
# Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.rapid7.com/
# Software Link: https://www.rapid7.com/products/nexpose/
# Version: 6.6.240
# Tested: Windows 10 x64

# Step to discover Unquoted Service Path:

C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname

DisplayName               Name            PathName                                                  StartMode  StartName
Nexpose Security Console  nexposeconsole  "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"  Auto       LocalSystem

# Service info:

C:\Users\saudh>sc qc nexposeconsole
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeconsole
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Security Console
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:

An unquoted service path is exploitable when the image path contains spaces and is not enclosed in double quotes: the service control manager hands the raw string to CreateProcess, which tries each space-delimited prefix in turn (C:\Program.exe, then C:\Program Files\rapid7.exe, and so on) before reaching the real binary. A successful attempt therefore requires a local user who can place their own executable at one of those intermediate paths without it being removed by the OS or other security applications. Because the service starts automatically as LocalSystem, the planted executable would run with SYSTEM privileges at the next service start or reboot.

Caveat: in both the wmic and sc qc output above, BINARY_PATH_NAME is already enclosed in double quotes, so the prefix search described here does not occur for the path as shown. Before treating this as exploitable, confirm on the target that the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\nexposeconsole is actually unquoted, and that a non-administrative user can write to the directory of one of the candidate prefixes (C:\ and C:\Program Files\ are not writable by standard users on a default Windows 10 install).
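Added example, not part of the advisory: a small Python checker that parses sc qc output, applies the CreateProcess prefix-search rule to BINARY_PATH_NAME, and lists the paths an attacker would have to plant. The first sample is the sc qc nexposeconsole output reproduced above; the second (hypo_agent) is a constructed, hypothetical service used only to show what a genuinely unquoted path yields. Whether a candidate directory is writable still has to be checked on the live host (for example with icacls), which this offline example does not do.

```python
import re

# Output of `sc qc nexposeconsole` as printed in the advisory above (copied
# from the page, not captured by this example's author).
SC_QC_NEXPOSE = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeconsole
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\\Program Files\\rapid7\\nexpose\\nsc\\bin\\nexlaunch.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Security Console
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed, hypothetical service (not a real product) whose path is NOT quoted.
SC_QC_HYPOTHETICAL = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: hypo_agent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\Example Vendor\\agent\\agent.exe -service
        DISPLAY_NAME       : Hypothetical Agent
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Pull the fields relevant to this check out of `sc qc` output."""
    fields = {}
    m = re.search(r"^SERVICE_NAME:\s*(\S+)", text, re.M)
    fields["name"] = m.group(1) if m else None
    for key in ("BINARY_PATH_NAME", "SERVICE_START_NAME", "START_TYPE"):
        m = re.search(rf"^\s*{key}\s*:\s*(.*?)\s*$", text, re.M)
        fields[key] = m.group(1) if m else ""
    return fields


def executable_from_path(pathname):
    """Return (executable_path, quoted).

    A quoted path is unambiguous. For an unquoted one, CreateProcess tries each
    space-delimited prefix until one resolves to a file; offline we approximate
    the real target as the shortest prefix ending in .exe.
    """
    s = pathname.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    tokens = s.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix, False
    return s, False


def hijack_candidates(pathname):
    """Paths that would be tried before the real binary on an unquoted path.

    Each space inside the executable path yields one prefix; CreateProcess
    appends .exe when the prefix has no extension.
    """
    exe, quoted = executable_from_path(pathname)
    if quoted or " " not in exe:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def assess(sc_qc_text):
    """Summarise one service: is the path unquoted with spaces, and where to plant."""
    f = parse_sc_qc(sc_qc_text)
    cands = hijack_candidates(f["BINARY_PATH_NAME"])
    return {
        "name": f["name"],
        "runs_as": f["SERVICE_START_NAME"],
        "unquoted_with_spaces": bool(cands),
        "candidates": cands,
    }


if __name__ == "__main__":
    for sample in (SC_QC_NEXPOSE, SC_QC_HYPOTHETICAL):
        print(assess(sample))
```

Against the advisory's own output the checker reports no candidates, because the quotes make the path unambiguous; for the constructed unquoted service it reports C:\Program.exe and C:\Program Files\Example.exe as the locations an attacker would need write access to.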