diff --git a/NuCom/NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation/NuCom_11N_Wireless_Router_V5_07_Remote_Privilege_Escalation.gif b/NuCom/NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation/NuCom_11N_Wireless_Router_V5_07_Remote_Privilege_Escalation.gif
new file mode 100644
index 0000000..12eebea
Binary files /dev/null and b/NuCom/NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation/NuCom_11N_Wireless_Router_V5_07_Remote_Privilege_Escalation.gif differ
diff --git a/NuCom/NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation/README.md b/NuCom/NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation/README.md
new file mode 100644
index 0000000..c33736c
--- /dev/null
+++ b/NuCom/NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation/README.md
@@ -0,0 +1,10 @@
+# NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation
+
+The application suffers from a privilege escalation vulnerability. The non-privileged default user (user:user) can elevate his privileges by sending a HTTP GET request to the configuration backup endpoint and disclose the http super password (admin credentials) in Base64 encoded value. Once authenticated as admin, an attacker will be granted access to the additional and privileged pages.
+
+FOFA **query rule**: [title="NuCom 11N Wireless Router"||body="NuCom 11N Wireless Router"](https://fofa.so/result?qbase64=dGl0bGU9Ik51Q29tIDExTiBXaXJlbGVzcyBSb3V0ZXIifHxib2R5PSJOdUNvbSAxMU4gV2lyZWxlc3MgUm91dGVyIg%3D%3D)
+
+# Demo
+
+![](NuCom_11N_Wireless_Router_V5_07_Remote_Privilege_Escalation.gif)
+
diff --git a/Ricon/Ricon Industrial Cellular Router apply.cgi RCE/README.md b/Ricon/Ricon Industrial Cellular Router apply.cgi RCE/README.md
new file mode 100644
index 0000000..c948b9f
--- /dev/null
+++ b/Ricon/Ricon Industrial Cellular Router apply.cgi RCE/README.md
@@ -0,0 +1,10 @@
+# Ricon Industrial Cellular Router apply.cgi RCE
+
+The router suffers from an authenticated OS command injection vulnerability, This can be exploited to inject and execute arbitrary shell commands as the admin user via the ping_server_ip POST parameter. Also vulnerable to Heartbleed.
+
+FOFA **query rule**: [body="Industrial Cellular" && server="WEB-ROUTER"](https://fofa.so/result?qbase64=Ym9keT0iSW5kdXN0cmlhbCBDZWxsdWxhciIgJiYgc2VydmVyPSJXRUItUk9VVEVSIg%3D%3D)
+
+# Demo
+
+![](Ricon_Industrial_Cellular_Router_apply_cgi_RCE.gif)
+
diff --git a/Ricon/Ricon Industrial Cellular Router apply.cgi RCE/Ricon_Industrial_Cellular_Router_apply_cgi_RCE.gif b/Ricon/Ricon Industrial Cellular Router apply.cgi RCE/Ricon_Industrial_Cellular_Router_apply_cgi_RCE.gif
new file mode 100644
index 0000000..834e5dc
Binary files /dev/null and b/Ricon/Ricon Industrial Cellular Router apply.cgi RCE/Ricon_Industrial_Cellular_Router_apply_cgi_RCE.gif differ
diff --git a/ZBL/ZBL EPON ONU Broadband Router 1.0/README.md b/ZBL/ZBL EPON ONU Broadband Router 1.0/README.md
new file mode 100644
index 0000000..a75e701
--- /dev/null
+++ b/ZBL/ZBL EPON ONU Broadband Router 1.0/README.md
@@ -0,0 +1,10 @@
+# ZBL EPON ONU Broadband Router 1.0 Remote Privilege Escalation
+
+The limited administrative user admin:admin can elevate her privileges by sending a HTTP GET request to the configuration backup endpoint or the password page and disclose the http super user password. Once authenticated as super, an attacker will be granted access to additional and privileged functionalities.
+
+FOFA **query rule**: [body="HG104B-ZG-E"](https://fofa.so/result?qbase64=Ym9keT0iSEcxMDRCLVpHLUUi)
+
+# Demo
+
+![](ZBL_EPON_ONU_Broadband_Router_1_0_Remote_Privilege_Escalation.gif)
+
diff --git a/ZBL/ZBL EPON ONU Broadband Router 1.0/ZBL_EPON_ONU_Broadband_Router_1_0_Remote_Privilege_Escalation.gif b/ZBL/ZBL EPON ONU Broadband Router 1.0/ZBL_EPON_ONU_Broadband_Router_1_0_Remote_Privilege_Escalation.gif
new file mode 100644
index 0000000..d1c9251
Binary files /dev/null and b/ZBL/ZBL EPON ONU Broadband Router 1.0/ZBL_EPON_ONU_Broadband_Router_1_0_Remote_Privilege_Escalation.gif differ
diff --git a/qdPM/qdPM 9.2 Database Information leakage/README.md b/qdPM/qdPM 9.2 Database Information leakage/README.md
new file mode 100644
index 0000000..d64ccfc
--- /dev/null
+++ b/qdPM/qdPM 9.2 Database Information leakage/README.md
@@ -0,0 +1,10 @@
+# qdPM 9.2 Database Information leakage
+
+The password and connection string for the database are stored in a yml file. To access the yml file you can go to /core/config/databases.yml file and download.
+
+FOFA **query rule**: [body="qdPM"](https://fofa.so/result?qbase64=Ym9keT0icWRQTSI%3D)
+
+# Demo
+
+![](qdPM_9_2_Database_Information_leakage.gif)
+
diff --git a/qdPM/qdPM 9.2 Database Information leakage/qdPM_9_2_Database_Information_leakage.gif b/qdPM/qdPM 9.2 Database Information leakage/qdPM_9_2_Database_Information_leakage.gif
new file mode 100644
index 0000000..a276888
Binary files /dev/null and b/qdPM/qdPM 9.2 Database Information leakage/qdPM_9_2_Database_Information_leakage.gif differ