtain Shell Research".